
Description:
Data Privacy, Security and Compliance Research
Contents:
Alumni fume at privacy gaffe
EMAIL gremlins are causing embarrassment at Macquarie University, with graduates up in arms after the university accidentally sent 25,000 email addresses to its alumni mailing list.
In what would have to be one of the worst email privacy breaches in Australian history, the university's Alumni office sent every graduate in its database a copy of the full alumni mailing list.
The list was contained in an email titled "Macquarie Alumni - enter the draw to win the FREE $1,000 investments and more by NAB!".
Security officials say computer drive lost at Portland airport
Federal Homeland Security officials say a computer storage device that may have held personal information on current and former employees has been lost.
"We're relatively confident that thing got scraped into the trash, and it's gone," said Mike Irwin, federal security director at PDX.
Energy probes another data loss
The National Nuclear Security Administration is investigating the Energy Department to see whether the Los Alamos National Laboratory is complying with departmental security directives, according to a statement that NNSA Administrator Linton Brooks issued today.
The action came after police in New Mexico found what appeared to be information from the lab while arresting a man for possession of drug paraphernalia earlier this month, according to published accounts.
Business data breaches found to be more costly than thought
A new study reports that data breaches may cost companies even more than previously thought. The Ponemon Institute released its annual study on the cost of data breaches and found that they cost companies on average $182 per compromised record.
The institute arrived at the number by analyzing incidents involving 31 companies, all but one a Fortune 500 company. Institute Chairman Larry Ponemon said the companies chose to turn over their data on data breaches in hopes of gaining a benchmark of how they were doing.
IP Theft Up In First Half Of Year: Report
Counterfeits and intellectual property (IP) theft cost companies millions in the first half of 2006, according to a report released Tuesday.
An estimated 760 copyright and trademark intellectual property thefts in 69 countries between January and June 2006 cost companies nearly $700 million, up 7 percent from the year-ago period, according to Gieschen Consultancy's 2006 Mid-Year Counterfeit & Piracy Intelligence Report.
The study, based on statistics from the Business Action To Stop Counterfeiting And Piracy (BASCAP), a joint initiative with the International Chamber of Commerce, ranks the United States at the top of the list, citing 205 violations and $51.7 million in losses.
T-Mobile reports ID-theft risk
A laptop containing the Social Security numbers and other personal information of T-Mobile USA Inc. employees recently disappeared, putting as many as 43,000 current and former workers at risk of identity theft.
However, the company based in Bellevue, Wash., says there is no indication the laptop contained customer information.
Stolen laptop held personal data of thousands of Allina patients
A laptop computer containing the names and Social Security numbers of thousands of Allina Hospitals and Clinics obstetrics patients was stolen from a nurse's car Oct. 8, prompting alerts this week from the health-care provider to the patients.
Company spokesman David Kanihan said Thursday night that there has been no indication any data have been accessed. Two passwords are needed to access the information on the laptop, he said.
At U.S. Borders, Laptops Have No Right to Privacy
A LOT of business travelers are walking around with laptops that contain private corporate information that their employers really do not want outsiders to see.
Until recently, their biggest concern was that someone might steal the laptop. But now there’s a new worry - that the laptop will be seized or its contents scrutinized at United States customs and immigration checkpoints upon entering the United States from abroad.
Circle the wagons: Technologies to protect data from getting tapped, leaked or stolen
Government officials need an arsenal of weapons to protect digital assets, including tools that fortify databases, prevent sensitive information from leaving an agency and give laptop computer users secure access to corporate networks.
The rise in data security breaches at federal agencies and in the private sector has made security managers aware of the need to do more than secure networks with firewalls and expose intruders with intrusion-detection systems. Experts say security managers must focus on protecting databases and stopping data leakages by tracking the flow of data.
EU building info systems to help secure borders
Like the United States, the European Union is seeking to improve border security without putting undue burdens on travelers or shippers of goods. As part of that effort, the EU is enhancing or developing several systems to replace the aging Schengen Information System.
