<?xml version="1.0" encoding="UTF-8"?>
<?xml-stylesheet type="text/xsl" media="screen" href="/~d/styles/atom10full.xsl"?><?xml-stylesheet type="text/css" media="screen" href="http://feeds.feedburner.com/~d/styles/itemcontent.css"?><feed xmlns="http://www.w3.org/2005/Atom" xmlns:openSearch="http://a9.com/-/spec/opensearch/1.1/" xmlns:georss="http://www.georss.org/georss" xmlns:gd="http://schemas.google.com/g/2005" xmlns:thr="http://purl.org/syndication/thread/1.0" xmlns:feedburner="http://rssnamespace.org/feedburner/ext/1.0" gd:etag="W/&quot;CUIER3g6fSp7ImA9WhRRFEk.&quot;"><id>tag:blogger.com,1999:blog-5167282921913372205</id><updated>2011-11-28T01:25:06.615Z</updated><category term="Twitter" /><category term="BSI" /><category term="UK Government" /><category term="BCS" /><category term="Surveillance" /><category term="Password Security" /><category term="Filtering" /><category term="end-point security" /><category term="White Papers" /><category term="Streetview" /><category term="Encryption" /><category term="Database Security" /><category term="Internal Threats" /><category term="Web 2.0" /><category term="Google" /><category term="USB" /><category term="Government" /><category term="DPP Resources" /><category term="Data Retention" /><category term="Internet Privacy" /><category term="RIPA" /><category term="Malware" /><category term="Data Leak" /><category term="Conficker" /><category term="Enterprise Security" /><category term="Data Loss" /><category term="ISO27001" /><category term="Privacy" /><category term="Data Protection Act" /><category term="NHS" /><category term="Verizon" /><category term="BS10012" /><category term="Memory Stick" /><category term="Facebook" /><category term="ICO" /><category term="Social Networking" /><title>Data Protection &amp; Privacy Watch</title><subtitle type="html" /><link rel="http://schemas.google.com/g/2005#feed" type="application/atom+xml" href="http://www.dppwatch.com/feeds/posts/default" /><link rel="alternate" type="text/html" href="http://www.dppwatch.com/" 
/><link rel="next" type="application/atom+xml" href="http://www.blogger.com/feeds/5167282921913372205/posts/default?start-index=26&amp;max-results=25&amp;redirect=false&amp;v=2" /><author><name>Mike Hall</name><uri>http://www.blogger.com/profile/08379634856449363073</uri><email>noreply@blogger.com</email><gd:image rel="http://schemas.google.com/g/2005#thumbnail" width="28" height="32" src="http://1.bp.blogspot.com/_VSR2fPJ1VSw/SnCsFK_W52I/AAAAAAABRjw/nBuq-85G6gY/S220/Mike2.jpg" /></author><generator version="7.00" uri="http://www.blogger.com">Blogger</generator><openSearch:totalResults>41</openSearch:totalResults><openSearch:startIndex>1</openSearch:startIndex><openSearch:itemsPerPage>25</openSearch:itemsPerPage><atom10:link xmlns:atom10="http://www.w3.org/2005/Atom" rel="self" type="application/atom+xml" href="http://feeds.feedburner.com/DPPWatch" /><feedburner:info uri="dppwatch" /><atom10:link xmlns:atom10="http://www.w3.org/2005/Atom" rel="hub" href="http://pubsubhubbub.appspot.com/" /><link rel="license" type="text/html" href="http://creativecommons.org/licenses/by-nc-nd/3.0/" /><logo>http://creativecommons.org/images/public/somerights20.gif</logo><feedburner:emailServiceId>DPPWatch</feedburner:emailServiceId><feedburner:feedburnerHostname>http://feedburner.google.com</feedburner:feedburnerHostname><entry gd:etag="W/&quot;DEYFR3c9fSp7ImA9WxJbFE8.&quot;"><id>tag:blogger.com,1999:blog-5167282921913372205.post-6474109108240088393</id><published>2009-07-24T09:59:00.001+01:00</published><updated>2009-07-24T10:01:56.965+01:00</updated><app:edited xmlns:app="http://www.w3.org/2007/app">2009-07-24T10:01:56.965+01:00</app:edited><category scheme="http://www.blogger.com/atom/ns#" term="Facebook" /><title>Facebook Privacy Criticised</title><content type="html">Social networking site Facebook does not do enough to protect personal information, according to the Canadian Privacy Commissioner.&lt;br /&gt;&lt;br /&gt;The office of Jennifer Stoddart investigated the website's 
use of personal information and found that Facebook is not clear enough about how users can control their information or restrictive enough in limiting other companies' access to it.&lt;br /&gt;&lt;br /&gt;In a detailed report, the investigation found that users were told on Facebook how to deactivate accounts, but not how to delete them and remove personal information from the Facebook servers. The commissioner's office said that the company needed to be more transparent.&lt;br /&gt;&lt;br /&gt;Its complaint comprised 24 allegations ranging over 12 distinct subjects. These included: default privacy settings, collection and use of users' personal information for advertising purposes, disclosure of users' personal information to third-party application developers, and collection and use of non-users' personal information.&lt;br /&gt;&lt;br /&gt;It found that on four subjects, including deception and misrepresentation and Facebook Mobile, there was no evidence of any contravention of the Canadian Privacy Law and concluded that the allegations were not well founded.&lt;br /&gt;&lt;br /&gt;On another four subjects including default privacy settings and advertising, the assistant commissioner found Facebook to be in contravention of the Canadian Privacy Law, but concluded that the allegations were well founded and resolved on the basis of corrective measures proposed by Facebook in response to her recommendation.&lt;br /&gt;&lt;br /&gt;With regard to the entry and retention of a user's date of birth, the commissioner found Facebook to be in contravention of two principles relating to identified purposes that 'should be specified at or before the time of collection to the individual from whom the personal information is collected'.&lt;br /&gt;&lt;br /&gt;She also stated that 'the purposes must be stated in such a manner that the individual can reasonably understand how the information will be used or disclosed'.&lt;br /&gt;&lt;br /&gt;Facebook has since responded 
by agreeing to amend the language of the pop-up in question as follows: “Facebook requires all users to provide their real date of birth to encourage authenticity and provide only age-appropriate access to content. You will be able to hide this information if you wish, and its use is governed by the Facebook Privacy Policy.”&lt;br /&gt;&lt;br /&gt;With regard to the controversial privacy settings, the commissioner found that Facebook did not do as much as it should to inform users about privacy settings at registration, as there is no direct link to the privacy settings and no upfront message about these settings.&lt;br /&gt;&lt;br /&gt;It also found that Facebook's notification efforts relating to privacy settings fail to meet a reasonable standard in the circumstances, and that Facebook needed to do more to ensure that new users can make informed decisions about controlling access to their personal information when registering.&lt;br /&gt;&lt;br /&gt;The report claimed: “Facebook has given its users tools to control their personal information; it needs to ensure that users better understand these tools.”&lt;br /&gt;&lt;br /&gt;In a summary of the investigation, the commissioner found no evidence that Facebook is wilfully misleading or deceiving users about the purposes for which it collects information or is obtaining consent through deception. It also claimed that an allegation of misrepresentation is not well founded.&lt;br /&gt;&lt;br /&gt;However, in its conclusion, it claimed that, once implemented, Facebook's proposed corrective measure of its privacy policy will meet its recommendation and bring the organisation into compliance with the Canadian Privacy Law. It will follow up with Facebook on the status of its implementation of this measure within 30 days.
&lt;div class="feedflare"&gt;
&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/DPPWatch/~4/YadGKsDn3N4" height="1" width="1"/&gt;</content><link rel="replies" type="application/atom+xml" href="http://www.dppwatch.com/feeds/6474109108240088393/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="http://www.dppwatch.com/2009/07/facebook-privacy-criticised.html#comment-form" title="0 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/5167282921913372205/posts/default/6474109108240088393?v=2" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/5167282921913372205/posts/default/6474109108240088393?v=2" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/DPPWatch/~3/YadGKsDn3N4/facebook-privacy-criticised.html" title="Facebook Privacy Criticised" /><author><name>Mike Hall</name><uri>http://www.blogger.com/profile/08379634856449363073</uri><email>noreply@blogger.com</email><gd:image rel="http://schemas.google.com/g/2005#thumbnail" width="28" height="32" src="http://1.bp.blogspot.com/_VSR2fPJ1VSw/SnCsFK_W52I/AAAAAAABRjw/nBuq-85G6gY/S220/Mike2.jpg" /></author><thr:total>0</thr:total><feedburner:origLink>http://www.dppwatch.com/2009/07/facebook-privacy-criticised.html</feedburner:origLink></entry><entry gd:etag="W/&quot;D04CSXc7eyp7ImA9WxJbFE8.&quot;"><id>tag:blogger.com,1999:blog-5167282921913372205.post-6882134564327235435</id><published>2009-07-24T09:57:00.001+01:00</published><updated>2009-07-24T09:59:28.903+01:00</updated><app:edited xmlns:app="http://www.w3.org/2007/app">2009-07-24T09:59:28.903+01:00</app:edited><category scheme="http://www.blogger.com/atom/ns#" term="Data Leak" /><title>HSBC Fined £3.2m</title><content type="html">The fining of high street bank HSBC for losing customer data has been praised as a positive step.&lt;br /&gt;&lt;br /&gt;HSBC was fined £3.2 million for a series of losses of customer data by the Financial Services Authority (FSA) after 
its Life division lost an unencrypted CD containing the details of 180,000 policyholders. The disk was sent by regular, unrecorded post and contained names, ages, sex, dates of birth and policy numbers.&lt;br /&gt;&lt;br /&gt;Nick Lowe, regional director for Northern Europe at Check Point, claimed that the fine was a positive step towards ensuring confidential data is kept protected, whether stored or in transit.&lt;br /&gt;&lt;br /&gt;Lowe said: “The biggest data loss of 180,000 customer details, occurred just three months after the massive HMRC breach and in identical circumstances. Hopefully the FSA's ruling and fine will encourage all companies to take more care with the data they hold.&lt;br /&gt;&lt;br /&gt;“But it will take a long time before these safeguards are used by a majority of firms. In Spring 2009 our security survey found that over 50 per cent of public and private sector firms still do not have encryption in place to secure their data, so there is still much education to be done.”&lt;br /&gt;&lt;br /&gt;Bernard Parsons, CEO of Becrypt, claimed that there is a need to understand the ways that such breaches can occur, how this could happen and also what can be done to circumvent this issue.&lt;br /&gt;&lt;br /&gt;Parsons said: “This yet again highlights the need for organisations of all types to take stock of how they protect and handle data, particularly on removable forms of media, such as hard drives, memory sticks and so on. 
It also highlights the dangers of sending unprotected data via removable media; a solution available today can quickly encrypt data and burn it onto a CD or other removable media, therefore protecting the information whilst it is in transit.&lt;br /&gt;&lt;br /&gt;“It's a classic people/processes/technology conundrum: human behaviour is unpredictable – mistakes happen or intentional malicious intent can circumvent best practice guidelines; this is where a solid information assurance policy can help protect an organisation's integrity, reputation and the data it holds.”
&lt;div class="feedflare"&gt;
&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/DPPWatch/~4/-H2LzzTJUCM" height="1" width="1"/&gt;</content><link rel="replies" type="application/atom+xml" href="http://www.dppwatch.com/feeds/6882134564327235435/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="http://www.dppwatch.com/2009/07/hsbc-fined-32m.html#comment-form" title="0 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/5167282921913372205/posts/default/6882134564327235435?v=2" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/5167282921913372205/posts/default/6882134564327235435?v=2" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/DPPWatch/~3/-H2LzzTJUCM/hsbc-fined-32m.html" title="HSBC Fined £3.2m" /><author><name>Mike Hall</name><uri>http://www.blogger.com/profile/08379634856449363073</uri><email>noreply@blogger.com</email><gd:image rel="http://schemas.google.com/g/2005#thumbnail" width="28" height="32" src="http://1.bp.blogspot.com/_VSR2fPJ1VSw/SnCsFK_W52I/AAAAAAABRjw/nBuq-85G6gY/S220/Mike2.jpg" /></author><thr:total>0</thr:total><feedburner:origLink>http://www.dppwatch.com/2009/07/hsbc-fined-32m.html</feedburner:origLink></entry><entry gd:etag="W/&quot;DUUMQnYyeSp7ImA9WxJUFUU.&quot;"><id>tag:blogger.com,1999:blog-5167282921913372205.post-3440373924845934294</id><published>2009-07-14T16:58:00.001+01:00</published><updated>2009-07-14T17:01:23.891+01:00</updated><app:edited xmlns:app="http://www.w3.org/2007/app">2009-07-14T17:01:23.891+01:00</app:edited><category scheme="http://www.blogger.com/atom/ns#" term="Social Networking" /><category scheme="http://www.blogger.com/atom/ns#" term="Privacy" /><title>Social Networks Expose Lax Privacy Attitudes</title><content type="html">Are online social networking utilities, such as blogs, Facebook, Twitter, LinkedIn, and other popular services changing privacy rules for companies, as this article in &lt;a 
href="http://news.idg.no/cw/art.cfm?id=D14C9B49-1A64-6A71-CEBB8DE087527FB6"&gt;Computerworld&lt;/a&gt; suggests, or are the social networking activities of employees simply exposing the poor privacy and security habits of companies?&lt;br /&gt;&lt;br /&gt;The Ponemon Institute asked respondents about their social networking habits in a recent study and learned that, while 31% of employees said they access social networking sites while in the workplace, and 34% of those individuals said they have shared information about their place of employment on social networking sites, only 10% said their employer had a written social networking policy.
&lt;div class="feedflare"&gt;
&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/DPPWatch/~4/FTFoJALje3c" height="1" width="1"/&gt;</content><link rel="replies" type="application/atom+xml" href="http://www.dppwatch.com/feeds/3440373924845934294/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="http://www.dppwatch.com/2009/07/social-networks-expose-lax-privacy.html#comment-form" title="0 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/5167282921913372205/posts/default/3440373924845934294?v=2" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/5167282921913372205/posts/default/3440373924845934294?v=2" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/DPPWatch/~3/FTFoJALje3c/social-networks-expose-lax-privacy.html" title="Social Networks Expose Lax Privacy Attitudes" /><author><name>Mike Hall</name><uri>http://www.blogger.com/profile/08379634856449363073</uri><email>noreply@blogger.com</email><gd:image rel="http://schemas.google.com/g/2005#thumbnail" width="28" height="32" src="http://1.bp.blogspot.com/_VSR2fPJ1VSw/SnCsFK_W52I/AAAAAAABRjw/nBuq-85G6gY/S220/Mike2.jpg" /></author><thr:total>0</thr:total><feedburner:origLink>http://www.dppwatch.com/2009/07/social-networks-expose-lax-privacy.html</feedburner:origLink></entry><entry gd:etag="W/&quot;D0UCRXw9eSp7ImA9WxJUFUo.&quot;"><id>tag:blogger.com,1999:blog-5167282921913372205.post-612045628281559328</id><published>2009-07-14T13:39:00.001+01:00</published><updated>2009-07-14T13:41:04.261+01:00</updated><app:edited xmlns:app="http://www.w3.org/2007/app">2009-07-14T13:41:04.261+01:00</app:edited><category scheme="http://www.blogger.com/atom/ns#" term="NHS" /><category scheme="http://www.blogger.com/atom/ns#" term="Data Loss" /><title>NHS computers hit by viruses as patient data is put at risk</title><content type="html">From &lt;a 
href="http://www.scmagazineuk.com/NHS-computers-hit-by-viruses-as-patient-data-is-put-at-risk/article/139829/"&gt;SC Magazine&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;More than 8,000 NHS computers have been hit by computer viruses over the last year.&lt;br /&gt;&lt;br /&gt;An investigation by More4 News found that more than 8,000 viruses got through security systems, with 12 incidents impacting on patient care on computers analysed. The investigation requested information from every NHS trust in England to find out how many of their systems had allowed a computer virus to penetrate their network, with 75 per cent responding.&lt;br /&gt;&lt;br /&gt;A number of trusts admitted in official reports and to More4 News that their networks were attacked because anti-virus systems were turned off or not properly applied. The viruses that More4 News found are also being used by hackers to steal personal information.&lt;br /&gt;&lt;br /&gt;Last November the Mytob worm spread through three major London hospitals and overloaded networks, impacting services including accessing blood tests, X-ray and patient administration. The independent report into the incident at Barts and the Royal London concluded it was entirely avoidable.&lt;br /&gt;&lt;br /&gt;In a statement to More4 News, the NHS said: "Electronic patient records systems are protected by the highest levels of access controls and other security measures. These levels of security are far higher than any which can be imposed on access to paper records or the majority of local NHS IT solutions."&lt;br /&gt;&lt;br /&gt;Andrew Clarke, senior vice president, international at Lumension, said: “It is important to note that the NHS hasn't stood still for the last six months when it comes to updating its security defences. 
