PC Security
May 06, 2008
* Yahoo Announces Search Feature to Fight Malware

Yahoo Search Blog: "Today, we're announcing the beta release of SearchScan, a new feature from Yahoo! Search that helps protect users from viruses, spyware and spam. We've heard from users that security and privacy continue to be major concerns when they are online. We've also learned that solutions that require downloads and constant updating are less than ideal. To tackle the problem, we partnered with McAfee to build a feature that provides a safer and hassle-free search experience to all users...How does it work? SearchScan leverages McAfee's SiteAdvisor technology to alert users if risky websites appear in Yahoo! Search results. Starting today, SearchScan will be turned on by default for all users in the U.S., Canada, UK, France, Italy, Germany, Australia, New Zealand, and Spain..."

May 03, 2008
* CQ: Hundreds of Laptops Missing at State Department, Audit Finds

Jeff Stein, CQ National Security Editor - excerpt: "Hundreds of employee laptops are unaccounted for at the U.S. Department of State, which conducts delicate, often secret, diplomatic relations with foreign countries, an internal audit has found.

As many as 400 of the unaccounted for laptops belong to the department’s Anti-Terrorism Assistance Program, according to officials familiar with the findings.

The program provides counterterrorism training and equipment, including laptops, to foreign police, intelligence and security forces.

Ironically, the Anti-Terrorism Assistance Program is administered by the State Department’s Bureau of Diplomatic Security (DS), which is responsible for the security of the department’s computer networks and sensitive equipment, including laptops, among other duties. It also protects foreign diplomats during visits here.

April 20, 2008
* Freedom of the Cyber Seas - U.S. Cybersecurity Policy

Freedom of the Cyber Seas - "How lessons from the U.S. government's response to pirates in the early 1800s can help the next president of the United States improve information security," Aaron Turner & Michael Assante, April 10, 2008.

  • "In modern times, the nearly ubiquitous availability of powerful computing systems, along with the proliferation of high-speed networks, have converged to create a new version of the high seas--the cyber seas. The Internet has the potential to significantly impact the United States' position as a world leader. Nevertheless, for the last decade, U.S. cybersecurity policy has been inconsistent and reactionary. The private sector has often been left to fend for itself, and sporadic policy statements have left U.S. government organizations, private enterprises and allies uncertain of which tack the nation will take to secure the cyber frontier."
  • April 18, 2008
    * Computerworld Guide to Removing Data From Your Hard Drive

    "With stories surfacing on news channels regularly about lost or stolen data or the ability to recover data from discarded or resold computers and their hard drives, Computerworld decided to look at some cheap methods of removing that sensitive data from your hard drive permanently. And, what better place to look than YouTube?"

  • Related postings on PC hard drives
  • April 08, 2008
    * Treasury OIG Audit: Inadequate Security Controls Over Routers and Switches Jeopardize Sensitive Taxpayer Information

    Inadequate Security Controls Over Routers and Switches Jeopardize Sensitive Taxpayer Information, March 26, 2008. Reference Number: 2008-20-071

  • "Because the IRS sends sensitive taxpayer and administrative information across its networks, routers on the networks must have sufficient security controls to deter and detect unauthorized use. Access controls for IRS routers were not adequate, and reviews to monitor security configuration changes were not conducted to identify inappropriate use. A disgruntled employee, contractor, or hacker could reconfigure routers and switches to disrupt computer operations and steal taxpayer information in a number of ways, including diverting information to unauthorized systems."
  • March 25, 2008
    * DOE OIG: Office of Intelligence and Counterintelligence Internal Controls Over DOE's Sensitive Compartmented Information Access Program

    DOE OIG Inspection Report: Office of Intelligence and Counterintelligence Internal Controls Over the Department of Energy's Sensitive Compartmented Information Access Program, March 2008 - "We concluded that Office of Intelligence and Counterintelligence did not have adequate internal controls over its Sensitive Compartmented Information (SCI) access program."

    February 24, 2008
    * Research Paper: Cold Boot Attacks on Encryption Keys

    Lest We Remember: Cold Boot Attacks on Encryption Keys, J. Alex Haldermany, Seth D. Schoenz, Nadia Heningery, William Clarksony, William Paulx, Joseph A. Calandrinoy, Ariel J. Feldmany, Jacob Appelbaum, and Edward W. Felteny. Princeton University, Electronic Frontier Foundation, Wind River Systems. February 21, 2008.

    • Introductory blog post

    • Frequently asked questions

    • Experiment guide

    • Videos and images

    • Abstract: "Contrary to popular assumption, DRAMs used in most modern computers retain their contents for seconds to minutes after power is lost, even at room temperature and even if removed from a motherboard. Although DRAMs become less reliable when they are not refreshed, they are not immediately erased, and their contents persist sufficiently for malicious (or forensic) acquisition of usable full-system memory images. We show that this phenomenon limits the ability of an operating system to protect cryptographic key material from an attacker with physical access. We use cold reboots to mount successful attacks on popular disk encryption systems using no special devices or materials. We experimentally characterize the extent and predictability of memory remanence and report that remanence times can be increased dramatically with simple techniques. We offer new algorithms for finding cryptographic keys in memory images and for correcting errors caused by bit decay. Though we discuss several strategies for partially mitigating these risks, we know of no simple remedy that would eliminate them."

    February 17, 2008
    * White Paper - Wireless Security: Past, Present and Future

    CODENOMICON White Paper - Wireless Security: Past, Present and Future, by Sami Petäjäsoja, Tommi Mäkilä, Mikko Varpiola, Miikka Saukko and Ari Takanen, Version 1.0, February 1st, 2008

  • "New wireless technologies such as WiMAX, NFC and ZigBee are rapidly being adopted, along with existing wireless standards such as Bluetooth, Wi-Fi, GSM and other cellular technologies. Bluetooth and Wi-Fi have already become notorious for severe security shortcomings during their relatively brief existence. New vulnerabilities and exploits are reported and demonstrated every week on live public networks. The credibility of these wireless technologies has been damaged by security incidents, stemming from fundamental problems in requirement gathering, implementation quality and protocol design. Despite boasts of hardened security measures, security researchers and black-hat hackers keep humiliating vendors. On the other hand, GSM and various descendant technologies have been almost 100 percent free of security incidents...This paper draws from the past and current state of existing wireless technologies and reflects experiences with emerging technologies. It describes how robustness-testing techniques can be used to assess the security of the available implementations and give statistics about the current state of affairs of Bluetooth and Wi-Fi. Quality and reliability improvements in these implementations will lead directly to decreased development and deployment costs, as well as increased public acceptance and faster adoption."
  • February 11, 2008
    * Educational Security Incidents (ESI) Year in Review - 2007

    Educational Security Incidents (ESI) Year in Review - 2007: "By Adam Dodge - Posted on February 10, 2008: "The ESI Year in Review - 2007 examines all of the information security incidents occurring at colleges and universities around the world as reported in the news during 2007. 2007 marked a significant change for information security incidents reported in the news. Among the changes are an increase in both the number of incidents reported and the number of institutions reporting a breach as well as the addition to new categories such as incident type "Employee Fraud" and information type "Username and Password".