That 10-year-old centralized database has not kept up with the EU's growth to 25 nations, with two more set to join in January. In addition, although SIS allows border agents to check travelers’ identities, it only contains biographical information.
Telmo Baltazar, political justice, freedom and security counselor for the European Commission’s delegation to the United States, said the primary new system, called SIS II, will store biometric data and allow agents to search multimedia data. He said the new system will be more modular and flexible to adapt to changing requirements.
Real ID draft regs due by year's end
By the end of the year, the Homeland Security Department will issue draft regulations specifying how states should implement mandatory federal standards for driver's licenses. But several states have already gotten started.
Jonathan Frenkel, director of law enforcement policy at DHS, said the draft regulations will better explain the broad mandates in the Real ID Act of 2005. The department is currently reviewing the regulations and will then send them to the Office of Management and Budget and other agencies for their input.
Social Security Administration ahead of HSPD-12 deadline
The Social Security Administration has begun issuing new secure identity cards to its employees and contractors, beating an Oct. 27 deadline imposed under Homeland Security Presidential Directive 12 (HSPD-12) by nine days.
SSA is also the first agency to issue the cards, according to David Simonetti, a senior design architect at Jacob and Sundstrom, which is assisting SSA in deploying the personal identity verification (PIV) cards.
Researchers See Privacy Pitfalls in No-Swipe Credit Cards
They call it the 'Johnny Carson attack,' for his comic pose as a psychic divining the contents of an envelope.
Tom Heydt-Benjamin tapped an envelope against a black plastic box connected to his computer. Within moments, the screen showed a garbled string of characters that included this: fu/kevine, along with some numbers.
The U.S. And E.U. Avoid A Mid-Air Collision -- Or Did They Just Postpone It?
The European Union has approved a new agreement to share airline passenger data with U.S. law enforcement authorities. The deal settles, for now, a legal dispute that could have halted or at least seriously disrupted, trans-Atlantic flights between Europe and the United States.
This is not, however, the last you will hear about the subject. The new agreement will expire in just nine months -- and while talks on a new, long-term passenger data-sharing pact will open later this year, I would not be surprised if next July brings yet another last-minute standoff pitting U.S. security concerns against Europe's no-nonsense privacy laws.
State to issue notice on passport cards
State Department officials will be issuing a Notice of Proposed Rule Making next week that lays out the architecture of a smart card that would be used under the Western Hemisphere Travel Initiative (WHTI).
Frank Moss, the department’s deputy assistant secretary for passport services, said the intent is to create wallet-sized, secure People Access Security Services (PASS) cards – also known as passport cards – that would include radio frequency vicinity-read technology. He said such read technology is being used in other programs, such as Nexus, a joint U.S./Canadian traveler program to simplify border crossings for frequent travelers between the two countries.
NCR's RFID for branch banking initiative raises eyebrows
I'd intended to use this issue to kick off a discussion on identity and anonymity and explore why anonymity might be useful, if there could be truly anonymous transactions online, the context of anonymity, and so on. We will get to that real soon, but while I was researching anonymity a press release crossed my inbox that was, literally, breathtaking. And it would be to anyone who has followed the discussions of privacy, security and even anonymity over the past year or two.
The press release came from NCR and touted "RFID for branch banking". The document opens with: "NCR Corporation...demonstrated how radio frequency identification (RFID) can be used to make branch banking a more personalized experience."
FBI Director, Police Chiefs Support Record Retention For Internet
FBI Director Robert Mueller said he supports a plan requiring Internet service providers to retain information on users' Internet activities.
In a speech before the International Association of Chiefs of Police on Tuesday, Mueller praised law enforcement officials for adopting a resolution that would require ISPs to retain information in case it is needed for investigations.
Man Indicted In Dollar Tree ATM Fraud Case - Hundreds Of Customers Reported Money Stolen
A Southern California man has been indicted by a federal grand jury for alleged bank fraud involving hundreds of customers of Dollar Tree stores.
Authorities said Parkev Krmoian is accused of using counterfeit ATM cards to make unauthorized withdrawals. Police said the cards Krmoian was using were actually gift cards that had been encoded with ATM card information.