We've seen various NHS organisations, including NHS Scotland, looking for new security solutions to address both emerging threats and enforce data protection.&lt;br /&gt;&lt;br /&gt;“It is now widely acknowledged that relying on an anti-virus only approach to security is inadequate defence. Although it still plays a role in helping to protect against the latest known security outbreaks, it is not able to defend against emerging threats on its own. After all, it is a reactive approach to security that relies on the application of thousands of security signatures before an outbreak occurs.”&lt;br /&gt;&lt;br /&gt;Clarke advised supplementing AV protection with whitelisting and taking a proactive approach to security to control applications.
&lt;div class="feedflare"&gt;
&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/DPPWatch/~4/NbYw4x1uhc0" height="1" width="1"/&gt;</content><link rel="replies" type="application/atom+xml" href="http://www.dppwatch.com/feeds/612045628281559328/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="http://www.dppwatch.com/2009/07/nhs-computers-hit-by-viruses-as-patient.html#comment-form" title="0 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/5167282921913372205/posts/default/612045628281559328?v=2" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/5167282921913372205/posts/default/612045628281559328?v=2" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/DPPWatch/~3/NbYw4x1uhc0/nhs-computers-hit-by-viruses-as-patient.html" title="NHS computers hit by viruses as patient data is put at risk" /><author><name>Mike Hall</name><uri>http://www.blogger.com/profile/08379634856449363073</uri><email>noreply@blogger.com</email><gd:image rel="http://schemas.google.com/g/2005#thumbnail" width="28" height="32" src="http://1.bp.blogspot.com/_VSR2fPJ1VSw/SnCsFK_W52I/AAAAAAABRjw/nBuq-85G6gY/S220/Mike2.jpg" /></author><thr:total>0</thr:total><feedburner:origLink>http://www.dppwatch.com/2009/07/nhs-computers-hit-by-viruses-as-patient.html</feedburner:origLink></entry><entry gd:etag="W/&quot;DkIGR3g5cCp7ImA9WxJUEUk.&quot;"><id>tag:blogger.com,1999:blog-5167282921913372205.post-7558491428099188369</id><published>2009-07-09T13:59:00.002+01:00</published><updated>2009-07-09T14:02:06.628+01:00</updated><app:edited xmlns:app="http://www.w3.org/2007/app">2009-07-09T14:02:06.628+01:00</app:edited><category scheme="http://www.blogger.com/atom/ns#" term="Data Leak" /><category scheme="http://www.blogger.com/atom/ns#" term="ICO" /><title>ICO Praised for Taking Action Against Firm</title><content type="html">From &lt;a 
href="http://www.scmagazineuk.com/Information-Commissioner-welcomed-for-action-against-firm-that-failed-to-protect-customer-data/article/139762/"&gt;SC Magazine&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;Reports of the Information Commissioner's Office (ICO) taking action against a company for failing to protect its customer data should be a wake-up call on the need for encryption.&lt;br /&gt;&lt;br /&gt;Andrew Kahl, senior vice president of operations and co-founder of Credant Technologies, claimed that the ICO's action against a Kent-based insurance company for failing to protect data on around 2,100 of its policy-holders reminds the industry of the need to encrypt private data, whether at rest or on the move.&lt;br /&gt;&lt;br /&gt;Kahl said: “The firm blamed the data breach - which involved data going back as far as ten years - on a lack of staff training and poor data handling procedures, but the reality is that all firms need to adhere to IT security policies involving encryption of staff and customers' personal data.&lt;br /&gt;&lt;br /&gt;“In addition, companies also need to enforce those encryption security policies using suitable IT systems. These systems act as an audit safeguard and can save companies money and embarrassment in the longer term.”&lt;br /&gt;&lt;br /&gt;He also stated that he agreed with the ICO's comments that the case is a reminder that the appropriate safeguards should be in place to protect personal information and is very timely.&lt;br /&gt;&lt;br /&gt;“The bottom line to all of this is that companies need to take care when handling private data. Data needs to be encrypted and the good news is that the technology required to do this need not cost the earth,” said Kahl.
&lt;div class="feedflare"&gt;
&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/DPPWatch/~4/Cpc4iU4PELc" height="1" width="1"/&gt;</content><link rel="replies" type="application/atom+xml" href="http://www.dppwatch.com/feeds/7558491428099188369/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="http://www.dppwatch.com/2009/07/ico-praised-for-taking-action-against.html#comment-form" title="0 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/5167282921913372205/posts/default/7558491428099188369?v=2" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/5167282921913372205/posts/default/7558491428099188369?v=2" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/DPPWatch/~3/Cpc4iU4PELc/ico-praised-for-taking-action-against.html" title="ICO Praised for Taking Action Against Firm" /><author><name>Mike Hall</name><uri>http://www.blogger.com/profile/08379634856449363073</uri><email>noreply@blogger.com</email><gd:image rel="http://schemas.google.com/g/2005#thumbnail" width="28" height="32" src="http://1.bp.blogspot.com/_VSR2fPJ1VSw/SnCsFK_W52I/AAAAAAABRjw/nBuq-85G6gY/S220/Mike2.jpg" /></author><thr:total>0</thr:total><feedburner:origLink>http://www.dppwatch.com/2009/07/ico-praised-for-taking-action-against.html</feedburner:origLink></entry><entry gd:etag="W/&quot;D0AEQXw5fCp7ImA9WxJWGEk.&quot;"><id>tag:blogger.com,1999:blog-5167282921913372205.post-163774010508040263</id><published>2009-06-24T13:12:00.001+01:00</published><updated>2009-06-24T13:15:00.224+01:00</updated><app:edited xmlns:app="http://www.w3.org/2007/app">2009-06-24T13:15:00.224+01:00</app:edited><category scheme="http://www.blogger.com/atom/ns#" term="Internal Threats" /><category scheme="http://www.blogger.com/atom/ns#" term="Data Loss" /><title>CISOs worried about insiders, data breaches</title><content type="html">From &lt;a 
href="http://www.scmagazineuk.com/Survey-CISOs-worried-about-insiders-data-breaches/article/138935/"&gt;SC Magazine&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;Eighty per cent of CISOs believe their company's own employees and contractors are the greatest threat to company data, according to a new study conducted by security vendor NetWitness and audit and information security training company MIS Training Institute.&lt;br /&gt;&lt;br /&gt;Conducted from 10th to 12th June at the sixth annual CISO Summit in Lisbon, Portugal, the survey of more than 60 information security professionals from across the world also found that just 18 per cent viewed external sources as the biggest threat to company data.&lt;br /&gt;&lt;br /&gt;When asked how concerned about data breaches they were, 97 per cent of respondents said they were either “very concerned” or “concerned,” while just three per cent said they don't worry about their network “because it's secure,” the survey found.&lt;br /&gt;&lt;br /&gt;Meanwhile, based on respondents' answers, the survey showed that 59 per cent of sensitive data resides on Windows or Unix-based servers, 23 per cent on mainframes, eight per cent on end-user computers and another eight per cent with third parties. Eddie Schwartz, CSO of NetWitness, told SCMagazineUS.com on Monday that he thinks those stats are concerning because they illustrate that many companies store their most sensitive data in places not necessarily in direct control of the data centre.&lt;br /&gt;&lt;br /&gt;In a roundtable meeting where security pros gathered to discuss the survey findings, some talked about their inability to deploy the proper technologies to counter the threats of today, Schwartz said. 
Most agreed that due to competing demand from compliance and budget constraints, it was difficult to obtain the needed technology to face attacks at the application layer.&lt;br /&gt;&lt;br /&gt;One attendee said organisations should get better visibility to monitor computers on their network and look for signs of communication with outside entities - and then stop that communication. Schwartz said that tactic is not necessarily easy, but it's a reasonably good defensive measure.&lt;br /&gt;&lt;br /&gt;Protecting data from both internal and external threats, as well as meeting compliance demands and dealing with cost restrictions, are major concerns of customers, Doug Howard, chief strategy officer at security vendor Perimeter eSecurity, told SCMagazineUS.com on Tuesday.&lt;br /&gt;&lt;br /&gt;“It's not an internal versus external problem, it's about protecting your core data and putting a layered approach,” Howard said.
&lt;div class="feedflare"&gt;
&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/DPPWatch/~4/UPUAVyBRCJ4" height="1" width="1"/&gt;</content><link rel="replies" type="application/atom+xml" href="http://www.dppwatch.com/feeds/163774010508040263/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="http://www.dppwatch.com/2009/06/cisos-worried-about-insiders-data.html#comment-form" title="0 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/5167282921913372205/posts/default/163774010508040263?v=2" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/5167282921913372205/posts/default/163774010508040263?v=2" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/DPPWatch/~3/UPUAVyBRCJ4/cisos-worried-about-insiders-data.html" title="CISOs worried about insiders, data breaches" /><author><name>Mike Hall</name><uri>http://www.blogger.com/profile/08379634856449363073</uri><email>noreply@blogger.com</email><gd:image rel="http://schemas.google.com/g/2005#thumbnail" width="28" height="32" src="http://1.bp.blogspot.com/_VSR2fPJ1VSw/SnCsFK_W52I/AAAAAAABRjw/nBuq-85G6gY/S220/Mike2.jpg" /></author><thr:total>0</thr:total><feedburner:origLink>http://www.dppwatch.com/2009/06/cisos-worried-about-insiders-data.html</feedburner:origLink></entry><entry gd:etag="W/&quot;CUcBQ348eyp7ImA9WxJWF0o.&quot;"><id>tag:blogger.com,1999:blog-5167282921913372205.post-3614951594563840546</id><published>2009-06-23T17:02:00.000+01:00</published><updated>2009-06-23T17:04:12.073+01:00</updated><app:edited xmlns:app="http://www.w3.org/2007/app">2009-06-23T17:04:12.073+01:00</app:edited><category scheme="http://www.blogger.com/atom/ns#" term="ICO" /><category scheme="http://www.blogger.com/atom/ns#" term="Data Loss" /><title>Lost-Laptop Council Breached Data Rules</title><content type="html">From &lt;a 
href="http://www.eweekeurope.co.uk/news/lost-laptop-council-breached-data-rules--1199"&gt;eweekeurope&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;Stolen laptops had unencrypted personal data - and Manchester City Council's response may not be enough.&lt;br /&gt;&lt;br /&gt;Manchester City Council has been found in breach of the Data Protection Act after two unencrypted laptops were stolen from the town hall, one of which contained details of 1,754 employees.&lt;br /&gt;&lt;br /&gt;In a statement issued this week, the Information Commissioner's Office (ICO) released details of the incident, which has resulted in the council signing a formal declaration to improve how it secures physical hardware as well as the information residing on such devices.&lt;br /&gt;&lt;br /&gt;According to Sally-anne Poole, head of enforcement &amp;amp; investigations at the ICO, one of the stolen laptops contained personal details on members of staff in local schools from the Manchester area. "We urge all councils and their executive teams to take responsibility for treating data protection as a corporate governance issue affecting the entire organisation. They have to make sure that safeguarding the personal information of their staff is embedded in their organisational culture," she said.&lt;br /&gt;&lt;br /&gt;Poole added that the Data Protection Act clearly states that organisations must take appropriate measures to ensure that personal information is kept secure. "Manchester City Council recognises the seriousness of this data loss and has agreed to take immediate action. 