    February 10, 2008
    * One person in eight in the EU27 avoids e-shopping because of security concerns

    Press release: "In connection with the 5th Safer Internet Day1 on 12 February 2008, Eurostat, the Statistical Office of the European Communities, presents a selection of statistics concerning internet activities, security concerns and virus attacks. The Safer Internet Day is part of a global drive to promote a safer Internet for all users, in particular younger people, and is organised by Insafe, a European internet safety network co-funded by the European Commission...In the EU27 in 2007, nearly a quarter of internet users had had a computer virus in the preceding 12 months, which resulted in a loss of information or time. Virus attacks were most frequent in Lithuania (41% of users), Slovenia (35%) and Malta (34%) and least common in the Czech Republic (7%), Estonia (15%) and Sweden (16%)."

    February 08, 2008
    * Census Has Improved Accountability for Laptops and Other Personal Property, But Additional Improvements Are Needed

    Department of Commerce OIG - Census Has Improved Accountability for Laptops and Other Personal Property, But Additional Improvements Are Needed -- Audit: Census-18387-1 [PDF] Report

    February 06, 2008
    * Cisco Study on Remote Workers Reveals Need for Greater Diligence Toward Security

    "Cisco® today announced key findings from its annual global study on remote workers' security awareness and online behavior, indicating how they can inadvertently heighten risks for themselves and the companies they work for. The study's findings are prompting Cisco security executives to offer recommendations to information technology (IT) professionals on how to protect their companies against threats and maximize the business benefits of distributed and mobile workforces."

    January 31, 2008
    * Minimizing the Effect of Malware on Your Computer: FTC Offers Information on Protecting, Reclaiming Your Computer

    "Criminals are hard at work thinking up creative ways to get malware on your computer, warns the Federal Trade Commission. With appealing Web sites, desirable downloads, and compelling stories, these criminals try to lure consumers to links that will download malware, especially on computers that don’t use adequate security software. Then, they use the malware – malicious software – to steal personal information, send spam, and commit fraud. A new publication from the FTC has information that could help consumers protect their computers against malware and reclaim their computer and electronic information if malware is already on their computer. The publication, Minimizing the Effects of Malware, provides tips on spotting malware, and urges consumers to act immediately if they suspect their computer is affected by malware."

    January 24, 2008
    * Sensitive Data Retrieved From Used Government Tapes

    Press release: "Congresswoman Betty McCollum (MN-04), has sent a letter to the Government Accountability Office asking that it reopen its investigation of the privacy and national security risks posed by government agencies reselling used magnetic data tapes that may once have contained large amounts of sensitive personal and government information. Researchers working for Imation, an Oakdale, MN-based corporation that produces magnetic data tapes, were able to recover a wide range of sensitive information from used data tapes that were supposedly wiped clean before being re-sold. Using readily available equipment and information, Imation investigators found out where the tapes originated and recovered bank account numbers, expense reports, employee tax and benefit information, and other sensitive data."

    January 21, 2008
    * Department of Commerce Breach Notification Response Plan

    Department of Commerce Breach Notification Response Plan, September 28, 2007 (21 pages, PDF)

  • This Plan identifies key Department officials who will serve on the Identity Theft Task Force (ID Theft Task Force) to develop strategies for handling data security breaches, including those incidents posing a potential risk of identity theft. In addition, the Plan specifies the responsibilities of the ID Theft Task Force, whose mission is to provide advance planning, guidance, in-depth analysis, and a recommended course of action in response to a data breach/loss. In the event of a data breach/loss declared by a Department Bureau/Office to be of moderate or high risk, the ID Theft Task Force will be convened promptly, conduct a risk analysis to validate the level of risk associated with the loss, review all relevant compensating controls in place to protect the data after the loss, determine whether the breach poses risks related to identity theft or other harms,3 and timely implement a risk-based, tailored response to
    each breach. As part of this process, the ID Theft Task Force will consider all existing compensating controls available to protect PII data after loss."

  • Network Working Group of the Internet Engineering Task Force, request for comments (RFC), Network Ingress Filtering: Defeating Denial-of-Service Attacks Which Employ IP Source Address Spoofing, May 2000
  • December 29, 2007
    * Draft Guide for Assessing the Security Controls in Federal Information Systems

    SP 800-53 A - DRAFT Guide for Assessing the Security Controls in Federal Information Systems: "NIST announces the release of Draft Special Publication 800-53A, Guide for Assessing the Security Controls in Federal Information Systems. This final public draft provides comprehensive assessment procedures for all security controls in NIST Special Publication 800-53 (as amended) and important guidance for federal agencies in building effective security assessment plans. Comments will be accepted until January 31, 2008...Final publication of NIST Special Publication 800-53A is expected in March 2008."

  • draft-SP800-53A-fpd-sz.pdf

  • draft-SP800-53A-fpd-sz.zip

  • Federal Information Security Management Act
  • December 05, 2007
    * CRS Report - Botnets, Cybercrime, and Cyberterrorism

    Botnets, Cybercrime, and Cyberterrorism: Vulnerabilities and Policy Issues for Congress, Updated November 15, 2007. "Cybercrime is becoming more organized and established as a transnational business. High technology online skills are now available for rent to a variety of customers, possibly including nation states, or individuals and groups that could
    secretly represent terrorist groups. The increased use of automated attack tools by cybercriminals has overwhelmed some current methodologies used for tracking Internet cyberattacks, and vulnerabilities of the U.S. critical infrastructure, which are acknowledged openly in publications, could possibly attract cyberattacks to extort money, or damage the U.S. economy to affect national security...This report discusses options now open to nation states, extremists, or terrorist groups for obtaining malicious technical services from cybercriminals to meet political or military objectives, and describes the possible effects of a coordinated cyberattack against the U.S. critical infrastructure."

    November 24, 2007
    * 2007 Identity Theft Resource Center Breach List

    "...the Identity Theft Resource Center (ITRC) has been tracking security breaches for the past three years, looking for patterns, new trends and any information that may help us better protect data and assist companies in their activities...In 2006, there were in excess of 315 publicized breaches affecting nearly 20 million individuals. Based on ITRC’s categorization, the breaches break down as follows: 29% government/military agencies; 28% from educational institutions; 22% from general businesses; 13% from health care facilities / companies; and 8% from banking / credit / financial services entities. In 2005, there were 158 incidents affecting more than 64.8 million people."

  • 2007 Identity Theft Resource Center Breach List

  • 2007 Identity Theft Resource Center Breach Stats Report


  • "The Identity Theft Resource Center® released an important report [November 19, 2007] discussing the impact of identity theft victimization. This report was not based on a census survey but rather one that invited confirmed victims of identity theft in 2006 to respond to a series of 44 questions. These ranged from the emotional impact this crime has had on their lives and their ability to recover their good name to the financial loss to the business community in goods and services."
  • Identity Theft: The Aftermath 2006, Conducted by the Identity Theft Resource Center® (ITRC), With comparisons to The Aftermath 2003, 2004, 2005 Surveys

  • November 23, 2007
    * 101 Best Web Freebies - BusinessWeek

    101 Best Web Freebies - BusinessWeek.com scoured the Internet for the most useful free products and services available online that you probably don't know about, by Douglas MacMillan. This 45 screen slideshow includes graphics and links to recommended products by category - tech tools, personal finance, career, entertainment, print media, research, health, online learning, PC security.

