"Verizon’s 2013 Data Breach Investigations Report (DBIR) provides truly global insights into the nature of data breaches that can help organizations of all sizes to better understand the threat and take the necessary steps to protect themselves. The breadth and depth of data represented in this year’s DBIR is unprecedented. It combines the efforts of 19 global organizations: law enforcement agencies, national incident-reporting entities, research institutions, and a number of private security firms — all working to study and combat data breaches. Over the years the number of contributors has grown. Since we started publishing the DBIR in 2008, our partners have contributed data information on more than 2,500 confirmed data breaches — totaling more than a billion compromised records."

2013 Internet Security Threat Report - "Key Findings:

• 42% increase in targeted attacks in 2012.
  
• 31% of all targeted attacks aimed at businesses with less than 250 employees.
  
• One waterhole attack infected 500 organizations in a single day.
  
• 14 zero-day vulnerabilities.
  
• 32% of all mobile threats steal information.
  
• A single threat infected 600,000 Macs in 2012.
  
• Spam volume continued to decrease, with 69% of all email being spam.
  
• The number of phishing sites spoofing social networking sites increased 125%.
  
• Web-based attacks increased 30%.
  
• 5,291 new vulnerabilities discovered in 2012, 415 of them on mobile operating systems."

"This report provides a detailed, current look at the nature of advanced threats targeting organizations today. Drawing on data gathered by FireEye® from several thousands of appliances at customer sites around the world, across 89 million events, this report provides an overview of the current threat landscape, evolving advanced persistent threat (APT) tactics, and the level of infiltration seen in organizations' networks today. Key findings include:

CRS - The 2013 Cybersecurity Executive Order: Overview and Considerations for Congress, March 1, 2013

"Secure deletion involves the use of special software to ensure that when you delete a file, there really is no way to get it back again. When you "delete" a file — for instance, by putting the file in your computer's trash folder and emptying the trash — you may think you've deleted that file. But you really haven't. Instead, the computer has just made the file invisible to the user, and marked the part of the disk drive that it is stored on as "empty," meaning that it can be overwritten with new data. But it may be weeks, months, or even years before that data is overwritten, and the computer forensics experts can often even retrieve data that has been overwritten by newer files. Indeed, computers normally don't "delete" data; they just allow it to be overwritten over time, and overwritten again. The best way to keep those "deleted" files hidden, then, is to make sure they get overwritten immediately. Your operating system probably already includes software that can do this for you, and overwrite all of the "empty" space on your disk with gibberish (optionally multiple times), and thereby protect the confidentiality of deleted data. Examples include GNU Shred (Linux), Secure Delete (Mac OS X), and cipher.exe (Windows XP Pro and later)."

CRS - Federal Laws Relating to Cybersecurity: Discussion of Proposed Revisions. Eric A. Fischer, Senior Specialist in Science and Technology, November 9, 2012

"Browsers can be regarded as a kind of autonomous zone inside the operating systems of modern computers. A browser is a window to the online world, installed on each and every computer, powered with the ability to install and run additional apps on its territory. Of course, it grants access to a plethora of web-based apps: from online office editors to games. At the same time the majority of online threats come from the web as well. Vulnerabilities in web browsers and other popular programs are used by cybercriminals to infect systems and steal user data: quite often an infected web page triggers the attack. That is why keeping your chosen browser up-to-date is one of the most important tasks, since new versions plug security holes and provide new security features...Slightly less than 80% of Kaspersky Lab’s users have the latest version of a browser. It is important that our data is based on real usage statistics, and there is a chance that quite a lot of users, for example, use up-to-date Google Chrome, but have an outdated Internet Explorer installed, thus keeping a security hole open for attacks. At the same time, the number of users utilizing older or critically outdated browsers is very high. A 23% share for older browsers and 8.5% for obsolete versions represents millions of users. Such reluctance to upgrade is a key addition to the negative outlook on web-born threats.."

Trend Micro Incorporated Opinion Piece, September 2012 - Peter the Great Versus Sun Tzu

Via LLRX.com, Privacy Resources and Sites on the Internet - Marcus P. Zillman's guide is a comprehensive listing of both free and low cost privacy resources currently available on the Internet. It includes associations, indexes and search engines, as well as websites and programs that provide the latest technology and information on Web privacy. This guide will help facilitate a safer interactive environment for your email, your internet browsing, your health records, your data storage and file sharing exchanges, and internet telephony.

Measuring the Cost of Cybercrime. Ross Anderson, Chris Barton, Rainer Bohme, Richard Clayton, Michel J.G. van Eeten Michael Levi, Tyler Moore, Stefan Savage

"The Department of Homeland Security (DHS) Control Systems Security Program manages and operates the Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) to provide focused operational capabilities for defense of control system environments against emerging cyber threats...This report provides a summary of cyber incidents, onsite deployments, and associated findings from the time ICS-CERT was established in 2009 through the end of 2011..The most common infection vector for network intrusion was spear-phishing emails with malicious links or attachments. Spear-phishing accounted for 7 out of 17 incidents. At least one incident involved an infection from a removable USB device."

News release: "Check Point® Software Technologies Ltd...announced the results of a new ZoneAlarm report revealing differences in the use of computer security between Gen Y and Baby Boomers. The report, The Generation Gap in Computer Security, found that Gen Y is more confident in its security knowledge than Baby Boomers. However, 50 percent of Gen Y respondents have had security issues in the past two years compared to less-than-half of Baby Boomers. The broad adoption of digital media and social networking, combined with the increasing amount of sensitive data that is stored online, is making personal computer security more important than ever before. Yet the ZoneAlarm study reveals that 78 percent of Gen Y respondents do not follow security best practices while cybercriminals are launching new and more sophisticated attacks on consumers every day. In comparison, Baby Boomers are more concerned about security and privacy and twice more likely to protect their computers with additional security software."

Google Online Security Blog: "Approximately 12-14 million Google Search queries per day show our warning to caution users from going to sites that are currently compromised. Once a site has been cleaned up, the warning is lifted."

Industry Botnet Group Principles for Voluntary Efforts to Reduce the Impact of Botnets in Cyberspace

Computer World: "Ninety percent of the Internet's top 200,000 HTTPS-enabled websites are vulnerable to known types of SSL (Secure Sockets Layer) attack, according to a report released Thursday by the Trustworthy Internet Movement (TIM), a nonprofit organization dedicated to solving Internet security, privacy and reliability problems. The report is based on data from a new TIM project called SSL Pulse, which uses automated scanning technology developed by security vendor Qualys, to analyze the strength of HTTPS implementations on websites listed in the top 1 million published by Web analytics firm Alexa."

News release: "The Information Commissioner’s Office (ICO) is urging consumers to take better care of their data, following an investigation into the trade in used hard drives. The ICO has published new guidance to help individuals securely delete personal information from their old devices. An investigation by the ICO found that one in ten second-hand hard drives sold online may contain residual personal information. An ICO survey also found that 65% of British adults now hand on their old phones, computers and laptops to another user, with 44% giving it away to somebody else for free and around one in five (21%) selling it to somebody else. In December 2010, the ICO asked a computer forensics company – NCC Group – to source around 200 hard drives, 20 memory sticks and 10 mobile phones. The devices were mainly bought online from internet auction sites and some were sourced at computer trade fairs. The devices were then searched, initially without any additional software, and then interrogated using forensic tools freely available on the internet. The research found that, while 52% of the hard drives investigated were unreadable or had been wiped of data, 48% contained information and 11% was personal data. The amount of personal data found on the mobile phones and memory sticks was negligible. In total 34,000 files containing personal or corporate information were recovered from the devices. At least two of the hard drives contained enough information to enable someone to steal the former owner’s identity. The residual documents included scanned bank statements, passports, information on previous driving offences, and some medical details. A further four hard drives contained information about the employees and clients of four organisations, including individuals’ health and financial details."

• View the ICO’s report on unscrubbed hard drives (pdf)
  
• Read the full results of the ICO’s survey into attitudes about data destruction (Excel file)
  
• Read the ICO’s advice for individuals on how to securely delete their information from an old device

Identity Theft Reported by Households, 2005-2010: "Presents data on the nature of and trends in identity theft victimization among U.S. households from the National Crime Victimization Survey (NCVS). The NCVS defines identity theft as the misuse or attempted misuse of an existing credit card or another existing account or the misuse of personal information to open a new account or for other fraudulent purposes. Findings are based on experiences of all household members age 12 or older as reported by the head of household. The data brief examines changes in the percentage of households experiencing identity theft from 2005 to 2010. It describes differences in the types of identity theft experienced by households in 2010 compared to 2005, as well as changes in the demographic characteristics of victimized households. The brief also presents estimates on the monetary losses attributed to household victims of identity theft. Highlights include the following:

• In 2010, 7.0% of households in the United States, or about 8.6 million households, had at least one member age 12 or older who experienced one or more types of identity theft victimization.
  
• Among households in which at least one member experienced one or more types of identity theft, 64.1% experienced the misuse or attempted misuse of an existing credit card account in 2010.
  
• From 2005 to 2010, the percentage of all households with one or more type of identity theft that suffered no direct financial loss increased from 18.5% to 23.7%."

News release: "The FCC is launching the Small Biz Cyber Planner, an online resource to help small businesses create customized cybersecurity plans. This is the result of an unprecedented public-private partnership between government experts and private IT and security companies, including DHS, NCSA, NIST, The U.S. Chamber of Commerce, The Chertoff Group, Symantec, Sophos, Visa, Microsoft, HP, McAfee, The Identity Theft Council, ADP and others. The online tool is available at FCC.gov/cyberplanner. By almost any measure small businesses have an outsized impact on our economy and it is critically important that small businesses, a vibrant engine for job and idea creation, are secure using the many broadband enabled tools they need to efficiently run their businesses. According to a survey released in October, 2011 by Symantec and the National Cyber Security Alliance (NCSA), two-thirds of U.S. small businesses rely on broadband Internet for their day-to-day operations...This effort is part of an ongoing program to raise awareness about the cybersecurity risks to small businesses and to help these businesses become cyber-secure. Earlier this year, the FCC and a coalition of public and private-sector partners developed a cybersecurity tip sheet, which includes tips to educate business owners about basic steps they can take immediately to protect their companies. The tip sheet is available at FCC.gov/cyberforsmallbiz".

Information Security Continuous Monitoring (ISCM) for Information Systems and Organizations (NIST Special Publication [SP] 800-137)

All Your Clouds are Be­long to us – Se­cu­ri­ty Ana­ly­sis of Cloud Ma­nage­ment In­ter­faces - Juraj So­mo­rovs­ky, Mario Hei­de­rich, Meiko Jen­sen, Jörg Schwenk, Nils Grusch­ka, Luigi Lo Ia­co­no. In Pro­cee­dings of the ACM Cloud Com­pu­ting Se­cu­ri­ty Work­shop (CCSW), 2011.

"Symantec Corp. announced the results of the August 2011 Symantec Intelligence Report, now combining the best research and analysis from the Symantec.cloud MessageLabs Intelligence Report and the Symantec State of Spam & Phishing Report. This month’s analysis reveals that once more spammers are seeking to benefit from fluctuations in the turbulent financial markets, most notably by sending large volumes of spam relating to certain “pink sheets” stocks in an attempt to “pump” the value of these stocks before “dumping” them at a profit. In a pump-and-dump stock scam, spammers promote certain stocks in order to inflate the price as much as possible so that they may then be sold before their valuation crashes back to reality. The spam for these scams tries to convince the prospective mark that the penny stock is actually worth more than its valuation, or that it will soon skyrocket. Most of these claims are either misleading or false. A successful pump-and-dump spam campaign will artificially drive up the price of the stock to a point where the scammers decide to sell their shares. This usually coincides with them ending the spam campaign, which in turn reduces the interest in the stock, helping to drive its valuation back to the original low price."

News release: 1E, the global leader in IT efficiency software today announced the results of an independent study of IT professionals in the United States and United Kingdom into software efficiency. The study, commissioned in association with the International Association of Information Technology Asset Managers (IAITAM) and the Federation Against Software Theft Investors in Software (FASTIiS) conducted by Opinion Matters, revealed that software waste is endemic in organizations today, preventing cost efficiencies and unnecessarily draining IT budgets....The results of the software efficiency study were broadly similar in both territories. The study found that just 8 percent of UK organizations and 9 percent of US organizations systematically reclaim unused software licenses to save money. Respondents cited concerns about user reaction, business risk and lack of tools as reasons against action; however, the report found a clear financial imperative for every organization to do so:

• Almost three quarters of organizations (UK=68; US=71 percent) admit to having software waste
  
• An overwhelming majority (UK=92; US=83 percent) have undeployed software licenses, more commonly known as shelfware
  
• Four fifths (UK=80; US=84 percent) agree that there is more than $100 worth of installed but unused software per PC
  Furthermore, the study found that:
  
• On average, at least 10 percent of all software purchased is destined to become shelfware – at a cost of between $145-155 per user per year for each organization
  
• The majority of respondents (UK=85; US=72 percent) feel that software asset management is too complex and over two thirds in both the UK and US (66 percent) find preparing for vendor audits challenging
  
• Half (UK=50; US=52 percent) of enterprises still use spreadsheets to record software licenses
  
• Approximately one in ten (UK=9; US=12 percent) still use paper-based filing systems, while some (UK=14 percent; US=12 percent) staggeringly even admitted to not having a process in place at all."

Cyrus Nemati, CDT: "If you've been following our Take Back Your Privacy campaign, you've seen our weekly privacy tips. Each week, we offer readers a new way to protect their privacy online through plug-ins, browser tricks, programs, and general privacy best practices. While each tip has merit in its own right, there are a few tips that give you a great amount of control over your online privacy. Without further ado, here are Take Back Your Privacy's Top Five Privacy Tips."

DOJ OIG: The Federal Bureau of Investigation's Ability to Address the National Security Cyber Intrusion Threat (Redacted Version), Audit Report 11-22, April 2011

Computerworld: 'Google is shedding some of the secrecy around its data center practices, with a new video that shows extensive security measures and the destruction of old hard drives to prevent leakage of customer data. Google "rigorously tracks the location and status" of each hard drive, destroying failed hard drives with a multistep process before gathering the mangled bits in boxes to send off to recycling centers. "One device that is used to destroy old hard drives is known as the crusher," the narrator of a Google video says. "A steel piston is pushed through the center of the drive and the platters are deformed, making them unreadable."