It has also agreed to implement an improved training programme, including regular refresher training for all staff,” she said.&lt;br /&gt;&lt;br /&gt;But in a move that is supposedly meant to satisfy the ICO, but could appear to some security experts as a half-measure, the council has also claimed that it won't ban downloads of information to mobile devices but rather ensure that only "essential personal information will be downloaded onto mobile devices in the future".&lt;br /&gt;&lt;br /&gt;Tools such as desktop and application virtualisation - provided by companies such as Citrix - are seen as one way to combat the problem of data loss by removing the need to download data locally onto mobile devices that could be lost or stolen. Instead, staff work on virtual desktops hosted on a central server or in the cloud, which reduces the need to download data locally.&lt;br /&gt;&lt;br /&gt;A spokesperson for the ICO said that it advocates that companies use the best technology possible to protect data but doesn't stipulate what that should be. In the case of Manchester City Council, the spokesperson said that the organisation would be expected to put in place measures to prevent staff from simply deciding the data they wanted to download was "essential" and would instead have to have that decision signed off by upper management in accordance with approaches stipulated by the Data Protection Act. "Staff would not simply be able to decide the data they needed was 'essential' and put it on a data stick without asking anyone else," the spokesperson added.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/5167282921913372205-3614951594563840546?l=www.dppwatch.com' alt='' /&gt;&lt;/div&gt;
&lt;div class="feedflare"&gt;
&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/DPPWatch/~4/Zdn6qvVLqCY" height="1" width="1"/&gt;</content><link rel="replies" type="application/atom+xml" href="http://www.dppwatch.com/feeds/3614951594563840546/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="http://www.dppwatch.com/2009/06/lost-laptop-council-breached-data-rules.html#comment-form" title="0 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/5167282921913372205/posts/default/3614951594563840546?v=2" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/5167282921913372205/posts/default/3614951594563840546?v=2" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/DPPWatch/~3/Zdn6qvVLqCY/lost-laptop-council-breached-data-rules.html" title="Lost-Laptop Council Breached Data Rules" /><author><name>Mike Hall</name><uri>http://www.blogger.com/profile/08379634856449363073</uri><email>noreply@blogger.com</email><gd:image rel="http://schemas.google.com/g/2005#thumbnail" width="28" height="32" src="http://1.bp.blogspot.com/_VSR2fPJ1VSw/SnCsFK_W52I/AAAAAAABRjw/nBuq-85G6gY/S220/Mike2.jpg" /></author><thr:total>0</thr:total><feedburner:origLink>http://www.dppwatch.com/2009/06/lost-laptop-council-breached-data-rules.html</feedburner:origLink></entry><entry gd:etag="W/&quot;A0YMQnY6fip7ImA9WxJWF0s.&quot;"><id>tag:blogger.com,1999:blog-5167282921913372205.post-5280825051353268900</id><published>2009-06-23T15:58:00.000+01:00</published><updated>2009-06-23T15:59:43.816+01:00</updated><app:edited xmlns:app="http://www.w3.org/2007/app">2009-06-23T15:59:43.816+01:00</app:edited><category scheme="http://www.blogger.com/atom/ns#" term="Data Protection Act" /><category scheme="http://www.blogger.com/atom/ns#" term="ICO" /><category scheme="http://www.blogger.com/atom/ns#" term="Data Loss" /><title>ISACA backs power increase for ICO</title><content type="html">From &lt;a 
href="http://www.infosecurity-magazine.com/view/2288/isaca-backs-power-increase-for-information-commissioner/"&gt;Infosecurity Magazine&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;ISACA, the not-for-profit organisation that seeks to encourage best practice in the IT security industry, has given the 'thumbs up' to plans to significantly increase the powers of the Information Commissioner's Office (ICO) later this year.&lt;br /&gt;&lt;br /&gt;According to Vernon Poole, a member of ISACA's information security management committee and head of business consultancy for Sapphire, back in July 2008, as part of his outgoing report, Information Commissioner Richard Thomas criticised the EU data protection directive - which underpins the UK's Data Protection Act - for effectively showing its age.&lt;br /&gt;&lt;br /&gt;Poole notes that reports now suggest that the Government will enhance the powers of the ICO, allowing it to raise penalties against data controllers, under &lt;a href="http://www.out-law.com/page-9618"&gt;Section 55A&lt;/a&gt; of the Data Protection Act.&lt;br /&gt;&lt;br /&gt;Poole claims that, under Section 55A of the Act - for which the Government has reportedly set an internal implementation target of later this year - the information commissioner will be able to impose penalties on companies that fail to protect their data, when that data is subsequently lost.&lt;br /&gt;&lt;br /&gt;Current Government practice, he says, is to provide statutory guidance at least 12 weeks before the legislation comes into force.&lt;br /&gt;&lt;br /&gt;The original plan, he adds, was for the penalties to be published in March of this year, ready for Section 55A of the Act to become law this month.&lt;br /&gt;&lt;br /&gt;These dates have now passed, he says, but if the internal target is to pass the legislation amendment before the Parliamentary summer recess, then Section 55A could become law by the late Autumn of this year.&lt;br /&gt;&lt;br /&gt;"This is good news as, at that 
stage, we will be coming up on the second anniversary of the infamous loss of 15,000 pension customer details on a CD-ROM mailed between HMRC's offices in Newcastle and Edinburgh."&lt;br /&gt;&lt;br /&gt;"That incident became the milestone which started off a chain of reports of data losses in the public and private sector in the UK and effectively triggered the amendments to the DPA we now know as Section 55A."&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/5167282921913372205-5280825051353268900?l=www.dppwatch.com' alt='' /&gt;&lt;/div&gt;
&lt;div class="feedflare"&gt;
&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/DPPWatch/~4/YUsjP7KWIbU" height="1" width="1"/&gt;</content><link rel="replies" type="application/atom+xml" href="http://www.dppwatch.com/feeds/5280825051353268900/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="http://www.dppwatch.com/2009/06/isaca-backs-power-increase-for-ico.html#comment-form" title="0 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/5167282921913372205/posts/default/5280825051353268900?v=2" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/5167282921913372205/posts/default/5280825051353268900?v=2" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/DPPWatch/~3/YUsjP7KWIbU/isaca-backs-power-increase-for-ico.html" title="ISACA backs power increase for ICO" /><author><name>Mike Hall</name><uri>http://www.blogger.com/profile/08379634856449363073</uri><email>noreply@blogger.com</email><gd:image rel="http://schemas.google.com/g/2005#thumbnail" width="28" height="32" src="http://1.bp.blogspot.com/_VSR2fPJ1VSw/SnCsFK_W52I/AAAAAAABRjw/nBuq-85G6gY/S220/Mike2.jpg" /></author><thr:total>0</thr:total><feedburner:origLink>http://www.dppwatch.com/2009/06/isaca-backs-power-increase-for-ico.html</feedburner:origLink></entry><entry gd:etag="W/&quot;AkYGQHw9fSp7ImA9WxJWF0s.&quot;"><id>tag:blogger.com,1999:blog-5167282921913372205.post-6644611933512778862</id><published>2009-06-23T15:38:00.000+01:00</published><updated>2009-06-23T15:42:01.265+01:00</updated><app:edited xmlns:app="http://www.w3.org/2007/app">2009-06-23T15:42:01.265+01:00</app:edited><category scheme="http://www.blogger.com/atom/ns#" term="RIPA" /><category scheme="http://www.blogger.com/atom/ns#" term="Surveillance" /><title>UK Home Office internet surveillance won't work</title><content type="html">From &lt;a 
href="http://www.infosecurity-magazine.com/view/2225/london-school-of-economics-uk-home-office-internet-surveillance-wont-work/"&gt;Infosecurity Magazine&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;In a briefing published on 17 June, the London School of Economics says that new Home Office internet surveillance proposals for the Interception Modernisation Programme won't work, have poor safeguards, and will be a costly option.&lt;br /&gt;&lt;br /&gt;&lt;a href="http://www.pmsommer.com/" target="_blank"&gt;Professor Peter Sommer&lt;/a&gt;, a visiting professor in the Department of Management at the &lt;a href="http://www.lse.ac.uk/" target="_blank"&gt;London School of Economics and Political Science&lt;/a&gt; - and a contributor to Infosecurity's webinar programme - says that the &lt;a href="http://www.homeoffice.gov.uk/" target="_blank"&gt;Home Office&lt;/a&gt; are right to be concerned about the impact on investigations of the ways in which criminals and others may use the internet.&lt;br /&gt;&lt;br /&gt;However, he says, they are wrong to think that this can be done by light tinkering with existing legislation.&lt;br /&gt;&lt;br /&gt;Current law, says Professor Sommer - such as the Regulation of Investigatory Powers Act, 2000 &lt;a href="http://en.wikipedia.org/wiki/Regulation_of_Investigatory_Powers_Act_2000" target="_blank"&gt;(RIPA) &lt;/a&gt;- is based on the old-fashioned telephone.&lt;br /&gt;&lt;br /&gt;There are, he explains, two main powers: The first is a demand by a senior law enforcement official for 'communications data' - who called whom, when and for how long, in effect something like a detailed phone bill. 
ISPs retain all of this for 12 months in case law enforcement decide to ask for it.&lt;br /&gt;&lt;br /&gt;"The second and much more intrusive power - a warrant to intercept the content, that is, eavesdropping on what is said - is granted not by judges but by the Home Secretary of the day."&lt;br /&gt;&lt;br /&gt;"Moreover intercept material is inadmissible - it cannot be used or even be referred to in court."&lt;br /&gt;&lt;br /&gt;According to Professor Sommer, with internet technology you have to collect everything and then throw away what the law does not allow you to have or use.&lt;br /&gt;&lt;br /&gt;Against this backdrop, the LSE says that - at a practical level - the communications data/interception distinction will be impossible to interpret both for ISPs and the courts. Moreover, the Professor argues, the existing balance of protections against abuse will also be lost.&lt;br /&gt;&lt;br /&gt;"We are also concerned that the Home Office is characterising its aims as maintaining an interception capability when police powers and capabilities to watch the public have increased significantly over the last 15 years."&lt;br /&gt;&lt;br /&gt;"We need a full debate about the balance between threats to public safety, police powers, the effectiveness of safeguards, and cost."&lt;br /&gt;&lt;br /&gt;Professor Sommer notes that the Home Office says the cost of the internet surveillance to taxpayers will be £2 billion, but provides no clue as to how this was calculated.&lt;br /&gt;&lt;br /&gt;On top of this, he says, an additional burden is being placed on ISPs - the same people who, under the Digital Britain plans, are expected to provide the UK with high-speed internet connection as a cheap universal service.&lt;br /&gt;&lt;br /&gt;The good news, Professor Sommer says, is that the &lt;a href="http://www.privacyappg.org.uk/" target="_blank"&gt;Parliamentary All Party Privacy Group &lt;/a&gt;are holding hearings about the Interception Modernisation Programme this July, 
and that they are using the LSE's work as a starting point.&lt;br /&gt;&lt;br /&gt;According to the LSE, the proposals from the Home Office to increase the capability of law enforcement and the intelligence agencies to collect and analyse the internet activities of all UK citizens can only work if entirely new laws are passed by Parliament.&lt;br /&gt;&lt;br /&gt;In addition, says the LSE, the public also needs to be persuaded that the threats from terrorism and crime are so extensive as to justify ever greater levels of intrusion and expenditure.&lt;br /&gt;&lt;br /&gt;Telephone companies and ISPs, the LSE notes, are already compelled to retain 'communications data' for all their customers, at least 70% of the population, for a period of 12 months.&lt;br /&gt;&lt;br /&gt;Under the Home Office proposals - Protecting the Public in a Changing Communications Environment published in April - ISPs would be required to retain much more information and pre-analyse it.&lt;br /&gt;&lt;br /&gt;The aim, says the LSE, is to enable the police and others to meet the challenges of the many new features of the internet.&lt;br /&gt;&lt;br /&gt;These include web-based email, instant messaging, internet telephony, social networking and online gaming.&lt;br /&gt;&lt;br /&gt;Infosecurity notes that the Home Office says it has abandoned plans to hold all relevant UK internet traffic in a large central database.&lt;br /&gt;&lt;br /&gt;A copy of the LSE's study can be found &lt;a href="http://www.lse.ac.uk/collections/informationSystems/research/policyEngagement/IMP_Briefing.pdf"&gt;here&lt;/a&gt;.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/5167282921913372205-6644611933512778862?l=www.dppwatch.com' alt='' /&gt;&lt;/div&gt;
&lt;div class="feedflare"&gt;
&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/DPPWatch/~4/KOwC8GwaHkk" height="1" width="1"/&gt;</content><link rel="replies" type="application/atom+xml" href="http://www.dppwatch.com/feeds/6644611933512778862/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="http://www.dppwatch.com/2009/06/uk-home-office-internet-surveillance.html#comment-form" title="0 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/5167282921913372205/posts/default/6644611933512778862?v=2" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/5167282921913372205/posts/default/6644611933512778862?v=2" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/DPPWatch/~3/KOwC8GwaHkk/uk-home-office-internet-surveillance.html" title="UK Home Office internet surveillance won't work" /><author><name>Mike Hall</name><uri>http://www.blogger.com/profile/08379634856449363073</uri><email>noreply@blogger.com</email><gd:image rel="http://schemas.google.com/g/2005#thumbnail" width="28" height="32" src="http://1.bp.blogspot.com/_VSR2fPJ1VSw/SnCsFK_W52I/AAAAAAABRjw/nBuq-85G6gY/S220/Mike2.jpg" /></author><thr:total>0</thr:total><feedburner:origLink>http://www.dppwatch.com/2009/06/uk-home-office-internet-surveillance.html</feedburner:origLink></entry><entry gd:etag="W/&quot;DU8AQH8-eyp7ImA9WxJWF0s.&quot;"><id>tag:blogger.com,1999:blog-5167282921913372205.post-4790865399717385362</id><published>2009-06-23T15:34:00.002+01:00</published><updated>2009-06-23T15:37:21.153+01:00</updated><app:edited xmlns:app="http://www.w3.org/2007/app">2009-06-23T15:37:21.153+01:00</app:edited><category scheme="http://www.blogger.com/atom/ns#" term="Data Leak" /><title>Parcelforce customer data revealed</title><content type="html">From &lt;a href="http://www.infosecurity-magazine.com/view/2269/parcelforce-customer-data-revealed/"&gt;Infosecurity Magazine&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;Parcelforce 
customers' names, addresses and postcodes were available online after a system related to the company's mail tracker service failed.&lt;br /&gt;&lt;br /&gt;Parcelforce has now rectified the problem and apologised to customers.&lt;br /&gt;&lt;br /&gt;A BBC investigation revealed that when some customers entered their unique reference number for tracking a delivery, they gained access to other people's delivery details.&lt;br /&gt;&lt;br /&gt;The BBC reported that in a period of 30 minutes, the system revealed details of parcels destined for a wide range of locations, including Cleveland, Swansea and Shanghai.&lt;br /&gt;&lt;br /&gt;Name, postcode and signature details would allow fraudsters to steal someone's identity. The data breach breaks rules set by the Information Commissioner's Office (ICO).&lt;br /&gt;&lt;br /&gt;A spokesperson for the ICO said, "Any organisation which processes personal information must ensure that adequate safeguards are in place to keep that information secure. This is an important principle of the Data Protection Act. Failure to protect personal details such as names, addresses and signatures could lead to information falling into the wrong hands and ultimately the loss of customers' trust and confidence."&lt;br /&gt;&lt;br /&gt;The ICO said it will contact Parcelforce "to establish how this security breach occurred and to find out what steps it will be taking to ensure that such a breach cannot happen again." Parcelforce said the problem had been rectified and the service was back to normal last night. 
It also apologised.&lt;br /&gt;&lt;br /&gt;This news item first appeared on Computer Weekly's website:&lt;br /&gt;&lt;a href="http://www.computerweekly.com/Articles/2009/06/19/236513/parcelforce-customer-data-revealed.htm" target="_blank"&gt;http://www.computerweekly.com/Articles/2009/06/19/236513/parcelforce-customer-data-revealed.htm&lt;/a&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/5167282921913372205-4790865399717385362?l=www.dppwatch.com' alt='' /&gt;&lt;/div&gt;
&lt;div class="feedflare"&gt;
&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/DPPWatch/~4/h8kVmJ3clqw" height="1" width="1"/&gt;</content><link rel="replies" type="application/atom+xml" href="http://www.dppwatch.com/feeds/4790865399717385362/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="http://www.dppwatch.com/2009/06/parcelforce-customer-data-revealed.html#comment-form" title="0 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/5167282921913372205/posts/default/4790865399717385362?v=2" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/5167282921913372205/posts/default/4790865399717385362?v=2" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/DPPWatch/~3/h8kVmJ3clqw/parcelforce-customer-data-revealed.html" title="Parcelforce customer data revealed" /><author><name>Mike Hall</name><uri>http://www.blogger.com/profile/08379634856449363073</uri><email>noreply@blogger.com</email><gd:image rel="http://schemas.google.com/g/2005#thumbnail" width="28" height="32" src="http://1.bp.blogspot.com/_VSR2fPJ1VSw/SnCsFK_W52I/AAAAAAABRjw/nBuq-85G6gY/S220/Mike2.jpg" /></author><thr:total>0</thr:total><feedburner:origLink>http://www.dppwatch.com/2009/06/parcelforce-customer-data-revealed.html</feedburner:origLink></entry><entry gd:etag="W/&quot;Dk4DQ307fSp7ImA9WxJWF0s.&quot;"><id>tag:blogger.com,1999:blog-5167282921913372205.post-1581710761817640589</id><published>2009-06-23T14:39:00.003+01:00</published><updated>2009-06-23T14:49:32.305+01:00</updated><app:edited xmlns:app="http://www.w3.org/2007/app">2009-06-23T14:49:32.305+01:00</app:edited><category scheme="http://www.blogger.com/atom/ns#" term="Government" /><category scheme="http://www.blogger.com/atom/ns#" term="DPP Resources" /><title>How to Protect Privileged Access to Critical Government Systems</title><content type="html">From &lt;a 
href="http://www.eweek.com/c/a/Security/How-to-Protect-Privileged-Access-to-Critical-Government-Systems/1/"&gt;eweek.com&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;As reports of major security breaches and thwarted attacks on government agencies continue to pile up, cyber-security has become a top-level priority. Federal agencies must ensure that the right people have the right amount of control over vital information. By establishing and implementing consistent security initiatives, Knowledge Center contributor Robert Grapes explains how federal agencies can employ a proactive approach to help prevent security breaches.&lt;br /&gt;&lt;br /&gt;Despite being saddled with significant economic concerns, President Obama—recognizing the significant importance of cyber-security to the nation—ordered a 60-day review of United States information security and the systems that support Critical Infrastructure Protection (CIP)—or in this case, cyber CIP. This call to action recognizes that a failure to implement proper security measures can facilitate internal and external threats to the confidentiality, integrity and availability of the nation's critical infrastructure.&lt;br /&gt;&lt;br /&gt;In January 2009, the U.S. Government Accountability Office (GAO) published the &lt;a href="http://www.gao.gov/products/GAO-09-271"&gt;GAO-09-271 update&lt;/a&gt; to their High-Risk Series report, which outlines federal information and cyber CIP concerns. The report stated that protecting the federal government's information systems and the nation's critical infrastructure is a topline challenge, but this requires resolving deficiencies that have not yet been broadly identified.&lt;br /&gt;&lt;br /&gt;The report also stated the importance of fully implementing effective security programs. The following challenges are too important to go unaddressed:&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;blockquote&gt;&lt;strong&gt;Challenge No. 