    November 17, 2007
    November 15, 2007
    * Wi-Fi piggybacking widespread, Sophos research reveals

    Press release, November 15, 2007: "IT security and control firm Sophos has revealed new research into the use of other people's Wi-Fi networks to piggyback onto the internet without payment. The research, carried out by Sophos on behalf of The Times, shows that 54 percent of computer users have admitted breaking the law, by using someone else's wireless internet access without permission. According to Sophos, many internet-enabled homes fail to properly secure their wireless connection with passwords and encryption, allowing freeloading passers-by and neighbours to steal internet access rather than paying an Internet Service Provide (ISP) for their own. In addition, while businesses often have security measures in place to protect the Wi-Fi networks within their offices from attack, Sophos experts note that remote users working from home could prove to be a weak link in corporate defenses."

    November 07, 2007
    * Guide to Optimizing Investments in Security Countermeasures

    Optimizing Investments in Security Countermeasures: A Practical Tool for Fixed Budgets, by Jonathan Caulkins and Nancy R. Mead, September/October 2007 edition of IEEE Security and Privacy Magazine. "In the article, the team presents a tool and methodology they developed for software engineers and their clients to help them make security decisions when resources are limited."

    October 21, 2007
    * CDT Comments on FTC's Spyware Principles

    CDT: "As it seeks models to address the mounting issues surrounding online behavioral targeting, the Federal Trade Commission (FTC) should begin by applying the principles it developed to guide its anti-spyware enforcement efforts, CDT said today. In comments submitted to the FTC in advance of its upcoming "town hall" meeting on behavioral advertising, CDT pointed out that the FTC's principles -- which center around the core concept that consumers should have ultimate control over their computers -- are directly applicable to behavioral advertising. In addition to filing its own comments, CDT also joined with other public interest advocates in offering a list of important questions the FTC must address over the course of the two-day meeting."

    October 11, 2007
    * Guidelines on Securing Public Web Servers, Version 2

    National Institute of Standards and Technology, Computer Security Division: "SP 800-44 version 2, Guidelines on Securing Public Web Servers, is published as final. It is intended to aid organizations in the installation, configuration, and maintenance of secure public Web servers. It presents recommendations for securing Web server operating systems, applications, and content; protecting Web servers through the supporting network infrastructure; and administering Web servers securely. SP 800-44 version 2 also provides guidance on using authentication and encryption technologies to protect information on Web servers."

    October 08, 2007
    * Deloitte 2007 Global Security Survey

    "Two of the key findings from this year’s Global Security Survey revolve around an organization’s people and a paradox that has been around for years. The weakest link in an organization’s security is its people. An organization’s people include employees, customers, third parties and business partners. And of those people, the highest number of breaches are perpetrated via the customer. Even though information security incidents are grabbing the attention of business executives and boards, these individuals do not yet feel that they “own” the problem. In their estimation, the execution of solutions is the mandate of IT. This information security paradox has been alive and well for years; the 2007 security survey confirms just how widespread it is."

  • Deloitte 2007 Global Security Survey (48 pages, PDF)

  • September 12, 2007
    * FTC Plays Critical Role in Online Consumer Protection

    Press release: "The FTC today told the Senate Committee on Commerce, Science & Transportation Subcommittee on Interstate Commerce, Trade and Tourism that it has a robust record in protecting consumers and preserving competition in the marketplace...Speaking for the Commission, Chairman Deborah Platt Majoras said that much of the work of the FTC’s Bureau of Consumer Protection has been devoted to data security and identity theft, technology risks to consumers, fraud in the marketing of health care products, financial practices, telemarketing fraud, and enforcement of the National Do Not Call Rule."

  • Prepared Statement of the Federal Trade Commission On Reauthorization: Major Activities, Planned Initiatives, and Legislative Recommendations, Presented by Chairman Deborah Platt Majoras Before the Subcommittee on Interstate Commerce, Trade, and Tourism of the Committee on Commerce, Science, and Transportation, United States Senate (September 12, 2007)

  • "The Federal Trade Commission (FTC) plays a central role in combating mounting online threats like spyware and phishing and must be reauthorized to continue its vital consumer protection functions, CDT told a congressional panel today. Testifying before the Senate Commerce Committee's Subcommittee on Interstate Commerce Trade and Tourism, CDT Deputy Director Ari Schwartz highlighted the agency's emergence as the lead government organization in the fight against spyware and other online scams. CDT also noted that the threats are growing in scope and sophistication and may require that the FTC be granted additional resources in the near future. September 12, 2007"
  • September 06, 2007
    * National Institute of Standards and Technology Guidelines on Active Content and Mobile Code

    August 31, 2007: Draft Special Publication 800-28 Revision 2 Guidelines on Active Content and Mobile Code (60 pages, PDF)

  • "SP 800-28 version 2 is now available for public comment. It provides an overview of active content and mobile code technologies in use today and offers insights for making informed IT security decisions on their application and treatment. Active content refers to electronic documents that contain embedded software components, including mobile code; examples of mobile code are JavaScript, VBScript, Java applets, and ActiveX controls. The publication gives details about the active content and mobile code threats, technology risks, and safeguards for end user systems. SP 800-28 version 2 updates the original version of SP 800-28, which was released in 2001. NIST requests comments on NIST SP 800-28 version 2 by October 12, 2007."

  • * DOT OIG Analysis of Loss of Control Over Sensitive Personally Identifiable Information

    Analysis of Loss of Control Over Sensitive Personally Identifiable Information and Follow-up Actions to Strengthen its Protection, August 28, 2007. Correspondence (23 pages, PDF)

  • Summary: "On August, 28, 2007 we issued a memorandum on our analysis of the circumstances surrounding the July 27, 2006 theft of an OIG laptop from a government vehicle in Doral, Florida and a prior theft that had occurred on April 24, 2006 from a hotel conference room in Orlando, Florida. Both laptops contained Sensitive Personally Identifiable Information (SPII) information on 138,000 individuals that heightened their potential risk of identity theft. Following our notification of the July theft, Members of the Florida congressional delegation requested that we examine our procedures for handling and storing such information and identify steps we have taken to ensure that such a breach would not happen again...We identified three interrelated factors that contributed to the loss of our control over the sensitive personal information stored on the laptops:(1) measures taken to protect the physical security of the laptops were insufficient; (2) the data on the laptops had been decrypted to preserve the data during an upgrade to the OIG's information technology (IT) system; and (3) SPII databases were stored on laptop computers, which are inherently less secure than computers that operate in a centralized environment. The memorandum also sets forth the steps we have taken to improve the physical security of our laptops and improve how sensitive personal information is handled and stored."
  • August 30, 2007
    * NIST Guide to Secure Web Services

    August 29, 2007: "NIST announces the publication of Special Publication (SP) 800-95, Guide to Secure Web Services (128 pages, PDF). SP 800-95 seeks to assist organizations in understanding the challenges in integrating information security practices into Service Oriented Architecture (SOA) design and development based on Web services. The publication also provides practical, real-world guidance on current and emerging standards applicable to Web services, as well as background information on the most common security threats to SOAs based on Web services. SP 800-95 presents information that is largely independent of particular hardware platforms, operating systems, and applications. Supplementary security devices (i.e., perimeter security appliances) are considered outside the scope of this publication. Interfaces between Web services components and supplementary controls are noted as such throughout this publication on a case-by-case basis."