Ten security trends worth watching
In a keynote speech that was webcast at last month's Hack in the Box Security Conference in Kuala Lumpur, Malaysia, Bruce Schneier, chief technology officer of managed security services provider Counterpane Internet Security Inc., identified 10 trends affecting information security today.
1. Information is more valuable than ever. For example, Amazon.com Inc. relies on information to make purchasing of books easier through its one-click purchasing system. Similarly, when Internet retailer Pets.com went belly-up, the company's database of customers "was the only asset of value they had," he said.
The Ten Most Dangerous Things Users Do Online
End users -- god bless ’em. You can’t live with ’em -- but without them, you wouldn’t have a job. They’re the reason you have an IT infrastructure; they’re also the single greatest threat to the security of that infrastructure.
Feds Often Clueless After Data Losses
Federal agencies not only regularly lose personal identity data, but don't even always know what they've lost or how many Americans are affected, a recently-released House report claimed.
According to the report issued by the House Government Reform Committee, which is chaired by Tom Davis (R-Va.), all 19 federal departments and agencies from which data was requested had lost or compromised personal information in the three-and-a-half years since January 2003. Some of the breaches were losses, others were the result of theft.
Steal my ID, steal my fingers - the public gets nervous
The public fears losing their fingers to ruthless biometric ID thieves in the fingerprint-controlled future, apparently. Or at least, so says Frost & Sullivan analyst Sapna Capoor, who argued unconvincingly that "A dead finger is no good to a thief."
If you have a fingerprint scanner protecting your family jewels, your data might be safe, but what about your fingers?
US: Terrorists telecommuting to work
Michael Chertoff, head of US Homeland Security, warned that people don't need to travel to a country with "-stan" in its name to become radicalized and commit acts of violence. Instead, they can now turn to the Internet. "They can train themselves over the Internet. They never have to necessarily go to the training camp or speak with anybody else and that diffusion of a combination of hatred and technical skills in things like bomb-making is a dangerous combination," Chertoff said at a conference of international police chiefs, according to Reuters. "Those are the kind of terrorists that we may not be able to detect with spies and satellites."
Microsoft releases guidelines for customer privacy
Criticized in the past for an initiative that would require the company to collect and catalog personal information about its customers, Microsoft on Wednesday released an internal document about how it protects customers' privacy in the hopes other companies will adopt similar practices.
The company publicly published a 49-page document, called Microsoft’s Privacy Guidelines for Developing Software Products and Services, at the International Association of Privacy Professionals Privacy Academy 2006 in Toronto. The document can be found here.
EU needs RFID privacy regs, study finds
The European Union needs to consider adopting a solid legal framework to ensure that the use of radio frequency identification technology does not infringe on privacy, a top official of the European Commission, the executive branch of the EU, told an RFID conference Oct. 16.
The EU also needs to standardize its RFID frequencies in the 865 to 868 MHz frequency band, according to a commission background paper presented at the conference. The commission said it expects to complete a draft spectrum decision by the end of this year.
Justice task force looks into privacy
A task force has issued a series of recommendations regarding privacy in justice information systems.
The Privacy Technology Focus Group was chartered to examine the exchange of personally identifiable information, focusing on justice and public safety data. Last November, the Justice Department brought together a group of public- and private-sector specialists to look into privacy technology. The group’s working teams covered areas such as access and authentication, data aggregation and dissemination, and identity theft.
IDA clients suffer security breach
The securities firms that reported the breach have not confirmed the means by which accounts were accessed, but the Investment Dealers Association (IDA) pointed to pharming Web sites as another possible avenue.
Only two accounts were affected, although the IDA said it was alerted by a U.S. regulator about a similar situation that happened there.
Brief: Congressional Budget Office mailing list hacked
Hackers have breached the mailing list of the Congressional Budget Office (CBO), according to the agency.
"There was a limited breach of our list server that has since been patched and closed," said Melissa Merson, a CBO spokeswoman. "When people access a federal government computer, that's considered a possible criminal violation. So we've referred the matter to the appropriate law enforcement authorities, and it's under investigation."