News release: "The Electronic Frontier Foundation (EFF) and Access have launched an international campaign for HTTPS Now, rallying consumers around the world to help us make web surfing safer. HTTPS (Hypertext Transfer Protocol Secure) protects web surfing by encrypting requests from a user's browser and the resulting pages that are displayed, but many websites default to using the unencrypted and vulnerable HTTP protocol. The HTTPS Now campaign takes a three-pronged approach to protecting web surfing, including distributing updated tools for people to use to protect their web browsing, taking an Internet-wide survey of the state of HTTPS deployment, and helping website operators implement HTTPS. As a first step, individuals using the web are encouraged to install HTTPS Everywhere, a security tool for the Firefox browser developed by EFF and the Tor Project. HTTPS Everywhere automatically encrypts a user's browsing, changing it from HTTP to HTTPS whenever possible."

Best Practices for Keeping Your Home Network Secure, April 2011.

News release: "Data loss through cyber attacks decreased sharply in 2010, but the total number of breaches was higher than ever, according to the "Verizon 2011 Data Breach Investigations Report." These findings continue to demonstrate that businesses and consumers must remain vigilant in implementing and maintaining security practices. The number of compromised records involved in data breaches investigated by Verizon and the U.S. Secret Service dropped from 144 million in 2009 to only 4 million in 2010, representing the lowest volume of data loss since the report's launch in 2008. Yet this year's report covers approximately 760 data breaches, the largest caseload to date. According to the report, the seeming contradiction between the low data loss and the high number of breaches likely stems from a significant decline in large-scale breaches, caused by a change in tactics by cybercriminals. They are engaging in small, opportunistic attacks rather than large-scale, difficult attacks and are using relatively unsophisticated methods to successfully penetrate organizations. For example, only 3 percent of breaches were considered unavoidable without extremely difficult or expensive corrective action. The report also found that outsiders are responsible for 92 percent of breaches, a significant increase from the 2010 findings. Although the percentage of insider attacks decreased significantly over the previous year (16 percent versus 49 percent), this is largely due to the huge increase in smaller external attacks. As a result, the total number of insider attacks actually remained relatively constant.

Enabling Distributed Security in Cyberspace - Building a Healthy and Resilient Cyber Ecosystem with Automated Collective Action, March 23, 2011

News release: "The Ponemon Institute proudly presents the 2010 U.S. Cost of a Data Breach, the sixth annual study concerning the cost of data breach incidents for U.S.-based companies sponsored by Symantec Corporation. The average organizational cost of a data breach increased to $7.2 million and cost companies an average of $214 per compromised record, markedly higher when compared to $204 in 2009. The study also found that for the second straight year organizations’ need to respond rapidly to data breaches drove the associated costs higher. The sixth annual Ponemon Cost of a Data Breach report is based on the actual data breach experiences of 51 U.S. companies from 15 different industry sectors."

News release: "The Federal Trade Commission, the nation’s consumer protection agency, released tips to help people protect their personal information while they use public wireless networks – Wi-Fi hotspots in coffee shops, libraries, airports, hotels, universities, and other public places. While convenient, public Wi-Fi networks often are not secure. When using wireless networks, it’s best to send only personal information that is encrypted – either by an encrypted website or a secure network. Encryption scrambles information sent over the internet into a code so that it’s not accessed by others. An encrypted website protects only the information sent to and from that site. A secure wireless network encrypts all the information sent over it. To determine if a website is encrypted, look for https at the beginning of the web address (the “s” is for secure), and a lock icon at the top or bottom of the browser window. Some websites use encryption only on the sign-in page, but if any part of the session isn’t encrypted, the entire account could be vulnerable. Look for https and the lock icon throughout the site, not just at sign in."

EPIC: "Facebook will now allow full-session HTTPS. The switch to encrypted cloud-based computing promotes privacy and security, particularly when users access Facebook from public Internet access points. Previously, Facebook only used HTTPS when users’ passwords were being sent to the site. Third party applications currently do not support HTTPS. Users can opt into HTTPS through their “Account Settings;” however, HTTPS is not yet the default. Facebook will use "social authentication, rather than traditional CAPTCHA, to deter hackers. EPIC has previously recommended the adoption of strong privacy techniques for cloud-based services. In 2009, EPIC filed a complaint with the Federal Trade Commission, urging an investigation into Google’s cloud computing services to determine the adequacy of privacy and security safeguards. Google subsequently established HTTPS by default for Gmail. For related information, see EPIC: Facebook, EPIC: Cloud Computing, and EPIC: Social Networking Privacy."

Federal Computer Week: "The White House's unclassified e-mail system is back up after an eight-hour outage, but the e-mail security problems may go deeper. It was disclosed February 4, 2011 that some officials alleged White House e-mails were the source of a cyberattack against British officials two months ago. Officials from the United Kingdom said today that alleged White House e-mail accounts were the source of a malware attack against U.K. government officials in late December, according to news report."

News release: "Most Federal employees go beyond baseline IT security requirements, according to a new survey by the Government Business Council, the research division of Government Executive Media Group, and CDW Government LLC (CDW-G), a leading provider of technology solutions to government, education and healthcare customers. While 97 percent of Federal employees are required by their agencies to use authentication measures such as passwords, security tokens and biometric identifiers, most take still more security precautions to protect agency data. Respondents noted that they proactively lock their screens when they are away from their computers and only use secure network connections and agency-issued machines to further secure information...The survey, underwritten by CDW-G in partnership with HP, conducted in September 2010, captured the views of 230 randomly selected Federal defense and civilian decision makers."

January 3, 2011 - M-11-08, UNCLASSIFIED - Initial Agency Self-Assessment Program for User Access to Classified Information in Automated Systems: "Each department or agency that handles classified information should assess the agency’s and its employees’ adherence to the policy issuances noted below, the requirements to safeguard classified information with an emphasis on their application in automated systems, and any process the agency has designed to detect purposeful misuse of information technology systems. If your agency does not have any of the required programs/processes listed, you should establish them."

Follow up to previous postings on WikiLeaks, via WaPo's Joby Warrick: "Investigations into the attacks concluded that government agencies had failed to share critical information that could have helped uncover the Sept. 11 plot. Because of that lapse, Congress tasked the Office of the Director of National Intelligence with pressuring key government agencies - including the Pentagon, the Homeland Security Department and the State Department - to find ways to rapidly share information that could be relevant to possible terrorist plots and other threats. The State Department, with its hundreds of diplomatic posts worldwide, was already making tens of thousands of classified cables available to intelligence and military officials with secret security clearances. But in 2005, the DNI and the Defense Department agreed to pay for a new State Department computer database that could allow the agency's cables to flow more easily to other users throughout the federal government. Net-Centric Diplomacy was launched in 2006 and tied into a giant Defense Department system known as the Secret Internet Protocol Router Network, or SIPRnet. Soon, nearly half a million government employees and contractors with security clearances could tap into the diplomatic cables from computer terminals around the globe...The State Department's new database quickly garnered praise as a model of interagency collaboration. The database was named a finalist for an Excellence in Government award in 2006...The flaws did not become apparent until much later. One of biggest problems: Sensitive cables were often dumped willy-nilly into the database regardless of whether they belonged there, according to two department officials familiar with the internal procedures for data storage."

WikiLeaks And The New Corporate Disclosure Crisis - Stephanie Nora White and Rebecca Theim: "If the scandals that have plagued corporate America in the past two years haven't gotten you thinking about your own company's vulnerabilities, then the latest revelations out of WikiLeaks certainly should. In an interview with Forbes' Andy Greenberg, WikiLeaks founder Julian Assange declared that half the documents that have been fed to the organization are from corporations, and that sometime early next year his organization plans what presumably will be the first of many corporate disclosures. It will begin with information about one of the nation's leading banks. The target is rumored to be Bank of America, and the bank's stock tumbled 3% shortly after the rumors were publicized. Got your attention now? WikiLeaks is promising to give a voice to the disenfranchised, disgusted and disillusioned within Corporate America, those who have knowledge of company behavior ranging from distasteful to criminal. "Companies turn people into leakers by their failure to listen, look and respond," says business consultant and author Margaret Heffernan, whose forthcoming book, Willful Blindness: Why We Ignore the Obvious at Our Peril, will tackle the issue. In other words, it will no longer be a company's general counsel who will decide if and when something is disclosed to the public. Now, it's any insider with a flash drive who's troubled or disgruntled by an organization's conduct. And the types of information WikiLeaks is disclosing can be more damaging--and memorable--than a traditional corporate crisis."

Escaping from Microsoft’s Protected Mode Internet Explorer - Evaluating a potential security boundary, November 2010

News release: "The Electronic Frontier Foundation (EFF) has launched a new version of HTTPS Everywhere, a security tool that offers enhanced protection for Firefox browser users against "Firesheep" and other exploits of webpage security flaws. HTTPS secures web browsing by encrypting both requests from your browser to websites and the resulting pages that are displayed. Without HTTPS, your online reading habits and activities are vulnerable to eavesdropping, and your accounts are vulnerable to hijacking... This new version of HTTPS Everywhere responds to growing concerns about website vulnerability in the wake of Firesheep, an attack tool that could enable an eavesdropper on a network to take over another user's web accounts -- on social networking sites or webmail systems, for example -- if the browser's connection to the web application either does not use cryptography or does not use it thoroughly enough...Other sites targeted by Firesheep that now receive protection from HTTPS Everywhere include Bit.ly, Cisco, Dropbox, Evernote, and GitHub. In addition to the HTTPS Everywhere update, EFF also released a guide to help website operators implement HTTPS properly."

State of the Internet 2010: A Report on the Ever-Changing Threat Landscape, CA Technologies Internet Security Business Unit
Internet Security Intelligence Report, October 2010

News release: [On September 22, 2010] the Federal Trade Commission told a Senate Subcommittee that it supports proposed legislation that would require many companies to use reasonable data security policies and procedures and require those companies to notify consumers when there is a security breach. In testimony before the Committee on Science, Commerce, and Transportation Subcommittee on Consumer Protection, Product Safety and Insurance, Maneesha Mithal, Associate Director for Privacy and Identity Protection at the FTC told the Subcommittee that problems with data security and breaches affect a wide array of both businesses and nonprofit organizations..
The testimony states that the agency suggests three additional measures that could be included in the proposed legislation to protect consumers. First, the provision that requires that companies notify consumers in the event of an information security breach should not be limited to entities that possess data in electronic form; second, the proposed requirements should be extended so that they apply to telephone companies; and third, the Commission suggests that the bill grant the agency rulemaking authority to determine circumstances under which providing free credit reports or credit monitoring may not be warranted."

"A Wall Street Journal investigation into online privacy has found that popular children's websites install more tracking technologies on personal computers than do the top websites aimed at adults."

The Impact of Competition on Technology Adoption: An Apples-to-PCs Analysis, Federal Reserve Bank of New York, July 2010, Number 462, by Adam Copeland and Adam Hale Shapiro

OIG-10-111 - DHS Needs to Improve the Security Posture of Its Cybersecurity Program Systems, September 8, 2010

Identity Theft Resource Center 2010 Breach List - Breaches: 435 Exposed: 13,329,706 - Report Date, 8/17/2010

Cisco 2010 Midyear Security Report - The impact of global security threats and trends on the enterprise

2010 Data Breach Investigations Report, A study conducted by the Verizon RISK Team in cooperation with the United States Secret Service

[Federal Register: July 28, 2010 (Volume 75, Number 144)] [Notices][Page 44216-44223]: "The Department of Commerce's Internet Policy Task Force is conducting a comprehensive review of the nexus between cybersecurity challenges in the commercial sector and innovation in the Internet economy. The Department seeks comments from all stakeholders, including the commercial, academic and civil society sectors, on measures to improve cybersecurity while sustaining innovation. Preserving innovation, as well as private sector and consumer confidence in the security of the Internet economy, are important for promoting economic prosperity and social well-being overall. In particular, the Department seeks to develop an up-to-date understanding of the current public policy and operational challenges affecting cybersecurity, as those challenges may shape the future direction of the Internet and its commercial use, both domestically and globally. After analyzing comments on this Notice, the Department intends to issue a report that will contribute to the Administration's domestic and international policies and activities in advancing both cybersecurity and the Internet economy."

News release: "The Federal Trade Commission testified [July 22, 2010] about FTC efforts to protect consumer privacy and commented on legislative proposals to improve privacy protections before the U.S. House Subcommittee on Commerce, Trade, and Consumer Protection of the Committee on Energy and Commerce. The testimony presented by David Vladeck, Director of the FTC’s Bureau of Consumer Protection, described the FTC’s law enforcement actions to hold companies accountable for protecting consumer privacy, focusing on data security, identity theft, children’s privacy, and protecting consumers from intrusive spam, spyware, and telemarketing. The testimony noted that the FTC has brought 28 actions charging businesses with failing to protect consumers’ personal information and 15 actions charging website operators with collecting information from children without parents’ consent. The FTC also has brought 15 spyware cases and dozens of actions challenging illegal spam, including an action against a rogue Internet Service Provider that resulted in a temporary 30 percent drop in spam worldwide. Finally, the FTC has brought 64 actions alleging violations of the Do Not Call Rule, resulting in violators paying almost $40 million in civil penalties and giving up nearly $18 million, including consumer redress."

"EPIC Executive Director Marc Rotenberg testified [July 15, 2010]before the House Committee on Science and Technology regarding Planning for the Future of Cyber Attack Attribution. In his prepared statement, Mr. Rotenberg discussed "the risks and limitations of a mandatory Internet ID that may be favored by some as a way to address the risk of cyber attack." He explained how such a proposal would implicate human rights and online freedom, and questioned the constitutionality of such a measure. EPIC recommended that efforts continue to focus on improving security standards, deploying encryption, and requiring federal agencies to remain transparent as they develop cyber security policies."