    August 11, 2007
    * Article Examines Corporate Responsibility for Compromised Personal Records

    Erickson, K., & Howard, P. (2007). A case of mistaken identity? News accounts of hacker, consumer, and organizational responsibility for compromised digital records. Journal of Computer-Mediated Communication, 12(4), article 5.

  • "The computer hacker is one of the most vilified figures in the digital era, but to what degree are organizations actually responsible for compromised personal records? To examine the role of organizational behavior in privacy violations, we analyze 589 incidents of compromised data between 1980 and 2006. There were more reported incidents in 2005 and 2006 than in the previous 25 years combined. Excluding a particularly large security breach at Acxiom, hackers account for the largest volume of compromised records, some 45%, while 27% of the volume is attributed to organizational mismanagement and 28% remains unattributed. In terms of incidents, 9% were an unspecified type of breach, 31% of the incidents involved hackers, and 60% of the incidents involved organizational mismanagement: personally identifiable information accidentally placed online, missing equipment, lost backup tapes, or other administrative errors. Options for public policy oversight are discussed."
  • August 08, 2007
    * FTC Offers Tips for Laptop Security

    "Consumers can take many measures to make their laptop secure from hackers, viruses, and other potential threats, such as installing firewalls, updating antivirus software, and using strong passwords. Now, the Federal Trade Commission is offering tips for protecting laptops from theft."

  • OnGuard Online – Laptop Security
  • August 06, 2007
    * Consumer Report's 2007 State of the Net

    "The risk associated with using the Internet remains high. Our State of the Net assesses the likelihood and impact of four leading online hazards, listed in order of incidence, based on the survey by the Consumer Reports National Research Center and our follow-up investigation."

  • In this report: Overview >> Phishing >> Viruses >> Spam >> Social networking >> A safer net >> How criminals deceive >> Where criminals plot >> State of the Net >> Properly erasing hard drives >> Ways to stay safe online >> Canadian online security
  • March 18, 2007
    * University of Washington Report on Data Breaches Faults Companies for Organizational Mismanagement

    Press release: "If Assistant Professor of Communication at the University of Washington Phil Howard's calculations prove true, by year's end the 2 billionth personal record -- some American's social-security or credit-card number, academic grades or medical history -- will become compromised, and it's corporate America, not rogue hackers, who are primarily to blame. By his reckoning, electronic records in the United States are bleeding at the rate of 6 million a month in 2007, up some 200,000 a month from last year."

  • The World Information Access Project Report for 2007 will be available here
  • March 16, 2007
    * 2006 Annual Report Issued by Internet Crime Complaint Center

    Press release: "The FBI’s Internet Crime Complaint Center (IC3) today released its annual Internet Fraud Crime Report. From January 1 through December 31, 2006, the center received 207,492 complaint submissions. These filings were composed of fraudulent and non-fraudulent complaints primarily related to the Internet and included many different fraud types to include auction fraud, non-delivery, and credit/debit card fraud, as well as non-fraudulent complaints, such as computer intrusions, spam/unsolicited email..."

  • Report summary and highlights

  • e Internet Crime Complaint Center (IC3) is a joint project of the FBI and the National White Collar Crime Center. The entire 2006 Internet Fraud Crime Report, PDF
  • March 05, 2007
    * USPTO Report Finds Inadvertent Filesharing Threatens Personal, Government and Corporate Data

    Press release: "...the Department of Commerce's United States Patent and Trademark Office (USPTO) released a report that concludes that the distributors of five popular filesharing programs repeatedly deployed features that they knew or should have known could cause users to share files inadvertently. The report, Filesharing Programs and "Technological Features to Induce Users to Share, identifies five features in recent versions of five popular filesharing programs that could cause users to inadvertently distribute to others downloaded files or their own proprietary or sensitive files. "Computer programs that can cause unintended filesharing contribute to copyright infringement, and they threaten the security of personal, corporate, and governmental data," noted Jon Dudas, under secretary of commerce for intellectual property-the Bush Administration's point person on copyright policy."

    March 03, 2007
    March 01, 2007
    * Paper on Disk Failures in the Real World

    Follow up to February 19, 2007 posting, Google Publishes Study on Failure Rates of Hard Disk Drives, from the 5th USENIX Conference on File and Storage Technologies and Awarded Best Paper, Disk Failures in the Real World: What Does an MTTF of 1,000,000 Hours Mean to You?

  • "Component failure in large-scale IT installations is becoming an ever larger problem as the number of components in a single cluster approaches a million. In this paper, we present and analyze field-gathered disk replacement data from a number of large production systems, including high-performance computing sites and internet services sites. About 100,000 disks are covered by this data, some for an entire lifetime of five years. The data include drives with SCSI and FC, as well as SATA interfaces."
  • February 22, 2007
    * Comprehensive Emergency Management Program - Model for State and Territorial Courts

    A Comprehensive Emergency Management Program - A Model for State and Territorial Courts 2007 , February 2007 (187 pages, PDF).

  • "A Comprehensive Emergency Management Program (EMP) consists of... six elements [Program Management Program Management, Prevention, Preparedness, Response, Recovery, Training]...As new plans and programs that address one or more of these elements are developed, they will become available via this website".
  • February 19, 2007
    * Google Publishes Study on Failure Rates of Hard Disk Drives

    Failure Trends in a Large Disk Drive Population, Eduardo Pinheiro, Wolf-Dietrich Weber, Luiz André Barroso, 5th USENIX Conference on File and Storage Technologies (FAST 2007), 2007

  • "We have built an infrastructure that collects vital information about all Google's systems every few minutes, and a repository that stores these data in timeseries format (essentially forever) for further analysis. The information collected includes environmental factors (such as temperatures), activity levels and many of the Self-Monitoring Analysis and Reporting Technology (SMART) parameters that are believed to be good indicators of disk drive health. We mine through these data and attempt to find evidence that corroborates or contradicts many of the commonly held beliefs about how various factors can affect disk drive lifetime. Our paper is unique in that it is based on data from a disk population size that is typically only available from vendor warranty databases, but has the depth of deployment visibility and detailed lifetime follow-up that only an end-user study can provide."
  • February 15, 2007
    February 12, 2007
    January 31, 2007
    * EPA OIG Report Highlights Need for Improved Controls Over Mainframe System Software

    2007-P-00008 EPA Could Improve Controls Over Mainframe System Software [Report PDF - 35 pages] [At a Glance -PDF] January 29, 2007.

    January 30, 2007
    * National Infrastructure Advisory Council Final Report on Cyber Threats

    Convergence of Physical and Cyber Technologies and Related Security Management Challenges Working Group Final Report and Recommendations (PDF, 42 pages), January 19, 2007 and Transmittal Letter (PDF, 2 pages), January 19, 2007.

