Saturday, January 30, 2010

Corporations' cyber security under widespread attack, survey finds

A survey of IT executives at corporations in 14 countries finds that more than half have seen 'high-level' attacks on their firms' computer systems. Even so, budgets for cyber security and IT have been cut in recent years, two-thirds of the respondents say.

Around the world, corporations' computer networks and control systems are under "repeated cyberattack, often from high-level adversaries like foreign nation-states," according to a new global survey of information technology executives.

The attacks include run-of-the-mill viruses and other "malware" that routinely strike corporate defenses, but also actions by "high-level" adversaries such as "organized crime, terrorists, or nation states," a first-time global survey by the Center for Strategic and International Studies (CSIS) in Washington has found. More than half of the 600 IT managers surveyed, who operate critical infrastructure in 14 countries, reported that their systems have been hit by such "high-level" attacks, the survey concludes.

A large majority, 59 percent, said they believed that foreign governments or their affiliates had already been involved in such attacks or in efforts to infiltrate important infrastructure – such as refineries, electric utilities, and banks – in their countries.

Such attacks, the survey said, include sophisticated denial-of-service attacks, in which an attacker tries to so overwhelm a corporate network with requests that the network grinds to a halt.

But they also include efforts to infiltrate a company. Fifty-four percent of the IT executives said their companies' networks had been targets of stealth attacks in which infiltration was the intent. In two-thirds of those cases, the IT managers surveyed said company operations had been harmed.

The IT managers also believed that these "stealthy" attacks were conducted by "nation states" targeting their proprietary data, says the survey's main author, CSIS fellow Stewart Baker, in a phone interview. Mr. Baker is a cybersecurity expert formerly with the Department of Homeland Security and National Security Agency.

"It's all the same kind of stuff – spear-phishing, malware, taking over the network and downloading-whatever-you-want kind of attack," he says. "Over half of these executives believe they've been attacked with the kind of sophistication you'd expect from a nation state." csmonitor

Report: Companies unprepared for cybercrime

Many organizations are focused on stopping random hackers and blocking pornography when they should be concerned with bigger threats from professional cybercriminals, according to a new cybersecurity report.

A new Deloitte report offers insight into organizations' perceptions on cyber incidents.

In a survey conducted last year of 523 IT and security managers, top-level executives, and law enforcement personnel, hackers were rated the biggest threat, followed by insiders and foreign entities--probably because hackers are the "noisiest and easiest to detect," the 2010 CyberSecurity Watch Survey concluded.

However, attackers from nation-states and organized crime syndicates use more sophisticated techniques that can do more economic damage and go undiscovered, said the report, sponsored by Deloitte and conducted in collaboration with CSO Magazine, the U.S. Secret Service, and the CERT Coordination Center at Carnegie Mellon.

The report, which was released Friday, did not discuss who the hackers are exactly or whether they may be working for organized criminals or foreign governments. cnet

Why PCI compliance goes beyond - and is more important than - the PCI audit

When it comes to payment processing security, many organisations focus on passing the PCI compliance audit. Once that certificate is signed, their focus on payment processing security falls by the wayside.

This is a dangerous mindset, said Walt Conway, a Qualified Security Assessor and payment processing technology expert.

"CIOs and merchants who focus only on their annual PCI validation may actually find that they unintentionally make themselves more vulnerable to a costly data breach," Conway wrote in an article on "They also make their PCI revalidation the following year more difficult, and possibly more expensive, than it has to be." pivotalpayments

Docs to FTC: Change Red Flags Rule

The American Medical Association, American Dental Association and American Veterinary Medical Association have jointly written to Federal Trade Commission members asking that health professionals be excluded from the Red Flags rule.

The rule requires many businesses, including health care organizations, to take specific steps to minimize identity theft. These steps include identifying suspicious activity involving Social Security numbers, credit reports and other identifying information. This would involve new policies and procedures, and likely implementation of new data security and regulatory compliance software products.

The FTC has delayed enforcement of the Red Flags rule four times as various professions protest their inclusion. The compliance date now is June 1, 2010.

The three medical associations have previously pushed for the exemption as individual groups, saying Congress did not intend to include health professionals. The joint letter follows a recent court ruling that attorneys should be exempted from the rule. In the letter, the associations contend that the considerations that led to a federal court decision exempting attorneys also apply to health professionals. What follows is the full text of the letter to FTC commissioners, dated Jan. 29:

"We are writing to you and to each member of the Federal Trade Commission in our capacities as President or Chief Executive Officer of the American Dental Association, the American Medical Association, the American Osteopathic Association, and the American Veterinary Medical Association. Together, our four organizations represent hundreds of thousands of licensed health care professionals (LHCPs) who would be subject to the Commission's Red Flags Rule (the Rule), 16 C.F.R., sec. 681, if the Rule is extended to LHCPs who accept payment after their services have been rendered. We are writing to request that the Commission make clear that, in light of the decision in American Bar Association v. FTC (D.D.C. No. 09-1636 (RBW)) (the ABA litigation), the Rule will not be applied to such professionals.