• Overseas Contingency Operations: Comparison of the Department of Defense's Overseas Contingency Operations Funding Requests for Fiscal Years 2010 and 2011, GAO-10-889R, July 06, 2010
• Cybersecurity: Key Challenges Need to Be Addressed to Improve Research and Development, GAO-10-466, June 03, 2010
• Expeditionary Fighting Vehicle (EFV) Program Faces Cost, Schedule and Performance Risks, GAO-10-758R, July 02, 2010

The future of cloud computing, by Janna Anderson, Lee Rainie, June 11, 2010

"With Google search over SSL, you can have an end-to-end encrypted search solution between your computer and Google. This secured channel helps protect your search terms and your search results pages from being intercepted by a third party. This provides you with a more secure and private search experience. To use search over SSL, visit https://www.google.com New window icon each time you perform a search. Note that only Google web search is available over SSL, so other search products like Google Images and Google Maps are not currently available over SSL. When you're searching over SSL, these properties may not appear in the left panel."

Your Office Copy Machine Might Digitally Store Thousands of Documents That Get Passed on at Resale

"The Symantec Internet Security Threat Report provides an annual overview and detailed analysis of Internet threat activity, malicious code, and known vulnerabilities. The report also discusses trends in phishing, spam and observed activities on underground economy servers...report sathe ys the U.S. was top country for malicious activity, making up 19% total."

• Internet Security Threat Report: Volume XV: April 2010
  
• Executive Summary: April 2010

Global Cyber Deterrence - Views from China, the U.S., Russia, India, and Norway by Tang Lan, Zhang Xin, Harry D. Raduege, Jr., Dmitry I. Grigoriev, Pavan Duggal, and Stein Schjølberg. Edited by Andrew Nagorski. April 2010

NIST Special Publication 800-122, Guide to Protecting the Confidentiality of Personally Identifiable Information (PII), Recommendations of the National Institute of Standards and Technology, Erika McCallister, Tim Grance, Karen Scarfone, April 2010.

• Intellectual Property: Observations on Efforts to Quantify the Economic Effects of Counterfeit and Pirated Goods, GAO-10-423, April 12, 2010
• U.S. Postal Service: Strategies and Options to Facilitate Progress toward Financial Viability, GAO-10-455, April 12, 2010
• Information Security: Agencies Need to Implement Federal Desktop Core Configuration Requirements, GAO-10-202, March 12, 2010
• Information Security: Concerted Effort Needed to Consolidate and Secure Internet Connections at Federal Agencies, GAO-10-237, March 12, 2010

"How well prepared are IT professionals within U.S. government agencies to respond to foreign cyber threats? Will government initiatives, such as the Comprehensive National Cybersecurity Initiative and the creation of the U.S. National Cybersecurity Coordinator role, be effective in addressing the challenges facing U.S. critical IT infrastructure? What is the impact of compliance on security within the federal IT environment? Commissioned by Lumension, Clarus Research Group set about to answer these and other important questions facing federal IT in Lumension’s Federal Cyber Security Outlook for 2010: National IT Security Challenges Mounting study. Clarus Research Group interviewed over 200 federal IT decision-makers and influencers about endpoint operations, IT security and compliance issues."

"This report [by the Committee on Deterring Cyberattacks; National Research Council] is the first phase of a larger project to conduct a broad, multidisciplinary examination of deterrence strategies and their possible utility to the U.S. government in its policies toward preventing cyberattacks. This first phase identifies the key issues and questions that merit examination. The next phase will engage experts to prepare papers that address key issues and questions, including those posed here. This letter report provides basic information needed to understand the nature of the problem and to articulate important questions that can drive research regarding ways of more effectively preventing, discouraging, and inhibiting hostile activity against important U.S. information systems and networks."

Information Warfare Monitor: "The Information Warfare Monitor/ (Citizen Lab, Munk School of Global Affairs, University of Toronto and the SecDev Group, Ottawa) and the Shadowserver Foundation announce the release of Shadows in the Cloud: An investigation into cyber espionage 2.0. The report documents a complex ecosystem of cyber espionage that systematically targeted and compromised computer systems in India, the Offices of the Dalai Lama, the United Nations, and several other countries."

Follow up to postings on security issues and erasing hard drive, from Gizmodoa detailed article with accompanying screen shots and product references: "With stories abounding of identity theft aided by information lifted from discarded storage devices, you want devices you no longer plan to use to have no usable information when they head out the door. Here's how to wipe them clean...When you erase/delete a file from your computer, it's not really gone until the areas of the disk it used are overwritten by new information. If you use the normal Windows delete function, the "deleted" file is sent to the Recycle Bin until the space it uses is required by other files. If you use Shift-Delete to bypass the Recycle Bin, the space occupied by the file is marked as available for other files. However, the file could be recovered days or even weeks later with third-party data recovery software. As long as the operating system does not reuse the space occupied by a file with another file, the "deleted" file can be recovered."

• Information Security: Concerted Response Needed to Resolve Persistent Weaknesses, GAO-10-536T, March 24, 2010: "Without proper safeguards, federal computer systems are vulnerable to intrusions by individuals who have malicious intentions and can obtain sensitive information. The need for a vigilant approach to information security has been demonstrated by the pervasive and sustained cyber attacks against the United States; these attacks continue to pose a potentially devastating impact to systems as well as the operations and critical infrastructures that they support."
• Joint Strike Fighter: Significant Challenges and Decisions Ahead, GAO-10-478T, March 24, 2010
• Veterans' Disability Benefits: VA Has Improved Its Programs for Measuring Accuracy and Consistency, but Challenges Remain, GAO-10-530T, March 24, 2010
• Recovery Act: Officials' Views Vary on Impacts of Davis-Bacon Act Prevailing Wage Provision, GAO-10-421, February 24, 2010

Cisco 2009 Annual Security Report Highlighting global security threats and trends: "The Cisco® Annual Security Report provides an overview of the combined security intelligence of the entire Cisco organization. The report encompasses threat information and trends collected between January and December 2009. It also provides a snapshot of the state of security for that period, with special attention paid to key security trends expected for 2010."

• Cybersecurity: Progress Made but Challenges Remain in Defining and Coordinating the Comprehensive National Initiative, GAO-10-338, March 05, 2010
• Recovery Act: California's Use of Funds and Efforts to Ensure Accountability, GAO-10-467T, March 05, 2010
• Food Safety: FDA Should Strengthen Its Oversight of Food Ingredients Determined to Be Generally Recognized as Safe (GRAS), GAO-10-246, February 03, 2010

News release: "NetWitness, the world leader in advanced persistent threat detection and real-time network forensics, announced today that its analysts have discovered a dangerous new ZeuS botnet affecting 75,000 systems in 2,500 organizations around the world. The newly-discovered infestation, dubbed the "Kneber botnet" after the username linking the infected systems worldwide, gathers login credentials to online financial systems, social networking sites and email systems from infested computers and reports the information to miscreants who can use it to break into accounts, steal corporate and government information, and replicate personal, online and financial identities. NetWitness first discovered the Kneber botnet in January during a routine deployment of the NetWitness advanced monitoring solutions. Deeper investigation revealed an extensive compromise of commercial and government systems that included 68,000 corporate login credentials, access to email systems, online banking sites, Facebook, Yahoo, Hotmail and other social networking credentials, 2,000 SSL certificate files, and dossier-level data sets on individuals including complete dumps of entire identities from victim machines."

Security Labs Report Jul 2009-Dec 2009 Recap - "This report has been prepared by the M86 Security Labs team. It covers key trends and developments in Internet security over the last six months, as observed by the security analysts at M86 Security Labs. M86 Security Labs is a group of security analysts specializing in Email and Web threats, from spam to malware.
Key Points of this report:

Annual Threat Assessment of the US Intelligence Community for the Senate Select Committee on Intelligence, Dennis C. Blair, Director of National Intelligence, February 2, 2010

The quarterly APWG (AntiPhishing Working Group) Phishing Activity Trends Report analyzes phishing attacks reported to the APWG by its member companies, its Global Research Partners, through the organization’s website and by email submissions. APWG also measures the evolution, proliferation and propagation of crimeware drawing from the research of our member companies. In the last half of this report you will find tabulations of crimeware statistics and related analyses."

OPNAV NOTICE 5400, January 11, 2010: "Action will establish U. S. Fleet Cyber Command as an echelon II command to serve as the Navy Component Commander to United States Cyber Command upon its establishment. Interim reporting will be to United States Strategic Command. Command will provide for operational employment of the Navy's cyber, network operations, information operations, cryptologic and space forces, and serve as the Navy's Service Cryptologic Component Commander to the National Security Agency. U.S. Tenth Fleet. will be re-commissioned to control operations supporting U. S. Fleet Cyber Command.

DRAFT Security Requirements for Cryptographic Modules (Revised Draft): "The Revised Draft FIPS 140-3 is the second public draft of NIST’s proposed revision of FIPS 140-2. The Revised Draft was developed using the comments received on the first public draft, which was posted for public review and comment on July 13, 2007, and the FIPS 140-3 Software Security Workshop held on March 18, 2008. While the 2007 Draft proposed 5 levels of security, the Revised Draft FIPS 140-3 reverts to 4 levels of security as currently specified in FIPS 140-2. In contrast to the 2007 Draft, the Revised Draft also reintroduces the notion of firmware cryptographic module and defines the security requirements for it, limits the overall security level for software cryptographic modules to Security Level 2, and removes the formal model requirement at Security Level 4. Differences with the current FIPS 140-2 standard include limiting the overall security level for software cryptographic modules to Security Level 2, requirements for mitigation of non-invasive attacks at higher security levels, elimination of the requirement for formal modeling at Security Level 4, modified conditions for pre-operational/power-on self-tests, and strengthened integrity testing."

News release: "A new booklet released today by the Federal Trade Commission and other government agencies helps parents and teachers steer kids safely through the online and mobile phone worlds. Net Cetera: Chatting with Kids About Being Online was unveiled...by FTC Chairman Jon Leibowitz, U.S. Secretary of Education Arne Duncan, and Federal Communications Commission Chairman Julius Genachowski."

"New research quantifies the primary factors driving the cost of a lost or stolen laptop. Learn from Intel IT’s best practices."

OIG-09-101 - Vulnerabilities Highlight the Need for More Effective Web Security Management (Redacted), September 2009 (PDF, 21 pages)

National Law Journal: "The economy has employers extra jittery about company secrets getting out, so nervous that they're hiring staff just to monitor outbound e-mails. That's the conclusion of a recent study by Proofpoint, an Internet security and data loss prevention company, which found that 38 percent of large U.S. employers are monitoring outbound e-mail to prevent data leaks, up from 29 percent in 2008."

National Cybersecurity Awareness Month: "October marks the sixth annual National Cybersecurity Awareness Month sponsored by the Department of Homeland Security. The theme for National Cybersecurity Awareness Month 2009 is “Our Shared Responsibility” to reinforce the message that all computer users, not just industry and government, have a responsibility to practice good “cyber hygiene” and to protect themselves and their families at home, at work and at school. Americans can follow a few simple steps to keep themselves safe online. By doing so, you will not only keep your personal assets and information secure but you will also help to improve the overall security of cyberspace."

• How You Can Contribute to Cybersecurity Awareness
  
• Cybersecurity Awareness Events 2009
  
• Cybersecurity Resources

Sanitization and Disposal of Excess Information Technology Equipment (Report No. D-2009-104)

News release: "The Department of Homeland Security (DHS) and the Information Technology Sector Coordinating Council (IT SCC) today released the IT Sector Baseline Risk Assessment (ITSRA) to identify and prioritize national-level risks to critical sector-wide IT functions while outlining strategies to mitigate those risks and enhance national and economic security...The ITSRA validates the resiliency of key elements of IT sector infrastructure while providing a process by which public and private sector owners and operators can continually update their risk management programs. The assessment links security measures to concrete data to provide a basis for meaningful infrastructure protection metrics."

Follow up to previous postings on recovering data from discarded or resold computers and their hard drives, additional data and PC security ideas via PC Pro’s top 10 hard disk destruction methods.

PBS.org FRONTLINE - Ghana, Digital Dumping Ground: "When containers of old computers first began arriving in West Africa a few years ago, Ghanaians welcomed what they thought were donations to help bridge the digital divide. But soon exporters learned to exploit the loopholes by labeling junk computers "donations"...[What is on the hard drives from this junk PCs'?] There is private financial data...credit card numbers, account information, records of online transactions the original owners may not have realized were even there. Ghana is listed by the U.S. State Department as one of the top sources of cyber crime in the world. And it's not just individuals who are exposed. One of the drives the team has purchased contains a $22 million government contract. It turns out the drive came from Northrop Grumman, one of America's largest military contractors. And it contains details about sensitive, multi-million dollar U.S. government contracts. They also find contracts with the defense intelligence agency, NASA, even Homeland Security."

2009 Trust, Security & Passwords Survey Research Brief: "This global "snooping" survey is the third in a series of benchmark studies focused on identifying security and privacy trends among IT workers. Results are intended to raise awareness about the risks associated with powerful, and often unmanaged, privileged users and passwords. While seemingly innocuous, these accounts provide workers with "keys to the kingdom," allowing them to access critically sensitive information, no matter where it resides."

OIG-09-66 - DHS' Progress in Addressing Technical Security Challenges at Washington Dulles International Airport (Redacted), May 2009

Berkman Center for Internet & Society at Harvard University report: Enhancing Child Safety & Online Technologies: Final Report of the Internet Safety Technical Taskforce to the Multi-State Working Group on Social Networking of State Attorneys General of the United States in December of 2008.

News release: "A rogue Internet Service Provider that recruits, knowingly hosts, and actively participates in the distribution of spam, child pornography, and other harmful electronic content has been shut down by a district court judge at the request of the Federal Trade Commission. The ISP’s upstream providers and data centers have disconnected its servers from the Internet."

White House: Securing Our Digital Future, Melissa Hathaway, Cybersecurity Chief at the National Security Council, discusses securing our nation's digital future.

Review of Web Applications Security and Intrusion Detection in Air Traffic Control Systems, May 04, 2009

News release: "The Federal Trade Commission today testified on the Commission’s efforts to promote better security for sensitive consumer information and to prevent the inadvertent sharing of consumers’ personal or sensitive data over Peer-to-Peer Internet file-sharing networks. As part of these efforts, the agency also announced that it had reached an agreement with one of the largest privately held lenders in the United States to resolve charges that the company violated federal law by failing to provide reasonable security for consumers’ sensitive information. In testimony before the House Energy and Commerce Committee Subcommittee on Commerce, Trade and Consumer Protection, Acting Director of the Bureau of Consumer Protection Eileen Harrington said the agency strongly supports the goals of H.R. 2221, the Data Accountability and Trust Act, which would require companies to put reasonable data security policies and procedures in place, and to notify consumers when there has been a data security breach that affects them. The legislation also would give the Commission the authority to obtain civil penalties for violations."