    January 26, 2007
    * Anti-Spyware Coalition Releases Best Practices Documents For Public Comment

  • Best Practices Suggestions Document: "Building upon the Definitions and Risk Model documents, the Best Practices document aims to expand past defining what behaviors and consent factors will currently make software potentially unwanted and to focus upon making the marketplace better. This document highlights the sorts of technological behaviors that limit the negative impact of potentially unwanted technologies." Public Comment Draft (January 25, 2007) [HTML|PDF]

  • Conflicts Resolution Document
    Anti-Spyware software, as part of its operation, regularly interfaces with parts of a computer's operating system that control specific and low-level pieces of architechture. Multiple pieces of software all attempting to operate on the same low-level controls can cause conflicts. This document is intended to provide voluntary guidelines within the Anti-Spyware industry to assist in avoiding and resolving conflicts between suites of Anti-Spyware software and to better serve consumers. Public Comment Draft (January 25, 2007) [HTML|PDF]
  • * Federal Chief Information Officer Council Strategic Plan FY 2007-2009

    Federal Chief Information Officer Council Strategic Plan FY 2007-2009 (28 pages, PDF), January 17, 2007.

  • "The CIO Council works to improve agency practices related to the acquisition, modernization, use, sharing, and performance of Federal government information resources."
  • January 24, 2007
    * Use of Workplace Technology Continues Despite Policies

    LexisNexis press release: "Most office workers use workplace technology for personal reasons; many may be ignoring employer policies, new research shows...Despite the fact that nearly one-half (45%) of office workers have been explicitly informed their at-work technology usage is monitored, a majority still use their employers’ technology resources for personal reasons, according to a new survey conducted by Harris Interactive®..."

    January 19, 2007
    * Free Acrobat for Legal Professionals eSeminar on 1/25

    Covers PDF creation, security, Bates numbering, redaction, eFiling and more. Sign Up Here.

    January 17, 2007
    January 10, 2007
    * Cisco Announces Agreement to Acquire IronPort

    Press release, January 4, 2007: "Cisco today announced a definitive agreement to acquire the privately held company, IronPort Systems, Inc. of San Bruno, Calif. IronPort is a leading provider of messaging security appliances, focusing on enterprise spam and spyware protection."
    Related news:

  • News.com - "Cisco Systems' purchase of e-mail security specialist IronPort Systems is another sign that big-name vendors are taking over the spam fight, analysts say."

  • Press release: "RSA, The Security Division of EMC, announced today that its 24x7 Anti-Fraud Command Center (AFCC) has uncovered a new phishing kit being sold and used online by fraudsters. This new kit, a Universal Man-in-the-Middle Phishing Kit, is designed to facilitate new and sophisticated attacks against global organizations in which the victims communicate with a legitimate web site via a fraudulent URL set by the fraudster. This allows the fraudster to capture victims' personal information in real-time."
  • January 04, 2007
    * DOJ OIG Report on Protecting Laptop Security

    Improved Administration Can Enhance U.S. Customs and Border Protection Laptop Computer Security (Redacted), OIG-07-16 (PDF, 37 pages), January 4, 2007.

    December 26, 2006
    December 25, 2006
    * DoD Blocks Use of HTML Email and Outlook

    Federal Computer Week reported that the Department of Defense has banned the use of Outlook and receipt of HTML email due to threats posed by spyware and viruses.

    December 21, 2006
    * Consumer Reports Launches Online Electronics Reuse and Recycling Center

    Press release: "Consumer Reports' environmental website has
    launched an online Electronics Reuse and Recycling Center. The Center features thoroughly researched, unbiased, expert advice to help de-clutter your home and solve the huge and growing problem of electronics waste. It also features the results of a March 2006 nationwide, online survey including information about why people replace their electronics and what they did with their old equipment."

  • Related postings on e-waste
  • November 30, 2006
    * Guide to Securing Your IT Infrastructure

    From Bank System and Technology:

  • The Top 10 Information Security Myths - "If you buy into all of these commonly held beliefs, you'd better believe your data is at risk. We separate the facts from fiction."

  • Top 10 Most Overlooked Aspects of IT Security
  • November 29, 2006
    * New EU Communication on Spam

    Press release: "The Commission today called on all regulatory authorities and stakeholders in Europe to step up the fight against spam, spyware and malicious software. Despite existing EU legislation to outlaw spam in Europe, Europe continues to suffer from illegal online activities from inside the EU and from third countries, the Commission underlines in a new Communication. The Communication stresses that although internet safety is on the political agenda for some time, national authorities should step up their actions to prosecute illegal online activities."

  • Related press release: "Sophos, a world leader in IT security, has published its latest report on the top twelve spam relaying countries over the third quarter of 2006. Sophos experts believe that a possible reason for America's increasing lead in relayed spam when compared to its closest rival, China, is the emergence of over 300 strains of the mass-spammed Stratio worm."
  • November 28, 2006
    * DOT Status Report on OIG Data Security

    Status Report on OIG Data Security via the Data Security Portal: "Our November 21, 2006, status report notes several important developments, including the fact that as a result of our investigation in cooperation with the Federal Bureau of Investigation and the Miami-Dade County Police Department, two individuals have been arrested for their alleged roles in a small Miami-area laptop theft ring. While the OIG's laptops have not been recovered, there has been no credit fraud resulting from the laptop thefts and we believe that the risk of credit fraud in the future is very low. A firm hired to perform data breach analysis has failed to find any misuse of information on the laptops, and will continue to analyze the information..."

    November 20, 2006
    * GAO Report On Need for Agency Policies to Test Information Security

    Information Security: Agencies Need to Develop and Implement Adequate Policies for Periodic Testing. Full text, GAO-07-65, and Highlights, October 20, 2006.

    November 16, 2006
    * Symantec Phish Report Network Opens to Consumers Worldwide

    Press release: "Symantec Corp...announced the opening of the Symantec Phish Report Network to consumers worldwide. As one of the world's leading antifraud communities, the Symantec Phish Report Network, launched in May 2006, allows member companies to contribute and receive fraudulent Web site addresses that they can use in their antiphishing solutions to help protect users from online fraud. Consumer input further helps the Symantec Phish Report Network's fight against online fraud and will aid in preventing other computers users from becoming victims."

  • See also "PhishTank...a free community site where anyone can submit, verify, track and share phishing data."
  • November 13, 2006
    * Court Shuts Down Media Motor Spyware Operation

    Press release: "A U.S. district court has shut down an operation that secretly downloaded multiple malevolent software programs, including spyware, onto millions of computers without consumers’ consent, degrading their computers' performance, spying on them, and exposing them to a barrage of disruptive advertisements. The Federal Trade Commission has asked the court to order a permanent halt to these deceptive and unfair downloads, and to order the outfit to give up its ill-gotten gains."
    Federal Trade Commission, Plaintiff, v. ERG Ventures

  • Ex Parte Temporary Restraining Order and Order to Show Cause

  • Complaint for Injunctive and Other Equitable Relief

  • November 12, 2006
    * Recycling of E-Waste Continues to Lag

    Follow-up to previous postings on e-waste, see this New York Times article, Clearing a path from desktop to the recycler, by Paul Vitello. "The Environmental Protection Agency estimates that people threw away 2.5 million tons of electronic equipment, known as e-waste, last year, about 10 percent of which was recycled."