1: Cyber-security as top-level priority&lt;br /&gt;&lt;/strong&gt;Earning cross-agency buy-in is critical for managing threats effectively, and for ensuring centralized and controlled access to vital information and systems.&lt;br /&gt;&lt;strong&gt;&lt;br /&gt;Challenge No. 2: Establishing and implementing consistent security initiatives&lt;br /&gt;&lt;/strong&gt;Mandating policies can be a complex and daunting task, but with insufficient processes in place to enable full accountability, agencies become susceptible to internal and external threats.&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;Challenge No. 3: Preventing system disruption&lt;br /&gt;&lt;/strong&gt;Dynamic and complex technology environments—including virtualized, cloud computing or service-oriented infrastructures—make managing information access extremely difficult, requiring flexible controls and solutions to adapt and prevent interruptions (or worse).&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;Challenge No. 4: Improving warning capabilities&lt;br /&gt;&lt;/strong&gt;Access to critical information assets must be monitored and managed intensively in all facets of the organization. Implementing proactive warning systems can circumvent critical incidents, limiting exposure to agency credentials and vital information that can open the agency to extreme governance risks (both inside and outside its walls).&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;Challenge No. 5: Strengthening incident recovery&lt;br /&gt;&lt;/strong&gt;While mitigating occurrences is the first line of defense, the ability to recover from incidents quickly without exposing critical information and access needs to be improved upon. 
When events do arise, privileged information and access are compromised without a disaster recovery plan in place.&lt;br /&gt;&lt;strong&gt;&lt;br /&gt;&lt;/strong&gt;Government agencies by their very nature must be unfailingly vigilant in trusting secure information to external and internal resources—if only because the information they control can financially, legally or even physically endanger the public's well-being if it falls into the wrong hands.&lt;br /&gt;&lt;/blockquote&gt;&lt;br /&gt;&lt;strong&gt;How to protect vital information&lt;/strong&gt;&lt;br /&gt;&lt;strong&gt;&lt;br /&gt;&lt;/strong&gt;By taking the following three simple steps, federal agencies can employ a proactive approach to prevent breaches and protect vital information assets—avoiding the devastation and havoc that even one rogue person can inflict. The three steps are:&lt;br /&gt;&lt;br /&gt;&lt;blockquote&gt;&lt;p&gt;&lt;strong&gt;Step No. 1: Know who has access to privileged information&lt;/strong&gt;&lt;br /&gt;Federal agencies must assess who has access to what data, enabling them to understand and manage access as appropriate.&lt;/p&gt;&lt;p&gt;&lt;strong&gt;Step No. 2: Apply appropriate policies to protect sensitive information&lt;/strong&gt;&lt;br /&gt;Federal agencies must create an actionable plan and put it into place, applying privileged passwords and access management controls throughout each level of information.&lt;/p&gt;&lt;p&gt;&lt;strong&gt;Step No. 3: Update security and access credentials regularly to monitor and maintain control&lt;/strong&gt;&lt;br /&gt;By implementing a regimented program to automatically update access management and passwords, federal agencies will ensure that the right people have the right amount of control over vital information.&lt;/p&gt;&lt;/blockquote&gt;&lt;br /&gt;In conclusion, by taking the necessary steps to address these security challenges, federal agencies will be positioned for better governance, less risk and greater compliance. 
This will ultimately serve to protect the public's trust and keep national security risks at bay.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/5167282921913372205-1581710761817640589?l=www.dppwatch.com' alt='' /&gt;&lt;/div&gt;
&lt;p&gt;&lt;a href="http://feedads.g.doubleclick.net/~a/75GC6Bw5F8pAUwtmGFput7MUp-A/0/da"&gt;&lt;img src="http://feedads.g.doubleclick.net/~a/75GC6Bw5F8pAUwtmGFput7MUp-A/0/di" border="0" ismap="true"&gt;&lt;/img&gt;&lt;/a&gt;&lt;br/&gt;
&lt;a href="http://feedads.g.doubleclick.net/~a/75GC6Bw5F8pAUwtmGFput7MUp-A/1/da"&gt;&lt;img src="http://feedads.g.doubleclick.net/~a/75GC6Bw5F8pAUwtmGFput7MUp-A/1/di" border="0" ismap="true"&gt;&lt;/img&gt;&lt;/a&gt;&lt;/p&gt;&lt;div class="feedflare"&gt;
&lt;a href="http://feeds.feedburner.com/~ff/DPPWatch?a=e4MpLdzbdZE:NMBOLzPBt2c:yIl2AUoC8zA"&gt;&lt;img src="http://feeds.feedburner.com/~ff/DPPWatch?d=yIl2AUoC8zA" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/DPPWatch?a=e4MpLdzbdZE:NMBOLzPBt2c:V_sGLiPBpWU"&gt;&lt;img src="http://feeds.feedburner.com/~ff/DPPWatch?i=e4MpLdzbdZE:NMBOLzPBt2c:V_sGLiPBpWU" border="0"&gt;&lt;/img&gt;&lt;/a&gt;
&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/DPPWatch/~4/e4MpLdzbdZE" height="1" width="1"/&gt;</content><link rel="replies" type="application/atom+xml" href="http://www.dppwatch.com/feeds/1581710761817640589/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="http://www.dppwatch.com/2009/06/how-to-protect-privileged-access-to.html#comment-form" title="0 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/5167282921913372205/posts/default/1581710761817640589?v=2" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/5167282921913372205/posts/default/1581710761817640589?v=2" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/DPPWatch/~3/e4MpLdzbdZE/how-to-protect-privileged-access-to.html" title="How to Protect Privileged Access to Critical Government Systems" /><author><name>Mike Hall</name><uri>http://www.blogger.com/profile/08379634856449363073</uri><email>noreply@blogger.com</email><gd:image rel="http://schemas.google.com/g/2005#thumbnail" width="28" height="32" src="http://1.bp.blogspot.com/_VSR2fPJ1VSw/SnCsFK_W52I/AAAAAAABRjw/nBuq-85G6gY/S220/Mike2.jpg" /></author><thr:total>0</thr:total><feedburner:origLink>http://www.dppwatch.com/2009/06/how-to-protect-privileged-access-to.html</feedburner:origLink></entry><entry gd:etag="W/&quot;DkYBRno_eSp7ImA9WxJWF0s.&quot;"><id>tag:blogger.com,1999:blog-5167282921913372205.post-5326077193528873681</id><published>2009-06-23T14:34:00.000+01:00</published><updated>2009-06-23T14:35:57.441+01:00</updated><app:edited xmlns:app="http://www.w3.org/2007/app">2009-06-23T14:35:57.441+01:00</app:edited><category scheme="http://www.blogger.com/atom/ns#" term="Facebook" /><category scheme="http://www.blogger.com/atom/ns#" term="Privacy" /><title>Facebook bloggers reveal way to peek at private profiles</title><content type="html">From &lt;a 
href="http://www.scmagazineuk.com/Facebook-bloggers-reveal-way-to-peek-at-private-profiles/article/138878/"&gt;SC Magazine&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;Two Facebook fans generated a load of free publicity for their new blog when, in their maiden post, they disclosed a vulnerability in the social-networking website that could enable outsiders to view parts of profiles that are set to private.&lt;br /&gt;&lt;br /&gt;On its FBHive blog, which went live on Monday, the pair revealed a bug in Facebook that can allow non-friends to view personal data on other members.&lt;br /&gt;&lt;br /&gt;"With a simple hack, everything listed in a person's 'Basic Information' section can be viewed, no matter what their privacy settings are," they wrote. "This information includes networks, sex, birthday, hometown, siblings, parents, relationship status, interested in, political views and religious views."&lt;br /&gt;&lt;br /&gt;The "interested in" section refers to whether a member is using Facebook to connect with friends, romantic partners, etc.&lt;br /&gt;&lt;br /&gt;The two hackers did not explain how they were able to pry their way in but promised to release details in the next few days. As proof of their exploit, though, they displayed the "Basic Information" sections of Facebook founder Mark Zuckerberg, Digg founder Kevin Rose and Boing Boing blogger Cory Doctorow.&lt;br /&gt;&lt;br /&gt;Security experts said that though this hack does not allow for the spread of malware, it could help perpetrate identity theft.&lt;br /&gt;&lt;br /&gt;"You can't consider the information up there totally trusted and private," John Harrison, group product manager at Symantec Security Response, told SCMagazineUS.com on Monday. "I think people need to think twice about the information they put out there."&lt;br /&gt;&lt;br /&gt;For example, Harrison said he lists his incorrect birth date on his Facebook profile. 
He added that Facebook offers users granular privacy options and recommended that members recheck their settings.&lt;br /&gt;&lt;br /&gt;Facebook reportedly closed the hole, but a spokesperson there could not be reached. The operators of FBHive, which promises to discuss Facebook news and rumours on the new blog, also could not be reached.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/5167282921913372205-5326077193528873681?l=www.dppwatch.com' alt='' /&gt;&lt;/div&gt;
&lt;p&gt;&lt;a href="http://feedads.g.doubleclick.net/~a/gIZo5lf2y9KTjOxz-yB6ALlPej4/0/da"&gt;&lt;img src="http://feedads.g.doubleclick.net/~a/gIZo5lf2y9KTjOxz-yB6ALlPej4/0/di" border="0" ismap="true"&gt;&lt;/img&gt;&lt;/a&gt;&lt;br/&gt;
&lt;a href="http://feedads.g.doubleclick.net/~a/gIZo5lf2y9KTjOxz-yB6ALlPej4/1/da"&gt;&lt;img src="http://feedads.g.doubleclick.net/~a/gIZo5lf2y9KTjOxz-yB6ALlPej4/1/di" border="0" ismap="true"&gt;&lt;/img&gt;&lt;/a&gt;&lt;/p&gt;&lt;div class="feedflare"&gt;
&lt;a href="http://feeds.feedburner.com/~ff/DPPWatch?a=ud03E8Y6c20:2rGk0iJfMtA:yIl2AUoC8zA"&gt;&lt;img src="http://feeds.feedburner.com/~ff/DPPWatch?d=yIl2AUoC8zA" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/DPPWatch?a=ud03E8Y6c20:2rGk0iJfMtA:V_sGLiPBpWU"&gt;&lt;img src="http://feeds.feedburner.com/~ff/DPPWatch?i=ud03E8Y6c20:2rGk0iJfMtA:V_sGLiPBpWU" border="0"&gt;&lt;/img&gt;&lt;/a&gt;
&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/DPPWatch/~4/ud03E8Y6c20" height="1" width="1"/&gt;</content><link rel="replies" type="application/atom+xml" href="http://www.dppwatch.com/feeds/5326077193528873681/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="http://www.dppwatch.com/2009/06/facebook-bloggers-reveal-way-to-peek-at.html#comment-form" title="0 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/5167282921913372205/posts/default/5326077193528873681?v=2" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/5167282921913372205/posts/default/5326077193528873681?v=2" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/DPPWatch/~3/ud03E8Y6c20/facebook-bloggers-reveal-way-to-peek-at.html" title="Facebook bloggers reveal way to peek at private profiles" /><author><name>Mike Hall</name><uri>http://www.blogger.com/profile/08379634856449363073</uri><email>noreply@blogger.com</email><gd:image rel="http://schemas.google.com/g/2005#thumbnail" width="28" height="32" src="http://1.bp.blogspot.com/_VSR2fPJ1VSw/SnCsFK_W52I/AAAAAAABRjw/nBuq-85G6gY/S220/Mike2.jpg" /></author><thr:total>0</thr:total><feedburner:origLink>http://www.dppwatch.com/2009/06/facebook-bloggers-reveal-way-to-peek-at.html</feedburner:origLink></entry><entry gd:etag="W/&quot;CE4DRHY_eSp7ImA9WxJXGE4.&quot;"><id>tag:blogger.com,1999:blog-5167282921913372205.post-4165851445417526600</id><published>2009-06-12T19:48:00.006+01:00</published><updated>2009-06-12T19:56:15.841+01:00</updated><app:edited xmlns:app="http://www.w3.org/2007/app">2009-06-12T19:56:15.841+01:00</app:edited><category scheme="http://www.blogger.com/atom/ns#" term="Memory Stick" /><category scheme="http://www.blogger.com/atom/ns#" term="USB" /><category scheme="http://www.blogger.com/atom/ns#" term="DPP Resources" /><category scheme="http://www.blogger.com/atom/ns#" term="White Papers" 
/><title>Portable Panic: Evolution of USB Insecurity</title><content type="html">&lt;a href="http://sites.google.com/site/dppwatch/Home/Portable-Panic---Lumension.pdf?attredirects=0"&gt;Download White Paper&lt;/a&gt; (pdf)&lt;br /&gt;&lt;br /&gt;Once a mere novelty peripheral, USB storage devices are now as common as the mouse and keyboard. Analysts say by 2010 the market will have shipped 2.8 billion USB-enabled devices. Unfortunately, even as USB devices have evolved into useful storage media, they’ve also turned into a security nightmare for organisations. &lt;a href="http://www.infosecurity-magazine.com/download/46"&gt;Infosecurity&lt;/a&gt; has released a whitepaper discussing the evolution of the security challenges for users of USB storage.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/5167282921913372205-4165851445417526600?l=www.dppwatch.com' alt='' /&gt;&lt;/div&gt;
&lt;p&gt;&lt;a href="http://feedads.g.doubleclick.net/~a/au64yTV0289LaCcGsJGJAby2lKI/0/da"&gt;&lt;img src="http://feedads.g.doubleclick.net/~a/au64yTV0289LaCcGsJGJAby2lKI/0/di" border="0" ismap="true"&gt;&lt;/img&gt;&lt;/a&gt;&lt;br/&gt;
&lt;a href="http://feedads.g.doubleclick.net/~a/au64yTV0289LaCcGsJGJAby2lKI/1/da"&gt;&lt;img src="http://feedads.g.doubleclick.net/~a/au64yTV0289LaCcGsJGJAby2lKI/1/di" border="0" ismap="true"&gt;&lt;/img&gt;&lt;/a&gt;&lt;/p&gt;&lt;div class="feedflare"&gt;
&lt;a href="http://feeds.feedburner.com/~ff/DPPWatch?a=kWU-qF0k-hs:L1fs-yXd1JA:yIl2AUoC8zA"&gt;&lt;img src="http://feeds.feedburner.com/~ff/DPPWatch?d=yIl2AUoC8zA" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/DPPWatch?a=kWU-qF0k-hs:L1fs-yXd1JA:V_sGLiPBpWU"&gt;&lt;img src="http://feeds.feedburner.com/~ff/DPPWatch?i=kWU-qF0k-hs:L1fs-yXd1JA:V_sGLiPBpWU" border="0"&gt;&lt;/img&gt;&lt;/a&gt;
&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/DPPWatch/~4/kWU-qF0k-hs" height="1" width="1"/&gt;</content><link rel="replies" type="application/atom+xml" href="http://www.dppwatch.com/feeds/4165851445417526600/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="http://www.dppwatch.com/2009/06/portable-panic-evolution-of-usb.html#comment-form" title="0 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/5167282921913372205/posts/default/4165851445417526600?v=2" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/5167282921913372205/posts/default/4165851445417526600?v=2" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/DPPWatch/~3/kWU-qF0k-hs/portable-panic-evolution-of-usb.html" title="Portable Panic: Evolution of USB Insecurity" /><author><name>Mike Hall</name><uri>http://www.blogger.com/profile/08379634856449363073</uri><email>noreply@blogger.com</email><gd:image rel="http://schemas.google.com/g/2005#thumbnail" width="28" height="32" src="http://1.bp.blogspot.com/_VSR2fPJ1VSw/SnCsFK_W52I/AAAAAAABRjw/nBuq-85G6gY/S220/Mike2.jpg" /></author><thr:total>0</thr:total><feedburner:origLink>http://www.dppwatch.com/2009/06/portable-panic-evolution-of-usb.html</feedburner:origLink></entry><entry gd:etag="W/&quot;AkUNRXozeip7ImA9WxJXGE0.&quot;"><id>tag:blogger.com,1999:blog-5167282921913372205.post-2190534910411657140</id><published>2009-06-12T13:03:00.001+01:00</published><updated>2009-06-12T13:04:54.482+01:00</updated><app:edited xmlns:app="http://www.w3.org/2007/app">2009-06-12T13:04:54.482+01:00</app:edited><category scheme="http://www.blogger.com/atom/ns#" term="Password Security" /><title>Access Security</title><content type="html">&lt;strong&gt;Businesses should look to a more creative method of access security&lt;/strong&gt;&lt;br /&gt;&lt;br /&gt;From &lt;a 
href="http://www.scmagazineuk.com/Businesses-should-look-to-a-more-creative-method-of-access-security/article/138415/"&gt;SC Magazine&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;A more radical approach to access security is required for organisations and businesses.&lt;br /&gt;&lt;br /&gt;Following Australia celebrating ‘change your password day' as part of its National e-Security Awareness Week, GrIDsure chairman Jonathan Craymer claimed that while the initiative should be commended, there is a need to not just look at changing passwords, but to change the entire system.&lt;br /&gt;&lt;br /&gt;Craymer said that the belief that passwords are both free and secure is a ‘common myth', but this could not be further from the truth as the cost of a password reset can be extortionate.&lt;br /&gt;&lt;br /&gt;Research from META Group and Gartner suggests that for an average organisation there are about 6.3 password-related helpdesk calls per user, per year and Forrester estimates that each call can cost businesses between $25-75 USD. For a lower cost estimate for a typical 1,000-user company, it could be spending between $157,500 and $472,500 on maintaining their ‘free' password system every year.&lt;br /&gt;&lt;br /&gt;Craymer said: “GrIDsure has spoken to enough IT managers and users across the UK to know that they are fed up with so-called ‘strong passwords' that require a mixture of numbers and capitals.&lt;br /&gt;&lt;br /&gt;“These passwords usually have to be changed every 60 days and can become impossible to remember, so staff often end up writing them on a post-it note and sticking it on their monitor or under their keyboard – and how secure is that?”&lt;br /&gt;&lt;br /&gt;Craymer believed that businesses should not ‘continue to delude themselves by thinking passwords are a low cost and secure option for authenticating individuals on to PCs, smartphones and web-based portals. 