"Cyberspies have penetrated the U.S. electrical grid and left behind software programs that could be used to disrupt the system, according to current and former national-security officials...But protecting the electrical grid and other infrastructure is a key part of the Obama administration's cybersecurity review, which is to be completed next week. Under the Bush administration, Congress approved $17 billion in secret funds to protect government networks, according to people familiar with the budget. The Obama administration is weighing whether to expand the program to address vulnerabilities in private computer networks, which would cost billions of dollars more. A senior Pentagon official said Tuesday the Pentagon has spent $100 million in the past six months repairing cyber damage."

Follow up to April 5, 2009 posting Senate Staff Working Draft of Cybersecurity Act of 2009, see this related CRS report: Comprehensive National Cybersecurity Initiative (CNCI): Legal Authorities and Policy Considerations, March 10, 2009

Treasury Inspector General for Tax Administration, Progress Has Been Slow in Implementing Federal Security Configurations on Employee Computers, March 27, 2009, Reference Number: 2009-20-055

• Bank Secrecy Act: Federal Agencies Should Take Action to Further Improve Coordination and Information-Sharing Efforts, GAO-09-227, February 12, 2009
• Emergency Management: Actions to Implement Select Provisions of the Post-Katrina Emergency Management Reform Act, GAO-09-433T, March 17, 2009
• Global War on Terrorism: DOD Needs to More Accurately Capture and Report the Costs of Operation Iraqi Freedom and Operation Enduring Freedom, GAO-09-302, March 17, 2009
• Information Security: Securities and Exchange Commission Needs to Consistently Implement Effective Controls, GAO-09-203, March 16, 2009
• International Trade: Effective Export Programs Can Help In Achieving U.S. Economic Goals, GAO-09-480T, March 17, 2009
• Oil and Gas Leasing: Federal Oil and Gas Resource Management and Revenue Collection in Need of Comprehensive Reassessment, GAO-09-506T, March 17, 2009
• Tax Compliance: Offshore Financial Activity Creates Enforcement Issues for IRS, GAO-09-478T, March 17, 2009

WSJ: "The government's coordinator for cybersecurity programs has quit, criticizing what he described as the National Security Agency's grip on cybersecurity. Rod Beckstrom, a former Silicon Valley entrepreneur, said in his resignation letter that the NSA's central role in cybersecurity is "a bad strategy" because it is important to have a civilian agency taking a key role in the issue. The NSA is part of the Department of Defense."

The Electronic Frontier Foundation (EFF) launched its Surveillance Self-Defense project today -- an online how-to guide for protecting your private data against government spying. EFF created the Surveillance Self-Defense site to educate Americans about the law and technology of communications surveillance and computer searches and seizures, and to provide the information and tools necessary to keep their private data out of the government's hands. The guide includes tips on assessing the security risks to your personal computer files and communications, strategies for interacting with law enforcement, and articles on specific defensive technologies such as encryption that can help protect the privacy of your data."

Data Loss Risks During Downsizing As Employees Exit, so does Corporate Data, February 23, 2009

News release: "President Obama has directed the National Security and Homeland Security Advisors to conduct an immediate review of the plan, programs, and activities underway throughout the government dedicated to cyber security. This 60-day interagency review will develop a strategic framework to ensure that U.S. Government cyber security initiatives are appropriately integrated, resourced and coordinated with Congress and the private sector. "The national security and economic health of the United States depend on the security, stability, and integrity of our Nation’s cyberspace, both in the public and private sectors. The President is confident that we can protect our nation’s critical cyber infrastructure while at the same time adhering to the rule of law and safeguarding privacy rights and civil liberties," said Assistant to the President for Counterterrorism and Homeland Security John Brennan. Melissa Hathaway, who has served as Cyber coordination Executive to the Director of National Intelligence, will lead the review and will serve as Acting Senior Director for Cyberspace for the National Security and Homeland Security Councils during the review period."

News release: "...experts from more than 30 US and international cyber security organizations jointly released the consensus list of the 25 most dangerous programming errors that lead to security bugs and that enable cyber espionage and cyber crime. Shockingly, most of these errors are not well understood by programmers; their avoidance is not widely taught by computer science programs; and their presence is frequently not tested by organizations developing software for sale. The impact of these errors is far reaching. Just two of them led to more than 1.5 million web site security breaches during 2008 - and those breaches cascaded onto the computers of people who visited those web sites, turning their computers into zombies."

The Top 25 Errors are listed below in three categories:

• Category: Insecure Interaction Between Components (9 errors)
  
• Category: Risky Resource Management (9 errors)
  
• Category: Porous Defenses (7 errors)

CDT news release: "The Supreme Court Wednesday dealt the final blow to the government's 10-year campaign to place onerous restrictions on Internet content. The Court declined to hear the government's appeal of lower court rulings [3rd U.S. Circuit Court of Appeals Decision in COPA February 22, 2008] that declared the Child Online Protection Act as unconstitutional. COPA passed in 1998 but was never enforced due to immediate court challenges on First Amendment grounds. Since COPA was passed there have been at least three major commissions or studies that have concluded that education and voluntary technology tools are the most effective way to protect kids online. These approaches are the ones Congress and the President should pursue to enhance Internet safety."

News release: "The Federal Financial Institutions Examination Council (FFIEC) issued guidance today for examiners, financial institutions, and technology service providers to identify risks, evaluate controls, and assess risk management practices related to remote deposit capture (RDC) systems. RDC enables customers to make deposits from their homes or businesses instead of taking the deposits to their financial institutions. Digital information captured at the home or business is transmitted to the financial institution or its service provider for clearing and settlement. Financial institutions might also use RDC in their branches and automated teller machines (ATMs) to facilitate deposit processing. When properly managed, RDC can reduce processing costs, support new and existing products by financial institutions, and accelerate the availability of customers’ funds. However, RDC also introduces new risks and increases existing risks in processing deposits originated by an institution’s commercial or retail customers, or by customers of other financial institutions domestically and abroad."

"The Global state of information security survey 2008 is a worldwide security survey by PricewaterhouseCoopers, CIO Magazine and CSO Magazine. It was conducted online from March 25 to June 26, 2008. Readers of CIO and CSO Magazines and clients of PricewaterhouseCoopers from around the globe were invited via email to take the survey. The results discussed in this report are based on the responses of more than 7,000 CEOs, CFOs, CIOs, CSOs, vice presidents and directors of IT and information security from 119 countries. Thirty-nine percent (39%) of respondents were from North America, twenty-seven percent (27%) from Europe, seventeen percent (17%) from Asia, fifteen percent (15%) from South America, and two percent (2%) from the Middle East and South Africa."

SecurityFocus: "Google posted...a handbook for Web developers that highlights the key security features and quirks of major Web browsers. The document, dubbed the Browser Security Handbook, has three parts that tackle the security features in browsers and browser-specific issues that could lead to security weaknesses."

Follow up to previous postings on recovering data from discarded or resold computers and their hard drives, from the FTC: "Computers are a popular gift during the holiday season. People with a new computer often wonder about the best way to get rid of the old one. OnGuardOnline.gov, the computer safety Web site managed by the Federal Trade Commission, has some tips to make this task easier – and more secure. Passwords, health information, and other sensitive personal data should be saved elsewhere and erased off the old computer. This protects consumers’ privacy and safeguards them from identity theft. People who use their computers for work should check with their employers regarding the legal requirements businesses must comply with to secure and dispose of data. To learn more, including how to save and erase data, see Computer Disposal."

Treasury Inspector General for Tax Administration: Unauthorized and Insecure Internal Web Servers Are Connected to the Internal Revenue Service Network, August 26, 2008. Reference Number: 2008-20-159

Transmittal Letter: "The insider threat to critical infrastructures constitutes a real and significant threat because of the potential a trusted insider has to inflict serious damage, including cascading and cross-sector effects and economic interruptions from critical infrastructure service losses. While many critical infrastructure operators have programs or measures in place addressing this threat to some degree, others do not fully understand or appreciate the threat posed by insiders, both to their company and also to our Nation. The Report provides recommendations for government policy to help improve the security posture of U.S. critical infrastructures against this threat. The recommendations include low-cost, easily implemented policy solutions for near term effect. The NIAC recommends that policy makers move swiftly to implement the near term improvements and increase the security of our critical infrastructures."

D-2008-114 Accountability for Defense Security Service Assets With Personally Identifiable Information, July 24, 2008 (Project No. D2007-D000LC-00042.000)

"Research released...by instant messaging experts, ProcessOne, revealed that 72% of UK businesses have banned the use of public instant messaging (IM) software, such as MSN, AIM and Yahoo!, because of security fears. These fears include the ability for employees to download the software without the IT department’s knowledge and potentially use it to send confidential information outside the business. This is despite the fact that 74% of those surveyed say that they think IM could provide valuable collaboration benefits to their organisation; indicating that at the moment, security fears are overriding the opportunity that UK businesses have to increase collaboration and business productivity."

News release: "Today, the Office of Management and Budget (OMB) released the Trusted Internet Connections (TIC) Initiative Statement of Capability Evaluation Report highlighting the Federal government’s rapid progress toward strengthening IT security. This was achieved by reducing external connections, including Internet points of presence from over 4,300 reported in January 2008, to a target of less than one hundred."

Draft SP 800-124, Guidelines on Cell Phone and PDA Security, July 2008.

"Cell phones and personal digital assistants (PDAs) have become indispensable tools for today's highly mobile workforce. Small and relatively inexpensive, these devices can be used for many functions, including sending and receiving email, storing documents, delivering presentations, and remotely accessing data. While these devices provide productivity benefits, they also pose new risks to an organization’s security.

This document provides an overview of cell phone and PDA devices in use today and offers insights into making informed information technology security decisions on their treatment. The document gives details about the threats and technology risks associated with these devices and the available safeguards to mitigate them. Organizations can use this information to enhance security and reduce incidents involving handheld devices."

Draft Guide to Bluetooth Security, July 9, 2008, SP 800-121.

Airport Insecurity: The Case of Lost Laptops - Key Findings Prepared by Larry Ponemon, sponsored by Dell, June 30, 2008

• FOIA Facts: My Proposals for the FOIA: Following up on the passage earlier this year of the OPEN Government Act of 2007, FOIA expert Scott A. Hodes make two proposals absent from the law, but which would help FOIA requesters. — Published June 29, 2008
• 60 Gadgets in 60 Minutes - Three techie gurus (Barbara Fullerton, Ed Vawter, and Dina Dreifuerst) take you on a whirlwind, freewheeling virtual trip of the latest, greatest, fun, fanciful, must have gadgets available now and in the near future. — Published June 24, 2008
• Competitive Intelligence - A Selective Resource Guide - Sabrina I. Pacifici's revised and updated pathfinder focuses on leveraging selected reliable, focused, free and low cost sites and sources to effectively profile and monitor companies, markets, countries, people, and issues. This guide is a "best of list" of web and database products, services and tools, as well links to reliable sources produced by governments, academia, NGOs, the media and various publishers. — Published June 1, 2008

Proofpoint’s Outbound Email and Data Loss Prevention in Today’s Enterprise, 2008 report - ["the survey was fielded in the US, UK, France, Germany and Australia to explore global concerns.]

"Email remains the most important medium for communications both inside and outside the enterprise. But the convenience and ubiquity of email as a business communications tool has exposed enterprises to a wide variety of legal, financial and regulatory risks associated with outbound email. Enterprises continue to express a high level of concern about creating, managing and enforcing outbound messaging policies (for email and other communication protocols) that ensure that messages leaving the organization comply with both internal rules, best practices for data protection and external regulations. In addition, organizations remain very concerned about ensuring that email (and other electronic message streams) cannot be used to disseminate confidential or proprietary information...The results show that data protection concerns are not confined to the US and that globally, email, webmail, FTP, blogs message boards, media sharing sites and social networking sites are a source of concern as well as real-world risk for IT professionals working in large enterprises."

Audit Initiated of the Web Applications Security in Air Traffic Control Systems, June 02, 2008. Project ID: 07F3018F000

"Summary: The Office of Inspector General is initiating an audit of web applications security in air traffic control (ATC) systems in response to a request made by the U.S. House of Representatives Committee on Transportation and Infrastructure. The objectives of this audit are to determine whether: (1) web applications used in supporting ATC operations are properly secured to prevent unauthorized access to ATC systems, and (2) FAA’s network intrusion–detection capability is effective in monitoring ATC cyber security incidents.

Secure web browsing with the OP web browser, Chris Grier, Shuo Tang, and Samuel T. King, Department of Computer Science, University of Illinois at Urbana-Champaign

Yahoo Search Blog: "Today, we're announcing the beta release of SearchScan, a new feature from Yahoo! Search that helps protect users from viruses, spyware and spam. We've heard from users that security and privacy continue to be major concerns when they are online. We've also learned that solutions that require downloads and constant updating are less than ideal. To tackle the problem, we partnered with McAfee to build a feature that provides a safer and hassle-free search experience to all users...How does it work? SearchScan leverages McAfee's SiteAdvisor technology to alert users if risky websites appear in Yahoo! Search results. Starting today, SearchScan will be turned on by default for all users in the U.S., Canada, UK, France, Italy, Germany, Australia, New Zealand, and Spain..."

Jeff Stein, CQ National Security Editor - excerpt: "Hundreds of employee laptops are unaccounted for at the U.S. Department of State, which conducts delicate, often secret, diplomatic relations with foreign countries, an internal audit has found.

As many as 400 of the unaccounted for laptops belong to the department’s Anti-Terrorism Assistance Program, according to officials familiar with the findings.

The program provides counterterrorism training and equipment, including laptops, to foreign police, intelligence and security forces.

Ironically, the Anti-Terrorism Assistance Program is administered by the State Department’s Bureau of Diplomatic Security (DS), which is responsible for the security of the department’s computer networks and sensitive equipment, including laptops, among other duties. It also protects foreign diplomats during visits here.