    November 01, 2006
    * New DHS OIG Reports on Classified Laptop Computer Security

  • Improved Administration Can Enhance U.S. Customs and Border Protection Classified Laptop Computer Security, Unclassified Summary, OIG-06-64 (PDF, 3 pages) November 1, 2006.

  • Improved Administration Can Enchance Science and Technology Classified Laptop Computer Security, OIG-06-63, Unclassified Summary, (PDF, 3 pages) November 1, 2006.
  • October 27, 2006
    * Symantec Releases New Internet Security Threat Report

    "The Symantec Internet Security Threat Report offers analysis and discussion of threat activity over a six-month period. It covers Internet attacks, vulnerabilities, malicious code, phishing, spam, security risks, and future trends. The tenth version of the report, released September 25, is now available."

  • Symantec Internet Security Threat Report Volume X: September 2006 (120 pages, PDF)
  • October 13, 2006
    * Committee Report Finds Data Breaches Throughout Federal Government

    Press release: "In a report released today, Reps. Davis and Waxman summarize information provided to the Committee by 19 federal departments and agencies regarding the loss or compromise of personal information since January 2003. The report finds that every agency has experienced at least one such breach and that the agencies do not always know what information has been lost or how many individuals could be affected."

    Key Conclusions:

  • 1. Data loss is a government-wide occurrence.
  • 2. Agencies do not always know what has been lost.

  • 3. Physical security of data is essential.

  • 4. Contractors are responsible for many of the reported breaches.

  • October 13, 2006 - Staff Report Agency Data Breaches Since January 1, 2003

  • Agency Response Letters Part One

  • Agency Response Letters Part Two

  • Related postings on ID theft and cybercrime

  • OMB issued a memorandum of Recommendations for Identity Theft Related Data Breach Notification, from Clay Johnson, Deputy Director for Management, September 22, 2006

  • October 12, 2006
    * CMO Council Survey on ID Theft Tracks Growing Consumer Concern

    Press release, October 4, 2006: "As information security concerns among consumers and other customer constituencies rise, just 29 percent of marketers say that their firm has a crisis containment plan in case of a security breach, according to findings of a major research initiative by the Chief Marketing Officer (CMO) Council. Without such a plan and other security strategies in place, companies are at risk of losing hundreds of million of dollars in market value and loss of reputation and brand trust, according to the study's findings."

  • The CMO Council's full report is available for purchase, and an 18 page PDF version as follows: Secure the Trust of Your Brand - Assessing the Mindset of Consumers, 2006.
  • October 11, 2006
    * New Coalition Website Takes Aim Against Cybercrime

    Launched today, the Take a Byte Out of Cybercrime website: "Led by the beloved McGruff character, the National Crime Prevention Council, the CMO Council and FAME have joined forces to bring together one of the largest and most influential coalitions of private and public companies whose primary goal is to teach millions of consumers how to identify, report and protect themselves against cyber crime." [download the tip sheets]

    October 09, 2006
    * DHS OIG Audit of Agency Laptop Security

    (U) Office of Inspector General Laptop Computers are Susceptible to Compromise (Unclassified and Redacted) OIG-06-58 (PDF, 48 pages), released October 2, 2006.

    September 14, 2006
    * DOD OIG Audit of Information Assurance Weaknesses

    Department of Defense Office of the Inspector General -- Audit Summary of Information Assurance Weaknesses Found in Audit Reports Issued from August 1, 2005, through July 31, 2006 - Report No. D-2006-110 (PDF) - Date: September 14, 2006.

  • "This report summarizes information assurance weaknesses that the Government Accountability Office, the DoD Office of the Inspector General, the Army Audit Agency, the Naval Audit Service, and the Air Force Audit Agency reported between August 1, 2005, and July 31, 2006. It supports the Federal Information Security Management Act of 2002, which requires agencies submit to the Office of Management and Budget the results of an annual independent evaluation of the effectiveness of their information security programs and practices. The evaluation should include testing of the effectiveness of information security policies, procedures, and practices of a subset of the agency’s information systems and may be based, in whole or in part, on an audit, evaluation, or report relating to agency programs or practices. This report is the eighth information assurance summary report issued by the DoD Office of the Inspector General since January 1999."
  • * Operation Cyber Storm Report Released by DHS

    Press release: "The U.S. Department of Homeland Security (DHS) announced today the release of the Cyber Storm Public Exercise Report. The report details key findings from Cyber Storm which was the largest and most complex multi-national, government-led cyber exercise to examine response, coordination, and recovery mechanisms to a simulated cyber event within international, federal, state, and local governments and in conjunction with the private sector."

  • Fact Sheet: Cyber Storm Exercise

  • Department of Homeland Security, National Cybersecurity Division: Cyber Storm Exercise Report, September 13, 2006 (23 pages, PDF).

  • See also Critical Infrastructure Protection: DHS Leadership Needed to Enhance Cybersecurity, Full text GAO-06-1087T, and Highlights, September 13, 2006 - "DHS faces a number of challenges that have impeded its ability to fulfill its cybersecurity responsibilities, including establishing effective partnerships with stakeholders, demonstrating the value it can provide to private sector infrastructure owners, and reaching consensus on DHS's role in Internet recovery and on when the department should get involved in responding to an Internet disruption."
  • September 04, 2006
    * Guide to Collecting Evidence from a Running Computer

    SEARCH, The National Consortium for Justice Information and Statistics - Collecting Evidence from a Running Computer: A Technical and Legal Primer for the Justice Community, August 2006.

    August 23, 2006
    * China Downloading DoD Data According to Warfighting Info Tech Director

    Government Computer News: "China has downloaded 10 to 20 terabytes of data from the NIPRNet (DOD's Non-Classified IP Router Network)," said Maj. Gen. William Lord, director of information, services and integration in the Air Force's Office of Warfighting Integration and Chief Information Officer, during the recent Air Force IT Conference in Montgomery, Ala."

  • See also: Warfighting integration reduces inaccuracy, inefficiency
  • August 21, 2006
    * AOL CTO Resigns Amid Continuing Fallout from Data Breach

    Repercussions continue from AOL release of user data -- from News.com: Three workers depart AOL after privacy uproar and commentary by Anita Ramastry, Privacy and Search Engine Data: A Recent AOL Research Project Has Perilous Consequences for Subscribers.

    August 16, 2006
    * Washington AG Sues Companies for Violation of Anti-Spyware Law

    Press release, August 14, 2006: "Washington State Attorney General Rob McKenna... announced the filing of Washington's second lawsuit under the state's computer spyware act. The state's suit accuses four California-based corporations of installing software that takes control of a consumer's computer by launching aggressive and persistent pop-ups that demand payment for a movie download service."