They must realise that there are much more secure, cheaper and manageable systems available'.&lt;br /&gt;&lt;br /&gt;He pointed to tokenless two-factor authentication alternatives to passwords and PINs as a more secure, easier to use and cheaper solution.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/5167282921913372205-2190534910411657140?l=www.dppwatch.com' alt='' /&gt;&lt;/div&gt;
&lt;p&gt;&lt;a href="http://feedads.g.doubleclick.net/~a/EWJuBF_6KdsNEcKry96JLN5E2Oc/0/da"&gt;&lt;img src="http://feedads.g.doubleclick.net/~a/EWJuBF_6KdsNEcKry96JLN5E2Oc/0/di" border="0" ismap="true"&gt;&lt;/img&gt;&lt;/a&gt;&lt;br/&gt;
&lt;a href="http://feedads.g.doubleclick.net/~a/EWJuBF_6KdsNEcKry96JLN5E2Oc/1/da"&gt;&lt;img src="http://feedads.g.doubleclick.net/~a/EWJuBF_6KdsNEcKry96JLN5E2Oc/1/di" border="0" ismap="true"&gt;&lt;/img&gt;&lt;/a&gt;&lt;/p&gt;&lt;div class="feedflare"&gt;
&lt;a href="http://feeds.feedburner.com/~ff/DPPWatch?a=dJ7y2G3D84w:99OQSwJYjfs:yIl2AUoC8zA"&gt;&lt;img src="http://feeds.feedburner.com/~ff/DPPWatch?d=yIl2AUoC8zA" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/DPPWatch?a=dJ7y2G3D84w:99OQSwJYjfs:V_sGLiPBpWU"&gt;&lt;img src="http://feeds.feedburner.com/~ff/DPPWatch?i=dJ7y2G3D84w:99OQSwJYjfs:V_sGLiPBpWU" border="0"&gt;&lt;/img&gt;&lt;/a&gt;
&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/DPPWatch/~4/dJ7y2G3D84w" height="1" width="1"/&gt;</content><link rel="replies" type="application/atom+xml" href="http://www.dppwatch.com/feeds/2190534910411657140/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="http://www.dppwatch.com/2009/06/access-security.html#comment-form" title="0 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/5167282921913372205/posts/default/2190534910411657140?v=2" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/5167282921913372205/posts/default/2190534910411657140?v=2" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/DPPWatch/~3/dJ7y2G3D84w/access-security.html" title="Access Security" /><author><name>Mike Hall</name><uri>http://www.blogger.com/profile/08379634856449363073</uri><email>noreply@blogger.com</email><gd:image rel="http://schemas.google.com/g/2005#thumbnail" width="28" height="32" src="http://1.bp.blogspot.com/_VSR2fPJ1VSw/SnCsFK_W52I/AAAAAAABRjw/nBuq-85G6gY/S220/Mike2.jpg" /></author><thr:total>0</thr:total><feedburner:origLink>http://www.dppwatch.com/2009/06/access-security.html</feedburner:origLink></entry><entry gd:etag="W/&quot;DUcEQX85fip7ImA9WxJXGE0.&quot;"><id>tag:blogger.com,1999:blog-5167282921913372205.post-3326722544546833090</id><published>2009-06-12T12:36:00.002+01:00</published><updated>2009-06-12T12:43:20.126+01:00</updated><app:edited xmlns:app="http://www.w3.org/2007/app">2009-06-12T12:43:20.126+01:00</app:edited><category scheme="http://www.blogger.com/atom/ns#" term="Database Security" /><category scheme="http://www.blogger.com/atom/ns#" term="end-point security" /><title>Dynamic Data Obfuscation Comes to U.S.</title><content type="html">From &lt;a href="http://www.eweek.com/c/a/Security/Dynamic-Data-Obfuscation-Comes-to-US-646511/?kc=rss"&gt;eweek.com&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;Silos-Connect Technologies 
CEO Tony Cannizzo says notorious data breaches are leading people to overemphasize endpoint security, when it is equally important to secure data at its database source. Cannizzo says protecting data in databases goes beyond static encryption and requires a flexible approach to data obfuscation.&lt;br /&gt;&lt;br /&gt;Thieves making off with laptops, hackers planting a Trojan in a store kiosk to send data to the Ukraine—these are the data breaches that gather the headlines. The result is an overemphasis on endpoint security, according to Tony Cannizzo, CEO of Silos-Connect Technologies, a distributor of database technology in Atlanta.&lt;br /&gt;&lt;br /&gt;Securing the perimeter may be job one, but at least equally important is securing data at its source—in the enterprise database. To that end, Cannizzo asserts that protecting data in databases requires a flexible approach to data obfuscation, not simply the use of static encryption.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/5167282921913372205-3326722544546833090?l=www.dppwatch.com' alt='' /&gt;&lt;/div&gt;
&lt;p&gt;&lt;a href="http://feedads.g.doubleclick.net/~a/NKBFjNdEHZBdhIVgBj7BTGL-KAQ/0/da"&gt;&lt;img src="http://feedads.g.doubleclick.net/~a/NKBFjNdEHZBdhIVgBj7BTGL-KAQ/0/di" border="0" ismap="true"&gt;&lt;/img&gt;&lt;/a&gt;&lt;br/&gt;
&lt;a href="http://feedads.g.doubleclick.net/~a/NKBFjNdEHZBdhIVgBj7BTGL-KAQ/1/da"&gt;&lt;img src="http://feedads.g.doubleclick.net/~a/NKBFjNdEHZBdhIVgBj7BTGL-KAQ/1/di" border="0" ismap="true"&gt;&lt;/img&gt;&lt;/a&gt;&lt;/p&gt;&lt;div class="feedflare"&gt;
&lt;a href="http://feeds.feedburner.com/~ff/DPPWatch?a=XV0vasueBhU:6eT2im_Seb8:yIl2AUoC8zA"&gt;&lt;img src="http://feeds.feedburner.com/~ff/DPPWatch?d=yIl2AUoC8zA" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/DPPWatch?a=XV0vasueBhU:6eT2im_Seb8:V_sGLiPBpWU"&gt;&lt;img src="http://feeds.feedburner.com/~ff/DPPWatch?i=XV0vasueBhU:6eT2im_Seb8:V_sGLiPBpWU" border="0"&gt;&lt;/img&gt;&lt;/a&gt;
&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/DPPWatch/~4/XV0vasueBhU" height="1" width="1"/&gt;</content><link rel="replies" type="application/atom+xml" href="http://www.dppwatch.com/feeds/3326722544546833090/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="http://www.dppwatch.com/2009/06/dynamic-data-obfuscation-comes-to-us.html#comment-form" title="0 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/5167282921913372205/posts/default/3326722544546833090?v=2" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/5167282921913372205/posts/default/3326722544546833090?v=2" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/DPPWatch/~3/XV0vasueBhU/dynamic-data-obfuscation-comes-to-us.html" title="Dynamic Data Obfuscation Comes to U.S." /><author><name>Mike Hall</name><uri>http://www.blogger.com/profile/08379634856449363073</uri><email>noreply@blogger.com</email><gd:image rel="http://schemas.google.com/g/2005#thumbnail" width="28" height="32" src="http://1.bp.blogspot.com/_VSR2fPJ1VSw/SnCsFK_W52I/AAAAAAABRjw/nBuq-85G6gY/S220/Mike2.jpg" /></author><thr:total>0</thr:total><feedburner:origLink>http://www.dppwatch.com/2009/06/dynamic-data-obfuscation-comes-to-us.html</feedburner:origLink></entry><entry gd:etag="W/&quot;A0EEQX8yeyp7ImA9WxJXF04.&quot;"><id>tag:blogger.com,1999:blog-5167282921913372205.post-4035669635027592412</id><published>2009-06-11T17:43:00.004+01:00</published><updated>2009-06-11T18:00:00.193+01:00</updated><app:edited xmlns:app="http://www.w3.org/2007/app">2009-06-11T18:00:00.193+01:00</app:edited><category scheme="http://www.blogger.com/atom/ns#" term="Internet Privacy" /><title>US family turned into advert</title><content type="html">&lt;a href="http://3.bp.blogspot.com/_VSR2fPJ1VSw/SjE3Jbg-ARI/AAAAAAAAABM/zLaOIWODtYU/s1600-h/family_advert.jpg"&gt;&lt;img style="MARGIN: 0px 10px 10px 0px; WIDTH: 160px; FLOAT: 
left; HEIGHT: 320px; CURSOR: hand" id="BLOGGER_PHOTO_ID_5346114867809878290" border="0" alt="" src="http://3.bp.blogspot.com/_VSR2fPJ1VSw/SjE3Jbg-ARI/AAAAAAAAABM/zLaOIWODtYU/s320/family_advert.jpg" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;div&gt;&lt;div&gt;In a surprising misuse of personal information, a US family found themselves being used in a Czech advert after a photo they posted on the internet was downloaded and used as an advertising poster in Prague, the &lt;a href="http://news.bbc.co.uk/1/hi/world/europe/8094420.stm"&gt;BBC reported&lt;/a&gt; today.&lt;/div&gt;&lt;br /&gt;&lt;br /&gt;&lt;div&gt;&lt;/div&gt;This reminds me of a scene from National Lampoon's European Vacation where Clark Griswold's camcorder is stolen and an image of his wife in her underwear is then used in an illicit advert. Only this time the family photo was already out there on a publicly visible website for anyone to download. This serves as another lesson in why you should always consider anything you upload onto the internet to be available for misuse.&lt;br /&gt;&lt;br /&gt;&lt;div&gt;&lt;/div&gt;&lt;/div&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/5167282921913372205-4035669635027592412?l=www.dppwatch.com' alt='' /&gt;&lt;/div&gt;
&lt;p&gt;&lt;a href="http://feedads.g.doubleclick.net/~a/nCmYChm3bAEKXh7OUoE6DkhQF5I/0/da"&gt;&lt;img src="http://feedads.g.doubleclick.net/~a/nCmYChm3bAEKXh7OUoE6DkhQF5I/0/di" border="0" ismap="true"&gt;&lt;/img&gt;&lt;/a&gt;&lt;br/&gt;
&lt;a href="http://feedads.g.doubleclick.net/~a/nCmYChm3bAEKXh7OUoE6DkhQF5I/1/da"&gt;&lt;img src="http://feedads.g.doubleclick.net/~a/nCmYChm3bAEKXh7OUoE6DkhQF5I/1/di" border="0" ismap="true"&gt;&lt;/img&gt;&lt;/a&gt;&lt;/p&gt;&lt;div class="feedflare"&gt;
&lt;a href="http://feeds.feedburner.com/~ff/DPPWatch?a=oCuuWAKxVSs:xJLwCzYWf_c:yIl2AUoC8zA"&gt;&lt;img src="http://feeds.feedburner.com/~ff/DPPWatch?d=yIl2AUoC8zA" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/DPPWatch?a=oCuuWAKxVSs:xJLwCzYWf_c:V_sGLiPBpWU"&gt;&lt;img src="http://feeds.feedburner.com/~ff/DPPWatch?i=oCuuWAKxVSs:xJLwCzYWf_c:V_sGLiPBpWU" border="0"&gt;&lt;/img&gt;&lt;/a&gt;
&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/DPPWatch/~4/oCuuWAKxVSs" height="1" width="1"/&gt;</content><link rel="replies" type="application/atom+xml" href="http://www.dppwatch.com/feeds/4035669635027592412/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="http://www.dppwatch.com/2009/06/us-family-turned-into-advert.html#comment-form" title="0 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/5167282921913372205/posts/default/4035669635027592412?v=2" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/5167282921913372205/posts/default/4035669635027592412?v=2" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/DPPWatch/~3/oCuuWAKxVSs/us-family-turned-into-advert.html" title="US family turned into advert" /><author><name>Mike Hall</name><uri>http://www.blogger.com/profile/08379634856449363073</uri><email>noreply@blogger.com</email><gd:image rel="http://schemas.google.com/g/2005#thumbnail" width="28" height="32" src="http://1.bp.blogspot.com/_VSR2fPJ1VSw/SnCsFK_W52I/AAAAAAABRjw/nBuq-85G6gY/S220/Mike2.jpg" /></author><media:thumbnail xmlns:media="http://search.yahoo.com/mrss/" url="http://3.bp.blogspot.com/_VSR2fPJ1VSw/SjE3Jbg-ARI/AAAAAAAAABM/zLaOIWODtYU/s72-c/family_advert.jpg" height="72" width="72" /><thr:total>0</thr:total><feedburner:origLink>http://www.dppwatch.com/2009/06/us-family-turned-into-advert.html</feedburner:origLink></entry><entry gd:etag="W/&quot;AkMMRnkyfSp7ImA9WxJXFk4.&quot;"><id>tag:blogger.com,1999:blog-5167282921913372205.post-7248301402738998198</id><published>2009-06-10T13:52:00.001+01:00</published><updated>2009-06-10T13:54:47.795+01:00</updated><app:edited xmlns:app="http://www.w3.org/2007/app">2009-06-10T13:54:47.795+01:00</app:edited><category scheme="http://www.blogger.com/atom/ns#" term="Data Loss" /><title>Businesses see a huge rise in theft of sensitive data</title><content type="html">From 
&lt;a href="http://www.scmagazineuk.com/Businesses-see-a-huge-rise-in-employee-views-and-theft-of-sensitive-data/article/138282/"&gt;SC Magazine&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;A third of IT workers have admitted to accessing unauthorised corporate information.&lt;br /&gt;&lt;br /&gt;According to Cyber-Ark's Trust, Security and Passwords survey, the amount of IT staff that abuse their position to snoop around networks to access privileged, corporate information has risen by two per cent in the past 12 months. Meanwhile, 74 per cent of respondents stated that they could circumvent the controls currently in place to prevent access to internal information. &lt;br /&gt;&lt;br /&gt;The most popular information to be viewed, or stolen in the event of them being fired, was the customer database, email server admin account and M&amp;amp;A plans, with 47 per cent claiming that they would take these. Forty six per cent would take a copy of the R&amp;amp;D plans, the CEO's password and financial reports.  One in five companies admitted to having experienced cases of insider sabotage or IT security fraud, with 36 per cent suspecting that their competitors had received their company's highly sensitive information or intellectual property.&lt;br /&gt;&lt;br /&gt;Udi Mokady, CEO of Cyber-Ark, said: "This survey shows that while most employees claim that access to privileged accounts is currently monitored and an overwhelming majority support additional monitoring practices, employee snooping on sensitive information continues unabated.  