Freedom of the Cyber Seas - "How lessons from the U.S. government's response to pirates in the early 1800s can help the next president of the United States improve information security," Aaron Turner & Michael Assante, April 10, 2008.

"With stories surfacing on news channels regularly about lost or stolen data or the ability to recover data from discarded or resold computers and their hard drives, Computerworld decided to look at some cheap methods of removing that sensitive data from your hard drive permanently. And, what better place to look than YouTube?"

Inadequate Security Controls Over Routers and Switches Jeopardize Sensitive Taxpayer Information, March 26, 2008. Reference Number: 2008-20-071

DOE OIG Inspection Report: Office of Intelligence and Counterintelligence Internal Controls Over the Department of Energy's Sensitive Compartmented Information Access Program, March 2008 - "We concluded that Office of Intelligence and Counterintelligence did not have adequate internal controls over its Sensitive Compartmented Information (SCI) access program."

Lest We Remember: Cold Boot Attacks on Encryption Keys, J. Alex Haldermany, Seth D. Schoenz, Nadia Heningery, William Clarksony, William Paulx, Joseph A. Calandrinoy, Ariel J. Feldmany, Jacob Appelbaum, and Edward W. Felteny. Princeton University, Electronic Frontier Foundation, Wind River Systems. February 21, 2008.

• Introductory blog post


• Frequently asked questions


• Experiment guide


• Videos and images


• Abstract: "Contrary to popular assumption, DRAMs used in most modern computers retain their contents for seconds to minutes after power is lost, even at room temperature and even if removed from a motherboard. Although DRAMs become less reliable when they are not refreshed, they are not immediately erased, and their contents persist sufficiently for malicious (or forensic) acquisition of usable full-system memory images. We show that this phenomenon limits the ability of an operating system to protect cryptographic key material from an attacker with physical access. We use cold reboots to mount successful attacks on popular disk encryption systems using no special devices or materials. We experimentally characterize the extent and predictability of memory remanence and report that remanence times can be increased dramatically with simple techniques. We offer new algorithms for finding cryptographic keys in memory images and for correcting errors caused by bit decay. Though we discuss several strategies for partially mitigating these risks, we know of no simple remedy that would eliminate them."

CODENOMICON White Paper - Wireless Security: Past, Present and Future, by Sami Petäjäsoja, Tommi Mäkilä, Mikko Varpiola, Miikka Saukko and Ari Takanen, Version 1.0, February 1st, 2008

Educational Security Incidents (ESI) Year in Review - 2007: "By Adam Dodge - Posted on February 10, 2008: "The ESI Year in Review - 2007 examines all of the information security incidents occurring at colleges and universities around the world as reported in the news during 2007. 2007 marked a significant change for information security incidents reported in the news. Among the changes are an increase in both the number of incidents reported and the number of institutions reporting a breach as well as the addition to new categories such as incident type "Employee Fraud" and information type "Username and Password".

Press release: "In connection with the 5th Safer Internet Day1 on 12 February 2008, Eurostat, the Statistical Office of the European Communities, presents a selection of statistics concerning internet activities, security concerns and virus attacks. The Safer Internet Day is part of a global drive to promote a safer Internet for all users, in particular younger people, and is organised by Insafe, a European internet safety network co-funded by the European Commission...In the EU27 in 2007, nearly a quarter of internet users had had a computer virus in the preceding 12 months, which resulted in a loss of information or time. Virus attacks were most frequent in Lithuania (41% of users), Slovenia (35%) and Malta (34%) and least common in the Czech Republic (7%), Estonia (15%) and Sweden (16%)."

Department of Commerce OIG - Census Has Improved Accountability for Laptops and Other Personal Property, But Additional Improvements Are Needed -- Audit: Census-18387-1 [PDF] Report

"Cisco® today announced key findings from its annual global study on remote workers' security awareness and online behavior, indicating how they can inadvertently heighten risks for themselves and the companies they work for. The study's findings are prompting Cisco security executives to offer recommendations to information technology (IT) professionals on how to protect their companies against threats and maximize the business benefits of distributed and mobile workforces."

"Criminals are hard at work thinking up creative ways to get malware on your computer, warns the Federal Trade Commission. With appealing Web sites, desirable downloads, and compelling stories, these criminals try to lure consumers to links that will download malware, especially on computers that don’t use adequate security software. Then, they use the malware – malicious software – to steal personal information, send spam, and commit fraud. A new publication from the FTC has information that could help consumers protect their computers against malware and reclaim their computer and electronic information if malware is already on their computer. The publication, Minimizing the Effects of Malware, provides tips on spotting malware, and urges consumers to act immediately if they suspect their computer is affected by malware."

Press release: "Congresswoman Betty McCollum (MN-04), has sent a letter to the Government Accountability Office asking that it reopen its investigation of the privacy and national security risks posed by government agencies reselling used magnetic data tapes that may once have contained large amounts of sensitive personal and government information. Researchers working for Imation, an Oakdale, MN-based corporation that produces magnetic data tapes, were able to recover a wide range of sensitive information from used data tapes that were supposedly wiped clean before being re-sold. Using readily available equipment and information, Imation investigators found out where the tapes originated and recovered bank account numbers, expense reports, employee tax and benefit information, and other sensitive data."

Department of Commerce Breach Notification Response Plan, September 28, 2007 (21 pages, PDF)

SP 800-53 A - DRAFT Guide for Assessing the Security Controls in Federal Information Systems: "NIST announces the release of Draft Special Publication 800-53A, Guide for Assessing the Security Controls in Federal Information Systems. This final public draft provides comprehensive assessment procedures for all security controls in NIST Special Publication 800-53 (as amended) and important guidance for federal agencies in building effective security assessment plans. Comments will be accepted until January 31, 2008...Final publication of NIST Special Publication 800-53A is expected in March 2008."

Botnets, Cybercrime, and Cyberterrorism: Vulnerabilities and Policy Issues for Congress, Updated November 15, 2007. "Cybercrime is becoming more organized and established as a transnational business. High technology online skills are now available for rent to a variety of customers, possibly including nation states, or individuals and groups that could
secretly represent terrorist groups. The increased use of automated attack tools by cybercriminals has overwhelmed some current methodologies used for tracking Internet cyberattacks, and vulnerabilities of the U.S. critical infrastructure, which are acknowledged openly in publications, could possibly attract cyberattacks to extort money, or damage the U.S. economy to affect national security...This report discusses options now open to nation states, extremists, or terrorist groups for obtaining malicious technical services from cybercriminals to meet political or military objectives, and describes the possible effects of a coordinated cyberattack against the U.S. critical infrastructure."

"...the Identity Theft Resource Center (ITRC) has been tracking security breaches for the past three years, looking for patterns, new trends and any information that may help us better protect data and assist companies in their activities...In 2006, there were in excess of 315 publicized breaches affecting nearly 20 million individuals. Based on ITRC’s categorization, the breaches break down as follows: 29% government/military agencies; 28% from educational institutions; 22% from general businesses; 13% from health care facilities / companies; and 8% from banking / credit / financial services entities. In 2005, there were 158 incidents affecting more than 64.8 million people."

101 Best Web Freebies - BusinessWeek.com scoured the Internet for the most useful free products and services available online that you probably don't know about, by Douglas MacMillan. This 45 screen slideshow includes graphics and links to recommended products by category - tech tools, personal finance, career, entertainment, print media, research, health, online learning, PC security.

McAfee Avert Labs Top 10 Threat Predictions for 2008, Authors: McAfee Avert Labs, USA November 16, 2007.

Press release, November 15, 2007: "IT security and control firm Sophos has revealed new research into the use of other people's Wi-Fi networks to piggyback onto the internet without payment. The research, carried out by Sophos on behalf of The Times, shows that 54 percent of computer users have admitted breaking the law, by using someone else's wireless internet access without permission. According to Sophos, many internet-enabled homes fail to properly secure their wireless connection with passwords and encryption, allowing freeloading passers-by and neighbours to steal internet access rather than paying an Internet Service Provide (ISP) for their own. In addition, while businesses often have security measures in place to protect the Wi-Fi networks within their offices from attack, Sophos experts note that remote users working from home could prove to be a weak link in corporate defenses."

Optimizing Investments in Security Countermeasures: A Practical Tool for Fixed Budgets, by Jonathan Caulkins and Nancy R. Mead, September/October 2007 edition of IEEE Security and Privacy Magazine. "In the article, the team presents a tool and methodology they developed for software engineers and their clients to help them make security decisions when resources are limited."

CDT: "As it seeks models to address the mounting issues surrounding online behavioral targeting, the Federal Trade Commission (FTC) should begin by applying the principles it developed to guide its anti-spyware enforcement efforts, CDT said today. In comments submitted to the FTC in advance of its upcoming "town hall" meeting on behavioral advertising, CDT pointed out that the FTC's principles -- which center around the core concept that consumers should have ultimate control over their computers -- are directly applicable to behavioral advertising. In addition to filing its own comments, CDT also joined with other public interest advocates in offering a list of important questions the FTC must address over the course of the two-day meeting."

National Institute of Standards and Technology, Computer Security Division: "SP 800-44 version 2, Guidelines on Securing Public Web Servers, is published as final. It is intended to aid organizations in the installation, configuration, and maintenance of secure public Web servers. It presents recommendations for securing Web server operating systems, applications, and content; protecting Web servers through the supporting network infrastructure; and administering Web servers securely. SP 800-44 version 2 also provides guidance on using authentication and encryption technologies to protect information on Web servers."

"Two of the key findings from this year’s Global Security Survey revolve around an organization’s people and a paradox that has been around for years. The weakest link in an organization’s security is its people. An organization’s people include employees, customers, third parties and business partners. And of those people, the highest number of breaches are perpetrated via the customer. Even though information security incidents are grabbing the attention of business executives and boards, these individuals do not yet feel that they “own” the problem. In their estimation, the execution of solutions is the mandate of IT. This information security paradox has been alive and well for years; the 2007 security survey confirms just how widespread it is."

Press release: "The FTC today told the Senate Committee on Commerce, Science & Transportation Subcommittee on Interstate Commerce, Trade and Tourism that it has a robust record in protecting consumers and preserving competition in the marketplace...Speaking for the Commission, Chairman Deborah Platt Majoras said that much of the work of the FTC’s Bureau of Consumer Protection has been devoted to data security and identity theft, technology risks to consumers, fraud in the marketing of health care products, financial practices, telemarketing fraud, and enforcement of the National Do Not Call Rule."

August 31, 2007: Draft Special Publication 800-28 Revision 2 Guidelines on Active Content and Mobile Code (60 pages, PDF)

Analysis of Loss of Control Over Sensitive Personally Identifiable Information and Follow-up Actions to Strengthen its Protection, August 28, 2007. Correspondence (23 pages, PDF)

August 29, 2007: "NIST announces the publication of Special Publication (SP) 800-95, Guide to Secure Web Services (128 pages, PDF). SP 800-95 seeks to assist organizations in understanding the challenges in integrating information security practices into Service Oriented Architecture (SOA) design and development based on Web services. The publication also provides practical, real-world guidance on current and emerging standards applicable to Web services, as well as background information on the most common security threats to SOAs based on Web services. SP 800-95 presents information that is largely independent of particular hardware platforms, operating systems, and applications. Supplementary security devices (i.e., perimeter security appliances) are considered outside the scope of this publication. Interfaces between Web services components and supplementary controls are noted as such throughout this publication on a case-by-case basis."

Erickson, K., & Howard, P. (2007). A case of mistaken identity? News accounts of hacker, consumer, and organizational responsibility for compromised digital records. Journal of Computer-Mediated Communication, 12(4), article 5.

"Consumers can take many measures to make their laptop secure from hackers, viruses, and other potential threats, such as installing firewalls, updating antivirus software, and using strong passwords. Now, the Federal Trade Commission is offering tips for protecting laptops from theft."

"The risk associated with using the Internet remains high. Our State of the Net assesses the likelihood and impact of four leading online hazards, listed in order of incidence, based on the survey by the Consumer Reports National Research Center and our follow-up investigation."

Press release: "If Assistant Professor of Communication at the University of Washington Phil Howard's calculations prove true, by year's end the 2 billionth personal record -- some American's social-security or credit-card number, academic grades or medical history -- will become compromised, and it's corporate America, not rogue hackers, who are primarily to blame. By his reckoning, electronic records in the United States are bleeding at the rate of 6 million a month in 2007, up some 200,000 a month from last year."

Press release: "The FBI’s Internet Crime Complaint Center (IC3) today released its annual Internet Fraud Crime Report. From January 1 through December 31, 2006, the center received 207,492 complaint submissions. These filings were composed of fraudulent and non-fraudulent complaints primarily related to the Internet and included many different fraud types to include auction fraud, non-delivery, and credit/debit card fraud, as well as non-fraudulent complaints, such as computer intrusions, spam/unsolicited email..."

Press release: "...the Department of Commerce's United States Patent and Trademark Office (USPTO) released a report that concludes that the distributors of five popular filesharing programs repeatedly deployed features that they knew or should have known could cause users to share files inadvertently. The report, Filesharing Programs and "Technological Features to Induce Users to Share, identifies five features in recent versions of five popular filesharing programs that could cause users to inadvertently distribute to others downloaded files or their own proprietary or sensitive files. "Computer programs that can cause unintended filesharing contribute to copyright infringement, and they threaten the security of personal, corporate, and governmental data," noted Jon Dudas, under secretary of commerce for intellectual property-the Bush Administration's point person on copyright policy."

E-Commerce Times:

Follow up to February 19, 2007 posting, Google Publishes Study on Failure Rates of Hard Disk Drives, from the 5th USENIX Conference on File and Storage Technologies and Awarded Best Paper, Disk Failures in the Real World: What Does an MTTF of 1,000,000 Hours Mean to You?

A Comprehensive Emergency Management Program - A Model for State and Territorial Courts 2007 , February 2007 (187 pages, PDF).

Failure Trends in a Large Disk Drive Population, Eduardo Pinheiro, Wolf-Dietrich Weber, Luiz André Barroso, 5th USENIX Conference on File and Storage Technologies (FAST 2007), 2007

The Federal Bureau of Investigation’s Control Over Weapons and Laptop Computers Follow-Up Audit, Audit Report 07-18, February 2007

2007-P-00008 EPA Could Improve Controls Over Mainframe System Software [Report PDF - 35 pages] [At a Glance -PDF] January 29, 2007.