  • Copy of the Movieland Complaint, (22 pages, PDF)


  • Related news and government documents:
  • April 18, 2006 press release: McKenna Announces Oregon Man to Pay Under Washington Spyware Law - $84,000 settlement first in state's Spyware Cleaner case

  • 2005 State Legislation Relating to Internet Spyware or Adware

  • 2006 State Legislation Relating to Internet Spyware or Adware

  • August 15, 2006
    * New National Survey on Enterprise Data Security Risks

    Ponemon Institute Releases National Survey on Confidential Data at Risk

  • "Stored data presents unique challenges for enterprise security, and the U.S. Survey: Confidential Data at Risk is a first-of-its-kind study on the topic. Derived from a national sampling of nearly 500 experienced information security practitioners, the survey reveals a number of key findings, including: 81 percent of companies surveyed reported the loss of one or more laptop computers containing sensitive information during the previous 12 months."
  • August 10, 2006
    * Treasury IG Report Details Increased Security Risks from Non Business Use of Email

    Inappropriate Use of Email by Employees and System Configuration Management Weaknesses Are Creating Security Risks, July 31, 2006, Reference Number: 2006-20-110 (20 pages, PDF). "We found e-mail messages that violated the IRS' personal use policy in the electronic mailboxes of 71 (74 percent) of 96 employees."

    August 07, 2006
    * StopBadware.org Begins Issuing Warnings to Google Users

    StopBadware.org Blog: "We're entering a new phase here at StopBadware.org. Google—which is one of our partners—will present people with a warning before they visit websites that have been reported to StopBadware.org as sites that distribute badware. These warnings currently link to a general page on StopBadware.org, but as we finish researching sites, we'll replace the general page with one of our individual website reports (see an example here). Hopefully this next step will bring us that much closer to fulfilling our mission of providing people with reliable, objective information about downloadable applications in order to help them make better choices."

    August 04, 2006
    * Special Report on Department of Defense's Cyber Crime Center

    Special Report | Computer forensics: The new DNA

    July 27, 2006
    * DHS OIG Report on Enhancing Laptop Computer Security

    Improved Administration Can Enhance Science and Technology Laptop Computer Security (Redacted), OIG-06-42 (PDF, 36 Pages), July 27, 2006.

    July 24, 2006
    * New Blog Focuses on Tech Policy, Civil Liberties

    "CDT launched PolicyBeta, a new blog dedicated to expanding the dialogue about technology policy, civil liberties and preserving democratic values in the digital age. PolicyBeta will feature regular posts on issues ranging from domestic surveillance to spyware, and will provide CDT experts an opportunity to discuss in detail the latest trends and developments affecting the technology policy debate. CDT is encouraging journalists, technologists, academics and interested individuals to visit the blog regularly and participate in the discussion."

    July 18, 2006
    * Hearing on Phishing Remedies

    The Subcommittee on Financial Institutions and Consumer Credit, chaired by Rep. Spencer Bachus (AL), held a hearing today entitled "ICANN and the Whois Database: Providing Access to Protect Consumers from Phishing." Government officials contend that access to Whois data is essential in the effort to combat cybercrimes, while privacy advocates maintain that access to data on domain name holders facilitates phishing, spam and other types of fraud.

  • Prepared Testimony
  • July 12, 2006
    * Forensic Investigation of State Department Computer Breaches Ongoing

    AP: "Computer break-ins at the State Department that caused broad disruptions in recent weeks apparently originated in the East Asia-Pacific region, a department spokesman said Wednesday."

  • Daily Press Briefing, Sean McCormack, State Department Spokesman
    Washington, DC, July 12, 2006
    : "First of all, the systems affected were unclassified computer systems...Our folks monitored this attempt and took immediate steps to prevent any loss of sensitive U.S. Government information. There is an ongoing forensic investigation to examine exactly what happened and to try to learn from that, but the initial findings of the investigation are that there was no compromise of sensitive U.S. Government information."
  • July 05, 2006
    * Most Large North American Organizations Subjected to Security Breaches

    Press release: "CA today announced a new security survey of 642 large North American organizations which shows that more than 84% experienced a security incident over the past 12 months and that the number of breaches continues to rise. According to the findings, security breaches have increased 17% since 2003. As a result, 54% of organizations reported lost workforce productivity; 25% reported public embarrassment, loss of trust/confidence and damage to reputation; and 20% reported losses in revenue, customers or other tangible assets. Of the organizations which experienced a security breach, 38% suffered an internal breach of security."

  • See also As data breaches pile up, OMB cracks down - Experts call for CIOs to have more authority
  • June 27, 2006
    * CDT Issues Spyware Enforcement Report

    Press release: "CDT's report charts the important cases against spyware distributors and identifies the statutes applied, June 26, 2006."

  • A Report by the Center on Democracy and Technology: Spyware Enforcement (16 pages, PDF)

  • * Security Issues For Portable Devices Increase With Data Theft Reports

    WSJ free feature: Laptop Lockdown - Companies Start Holding Employees Responsible for Security Of Portable Devices They Use for Work

  • Postings on ID theft and cybercime
  • June 26, 2006
    * OMB Memo on Protection of Sensitive Agency Information

    M-06-16, Protection of Sensitive Agency Information, June 23, 2006 (10 pages, PDF)

  • AP: Recent Government Security Breaches

  • Postings on ID Theft

  • June 22, 2006
    * 2006 Technology, Media and Telecommunications Security Survey

    The 2006 Technology, Media and Telecommunications Security Survey (16 pages, PDF), Deloitte Touche Tohmatsu: "Security has long been neglected in the Technology, Media & Telecommunications (TMT) industry and the problem continues today. The frequency and sophistication of the attacks are growing, yet many surveyed companies tend to treat security as a relatively minor issue. So where are TMT companies falling behind? More importantly, what can they do to address this increasingly significant problem?"

    June 19, 2006
    * Theft of Laptops With Personal Data Increasingly Common

    Yet another report today about the theft of a laptop from the home of a government employee, this time involving info on D.C. government personnel. The issue of why so many institutions have not implemented proper security measures, such as encryption on digital media removed from the office, remains baffling.

    June 17, 2006
    * Reliable But Not Readily Available Method to Destroy Hard Drive Data

    Researchers Find Technique to Quickly Erase Hard Drives: "Scientists at the Georgia Institute of Technology (Atlanta), working with L-3 Communications Corp. (New York), said they have developed a technique for quickly erasing hard-disk drives...The researchers concluded that permanent magnets are the best solution." [Slashdot]

    * Microsoft Security Response Center Blog

    Microsoft Security Response Center Blog

    June 10, 2006
    * Cyber Security Challenges at the Department of Energy

    Hearing, Cyber Security Challenges at the Department of Energy, June 9, 2006. [note: links to member statements and witness testimony not yet available - after an open session, there was a closed session to discuss security issues related to a previously unreported data breach.]

  • AP: DOE Computers Hacked; Info on 1,500 Taken
  • June 07, 2006
    * AOL Releases Free Home PC Security Program

    "Active Security Monitor is a software program that helps you determine how vulnerable your PC is to computer viruses, spyware and other dangers and learn what steps you can take to improve your protection. And if you have more than one PC in your home network, you can use Active Security Monitor to check the security status of your entire home network.' [Link]

    June 02, 2006
    * New Report on Enterprise Outbound Email Security

    Outbound Email and Content Security in Today's Enterprise, 2006 (free reg. reg'd): "Enterprises are becoming increasingly concerned about creating, managing and enforcing outbound email policies that ensure that messages leaving the organization comply with both internal rules as well as external regulations."