Unauthorised access to information such as customer credit card data, private personnel information, internal financial reports and R&amp;amp;D plans leaves a company vulnerable to a severe data leak with the risk of financial or regulatory exposure and damage to its brand, or competitors obtaining critically important competitive information.&lt;br /&gt;&lt;br /&gt;"Cyber-Ark is committed to raising awareness around the risk of unmanaged privileged accounts.  While seemingly innocuous, these accounts provide workers with the ‘keys to the kingdom', allowing them to access critically sensitive information, no matter where it resides. Businesses must wake up and realise that trust is not a security policy; they have an organisational responsibility to lock down sensitive data and systems, while monitoring all activity even when legitimate access is granted."&lt;br /&gt;&lt;br /&gt;However businesses are increasingly aware of the need to monitor privileged account access and activity, with 71 per cent of respondents indicating that privileged accounts are partially monitored. Ninety one per cent of those who are monitored admitted that they are 'okay with their employer's monitoring activities'. Despite these efforts, 74 per cent of respondents revealed that even with the controls being put in place to monitor them, they could still get around them, making current controls ineffectual.&lt;br /&gt;&lt;br /&gt;Highlighting the ineffectiveness of current controls and access policies, 35 per cent of IT administrators admitted they were using their administration rights to snoop around the network to access confidential or sensitive information.  
The most common areas respondents indicated they access are HR records, followed by customer databases, M&amp;amp;A plans, layoff lists and lastly, marketing information.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/5167282921913372205-7248301402738998198?l=www.dppwatch.com' alt='' /&gt;&lt;/div&gt;
&lt;p&gt;&lt;a href="http://feedads.g.doubleclick.net/~a/qYKfBqFLBfUF-igUD8Rfloqki30/0/da"&gt;&lt;img src="http://feedads.g.doubleclick.net/~a/qYKfBqFLBfUF-igUD8Rfloqki30/0/di" border="0" ismap="true"&gt;&lt;/img&gt;&lt;/a&gt;&lt;br/&gt;
&lt;a href="http://feedads.g.doubleclick.net/~a/qYKfBqFLBfUF-igUD8Rfloqki30/1/da"&gt;&lt;img src="http://feedads.g.doubleclick.net/~a/qYKfBqFLBfUF-igUD8Rfloqki30/1/di" border="0" ismap="true"&gt;&lt;/img&gt;&lt;/a&gt;&lt;/p&gt;&lt;div class="feedflare"&gt;
&lt;a href="http://feeds.feedburner.com/~ff/DPPWatch?a=x1roxZPkWgU:h7HAB3O2rRY:yIl2AUoC8zA"&gt;&lt;img src="http://feeds.feedburner.com/~ff/DPPWatch?d=yIl2AUoC8zA" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/DPPWatch?a=x1roxZPkWgU:h7HAB3O2rRY:V_sGLiPBpWU"&gt;&lt;img src="http://feeds.feedburner.com/~ff/DPPWatch?i=x1roxZPkWgU:h7HAB3O2rRY:V_sGLiPBpWU" border="0"&gt;&lt;/img&gt;&lt;/a&gt;
&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/DPPWatch/~4/x1roxZPkWgU" height="1" width="1"/&gt;</content><link rel="replies" type="application/atom+xml" href="http://www.dppwatch.com/feeds/7248301402738998198/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="http://www.dppwatch.com/2009/06/businesses-see-huge-rise-in-theft-of.html#comment-form" title="0 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/5167282921913372205/posts/default/7248301402738998198?v=2" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/5167282921913372205/posts/default/7248301402738998198?v=2" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/DPPWatch/~3/x1roxZPkWgU/businesses-see-huge-rise-in-theft-of.html" title="Businesses see a huge rise in theft of sensitive data" /><author><name>Mike Hall</name><uri>http://www.blogger.com/profile/08379634856449363073</uri><email>noreply@blogger.com</email><gd:image rel="http://schemas.google.com/g/2005#thumbnail" width="28" height="32" src="http://1.bp.blogspot.com/_VSR2fPJ1VSw/SnCsFK_W52I/AAAAAAABRjw/nBuq-85G6gY/S220/Mike2.jpg" /></author><thr:total>0</thr:total><feedburner:origLink>http://www.dppwatch.com/2009/06/businesses-see-huge-rise-in-theft-of.html</feedburner:origLink></entry><entry gd:etag="W/&quot;CE4HQX0_cCp7ImA9WxJXGE4.&quot;"><id>tag:blogger.com,1999:blog-5167282921913372205.post-3018207067775155089</id><published>2009-06-03T13:58:00.002+01:00</published><updated>2009-06-12T19:55:30.348+01:00</updated><app:edited xmlns:app="http://www.w3.org/2007/app">2009-06-12T19:55:30.348+01:00</app:edited><category scheme="http://www.blogger.com/atom/ns#" term="DPP Resources" /><category scheme="http://www.blogger.com/atom/ns#" term="White Papers" /><title>The business risk of a lost laptop</title><content type="html">&lt;a 
href="http://sites.google.com/site/dppwatch/files/the-business-risk-of-a-lost-laptop.pdf"&gt;Download White Paper&lt;/a&gt; (pdf)&lt;br /&gt;&lt;br /&gt;Dell Corporation and Ponemon Institute, LLC are pleased to report the results of the Business Risk of Lost Laptops in the United States, United Kingdom, Germany, France, Mexico and Brazil. The study was conducted to understand the risks to organizations’ personal and confidential information as the number of lost or stolen employee-assigned laptops increases. We also wanted to learn if there are significant differences in how companies in these different countries are addressing the business risk of lost laptops.&lt;br /&gt;&lt;br /&gt;Ponemon Institute conducted a web-based survey of 3,100 information technology (IT) and IT security practitioners located in the United States, United Kingdom, Germany, France, Mexico and Brazil who have significant experience and are employed in the public or private sector. In this report, we provide a high-level comparative analysis of the findings from respondents in these six countries. Demographics of survey respondents are summarized at the conclusion of this report. Individual country-level reports are also available upon request.
&lt;div class="feedflare"&gt;
&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/DPPWatch/~4/c6_zDvQ1b_A" height="1" width="1"/&gt;</content><link rel="replies" type="application/atom+xml" href="http://www.dppwatch.com/feeds/3018207067775155089/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="http://www.dppwatch.com/2009/06/business-risk-of-lost-laptop.html#comment-form" title="0 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/5167282921913372205/posts/default/3018207067775155089?v=2" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/5167282921913372205/posts/default/3018207067775155089?v=2" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/DPPWatch/~3/c6_zDvQ1b_A/business-risk-of-lost-laptop.html" title="The business risk of a lost laptop" /><author><name>Mike Hall</name><uri>http://www.blogger.com/profile/08379634856449363073</uri><email>noreply@blogger.com</email><gd:image rel="http://schemas.google.com/g/2005#thumbnail" width="28" height="32" src="http://1.bp.blogspot.com/_VSR2fPJ1VSw/SnCsFK_W52I/AAAAAAABRjw/nBuq-85G6gY/S220/Mike2.jpg" /></author><thr:total>0</thr:total><feedburner:origLink>http://www.dppwatch.com/2009/06/business-risk-of-lost-laptop.html</feedburner:origLink></entry><entry gd:etag="W/&quot;C0cNQHs5fCp7ImA9WxJXEE8.&quot;"><id>tag:blogger.com,1999:blog-5167282921913372205.post-7300894043239205031</id><published>2009-06-03T10:15:00.002+01:00</published><updated>2009-06-03T10:24:51.524+01:00</updated><app:edited xmlns:app="http://www.w3.org/2007/app">2009-06-03T10:24:51.524+01:00</app:edited><category scheme="http://www.blogger.com/atom/ns#" term="Enterprise Security" /><category scheme="http://www.blogger.com/atom/ns#" term="Data Leak" /><category scheme="http://www.blogger.com/atom/ns#" term="Data Loss" /><title>Layoff's and Information Theft</title><content type="html">&lt;p&gt;Over the past few months the streets have become 
filled with disenfranchised, unhappy former employees of major corporations. Vast swathes of white collar workers are being issued their P45s and shown the door. However, in an age of good corporate citizenry, many organisations are offering voluntary redundancy programmes and allow their soon-to-be former employees continued privileges and access right up until departure day, which can sometimes be many weeks away. During this time any diligent employee trying to strengthen their market position is going to be hoarding IP like a squirrel in winter.&lt;br /&gt;&lt;br /&gt;Eweekeurope has put together an article on how to secure sensitive data before laying someone off. It covers 3 main areas:&lt;/p&gt;&lt;ul&gt;&lt;li&gt;How to Secure Sensitive Data Before a Layoff Occurs &lt;/li&gt;&lt;li&gt;Restrict Access to Information and Administrative Control &lt;/li&gt;&lt;li&gt;Prevent Electronic Messaging Data Leakage &lt;/li&gt;&lt;/ul&gt;&lt;p&gt;Read the full article &lt;a href="http://www.eweek.com/c/a/Security/How-to-Secure-Sensitive-Data-Before-a-Layoff-Occurs/?kc=rss"&gt;here&lt;/a&gt;&lt;/p&gt;
&lt;div class="feedflare"&gt;
&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/DPPWatch/~4/2DrwCF3l4mg" height="1" width="1"/&gt;</content><link rel="replies" type="application/atom+xml" href="http://www.dppwatch.com/feeds/7300894043239205031/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="http://www.dppwatch.com/2009/06/layoffs-and-information-theft.html#comment-form" title="1 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/5167282921913372205/posts/default/7300894043239205031?v=2" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/5167282921913372205/posts/default/7300894043239205031?v=2" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/DPPWatch/~3/2DrwCF3l4mg/layoffs-and-information-theft.html" title="Layoff's and Information Theft" /><author><name>Mike Hall</name><uri>http://www.blogger.com/profile/08379634856449363073</uri><email>noreply@blogger.com</email><gd:image rel="http://schemas.google.com/g/2005#thumbnail" width="28" height="32" src="http://1.bp.blogspot.com/_VSR2fPJ1VSw/SnCsFK_W52I/AAAAAAABRjw/nBuq-85G6gY/S220/Mike2.jpg" /></author><thr:total>1</thr:total><feedburner:origLink>http://www.dppwatch.com/2009/06/layoffs-and-information-theft.html</feedburner:origLink></entry><entry gd:etag="W/&quot;AkIMRX8-cCp7ImA9WxJQGUg.&quot;"><id>tag:blogger.com,1999:blog-5167282921913372205.post-5885292166014825856</id><published>2009-06-02T17:01:00.000+01:00</published><updated>2009-06-02T17:03:04.158+01:00</updated><app:edited xmlns:app="http://www.w3.org/2007/app">2009-06-02T17:03:04.158+01:00</app:edited><category scheme="http://www.blogger.com/atom/ns#" term="Data Retention" /><category scheme="http://www.blogger.com/atom/ns#" term="Google" /><title>Google indexes details on thousands of credit cards</title><content type="html">From &lt;a 
href="http://www.infosecurity-magazine.com/view/1945/google-indexes-details-on-thousands-of-credit-and-debit-cardholders/"&gt;Infosecurity Magazine&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;Police in Victoria, Australia are investigating a potentially major security incident in which the stolen personal details of thousands of credit and debit card holders from Australia, Germany and the UK were posted to a blogging site and auto-indexed into the Google search engine.&lt;br /&gt;&lt;br /&gt;According to the Australian newspaper, the card details may have originated from a card data skimming operation involving a holiday company, although the data's precise origin is unknown.&lt;br /&gt;What is known, however, is that data files containing the skimmed payment card data were posted on a blog site, and then indexed in Google's search engine in late April.&lt;br /&gt;&lt;br /&gt;This means that anyone keyword searching for card data using advanced Google search engine syntax would obtain access to the data, which is essentially a large identity theft starter kit, Infosecurity notes.&lt;br /&gt;&lt;br /&gt;Data found in Google's search engine reportedly included card numbers of Amex, Visa and Mastercard accounts, together with their expiry dates, cardholder names, addresses, phone numbers and email addresses.&lt;br /&gt;&lt;br /&gt;Australian police are quoted as saying the data probably originated from the skimming of card terminals and ATMs.&lt;br /&gt;&lt;br /&gt;It remains unclear what the motive of the blogger, who has not been traced, was in posting the data.&lt;br /&gt;&lt;br /&gt;Police say they have closed down the blogging pages with the data and are now working with Google to remove the data from its index caches.