Convergence of Physical and Cyber Technologies and Related Security Management Challenges Working Group Final Report and Recommendations (PDF, 42 pages), January 19, 2007 and Transmittal Letter (PDF, 2 pages), January 19, 2007.

Federal Chief Information Officer Council Strategic Plan FY 2007-2009 (28 pages, PDF), January 17, 2007.

LexisNexis press release: "Most office workers use workplace technology for personal reasons; many may be ignoring employer policies, new research shows...Despite the fact that nearly one-half (45%) of office workers have been explicitly informed their at-work technology usage is monitored, a majority still use their employers’ technology resources for personal reasons, according to a new survey conducted by Harris Interactive®..."

Covers PDF creation, security, Bates numbering, redaction, eFiling and more. Sign Up Here.

Press release, January 4, 2007: "Cisco today announced a definitive agreement to acquire the privately held company, IronPort Systems, Inc. of San Bruno, Calif. IronPort is a leading provider of messaging security appliances, focusing on enterprise spam and spyware protection."
Related news:

Improved Administration Can Enhance U.S. Customs and Border Protection Laptop Computer Security (Redacted), OIG-07-16 (PDF, 37 pages), January 4, 2007.

2006: The Year in Security -Online attacks, spam, and sneaky cybercrime top list of year's most common security issues.

Federal Computer Week reported that the Department of Defense has banned the use of Outlook and receipt of HTML email due to threats posed by spyware and viruses.

Press release: "Consumer Reports' environmental website has
launched an online Electronics Reuse and Recycling Center. The Center features thoroughly researched, unbiased, expert advice to help de-clutter your home and solve the huge and growing problem of electronics waste. It also features the results of a March 2006 nationwide, online survey including information about why people replace their electronics and what they did with their old equipment."

From Bank System and Technology:

Press release: "The Commission today called on all regulatory authorities and stakeholders in Europe to step up the fight against spam, spyware and malicious software. Despite existing EU legislation to outlaw spam in Europe, Europe continues to suffer from illegal online activities from inside the EU and from third countries, the Commission underlines in a new Communication. The Communication stresses that although internet safety is on the political agenda for some time, national authorities should step up their actions to prosecute illegal online activities."

Status Report on OIG Data Security via the Data Security Portal: "Our November 21, 2006, status report notes several important developments, including the fact that as a result of our investigation in cooperation with the Federal Bureau of Investigation and the Miami-Dade County Police Department, two individuals have been arrested for their alleged roles in a small Miami-area laptop theft ring. While the OIG's laptops have not been recovered, there has been no credit fraud resulting from the laptop thefts and we believe that the risk of credit fraud in the future is very low. A firm hired to perform data breach analysis has failed to find any misuse of information on the laptops, and will continue to analyze the information..."

Information Security: Agencies Need to Develop and Implement Adequate Policies for Periodic Testing. Full text, GAO-07-65, and Highlights, October 20, 2006.

Press release: "Symantec Corp...announced the opening of the Symantec Phish Report Network to consumers worldwide. As one of the world's leading antifraud communities, the Symantec Phish Report Network, launched in May 2006, allows member companies to contribute and receive fraudulent Web site addresses that they can use in their antiphishing solutions to help protect users from online fraud. Consumer input further helps the Symantec Phish Report Network's fight against online fraud and will aid in preventing other computers users from becoming victims."

Press release: "A U.S. district court has shut down an operation that secretly downloaded multiple malevolent software programs, including spyware, onto millions of computers without consumers’ consent, degrading their computers' performance, spying on them, and exposing them to a barrage of disruptive advertisements. The Federal Trade Commission has asked the court to order a permanent halt to these deceptive and unfair downloads, and to order the outfit to give up its ill-gotten gains."
Federal Trade Commission, Plaintiff, v. ERG Ventures

Follow-up to previous postings on e-waste, see this New York Times article, Clearing a path from desktop to the recycler, by Paul Vitello. "The Environmental Protection Agency estimates that people threw away 2.5 million tons of electronic equipment, known as e-waste, last year, about 10 percent of which was recycled."

"The Symantec Internet Security Threat Report offers analysis and discussion of threat activity over a six-month period. It covers Internet attacks, vulnerabilities, malicious code, phishing, spam, security risks, and future trends. The tenth version of the report, released September 25, is now available."

Press release: "In a report released today, Reps. Davis and Waxman summarize information provided to the Committee by 19 federal departments and agencies regarding the loss or compromise of personal information since January 2003. The report finds that every agency has experienced at least one such breach and that the agencies do not always know what information has been lost or how many individuals could be affected."

Key Conclusions:

Press release, October 4, 2006: "As information security concerns among consumers and other customer constituencies rise, just 29 percent of marketers say that their firm has a crisis containment plan in case of a security breach, according to findings of a major research initiative by the Chief Marketing Officer (CMO) Council. Without such a plan and other security strategies in place, companies are at risk of losing hundreds of million of dollars in market value and loss of reputation and brand trust, according to the study's findings."

Launched today, the Take a Byte Out of Cybercrime website: "Led by the beloved McGruff character, the National Crime Prevention Council, the CMO Council and FAME have joined forces to bring together one of the largest and most influential coalitions of private and public companies whose primary goal is to teach millions of consumers how to identify, report and protect themselves against cyber crime." [download the tip sheets]

(U) Office of Inspector General Laptop Computers are Susceptible to Compromise (Unclassified and Redacted) OIG-06-58 (PDF, 48 pages), released October 2, 2006.

Department of Defense Office of the Inspector General -- Audit Summary of Information Assurance Weaknesses Found in Audit Reports Issued from August 1, 2005, through July 31, 2006 - Report No. D-2006-110 (PDF) - Date: September 14, 2006.

Press release: "The U.S. Department of Homeland Security (DHS) announced today the release of the Cyber Storm Public Exercise Report. The report details key findings from Cyber Storm which was the largest and most complex multi-national, government-led cyber exercise to examine response, coordination, and recovery mechanisms to a simulated cyber event within international, federal, state, and local governments and in conjunction with the private sector."

SEARCH, The National Consortium for Justice Information and Statistics - Collecting Evidence from a Running Computer: A Technical and Legal Primer for the Justice Community, August 2006.

Government Computer News: "China has downloaded 10 to 20 terabytes of data from the NIPRNet (DOD's Non-Classified IP Router Network)," said Maj. Gen. William Lord, director of information, services and integration in the Air Force's Office of Warfighting Integration and Chief Information Officer, during the recent Air Force IT Conference in Montgomery, Ala."

Repercussions continue from AOL release of user data -- from News.com: Three workers depart AOL after privacy uproar and commentary by Anita Ramastry, Privacy and Search Engine Data: A Recent AOL Research Project Has Perilous Consequences for Subscribers.

Press release, August 14, 2006: "Washington State Attorney General Rob McKenna... announced the filing of Washington's second lawsuit under the state's computer spyware act. The state's suit accuses four California-based corporations of installing software that takes control of a consumer's computer by launching aggressive and persistent pop-ups that demand payment for a movie download service."

Ponemon Institute Releases National Survey on Confidential Data at Risk

Inappropriate Use of Email by Employees and System Configuration Management Weaknesses Are Creating Security Risks, July 31, 2006, Reference Number: 2006-20-110 (20 pages, PDF). "We found e-mail messages that violated the IRS' personal use policy in the electronic mailboxes of 71 (74 percent) of 96 employees."

StopBadware.org Blog: "We're entering a new phase here at StopBadware.org. Google—which is one of our partners—will present people with a warning before they visit websites that have been reported to StopBadware.org as sites that distribute badware. These warnings currently link to a general page on StopBadware.org, but as we finish researching sites, we'll replace the general page with one of our individual website reports (see an example here). Hopefully this next step will bring us that much closer to fulfilling our mission of providing people with reliable, objective information about downloadable applications in order to help them make better choices."

Special Report | Computer forensics: The new DNA

Improved Administration Can Enhance Science and Technology Laptop Computer Security (Redacted), OIG-06-42 (PDF, 36 Pages), July 27, 2006.

"CDT launched PolicyBeta, a new blog dedicated to expanding the dialogue about technology policy, civil liberties and preserving democratic values in the digital age. PolicyBeta will feature regular posts on issues ranging from domestic surveillance to spyware, and will provide CDT experts an opportunity to discuss in detail the latest trends and developments affecting the technology policy debate. CDT is encouraging journalists, technologists, academics and interested individuals to visit the blog regularly and participate in the discussion."

The Subcommittee on Financial Institutions and Consumer Credit, chaired by Rep. Spencer Bachus (AL), held a hearing today entitled "ICANN and the Whois Database: Providing Access to Protect Consumers from Phishing." Government officials contend that access to Whois data is essential in the effort to combat cybercrimes, while privacy advocates maintain that access to data on domain name holders facilitates phishing, spam and other types of fraud.

AP: "Computer break-ins at the State Department that caused broad disruptions in recent weeks apparently originated in the East Asia-Pacific region, a department spokesman said Wednesday."

Press release: "CA today announced a new security survey of 642 large North American organizations which shows that more than 84% experienced a security incident over the past 12 months and that the number of breaches continues to rise. According to the findings, security breaches have increased 17% since 2003. As a result, 54% of organizations reported lost workforce productivity; 25% reported public embarrassment, loss of trust/confidence and damage to reputation; and 20% reported losses in revenue, customers or other tangible assets. Of the organizations which experienced a security breach, 38% suffered an internal breach of security."

Press release: "CDT's report charts the important cases against spyware distributors and identifies the statutes applied, June 26, 2006."

WSJ free feature: Laptop Lockdown - Companies Start Holding Employees Responsible for Security Of Portable Devices They Use for Work

M-06-16, Protection of Sensitive Agency Information, June 23, 2006 (10 pages, PDF)

The 2006 Technology, Media and Telecommunications Security Survey (16 pages, PDF), Deloitte Touche Tohmatsu: "Security has long been neglected in the Technology, Media & Telecommunications (TMT) industry and the problem continues today. The frequency and sophistication of the attacks are growing, yet many surveyed companies tend to treat security as a relatively minor issue. So where are TMT companies falling behind? More importantly, what can they do to address this increasingly significant problem?"

Yet another report today about the theft of a laptop from the home of a government employee, this time involving info on D.C. government personnel. The issue of why so many institutions have not implemented proper security measures, such as encryption on digital media removed from the office, remains baffling.

Researchers Find Technique to Quickly Erase Hard Drives: "Scientists at the Georgia Institute of Technology (Atlanta), working with L-3 Communications Corp. (New York), said they have developed a technique for quickly erasing hard-disk drives...The researchers concluded that permanent magnets are the best solution." [Slashdot]

Microsoft Security Response Center Blog

Hearing, Cyber Security Challenges at the Department of Energy, June 9, 2006. [note: links to member statements and witness testimony not yet available - after an open session, there was a closed session to discuss security issues related to a previously unreported data breach.]

"Active Security Monitor is a software program that helps you determine how vulnerable your PC is to computer viruses, spyware and other dangers and learn what steps you can take to improve your protection. And if you have more than one PC in your home network, you can use Active Security Monitor to check the security status of your entire home network.' [Link]

Outbound Email and Content Security in Today's Enterprise, 2006 (free reg. reg'd): "Enterprises are becoming increasingly concerned about creating, managing and enforcing outbound email policies that ensure that messages leaving the organization comply with both internal rules as well as external regulations."

Press release: "A new cyber security study released today highlights the difference between perception and reality of consumers' awareness of online scams and their actual online behavior. While 87 percent of consumers polled said they were confident they could recognize fraudulent e-mails, 61 percent failed to identify a legitimate e-mail. Most respondents categorized all e-mails in the study as fake, even though one of them was legitimate. The Online Fraud Report has been sponsored by the National Cyber Security Alliance (NCSA), a central clearinghouse for cyber security awareness and education for home users, small businesses and the education community, and Bank of America."

Press release: "Wireless Internet access can free you from the confines of cords, but not from the need for security. Without taking the proper precautions, it's easy for others to use your wireless network connection to access the Internet, or even to access the information on your own computer. The Federal Trade Commission is introducing a new section of OnGuard Online to teach computer users how to protect their personal wireless network connections – and the computers on them – from unauthorized use. The information also is available in Spanish."

The Safety of Internet Search Engines (Google, Yahoo, MSN, AOL, Ask), May 12, 2006, by Ben Edelman and Hannah Rosenbaum.

"The Committee on Energy and Commerce, to whom was referred the bill (H.R. 4127) to protect consumers by requiring reasonable security policies and procedures to protect computerized data containing personal information, and to provide for nationwide notice in the event of a security breach, having considered the same, report favorably thereon with an amendment and recommend that the bill as amended do pass." [House Report 109-453 - Part 1 - Data Accountability and Trust Act (DATA), Ordered to be printed May 6, 2006]

FTC press release: "A title company that promised consumers it maintained "physical, electronic and procedural safeguards" to protect their confidential financial information, but tossed consumer home loan applications in an open dumpster, agreed to settle Federal Trade Commission charges that its inadequate storage and disposal procedures for sensitive consumer information violated federal laws. The settlement with Nations Title Agency, Inc., Nations Holding Company, and Christopher M. Likens bars deceptive claims about privacy and security policies, and requires that they implement a comprehensive information security program and obtain audits by an independent third-party security professional every other year for 20 years."

Building and Implmenting a Successful Information Security Policy, by John J. Pak, May 8, 2006 (25 pages, PDF).

PCWorld: Never Call Tech Support Again! "Why suffer though hours on hold when you can solve the problem yourself? Whether your PC won't boot, keeps crashing, is infested with adware, or can't get to the Net, we'll help you fix it."

The Ins and Outs of Spyware [15 pages, PDF] April 24, 2006: "Lesley Herring discusses what spyware is, categories of spyware, types of spyware, symptoms of spyware, research sites to find out more information, prevention techniques, and removal tools in this contribution."

Following up on previous e-waste postings, Apple announced on April 21, 2006 a Free Computer Take-Back Program "...offering free computer take-back and recycling with the purchase of a new Macintosh® system beginning in June. US customers who buy a new Mac® through the Apple Store® or Apple's retail stores will receive free shipping and environmentally friendly disposal of their old computer as part of the Apple Recycling program. Equipment received by the program in the US is recycled domestically and no hazardous material is shipped overseas."