Theft causes most data losses, report finds
Because equipment theft causes most data losses, agencies should use physical security to protect sensitive information, according to a new House Government Reform Committee report.
"The vast majority of data losses arose from physical thefts of portable computers, drives and disks, or unauthorized use of data by employees," the Oct. 13 report states. Computer system hackers caused few breaches.
Data held by feds, vendors at risk
Federal contractors that agencies rely on for IT management services are responsible for many of the data breaches that agencies reported to the House Government Reform Committee, which today released its findings on past data loss across government.
That is just one of the conclusions from the committee staff report, which also found that data loss occurs in all major agencies, and that those agencies don’t always know what was lost.
Compliance affecting efficiency in IT - survey
Most Irish IT departments now face regulatory compliance issues but this is clashing directly with the need for more efficiency, leading to increased technical challenges, resourcing problems and cost concerns, new research claims.
A survey carried out by Unitech Systems, which polled 300 information managers from the top 1,000 companies in Ireland, found that 88pc of Irish organisations are affected by regulatory compliance. The three most common regulations to affect Irish businesses are the Data Protection Act (34pc), the Freedom of Information Act (22pc) and Sarbanes-Oxley (22pc). Basel II and FDA regulations figured much lower down the list, at 7pc and 2pc respectively. Just over a quarter of respondents (26pc) said their company must comply with US legislation.
New RFID tech would track airport passengers
The inventors of a new monitoring system that uses RFID tags claim it could improve airport security by tracking passengers as they mingle in the departure lounge.
The plan is to issue an RFID (radio frequency identification) tag to every passenger at check-in so human traffic can be monitored throughout the airport via transponders and video cameras.
Paul Brennan, an electrical engineer at University College London, heads the project, which features an RFID technology called Optag. Funded by the European Union, the technology is being developed by a consortium of European companies and the university. Brennan told Silicon.com that a prototype RFID tag will be tested in an airport in Hungary next month.
Brennan said that if the trials in Hungary are a success and the technology attracts customers, it could arrive in airports within two years.
Brennan said Optag has been designed to improve airport security by virtue of its ability to track the movement of suspicious passengers, which would enable security personnel to bar them from entering restricted areas.
Report: Data loss widespread at government agencies
According to the report, which was released Friday, 19 federal agencies have reported at least one loss of personally identifiable information since January 2003. In addition, those agencies don't always know what information has been lost or how many people could be affected because they aren't tracking those losses, the report said.
"For example, the Department of Justice reports that, prior to the May 2006 Veterans Administration data breach, 'the department did not track the content of lost, stolen, or otherwise compromised devices,'" the report stated.
Hackers steal personal information from Brock University computers
The personal information - including some credit card and bank account numbers - of about 70,000 people who gave money to Brock University has been stolen from the school's computers by a hacker.
Terry Boak, Brock's vice-president academic, said the digital intruder had the secret passwords needed to access the file listing of possibly every individual to ever donate to the university.
"It wasn't just someone who hacked in by playing around with it," Boak said. "So, you start thinking about how these passwords were obtained."
UTA alerts students to identity-theft threat (Univ of Texas at Arlington)
ARLINGTON - The personal information of about 2,500 University of Texas at Arlington students was on two computers stolen from a faculty member's home last month, school officials said.
Teleworkers Know (And Ignore) Security Risks, Study Says
The majority of telecommuters are aware of the security dangers that go along with using mobile devices and remotely logging onto their employers' networks, yet their behavior for the most part contradicts this awareness, according to a study issued Monday by Cisco Systems and research firm InsightExpress.
Of 1,000 teleworkers contacted across 10 countries, more than one of every five allows friends, family members, or other non-employees to use his/her work computer to access the Internet. The top five justifications for doing this were that workers didn't see anything wrong with it, their companies didn't mind, they didn't think that letting others use company-issued computers increases security risks, they doubted their companies would care, and their co-workers did it, too.