&lt;div class="feedflare"&gt;
&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/DPPWatch/~4/I151pQXrezE" height="1" width="1"/&gt;</content><link rel="replies" type="application/atom+xml" href="http://www.dppwatch.com/feeds/5885292166014825856/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="http://www.dppwatch.com/2009/06/google-indexes-details-on-thousands-of.html#comment-form" title="0 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/5167282921913372205/posts/default/5885292166014825856?v=2" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/5167282921913372205/posts/default/5885292166014825856?v=2" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/DPPWatch/~3/I151pQXrezE/google-indexes-details-on-thousands-of.html" title="Google indexes details on thousands of credit cards" /><author><name>Mike Hall</name><uri>http://www.blogger.com/profile/08379634856449363073</uri><email>noreply@blogger.com</email><gd:image rel="http://schemas.google.com/g/2005#thumbnail" width="28" height="32" src="http://1.bp.blogspot.com/_VSR2fPJ1VSw/SnCsFK_W52I/AAAAAAABRjw/nBuq-85G6gY/S220/Mike2.jpg" /></author><thr:total>0</thr:total><feedburner:origLink>http://www.dppwatch.com/2009/06/google-indexes-details-on-thousands-of.html</feedburner:origLink></entry><entry gd:etag="W/&quot;DEUHRng8fip7ImA9WxJXEEw.&quot;"><id>tag:blogger.com,1999:blog-5167282921913372205.post-3795313923800949524</id><published>2009-06-02T14:48:00.006+01:00</published><updated>2009-06-03T09:03:57.676+01:00</updated><app:edited xmlns:app="http://www.w3.org/2007/app">2009-06-03T09:03:57.676+01:00</app:edited><category scheme="http://www.blogger.com/atom/ns#" term="Data Retention" /><category scheme="http://www.blogger.com/atom/ns#" term="Twitter" /><title>Tweets of Hate</title><content type="html">It has long been known that employers trawl the net looking for information about their prospective new 
employees. Facebook, MySpace and other social networking sites give employers an insight into an individual's lifestyle, friends and sometimes their political and religious affiliations. However, the rise of instant social messaging services such as Twitter opens up a whole new world of insight into an individual.&lt;br /&gt;&lt;br /&gt;Would you employ someone who was a racist, an extremist or a bigot? How about someone who harbours extreme views about violence? Probably not, but until recently the only way to find out if someone held these beliefs was to use extensive psychometric profiling or hire a private investigator. Now, it would seem, all we need to do is hop over to Twitter to find out what's in the minds of our employees. A quick &lt;a href="http://search.twitter.com/search?q=%22George+Tiller%22+OR+%23tiller"&gt;search on Twitter&lt;/a&gt; into the shooting of abortion doctor George Tiller in the US revealed some incredible hate-filled posts and some very unpleasant views.&lt;br /&gt;&lt;br /&gt;&lt;span style="font-size:85%;"&gt;&lt;blockquote&gt;&lt;p&gt;&lt;span style="font-size:85%;"&gt;Crap, I always forgot hashtags. I'm happy Tiller's dead. - &lt;/span&gt;&lt;a href="http://twitter.com/jennywaite" target="_blank" jquery1243950434671="11"&gt;&lt;span style="font-size:85%;"&gt;Jennifer Waite, Selah,&lt;br /&gt;Washington&lt;/span&gt;&lt;/a&gt;&lt;br /&gt;&lt;span style="font-size:85%;"&gt;UPDATE... Doctor George Tiller was aborted today in his 204th trimester - aren't paybacks a b***h - &lt;/span&gt;&lt;a href="http://twitter.com/punchtweets" target="_blank" jquery1243950434671="12"&gt;&lt;span style="font-size:85%;"&gt;Punch&lt;/span&gt;&lt;/a&gt;&lt;span style="font-size:85%;"&gt;&lt;br /&gt;oh HAPPY DAY! Tiller the baby killer is DEAD! 
- &lt;/span&gt;&lt;a href="http://twitter.com/spelch" target="_blank" jquery1243950434671="13"&gt;&lt;span style="font-size:85%;"&gt;Samantha Pelch&lt;/span&gt;&lt;/a&gt;&lt;span style="font-size:85%;"&gt;&lt;br /&gt;George Tiller the baby killer was shot dead this morning. God bless the gunmen who hopefully won't be caught. - &lt;/span&gt;&lt;a href="http://twitter.com/readnwatchchris" target="_blank" jquery1243950434671="14"&gt;&lt;span style="font-size:85%;"&gt;readnwatchchris&lt;/span&gt;&lt;/a&gt;&lt;span style="font-size:85%;"&gt;, Creedmor. NC&lt;br /&gt;was George Tiller the baby killers brain scrambled the way he scrambled full term fetuses.. one can only hope - &lt;/span&gt;&lt;a href="http://twitter.com/Brad0418" target="_blank" jquery1243950434671="15"&gt;&lt;span style="font-size:85%;"&gt;Brad S&lt;/span&gt;&lt;/a&gt;&lt;span style="font-size:85%;"&gt;&lt;br /&gt;Infamous baby killer George Tiller gunned down at (irony) church. Why do I not feel sorry for him? Have fun at Judgment Day. - &lt;/span&gt;&lt;a href="http://twitter.com/jamesfiddler" target="_blank" jquery1243950434671="16"&gt;&lt;span style="font-size:85%;"&gt;James Fiddler&lt;/span&gt;&lt;/a&gt;&lt;span style="font-size:85%;"&gt;&lt;br /&gt;tiller the baby killer shot dead...wow. is it insensitive of me to say what goes around comes around? - &lt;/span&gt;&lt;a href="http://twitter.com/bradmnegs" target="_blank" jquery1243950434671="17"&gt;&lt;span style="font-size:85%;"&gt;Brad M. Negulescu&lt;/span&gt;&lt;/a&gt;&lt;span style="font-size:85%;"&gt; Cleveland.&lt;br /&gt;George Tiller the Baby Killer shot dead. May he rot in Hell. - &lt;/span&gt;&lt;a href="http://twitter.com/nataskaslinky" target="_blank" jquery1243950434671="18"&gt;&lt;span style="font-size:85%;"&gt;Amy Strong&lt;/span&gt;&lt;/a&gt;&lt;span style="font-size:85%;"&gt;&lt;br /&gt;Tiller Baby Killer was shot and killed this morning Justice has been served. 
- &lt;/span&gt;&lt;a href="http://twitter.com/ShirlLedeux" target="_blank" jquery1243950434671="19"&gt;&lt;span style="font-size:85%;"&gt;Shirl Ledeux&lt;/span&gt;&lt;/a&gt;&lt;span style="font-size:85%;"&gt;&lt;br /&gt;Thinking about "Tiller the baby killer" He now knows the wages of sin is death. - &lt;/span&gt;&lt;a href="http://twitter.com/dianne31146" target="_blank" jquery1243950434671="20"&gt;&lt;span style="font-size:85%;"&gt;Dianne McDowell&lt;/span&gt;&lt;/a&gt;&lt;span style="font-size:85%;"&gt;&lt;br /&gt;May Tiller rot in Hell , infanticide is the murder of babies, he WAS a provider of death like Hitler, Bundy the list goes on.... - &lt;/span&gt;&lt;a href="http://twitter.com/dennisd345" target="_blank" jquery1243950434671="21"&gt;&lt;span style="font-size:85%;"&gt;Dennis&lt;/span&gt;&lt;/a&gt;&lt;span style="font-size:85%;"&gt;, A People Voip Company&lt;br /&gt;Burn in hell George Tiller - &lt;/span&gt;&lt;a href="http://twitter.com/mikedanben" target="_blank" jquery1243950434671="22"&gt;&lt;span style="font-size:85%;"&gt;mikedanben&lt;/span&gt;&lt;/a&gt;&lt;span style="font-size:85%;"&gt; Sparta, NJ (41.005501,-74.672)&lt;br /&gt;No need to pray for George Tiller. We know he went straight to hell!!!!! - &lt;/span&gt;&lt;a href="http://twitter.com/lauriebailey" target="_blank" jquery1243950434671="23"&gt;&lt;span style="font-size:85%;"&gt;Laurie D. Bailey&lt;/span&gt;&lt;/a&gt;&lt;span style="font-size:85%;"&gt; Olive Branch, MS&lt;br /&gt;Good ridence to Tiller - babies will not be murdered because he is now gone. Wonder how he likes hell! - &lt;/span&gt;&lt;a href="http://twitter.com/Pinehawk" target="_blank" jquery1243950434671="24"&gt;&lt;span style="font-size:85%;"&gt;Jay Emess&lt;/span&gt;&lt;/a&gt;&lt;span style="font-size:85%;"&gt;, Southern, NJ &lt;/span&gt;&lt;span style="font-size:85%;"&gt;Karma is a beautiful thing. Cheers to the hero who sent George Tiller where he belongs... straight to hell. 
- &lt;/span&gt;&lt;a href="http://twitter.com/Darkshore" target="_blank" jquery1243950434671="25"&gt;&lt;span style="font-size:85%;"&gt;Matthew Kamar&lt;/span&gt;&lt;/a&gt;&lt;span style="font-size:85%;"&gt;&lt;br /&gt;omg!george tiller abortion dr. was killed n his church parkn lot! hell yea! - &lt;/span&gt;&lt;a href="http://twitter.com/ty091604y091604" target="_blank" jquery1243950434671="26"&gt;&lt;span style="font-size:85%;"&gt;Sarah Gulick&lt;/span&gt;&lt;/a&gt;&lt;span style="font-size:85%;"&gt;, Wtichita, Ks&lt;br /&gt;George Tiller: Burning in Hell for the last three hours. - &lt;/span&gt;&lt;a href="http://twitter.com/darthdilbert" target="_blank" jquery1243950434671="27"&gt;&lt;span style="font-size:85%;"&gt;darthdilbert&lt;/span&gt;&lt;/a&gt;&lt;span style="font-size:85%;"&gt; Kettering, Oh&lt;br /&gt;Hmm, I know it's wrong, but I feel like the Late-Term Abortion Doctor George Tiller, got what was he deserved..... - &lt;/span&gt;&lt;a href="http://twitter.com/Maenie" target="_blank" jquery1243950434671="28"&gt;&lt;span style="font-size:85%;"&gt;Mary Keogh&lt;/span&gt;&lt;/a&gt;&lt;span style="font-size:85%;"&gt; London England&lt;br /&gt;Boom Boom Boom. George Tiller was served a very very late term abortion this morning.&lt;br /&gt;- &lt;/span&gt;&lt;a href="http://twitter.com/buffalokill" target="_blank" jquery1243950434671="29"&gt;&lt;span style="font-size:85%;"&gt;Chad Coleman,&lt;/span&gt;&lt;/a&gt;&lt;span style="font-size:85%;"&gt; coeur d'alene, Id &lt;/span&gt;&lt;/p&gt;&lt;p&gt;&lt;span style="font-size:85%;"&gt;&lt;br /&gt;A few more added 6:54 PM Pacific Time&lt;br /&gt;Guy shoots a Dr. to death in Church. Me I'm willing to bet that Jesus was his co-pilot. 
- &lt;/span&gt;&lt;a href="http://twitter.com/jeremyawhitman" target="_blank" jquery1243950434671="30"&gt;&lt;span style="font-size:85%;"&gt;jeremyawhitman&lt;/span&gt;&lt;/a&gt;&lt;span style="font-size:85%;"&gt;&lt;br /&gt;Tiller the Killer goes to Church and ends up in Hell - &lt;/span&gt;&lt;a href="http://twitter.com/mshellisright" target="_blank" jquery1243950434671="31"&gt;&lt;span style="font-size:85%;"&gt;mshellisright&lt;/span&gt;&lt;/a&gt;&lt;span style="font-size:85%;"&gt;, Tulsa&lt;br /&gt;Tiller the Baby Killer is finally dead....God took care of what needed to be done.... - &lt;/span&gt;&lt;a href="http://twitter.com/cdwrench" target="_blank" jquery1243950434671="32"&gt;&lt;span style="font-size:85%;"&gt;Cynthia Wrench&lt;/span&gt;&lt;/a&gt;&lt;span style="font-size:85%;"&gt;&lt;br /&gt;The left-wing nutjobs don't understand that Tiller the baby killer was not human. No human kills babies, only monsters. Good riddance - &lt;/span&gt;&lt;a href="http://twitter.com/samishamieh" target="_blank" jquery1243950434671="33"&gt;&lt;span style="font-size:85%;"&gt;Sami Shamieh&lt;/span&gt;&lt;/a&gt;&lt;span style="font-size:85%;"&gt;, Walnut Creek, CA&lt;br /&gt;I guess Obama the Messiah can't resurrect Tiller the baby killer. - &lt;/span&gt;&lt;a style="COLOR: rgb(106,0,5); TEXT-DECORATION: none" href="http://twitter.com/samishamieh" target="_blank" jquery1243950434671="34"&gt;&lt;span style="font-size:85%;"&gt;Sami Shamieh&lt;/span&gt;&lt;/a&gt;&lt;span style="font-size:85%;"&gt;, Walnut Creek, CA&lt;br /&gt;The person who shot Tiller the baby killer simply excercised a man's right to choose. - &lt;/span&gt;&lt;a style="COLOR: rgb(106,0,5); TEXT-DECORATION: none" href="http://twitter.com/samishamieh" target="_blank" jquery1243950434671="35"&gt;&lt;span style="font-size:85%;"&gt;Sami Shamieh&lt;/span&gt;&lt;/a&gt;&lt;span style="font-size:85%;"&gt;, Walnut Creek, CA&lt;br /&gt;the killing of tiller the baby killer was JUSTICE, not murder. 
- &lt;/span&gt;&lt;a href="http://twitter.com/eqbt" target="_blank" jquery1243950434671="36"&gt;&lt;span style="font-size:85%;"&gt;eqbt&lt;/span&gt;&lt;/a&gt;&lt;span style="font-size:85%;"&gt;&lt;br /&gt;Glad someone offed Tiller. Baby Killer. - &lt;/span&gt;&lt;a href="http://twitter.com/squint777" target="_blank" jquery1243950434671="37"&gt;&lt;span style="font-size:85%;"&gt;Kat&lt;/span&gt;&lt;/a&gt;&lt;span style="font-size:85%;"&gt;, Kansas &lt;/span&gt;&lt;/p&gt;&lt;/blockquote&gt;&lt;/span&gt;&lt;br /&gt;And as was &lt;a href="http://infosecrecy.blogspot.com/2009/05/twitter-tweets-that-never-die.html"&gt;discussed just a few days ago&lt;/a&gt;, once something is on the internet, it's on there forever.