EPA Needs to Better Implement Plan for Protecting Critical Infrastructure and Key Resources Used to Respond to Terrorist Attacks and Disasters. Information on the initiatives in the full report is sensitive homeland security information and is not available to the [At a Glance - 1 page, PDF]

Those Pesky Passwords - Too many and too complicated to remember, passwords make users crazy and incur help desk expense. What should you do about it? by Larry Ponemon:

From Viviane Reding, Member of the European Commission responsible for Information Society and Media, "Safety on the Net" (7 pages, PDF), (09/02/06).

Symantec Internet Security Threat Report, Volume IX: March 2006 Highlights.

Outsmarting the Online Privacy Snoops - Internet privacy controversies drive interest in tools for anonymous Web surfing.

New York Times: Cyberthieves Silently Copy Your Passwords as You Type

New York Times: Too Many New Gadgets, Too Much Information at Risk: Loss, theft and viruses are major issues as corporate use of handheld devices and pocket PCs increases. Pre-emptive security options are available however, as this article describes.

Managing Cybersecurity Resources: A Cost-Benefit Analysis "details guidelines for using sound and measurable principles of cost-benefit analysis, as a compliment to gut instinct, to efficiently allocate and manage cybersecurity resources within your organization. Written by two globally acknowledged leaders in the increasingly critical area of cybersecurity (Lawrence A. Gordon and Martin P. Loeb), this comprehensive exploration presents:

Responding to Security Incidents on a Large Academic Network: by Jamie Riden 02/14/06 (9 pages, PDF). "This paper describes a series of security incidents on a large academic network, and the gradual evolution of measures to deal with emerging threats."

"The goal of National Computer Security Survey (NCSS) is to produce reliable national and industry-level estimates of the prevalence of computer security incidents (such as denial of service attacks, fraud, or theft of information) against businesses and the resulting losses incurred by businesses. The first national survey of thousands of businesses is being conducted in 2006. Sponsors: U.S. Department of Justice, Bureau of Justice Statistics and the U.S. Department of Homeland Security, National Cyber Security Division (NCSD)."

Related government documents:

Press release: "The Federal Deposit Insurance Corporation (FDIC) today released an on-line multimedia education tool that consumers can use to learn how to better protect their computers and themselves from identity thieves. The presentation also features actions consumers can take if their personal information has been compromised. Identity theft continues to be one of the fastest growing crimes in the United States, and has ranked as one of the top consumer concerns for the past several years. Identity theft is evolving in more complicated ways that make it harder for consumers to protect themselves, and easier for criminals to set up virtual storefronts on the Internet to sell confidential personal information."

Press release: "The National Association of State Chief Information Officers (NASCIO), which represents the chief information officers (CIOs) of the states, and the Metropolitan Information Exchange (MIX), an association of county and municipal CIOs, have released findings from a pair of surveys of state and local government cybersecurity preparedness."

New 2005 FBI Computer Crime Survey (19 pages, PDF). "The survey, developed and analyzed with the help of leading public and private authorities on cyber security, is based on responses from a cross-section of more than 2,000 public and private organizations in four states."

"After an extensive public comment period and review, the Anti-Spyware Coalition has released the Final Working Report of the Spyware Definitions. In addition, ASC has released a number of supporting documents, including a Vendor Dispute Resolution Process, a Glossary and a set of Safety Tips for Users."

"OnGuardOnline.gov provides practical tips from the federal government and the technology industry to help you be on guard against Internet fraud, secure your computer, and protect your personal information."

Malware - Future Trends, by Dancho Danchev,10/01/06 (26 pages, PDF).

From InformationWeek, this straight forward guide for PC users takes you through a five step process to identify and eliminate problems before they overtake you.

Report to Congress on the Benefits of the President's E-Government Initiatives, January 6, 2006. (183 pages, PDF)

According to a CNET News.com article by Declan McCullagh, pledges by many U.S. Senators not to use cookies on their e-gov sites have, in at least 23 instances, gone unfulfilled. This is in following with recent news about the use of tracking technology on other e-gov sites, including the White House and NSA.

Spy? Where?: Understanding Spyware, by Benny C. Rayner, 03/01/06 (14 pages, PDF): "Spyware is a pest no matter which way you think about it. Whether it’s causing you to have numerous pop-ups or it is consuming all of your system resources; spyware is a menace to be reckoned with."

Congress Ready to Tackle Tech Issues in 2006 - Spyware, data security, and telecom reform will be on the agenda next year.

How to Write Better Passwords, by Sarah D. Scalet

Press release: Phishing attacks aimed at identity theft now affect roughly one in four Americans (23%) each month, according to the second annual AOL/National Cyber Security Alliance (NCSA) Online Safety Study (11 pages, PDF). Additionally, more than two-thirds of consumers (70%) who received such scam e-mails thought they were from legitimate companies, putting them at high risk of losing sensitive personal information to identity thieves or criminals. The AOL/NCSA Online Safety Study is the largest study of its kind, sending technical experts into hundreds of typical homes to examine personal computers for known security risks and threats."

Following up on previous postings about phishing, the New York Times yesterday published an article, Gone Spear-Phishin' detailing the extent, impact and intent of cybercriminals who launch Trojans to steal the data of individuals and corporations, for both profit and personal reasons.

Windows OneCare Team Blog: "WOC is devoted to helping users' get their machines in a secure and healthy state."

The Twenty Most Critical Internet Security Vulnerabilities (Updated)~ The Experts Consensus, Version 6.0 November 22, 2005

FTC press release: "An operation that uses the lure of free lyric files, browser upgrades, and ring tones to download spyware and adware on consumers' computers has been ordered to halt its illegal downloads by a U.S. District Court at the request of the Federal Trade Commission. The court also halted the deceptive downloads of an affiliate who helped spread the malicious software by offering blogs free background music. The music code downloaded by the blogs was bundled with a program that flashed warnings to consumers who visited the blog sites about the security of their computer systems. Consumers who opted to upgrade by clicking, downloaded the spyware onto their computers."

Following up on previous postings related to security risks associated with discarding PC hard drives, the parallel environmental toll of the expanding amount of e-waste generated by constant hardware upgrades, via the The Basel Action Network (BAN):

Hale, Robert V., Wi-Fi Liability: Potential Legal Risks in Accessing and Operating Wireless Internet. Santa Clara Computer and High Technology Law Journal, Vol. 21, p. 543.

"Microsoft has teamed up with the National Cyber Security Alliance (NCSA) to help increase Internet security through a month-long awareness-raising campaign that provides information and sponsored events for consumers, small businesses, educators, and families. This year, the National Cyber Security Awareness Month campaign begins October 1, 2005...Events for this year's campaign include conferences and workshops in several cities across the U.S. For more information and a list of events, visit the NCSA Web site."

The Global State of Information Security 2005

Symantec Internet Security Threat Report, Volume VIII, September 2005 (requires free registration): "The Symantec Internet Security Threat Report is an analysis and discussion of Internet security activity over the past six months. It covers Internet attacks, vulnerabilities, malicious code, and future trends. This edition of the Threat Report, covering the first six months of 2005, marks a shift in the threat landscape. Attackers are moving away from large, multipurpose attacks on network perimeters and towards smaller, more focused attacks on client-side targets. The new threat landscape will likely be dominated by emerging threats such as bot networks, customizable modular malicious code, and targeted attacks on Web applications and Web browsers. Unlike traditional attack activity, many current threats are motivated by profit. They often attempt to perpetrate criminal acts, such as identity theft, extortion, and fraud."

"OnGuardOnline.gov provides practical tips from the federal government and the technology industry to help you be on guard against Internet fraud, secure your computer, and protect your personal information."

How to Combat Spyware in Corporate Environments - "A vendor contribution from Panda Soft on Spyware...Spyware downloaded to companies can steal confidential information, reduce the performance of the IT infrastructure, due to the resources used by non work-related activity and loss of employee productivity, who have to deal with changes to system settings and unwanted advertisements." (20 pages, PDF)

"The new National Vulnerability Database (NVD) from the National Institute of Standards and Technology (NIST) will make it easier for system administrators and other security professionals to learn about vulnerabilities and how to remediate them. The NVD is a comprehensive database that integrates all publicly available U.S. government resources on vulnerabilities and provides links to many industry resources. NVD is built upon a dictionary of standardized vulnerability names and descriptions called Common Vulnerabilities and Exposures." [NIST Alert]

From the New York Times, The Rise of the Digital Thugs chronicles the under-reported, yet growing, threat to corporations from "cyber extortionists" seeking bribes in return for withholding data and information obtained by breaching networks.

Related reference:

From the Univ. of Maryland Center for Public Policy and Private Enterprise, The CSI/FBI Computer Crime and Security Survey, by Lawrence A. Gordon, Martin P. Loeb, William Lucyshyn and Robert Richardson, 2005 (26 pages, PDF).

Security Guide for Small Business - "This guide helps explain why security is important to your business and outlines steps to better security."

Spyware - Guidance on Mitigating Risks From Spyware FIL-66-2005, July 22, 2005

From WSJ free content, Information Security - Where the Dangers Are: The threats to information security that keep the experts up at night -- and what businesses and consumers can do to protect themselves.

Information Security: Department of Homeland Security Needs to Fully Implement Its Security Program GAO-05-700, June 17, 2005. Highlights.

Alert Overview: "The United States Computer Emergency Readiness Team (US-CERT) has received reports of an email based technique for spreading trojan horse programs. A trojan horse is an attack method by which malicious or harmful code is contained inside apparently harmless files. Once opened, the malicious code can collect unauthorized information that can be exploited for various purposes, or permit computers to be used surreptitiously for other malicious activity. The emails are sent to specific individuals rather than the random distributions associated with a phishing attack or other trojan activity...These attacks appear to target US information for exfiltration. This alert seeks to raise awareness of this kind of attack, highlight the important need for government and critical infrastructure systems owners and operators to take appropriate measures to protect their data, and provide guidance on proper protective measures."

A press release on the new Pew Internet and American Life Project Report released this afternoon: "Spyware and the threat of unwanted programs being secretly loaded onto computers are becoming serious threats online. Nine out of ten internet users say they have adjusted their online behavior out of fear of falling victim to software intrusions. Unfortunately, many internet users' fears are grounded in experience - 43% of internet users, or about 59 million American adults, say they have had spyware or adware on their home computer. Although most do not know the source of their woes, 68% of home internet users, or about 93 million American adults, have experienced at least one computer problem in the past year that are consistent with problems caused by spyware or viruses."

From the FTC: The US SAFE WEB Act - Protecting Consumers from Spam, Spyware, and Fraud, released July 1, 2005

As a follow-up to my previous posting, NY AG Sues Net Marketer For Installing Spyware on Millions of PCs, see this press release dated June 14, 2005:

Consumer Reports WebWatch Investigations - Wireless Networks Offer Flexibility, Potential Snooping, offers a quick overview of security issue and makes recommendations on enabling safety solutions for home and on the road.

AP reported that an audit revealed Montana state agencies failed to scrub the hard drives of state computers containing personal data (including social security numbers, income tax reports and medical records) prior to donating, selling and otherwise transferring their ownership.

FTC press release today: FTC, Partners Launch Campaign Against Spam "Zombies": "The Federal Trade Commission and 35 government partners from more than 20 countries have targeted the technology trick used by illegal spammers to tap into consumers' home computers and use them to send millions of pieces of illegal spam. Spammers use hidden software that allows them to hijack consumers' home computers and route spam through them. By routing their emails through "zombie" computers, the spammers are able to hide the true origin of the spam from consumers and make it more difficult for law enforcement to find them. Consumers often do not discover that they, themselves, have been sending spam."

Antispyware legislation redux: HR 29 and HR 744 were passed yesterday with only one and four dissenting votes respectively.

Words to know: Spyware - Further develop your understanding of spyware by reviewing these terms and how they relate to each other.

Information Security: Federal Agencies Need to Improve Controls over Wireless Networks GAO-05-383, May 17, 2005. Highlights.

Press release: Microsoft to Deliver Automated, All-in-One PC Health Service for Consumers

This NewScientist.com article suggests that Teamwork will beat the spammers by using a social network to identify spam in a dynamic, collaborative effort.

Senate Commerce Committee on Spyware, May 11 2005

Two recent articles worth review that cite a number of recent surveys, along with accompanying statistics, detailing corporate security leaks. The more general article is from Internetnews.com and notes that Gartner Group research identifies 70% of security breaches as orginating from within organizations. This LabRat Magazine article provides additional references on data leaks as well as technical specifications related to securing documents.

Declan McCullagh interviewed Harvard net researcher extraordinare Ben Edelman about his ongoing work to identify and inform the public about spyware and adware.

Related reference:

Press release from May 3, 2005: "Webroot Software, the leading provider of anti-spyware software and other security technologies for consumers and enterprises, today released the anti-spyware industry's first comprehensive report on spyware, The State of Spyware Report (reg. req'd), an in-depth
review and analysis of the impact of spyware, adware and unwanted software on consumers and enterprises."

Press release: "More than 600 new Internet security vulnerabilities were discovered during the first quarter of 2005, according to the SANS Institute and a team of experts from industry and government. This group has identified the most critical vulnerabilities disclosed in Q1 that pose critical risks that need to be addressed through patching and other defensive actions. Individuals and organizations that do not correct these problems face a heightened threat that remote, unauthorized hackers will take control of their computers and use them for identity theft, for industrial espionage, or for distributing spam.."

802.11 Wireless Security Primer - Presentation by John MacMichael (84 pages, PDF)

Spyware Installation Methods, by Benjamin Edelman, updated April 11, 2005. "This page indexes installation methods used by spyware programs and other unwanted software."