    June 01, 2006
    * Online Fraud Report 2006

    Press release: "A new cyber security study released today highlights the difference between perception and reality of consumers' awareness of online scams and their actual online behavior. While 87 percent of consumers polled said they were confident they could recognize fraudulent e-mails, 61 percent failed to identify a legitimate e-mail. Most respondents categorized all e-mails in the study as fake, even though one of them was legitimate. The Online Fraud Report has been sponsored by the National Cyber Security Alliance (NCSA), a central clearinghouse for cyber security awareness and education for home users, small businesses and the education community, and Bank of America."

    May 18, 2006
    * FTC Guide For Protecting Consumer Wireless Networks

    Press release: "Wireless Internet access can free you from the confines of cords, but not from the need for security. Without taking the proper precautions, it's easy for others to use your wireless network connection to access the Internet, or even to access the information on your own computer. The Federal Trade Commission is introducing a new section of OnGuard Online to teach computer users how to protect their personal wireless network connections – and the computers on them – from unauthorized use. The information also is available in Spanish."

    May 15, 2006
    * Comparison of Major Search Engines Ranks Their Safety

    The Safety of Internet Search Engines (Google, Yahoo, MSN, AOL, Ask), May 12, 2006, by Ben Edelman and Hannah Rosenbaum.

  • "Abstract: We compare safety of leading search engines, using SiteAdvisor's automated Web site ratings. We find most leading search engines similar in the safety of the sites they link to, though MSN is the safest and Ask lags noticeably behind. Across search engines, we find sponsored results significantly less safe than search engines' organic results."


  • May 10, 2006
    * Committee Report to Accompany the Data Accountability and Trust Act

    "The Committee on Energy and Commerce, to whom was referred the bill (H.R. 4127) to protect consumers by requiring reasonable security policies and procedures to protect computerized data containing personal information, and to provide for nationwide notice in the event of a security breach, having considered the same, report favorably thereon with an amendment and recommend that the bill as amended do pass." [House Report 109-453 - Part 1 - Data Accountability and Trust Act (DATA), Ordered to be printed May 6, 2006]

    * FTC Settles Complaint With Company Over Lax Security of Consumer Data

    FTC press release: "A title company that promised consumers it maintained "physical, electronic and procedural safeguards" to protect their confidential financial information, but tossed consumer home loan applications in an open dumpster, agreed to settle Federal Trade Commission charges that its inadequate storage and disposal procedures for sensitive consumer information violated federal laws. The settlement with Nations Title Agency, Inc., Nations Holding Company, and Christopher M. Likens bars deceptive claims about privacy and security policies, and requires that they implement a comprehensive information security program and obtain audits by an independent third-party security professional every other year for 20 years."

  • In the Matter of Nations Title Agency, Inc., Nations Holding Company, and Christopher M. Likens; File No. 052 3117
  • May 08, 2006
    * Strategies to Create and Manage A Corporate Info Security Policy

    Building and Implmenting a Successful Information Security Policy, by John J. Pak, May 8, 2006 (25 pages, PDF).

  • See also Current IT: Issues Survey Report, 2006 - Security and Identity Management edges out Funding IT as the top strategic challenge, while Disaster Recovery/Business Continuity reemerges. by Barbara I. Dewey, Peter B. DeBlois, and the EDUCAUSE Current Issues Committee.

  • April 30, 2006
    * PC Users Guide to Fixing Problems Without Tech Support

    PCWorld: Never Call Tech Support Again! "Why suffer though hours on hold when you can solve the problem yourself? Whether your PC won't boot, keeps crashing, is infested with adware, or can't get to the Net, we'll help you fix it."

    April 28, 2006
    * The Ins and Outs of Spyware

    The Ins and Outs of Spyware [15 pages, PDF] April 24, 2006: "Lesley Herring discusses what spyware is, categories of spyware, types of spyware, symptoms of spyware, research sites to find out more information, prevention techniques, and removal tools in this contribution."

    April 27, 2006
    * Buyers of New Macs Can Now Recycle Old PCs For Free

    Following up on previous e-waste postings, Apple announced on April 21, 2006 a Free Computer Take-Back Program "...offering free computer take-back and recycling with the purchase of a new Macintosh® system beginning in June. US customers who buy a new Mac® through the Apple Store® or Apple's retail stores will receive free shipping and environmentally friendly disposal of their old computer as part of the Apple Recycling program. Equipment received by the program in the US is recycled domestically and no hazardous material is shipped overseas."

  • Apple's recycling programs and industry-leading environmental policies

  • * EPA OIG Fact Sheet on Critical Infrastructure Security

    EPA Needs to Better Implement Plan for Protecting Critical Infrastructure and Key Resources Used to Respond to Terrorist Attacks and Disasters. Information on the initiatives in the full report is sensitive homeland security information and is not available to the [At a Glance - 1 page, PDF]

    April 17, 2006
    * Alternative Methods Needed For Password Security

    Those Pesky Passwords - Too many and too complicated to remember, passwords make users crazy and incur help desk expense. What should you do about it? by Larry Ponemon:

  • "Passwords as a security measure do not seem to be working. In Ponemon Institute's newly released Perceptions about Passwords study, most respondents report that in the past two years they have forgotten a password or PIN and had to have it reset by a company. Moreover, a majority of respondents had to have their password or PIN reset at least three times in the past two years. Many respondents reported that they have to recall five or more uniquely defined passwords or PINs on a routine basis."
  • March 08, 2006
    * EU Seminar Report: Trust In the Net

    From Viviane Reding, Member of the European Commission responsible for Information Society and Media, "Safety on the Net" (7 pages, PDF), (09/02/06).

    * Internet Security Threat Report Finds Increase in Crimeware

    Symantec Internet Security Threat Report, Volume IX: March 2006 Highlights.

  • Press release: "This volume of the Internet Security Threat Report offers an overview of threat activity that took place between July 1 and December 31, 2005. In this edition, the new threat landscape is shown to be increasingly dominated by attacks and malicious code that are used to commit cybercrime, criminal acts that incorporate a computer or Internet component. Attackers have moved away from large, multipurpose attacks on network perimeters and toward smaller, more focused attacks on client-side targets."

  • See also Internet "cloaking" emerges as new Web security threat

  • February 28, 2006
    February 27, 2006
    * Phishing, Pharming, Key Logging, DDOS Attacks Require Net Users to Remain Vigilant

    New York Times: Cyberthieves Silently Copy Your Passwords as You Type

  • USA Today, Increasing Web attacks disrupt commerce

  • Related postings on cybercrime
  • February 21, 2006
    * Security Issues Escalate With Popularity of Handheld Devices

    New York Times: Too Many New Gadgets, Too Much Information at Risk: Loss, theft and viruses are major issues as corporate use of handheld devices and pocket PCs increases. Pre-emptive security options are available however, as this article describes.

    February 19, 2006
    * Managing Cybersecurity Resources

    Managing Cybersecurity Resources: A Cost-Benefit Analysis "details guidelines for using sound and measurable principles of cost-benefit analysis, as a compliment to gut instinct, to efficiently allocate and manage cybersecurity resources within your organization. Written by two globally acknowledged leaders in the increasingly critical area of cybersecurity (Lawrence A. Gordon and Martin P. Loeb), this comprehensive exploration presents:

  • Key issues that impact the management of cybersecurity resources
    An economic framework for achieving sufficient cybersecurit