&lt;div class="feedflare"&gt;
&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/DPPWatch/~4/MXtP5E-tRkM" height="1" width="1"/&gt;</content><link rel="replies" type="application/atom+xml" href="http://www.dppwatch.com/feeds/3795313923800949524/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="http://www.dppwatch.com/2009/06/tweets-of-hate.html#comment-form" title="0 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/5167282921913372205/posts/default/3795313923800949524?v=2" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/5167282921913372205/posts/default/3795313923800949524?v=2" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/DPPWatch/~3/MXtP5E-tRkM/tweets-of-hate.html" title="Tweets of Hate" /><author><name>Mike Hall</name><uri>http://www.blogger.com/profile/08379634856449363073</uri><email>noreply@blogger.com</email><gd:image rel="http://schemas.google.com/g/2005#thumbnail" width="28" height="32" src="http://1.bp.blogspot.com/_VSR2fPJ1VSw/SnCsFK_W52I/AAAAAAABRjw/nBuq-85G6gY/S220/Mike2.jpg" /></author><thr:total>0</thr:total><feedburner:origLink>http://www.dppwatch.com/2009/06/tweets-of-hate.html</feedburner:origLink></entry><entry gd:etag="W/&quot;CUADSH4zeCp7ImA9WxJQGUk.&quot;"><id>tag:blogger.com,1999:blog-5167282921913372205.post-5364055187300422598</id><published>2009-06-02T12:53:00.002+01:00</published><updated>2009-06-02T12:56:19.080+01:00</updated><app:edited xmlns:app="http://www.w3.org/2007/app">2009-06-02T12:56:19.080+01:00</app:edited><category scheme="http://www.blogger.com/atom/ns#" term="Data Protection Act" /><category scheme="http://www.blogger.com/atom/ns#" term="ICO" /><title>ICO claims that DP should be taken more seriously</title><content type="html">From &lt;a href="http://www.scmagazineuk.com/Information-Commissioners-Office-claims-that-data-protection-should-be-more-seriously-considered/article/137762/"&gt;SC 
Magazine&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;Companies should look at data protection in the same way that they do with risk assessment.&lt;br /&gt;&lt;br /&gt;Speaking at the launch of the BCS and ISAF personal data guardianship code, assistant commissioner at the Information Commissioner's Office, Jonathan Bamford claimed that it had been 'a privilege to see the industry that has gone into this document' and that 'it does say something that solutions are not all technological ones, some are human, there needs to be different aspects and pleased that there is a clear message coming through.'&lt;br /&gt;&lt;br /&gt;Bamford claimed that the public had seen, via various data loss incidents, how vulnerable their details are and he had seen the public's confidence in data protection 'take a real beating in the last few years'.&lt;br /&gt;&lt;br /&gt;“As society's confidence has eroded and we look at what can go wrong, this code tries to get into areas all of the way down the chain. There is no single silver bullet to dealing with risk, it is almost like a mosaic as in order to get whole picture, organisations have to understand their responsibilities. This has to come from the top,” said Bamford.&lt;br /&gt;&lt;br /&gt;He further claimed that as the 'Facebook generation' is now looking after data, there needs to be a better awareness of protection overall.&lt;br /&gt;&lt;br /&gt;Bamford said: “People are key to making change, they set out responsibilities and different stages by setting the right standards and setting out the message on how they need to live up to the responsibilities. I hope many will follow lead with their data guardianship.”
&lt;div class="feedflare"&gt;
&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/DPPWatch/~4/vDZ3oWT6gZM" height="1" width="1"/&gt;</content><link rel="replies" type="application/atom+xml" href="http://www.dppwatch.com/feeds/5364055187300422598/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="http://www.dppwatch.com/2009/06/ico-claims-that-data-protection-should.html#comment-form" title="0 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/5167282921913372205/posts/default/5364055187300422598?v=2" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/5167282921913372205/posts/default/5364055187300422598?v=2" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/DPPWatch/~3/vDZ3oWT6gZM/ico-claims-that-data-protection-should.html" title="ICO claims that DP should be taken more seriously" /><author><name>Mike Hall</name><uri>http://www.blogger.com/profile/08379634856449363073</uri><email>noreply@blogger.com</email><gd:image rel="http://schemas.google.com/g/2005#thumbnail" width="28" height="32" src="http://1.bp.blogspot.com/_VSR2fPJ1VSw/SnCsFK_W52I/AAAAAAABRjw/nBuq-85G6gY/S220/Mike2.jpg" /></author><thr:total>0</thr:total><feedburner:origLink>http://www.dppwatch.com/2009/06/ico-claims-that-data-protection-should.html</feedburner:origLink></entry><entry gd:etag="W/&quot;CUICRnk-eCp7ImA9WxJQGUk.&quot;"><id>tag:blogger.com,1999:blog-5167282921913372205.post-243390305804770072</id><published>2009-06-02T12:49:00.003+01:00</published><updated>2009-06-02T12:52:47.750+01:00</updated><app:edited xmlns:app="http://www.w3.org/2007/app">2009-06-02T12:52:47.750+01:00</app:edited><category scheme="http://www.blogger.com/atom/ns#" term="Data Protection Act" /><category scheme="http://www.blogger.com/atom/ns#" term="BCS" /><title>BCS Launches Personal Data Guardianship Code</title><content type="html">The British Computer Society (BCS) and Information Security Awareness Forum 
(ISAF) have launched the personal data guardianship code. Working on five key principles; accountability, visibility, consent, access and stewardship, the intention is to instruct and offer constructive guidance on data protection. The BCS claim that the code 'identifies the principles and responsibilities on which best practice is based.'&lt;br /&gt;&lt;br /&gt;Speaking at the launch, BCS deputy president Elizabeth Sparrow claimed that after weeks of revelations regarding MPs' expense claims, it was easy to forget how things were a year ago when there was 'such alarm and concern over the loss of data'. Sparrow said: “The British public are highly aware and highly mistrustful of those that hold their personal information and the awareness of data protection is high, in a recent survey only 50 per cent knew what it meant while 90 per cent had heard of it.” She further claimed that one of the key intentions of the code was an aim to change the culture in government towards the impact it will have on citizens, to raise awareness and create a code to give practical help in guiding principles.&lt;br /&gt;&lt;br /&gt;From the &lt;a href="http://www.bcs.org/server.php?show=nav.10666"&gt;BCS Website&lt;/a&gt;:&lt;br /&gt;&lt;br /&gt;&lt;blockquote&gt;Every organisation which handles personal data should have in place specific rules and procedures that protect the rights of data subjects. This Personal Data Guardianship Code is intended to help organisations and the people in them who handle personal data understand their individual responsibilities. It aims to promote best practice and provide 'common sense' guidance, in the same way that the Highway Code provides guidance to motorists to enable them to drive safely for the benefit of both themselves and other road users. 
This is a code of good practice that encompasses discharging your legal duties.Please note: This Code is not intended to be legal advice and where the reader is unsure about any aspect of the DPA or other Acts and regulations they should seek legal advice or visit the &lt;a title="This link opens in a new window" href="http://www.ico.gov.uk/" target="_blank"&gt;website of the Information Commissioner&lt;/a&gt;.&lt;br /&gt;&lt;/blockquote&gt;&lt;a href="http://www.bcs.org/upload/pdf/pdgc.pdf"&gt;Personal Data Guardianship Code - PDF version (2.4 Mb)&lt;/a&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/5167282921913372205-243390305804770072?l=www.dppwatch.com' alt='' /&gt;&lt;/div&gt;
&lt;div class="feedflare"&gt;
&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/DPPWatch/~4/_hshW_YwRZ4" height="1" width="1"/&gt;</content><link rel="replies" type="application/atom+xml" href="http://www.dppwatch.com/feeds/243390305804770072/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="http://www.dppwatch.com/2009/06/bcs-launches-personal-data-guardianship.html#comment-form" title="0 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/5167282921913372205/posts/default/243390305804770072?v=2" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/5167282921913372205/posts/default/243390305804770072?v=2" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/DPPWatch/~3/_hshW_YwRZ4/bcs-launches-personal-data-guardianship.html" title="BCS Launches Personal Data Guardianship Code" /><author><name>Mike Hall</name><uri>http://www.blogger.com/profile/08379634856449363073</uri><email>noreply@blogger.com</email><gd:image rel="http://schemas.google.com/g/2005#thumbnail" width="28" height="32" src="http://1.bp.blogspot.com/_VSR2fPJ1VSw/SnCsFK_W52I/AAAAAAABRjw/nBuq-85G6gY/S220/Mike2.jpg" /></author><thr:total>0</thr:total><feedburner:origLink>http://www.dppwatch.com/2009/06/bcs-launches-personal-data-guardianship.html</feedburner:origLink></entry><entry gd:etag="W/&quot;CUcGRXw7fyp7ImA9WxJQGU4.&quot;"><id>tag:blogger.com,1999:blog-5167282921913372205.post-684532427882742831</id><published>2009-06-02T09:54:00.001+01:00</published><updated>2009-06-02T09:57:04.207+01:00</updated><app:edited xmlns:app="http://www.w3.org/2007/app">2009-06-02T09:57:04.207+01:00</app:edited><category scheme="http://www.blogger.com/atom/ns#" term="BSI" /><category scheme="http://www.blogger.com/atom/ns#" term="ISO27001" /><category scheme="http://www.blogger.com/atom/ns#" term="BS10012" /><title>One In Five Businesses Break The Data Protection Act</title><content type="html">And BSI has a new 
standard out that might help everyone pull their socks up&lt;br /&gt;&lt;br /&gt;From &lt;a href="http://www.eweekeurope.co.uk/news/one-in-five-businesses-break-the-data-protection-act-1026"&gt;eweekeurope&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;Almost one in five businesses has breached the Data Protection Act (DPA) at least once, and nearly two-thirds do not train their staff on the issue, according to a survey by BSI.&lt;br /&gt;&lt;br /&gt;Nearly a fifth of businesses have breached the Data Protection Act, according to a survey of 500 small and medium sized businesses, carried out by BSI - the British Standards Institution - which is today publishing a data protection Standard, for the treatment of the personal information which businesses hold about staff and customers.&lt;br /&gt;&lt;br /&gt;Some of these breaches involved leaking personal information to third parties, while others involved holding personal information improperly or without the owner's consent. The survey does not specify how many of the breaches involved data leaks, but half the companies that admitted to a breach said they had probably breached it many times, and another 18 percent of the sample admitted they did not know whether they had breached the Act or not.&lt;br /&gt;&lt;br /&gt;Despite this situation, 65 percent of businesses provide no data protection training at all for their staff, according to the survey, and in half of them there was no-one with responsibility for data protection. The report turned up other worrying facts, with 18 percent of businesses saying that "data protection is less of a priority in the current economic climate".&lt;br /&gt;&lt;br /&gt;The new British Standard for the management of personal information, BS 10012, is intended to provide a framework for companies complying with the Act. 
The Standard, "Data protection - Specification for a personal information management system" is being launched at today's &lt;a href="http://www.dpforum.org.uk/whoweare/about.shtml"&gt;Data Protection Forum&lt;/a&gt; meeting in London.&lt;br /&gt;&lt;br /&gt;Five million small and medium sized businesses in the UK handle vast amounts of personal data and the survey showed they need to get their act together, and the problem may be dealing with the complexity of the regulations, said Mike Low, Director of standards at BSI: "A third of businesses stated that the complexity of the legislation restricts their compliance with the DPA. The new standard addresses this and many other issues, providing organisations with a framework for maintaining and improving compliance and demonstrating that they are handling personal information responsibly."&lt;br /&gt;&lt;br /&gt;Originally formed as the British Standards Institution, to ratify national standards in all areas, BSI has been making a name for itself in business management standards, which are often accepted as international ISO standards which BSI markets worldwide under the name BSI Group. These standards include areas like quality (ISO 9001, developed from BS 5750) and &lt;a href="http://www.eweekeurope.co.uk/interview/iso-27001-security-management---it-s-bloody-brilliant---811"&gt;security management&lt;/a&gt; (ISO 27001, developed from BS 7799).&lt;br /&gt;&lt;br /&gt;Like these established standards, BS 10012 does not prescribe exact methods, but explains best practice and sets a framework. Any kind of organisation can use it to create their own tailored management system, said Low. 
Experts from industry, government, academia and consumer groups contributed to the standard, and comments from the public were gathered during a three month public comment period before the final version was published today.&lt;br /&gt;&lt;br /&gt;The research on data breaches was conducted on its behalf by Opinion Matters.
&lt;div class="feedflare"&gt;
&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/DPPWatch/~4/OMuFwGAz6uw" height="1" width="1"/&gt;</content><link rel="replies" type="application/atom+xml" href="http://www.dppwatch.com/feeds/684532427882742831/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="http://www.dppwatch.com/2009/06/one-in-five-businesses-break-data.html#comment-form" title="0 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/5167282921913372205/posts/default/684532427882742831?v=2" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/5167282921913372205/posts/default/684532427882742831?v=2" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/DPPWatch/~3/OMuFwGAz6uw/one-in-five-businesses-break-data.html" title="One In Five Businesses Break The Data Protection Act" /><author><name>Mike Hall</name><uri>http://www.blogger.com/profile/08379634856449363073</uri><email>noreply@blogger.com</email><gd:image rel="http://schemas.google.com/g/2005#thumbnail" width="28" height="32" src="http://1.bp.blogspot.com/_VSR2fPJ1VSw/SnCsFK_W52I/AAAAAAABRjw/nBuq-85G6gY/S220/Mike2.jpg" /></author><thr:total>0</thr:total><feedburner:origLink>http://www.dppwatch.com/2009/06/one-in-five-businesses-break-data.html</feedburner:origLink></entry><entry gd:etag="W/&quot;A0QBRXs-eip7ImA9WxJQGEg.&quot;"><id>tag:blogger.com,1999:blog-5167282921913372205.post-5679463421155360928</id><published>2009-06-01T13:28:00.000+01:00</published><updated>2009-06-01T13:29:14.552+01:00</updated><app:edited xmlns:app="http://www.w3.org/2007/app">2009-06-01T13:29:14.552+01:00</app:edited><category scheme="http://www.blogger.com/atom/ns#" term="Encryption" /><category scheme="http://www.blogger.com/atom/ns#" term="Data Loss" /><title>Unencrypted Laptop Lost</title><content type="html">Reposted from &lt;a 
href="http://www.scmagazineuk.com/Payroll-data-loss-could-have-been-prevented-had-the-laptop-been-encrypted/article/137747/"&gt;SC Magazine&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;The loss of a laptop that contained the personal data of around 109,000 British people could have been prevented with encryption.&lt;br /&gt;&lt;br /&gt;Michael Callahan, senior vice president of Credant Technologies, claimed that the loss of personal details, including names, addresses, national insurance numbers and salary plus bank data from The Pensions Trust could have been avoided if the laptop used by the organisation's contractor had used onboard encryption.&lt;br /&gt;&lt;br /&gt;He claimed that the cost of the hardware stolen in these types of incidents is frequently outweighed by the potential financial consequences of the data loss.&lt;br /&gt;&lt;br /&gt;Callahan said: “The fact that the trust is a not-for-profit organisation does not mean that it can bypass any of the stringent IT security safeguards or require similar controls to be implemented by its contracting companies.&lt;br /&gt;&lt;br /&gt;“Basically the data held on the laptop should have been protected by the highest possible levels of encryption, given the potentially serious consequences that could result from the loss of this type of information.”&lt;br /&gt;&lt;br /&gt;The BBC reported that payroll software provider NorthgateArinso was using the information in internal training.&lt;br /&gt;“It is to be hoped that the firm will now review its procedures on using live data in training situations, and also start beefing up its IT security procedures, including applying a policy of encrypting all private data, whether at rest or in transit,” said Callahan.
&lt;div class="feedflare"&gt;
&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/DPPWatch/~4/xeOtnmu1XQc" height="1" width="1"/&gt;</content><link rel="replies" type="application/atom+xml" href="http://www.dppwatch.com/feeds/5679463421155360928/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="http://www.dppwatch.com/2009/06/unencrypted-laptop-lost.html#comment-form" title="0 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/5167282921913372205/posts/default/5679463421155360928?v=2" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/5167282921913372205/posts/default/5679463421155360928?v=2" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/DPPWatch/~3/xeOtnmu1XQc/unencrypted-laptop-lost.html" title="Unencrypted Laptop Lost" /><author><name>Mike Hall</name><uri>http://www.blogger.com/profile/08379634856449363073</uri><email>noreply@blogger.com</email><gd:image rel="http://schemas.google.com/g/2005#thumbnail" width="28" height="32" src="http://1.bp.blogspot.com/_VSR2fPJ1VSw/SnCsFK_W52I/AAAAAAABRjw/nBuq-85G6gY/S220/Mike2.jpg" /></author><thr:total>0</thr:total><feedburner:origLink>http://www.dppwatch.com/2009/06/unencrypted-laptop-lost.html</feedburner:origLink></entry></feed>