From tom's networking (Jim Ray's links), this article reviews and documents a recent FBI demonstration of how quickly experts can hack a 128-bit WEP (wired equivalent privacy) key.

eWeek reports on a class action lawsuit against DirectRevenue claiming that the company "deceptively downloaded harmful and offensive software..." [PDF via Broadbandreports.com]

Keyloggers Foiled In Attempted $423 Million Bank Heist

"Here at the Microsoft Security Response Center, we investigate thousands of security reports every year. In some cases, we find that a report describes a bona fide security vulnerability resulting from a flaw in one of our products; when this happens, we develop a patch as quickly as possible to correct the error. In other cases, the reported problems simply result from a mistake someone made in using the product. But many fall in between. They discuss real security problems, but the problems don't result from product flaws. Over the years, we've developed a list of issues like these, that we call the 10 Immutable Laws of Security. Don't hold your breath waiting for a patch that will protect you from the issues we'll discuss below. It isn't possible for Microsoft—or any software vendor—to "fix" them, because they result from the way computers work. But don't abandon all hope yet—sound judgment is the key to protecting yourself against these issues, and if you keep them in mind, you can significantly improve the security of your systems." [Link]

On March 2, I referenced several sources advocating destroying hard drive platters as the only reliable means of permanently wiping the data. As a follow-up, take a look at this movie gallery of shredding demonstrations that includes CD's/floppy discs, computer circuit boards, and whole computers (requires Flash player). [blogdex]

Press release: "Symantec has been granted U.S. patent number 6,851,057 for a system that enables the detection of complex viruses, worms, and spyware. The technology, "data driven detection of viruses," is employed throughout Symantec's portfolio of industry-leading information security solutions at the desktop, server, and gateway for both consumers and enterprises."

On February 23, 2005 the UK Home Office launched ITsafe "to provide both home users and small businesses with proven, plain English advice to help protect computers, mobile phones and other devices from malicious attack."

Killing Phish.

"Leading IT companies including Cisco Systems, Microsoft, and Symantec are promoting a rating system that will standardize the measurement of the severity of software vulnerabilities." [Link]

VoIP Leaders Form Alliance for VoIP Security Research and Testing: "The industry's first Voice over Internet Protocol (VoIP) Security Alliance was launched today in conjunction with leading VoIP vendors, providers, security researchers, and thought leaders to discover and reduce VoIP security risks. A complete list of members can be accessed at www.voipsa.org."

Law Barring Junk E-Mail Allows a Flood Instead. Another article joins the chorus complaining about the failure of the CAN-SPAM Act to stem the tide of junk email, and highlights how industry, government and advocacy groups continue to do battle against the threats. From the perspective of the spammers however, it is a lucrative business, facilitated by using offshore servers as well as "network zombies."

New Research Shows That Identity Theft Is More Prevalent Offline with Paper than Online:

Press release: "A poll (686 respondents) conducted by WatchGuard Technologies, Inc...reveals that two-thirds of IT managers and administrators believe spyware will be the number one threat to network security over the next twelve months. Spyware is a growing category of malicious software that installs on a computer without the user's knowledge and it can secretly gather information about a person or organization...Sixty-six percent of those questioned said that spyware will pose a greater threat to their networks than viruses or phishing attacks in 2005."

Securing Your Starbucks Experience, by Wayne Rash. See also this related article by Wayne,
Five Tips For Boosting Wireless Security.

Newly published research from Ben Edelman: see Investors Supporting Spyware. He lists US companies who produce spyware, their investors and how much venture funding was provided to each project (along with links to relevant SEC filings).

A Primer on Fighting Spyware, by Walter S. Mossberg (from the WSJ, reprinted by Webroot Software, whose product, Spy Sweeper, is recommended in this article.) I run SpyBot Search and Destroy daily on my home PC, and tested Spy Sweeper which indicated that my risk was "low." Remain diligent about using one, or more, of the recommended applications, as often as you can.

In this comparison of MS AntiSpyware vs Ad-Aware vs SpyBot, Microsoft's beta application receives high marks for form, features and function.

Press release: Technology experts and scholars foresee a bigger role for the internet in people's personal and work lives in the next decade:

"Ecycling" Government Computers Under Recycling Electronics and Asset Disposition Services: "For the first time, EPA is awarding contracts to help the entire federal government recycle or properly dispose of computers and other electronic equipment. The new program will prevent hazardous substances inside these items from entering landfills. For example, each computer monitor contains six pounds of lead. All of this equipment contains components that can be reused in the current marketplace or recycled."

Terminating Spyware With Extreme Prejudice chronicles efforts to be rid of spyware and adware programs using the extreme method of reformatting a PC hard drive, after all other avenues had failed.

"CleanSoftware.org is a resource to help Windows users find the best free daily-use software, free from nasties: adware, spyware, harmful/intrusive components, and threats to privacy." (via Slashdot) Versions of the software included are accompanied by red, yellow and green dots indicating the level of reliability.

From the RedSiren press release: "A new survey of computer security professionals reveals that while many of them believe that the time they need to comply with increased government regulations has cut into their ability to secure their computer networks, they also admit that those networks are safer as a result."

From EPIC, Top Ten Consumer Privacy Resolutions.

This straight forward guide from PC World describes why you need to use a firewall, how they work, and hardware and software options.

A trio of PowerPoint presentations providing resources on the following timely issues:

"Some anti-spyware companies use confusing ads, and our tests show their $20-$60 products are less effective than free competitors." [Link]

From Ars Technica this two part article on spyware -

From the press release: "The AOL/ NCSA Online Safety Study (9 pages, PDF) – conducted by technical experts in the homes of 329 typical dial-up and broadband computer users – found that most computer users think they are safe but lack basic protections against viruses, spyware, hackers, and other online threats. In addition, large majorities of home computer users have been infected with viruses and spyware and remain highly vulnerable to future infections. Yet at the same time, most keep sensitive personal and financial information on their computers."

From email security provider CipherTrust, this report details research on the origin, method of dissemination, and targets of phishing attacks.

"GetNetWise is a public service brought to you by a wide range of Internet industry corporations and public interest organizations. The GetNetWise coalition wants Internet users to be only "one click away" from the resources they need to make informed decisions about their and their family's use of the Internet."

Update to 10/08/04 posting, FTC Files Case Against Two Companies Who Market Spyware, that included a link to the complaint, see the 10/12/04 FTC press release, FTC Cracks down On Spyware Operation, for additional comments.

The SPY Act, H.R. 2929, To protect users of the Internet from unknowing transmission of their personally identifiable information through spyware programs, and for other purposes, was approved today by the House. See the accompanying House Report 108-619.

The State of Information Security, 2004, A Worldwide Study Conducted by CIO Magazine and PricewaterhouseCoopers (Executive Summary).

From Reuters, news that two bills have been ordered reported by the House Judiciary Committee:

From InformationWeek, Special Report: Readers Take The Offensive Against Spyware. Includes the following articles:

Recovering from a Trojan Horse or Virus, August 12, 2004.

Spyware Warrior - Waging the war against spyware

Security at your fingertips

PestControl, a PC security company, today launched the Center for Pest Research, offering consumers a range of resources to assist in the effort to combat spyware. The site offers updated spyware analysis, whitepapers, how-to guides to identify, locate and eliminate "pests," and an searchable Alphabetical Index to 21,109 Pest Descriptions."

This AP article provides practical advise on how to formulate and secure the passwords which are increasingly necessary to access network applications and websites, whether at work, for consumer transactions or general enlightenment.

From Websense's fifth annual Web@Work survey, April 26: "92 Percent of Organizations with at Least 100 Employees Have Been Contaminated With Spyware, Yet Only Six Percent of Employees Believe They Have Been Infected."

"The Center for Information Policy (CIP), University of Maryland, is a multidisciplinary research center that analyzes and provides solutions to current policy issues relating to the convergence of information and technology...Privacy, intellectual property and information security are just a few of the areas where CIP offers independent, unbiased quality analysis, advice and proposals for action."

From yesterday's FTC Spyware Workshop, the Consumer Software Working Group Examples of Unfair, Deceptive or Devious Practices Involving Software, "endorsed by a broad coalition of software companies, Internet service providers, anti-spyware technology vendors, and consumer groups convened by the Center for Democracy and Technology (CDT)."

The BBC reports that the results of recent surveys of London commuters, requesting their PC login passwords in exchange for chocolate, were that a majority of respondents provided them without hesitation. Must be really good chocolate! In addition, the survey established that pet names are all too often passwords of choice, and are also willingly shared. Scroll to the end of the article and review the reader comments as well.

"SecurityDocs.com is a directory of information security articles, white papers, and other documents that information security professionals find useful." The site currently links to 1710 information papers in 88 categories that include Laws and Regulations, Wireless Security, Intrusion Detection, and Computer Security 101. [Hot Links]

From the press release: "The Corporate Governance Task Force of the National Cyber Security Partnership (NCSP) today released a management framework and call to action to industry, non-profits and educational institutions, challenging them to integrate effective information security governance (ISG) programs into their corporate governance processes."

A useful checklist of safety recommendations from the FTC, Better Business Bureau and the National Cyber Security Alliance focuses on issues that include password and virus protection, using firewalls and updating security patches, the risks of file sharing, the utility of encryption, and employee education.

From the Washington Post, Online Financial Crime Headed From Bad to Worse. Worms, viruses and browser flaws will all continue to pose security risks for enterprise wide networks and home users alike in 2004.

Rep. Adam Putnam, (R-Fla.) in conjunction with the House Government Reform Committee's Subcommittee on Technology, Information Policy, Intergovernmental Relations and the Census, issued a comparison chart, using an A through F grading scheme, to evaluate government agency information security in 2002 and 2003. It should be noted that the governmentwide average rose from an F to a D this past year. Feel more secure now! See this Federal Computer Week article for more details as well as to review a copy of the chart.

From the Center on Democracy and Technology (CDT), a new report, Ghosts in Our Machines: Background and Policy Proposals on the "Spyware" Problem" offers a straight-forward review of how spyware programs operate, how to locate and disable them, and federal laws that in some measure address this technology, albeit with less than satisfactory results for consumers. In conjunction with this report, the CDT has launched a Campaign Against "Spyware" in an effort to gather information from consumers which will then become part of a complaint to be filed with the FTC.

New worm variant targets identity data:

The House Energy and Commerce Committee Telecommunications and the Internet Subcommittee held a hearing on November 6 entitled, Computer Viruses: The Disease, the Detection, and the Prescription for Protection:

"Microsoft Corp. today announced the creation of the Anti-Virus Reward Program, initially funded with $5 million (U.S.), to help law enforcement agencies identify and bring to justice those who illegally release damaging worms, viruses and other types of malicious code on the Internet. Microsoft will provide the monetary rewards for information resulting in the arrest and conviction of those responsible for launching malicious viruses and worms on the Internet. Residents of any country are eligible for the reward, according to the laws of that country, because Internet viruses affect the Internet community worldwide." [Link]

Microsoft's new Windows Server 2003 allows users to implement digital rights management applications for Word, Excel and PowerPoint documents as well as Outlook emails. [Link] See my previous posting on this new version here.

The Great American Privacy Makeover:

According to PCWorld.com, Microsoft may institute automatic security updates via a default option.

See H.R. 3159 [Report No. 108-305], To require Federal agencies to develop and implement plans to protect the security and privacy of government computer systems from the risks posed by peer-to-peer file sharing.

The Electronic Frontier Foundation's new report, Trusted Computing: Promise and Risk:

From PCWorld.com, this article has some useful information about malicious applications that can bypass your firewall and clutter your computer screen with unwanted ads and plug-ins. Suggested solutions include the use of programs, available in free and fee versions, that identify and delete stealthware (including Spybot Search & Destroy and Ad-aware 6).

Sleuths Try to Stay Step Ahead of Online Worms. Computer security and antivirus companies around the world are working to stay one step ahead of viruses that are increasingly impacting corporations, government agencies and home users. These "virus sleuths" are also assisting the FBI to track down and minimize the damage from malicious worms such as the recent SoBig.F.

Princeton University computer science professor, author, security expert, and of course, blogger (his blog is called Freedom to Tinker, Ed Felten warns in this interview of "A collision is happening between creativity and protecting intellectual property."

Resources and news of note on Super DMCA legislation ("to combat broadband and communications piracy") that is proliferating at the state level, driven in large measure by relentless lobbying on the part of the Motion Picture Assocation of America (MPAA), and which, for the most part, is based on the organization's proposed model legislation. The Broadband & Internet Security Task Force, an industry sponsored organization, is also a key player in the effort to enact such legislation.

From the American Library Association (ALA), see this 'Super' DMCA State Legislation Table. Via Tech Law Advisor, this commentary on pending Florida legislation (H79 and S1078) contends the legislation "would take away your right to potentially own or operate a TiVo, network firewall, or WiFi device. Not to mention your right to privacy..."

From the Chronicle for Higher Education, a Michigan grad student moved his research on information hiding techniques (steganography) to a server in the Netherlands for fear of prosecution under Michigan's Public Act 672, which prohibits conduct with regard to telecommunications access devices.

And from Information Week, this article about software developer Tom Liston's network security application to fight worms, called LaBrea. Mr. Liston has been directly impacted by Super DMCA legislation enacted on January 1, 2003 in Illinois, such that he felt compelled to remove his software from public access via the Hackbuster site, on April 16.

Key logging software has been around for quite awhile. Companies use it to 'virtually' stand over the shoulders of employees and read every letter typed on their keyboards. But this software is also used by hackers to commit identity theft, as was the case with nefarious installations on the computer systems of major universities throughout the country, as reported this past June.

Anti-key logging programs are available to detect monitoring (SpyCop and Anti-keyloggers are two examples). However, TechTV reports that a "black code" written into the key logging programs causes PCs to crash when the defensive software is detected.

As promised, the FTC has introduced a new web site and mascot in an effort to promote safe use of the Internet by parents as well as children. Hence, I suppose, the use of Dewie, the biped turle mascot, holding a laptop computer.

This Wired article details the data security issues inherent in the sale or donation of used PCs, even those whose hard drives have been removed. Personal or corporate data can be pirated even "from the RAM chips and CPU core."

The FTC announced today that they will unveil a new mascot called Dewie on September 26, at the Privacy2002 conference. Can't wait!

From the White House, this 65 page PDF draft report is divided into 5 content areas: Home User and Small Business; Large Enterprises; Critical Sectors (federal government, state and local government, higher education and private sector); National Priorities; and Global.

Public comments on the Draft Strategy to Secure Cyberspace will be accepted until November 12, 2002, via feedback@who.eop.gov.

Two brief but useful related resources on PC security are: Cybersecurity and You: Five Tips Every Consumer Should Know, and A Cybersecurity Primer: Links and Resources for Computer Users.

See also, Bush's computer 'culture of security' relies on users, September 19, 2002.