"Specifically, we request that the Commission take two actions:

1. Announce that the Rule will not be applied against LHCPs until at least ninety days after final resolution of the ABA litigation; and

2. Commit that, if the final resolution of the ABA litigation is that the Rule will not be applied to attorneys, the Commission will not apply the Rule to LHCPs either.

"In this letter, we will briefly set forth the basis for this request.

"Our associations have previously expressed the view individually that application of the Rule to health care professionals would exceed the scope of the Commission's authority under the enabling statute -- the Fair and Accurate Credit Transactions Act of 2003 (the FACT Act). In our previous communications, we have also explained why such application would increase the costs of health care and would impose burdens on our members - with little, if any, benefit to the public. Nevertheless, although it has postponed the effective date, the Commission has never disavowed the position that the Rule will be applied to LHCPs. healthdatamanagement

Google attack highlights 'zero-day' black market

The recent hacking attack that prompted Google's threat to leave China is underscoring the heightened dangers of previously undisclosed computer security flaws - and renewing debate over buying and selling information about them in the black market.

Because no fix was available, the linchpin in the attack was one of the worst kinds of security holes. Criminals treasure these types of "zero day" security vulnerabilities because they are the closest to a sure thing and virtually guarantee the success of a shrewdly crafted attack.

In this Jan. 26, 2010 photo, TippingPoint's Pedram Amini, manager of security research team and the company's zero day initiative, works at his desk in Austin, Texas. TippingPoint founded the Zero Day Initiative, a program for rewarding researchers for disclosing vulnerabilities like the recent programming flaw in Internet Explorer that was used to attack Google employees.

How did the perpetrators learn about the flaw? Likely, they merely had to tap a thriving underground market, where a hole "wide enough to drive a truck through" can command hundreds of thousands of dollars, said Ken Silva, chief technology officer of VeriSign Inc. Such flaws can take months of full-time hacking to find.

"Zero days are the safest for attackers to use, but they're also the hardest to find," Silva said. "If it's not a zero day, it's not valuable at all."

The Internet Explorer flaw used in the attack on Google Inc. required tricking people into visiting a malicious Web site that installed harmful software on victims' computers.

The attack, along with a discovery that computer hackers had tricked human-rights activists into exposing their Google e-mail accounts to outsiders, infuriated Google and provoked a larger fight over China's censorship of Internet content. Google has threatened to shut down its censored, Chinese-language search engine and possibly close its offices in China.

Pedram Amini, manager of the Zero Day Initiative at the security firm TippingPoint, estimated that the IE flaw could have fetched as much as $40,000. He said even more valuable zero-day flaws are ones that can infect computers without any action on the users' part.

Zero days refer to security vulnerabilities caused by programming errors that haven't been "patched," or fixed, by the products' developers. Often those companies don't know the weaknesses exist and have had zero days to work on closing the holes. sanluisobispo

Cyber crooks cashing in on iPad frenzy

Hackers and scammers are cashing in on iPad fever by luring the curious to booby-trapped websites with false promises of information about Apple's new tablet computer.

"Even before the first user could buy the latest and upcoming Apple technology, the iPad, cybercriminals are already making profit from its popularity," said Carolyn Guevarra of computer security firm Trend Micro.

Apple chief executive Steve Jobs on Wednesday revealed the company's latest device, a touchscreen tablet computer called the iPad. The iPad, which resembles an oversized iPhone, begins shipping worldwide in March.

Speculation and anticipation regarding Apple's latest creation built in the months prior to the iPad unveiling, only to be replaced afterward by intense online debate about the device's strengths and weaknesses.

"Sadly, this is just the kind of opportunity fraudsters like to exploit by poisoning search terms," Symantec security expert Candid Wueest told AFP on Friday.

"We can also expect to see iPad-related spam and phishing attacks hitting consumers hard over the coming weeks. We'd advise the curious to be on their guard."

Hackers and criminals "poison" online searches by rigging websites with words likely to be used as query terms to assure prominent ranking on results pages, according to Ivan Macalintal of Trend Micro.

When people seeking iPad insights interact with links on trick pages, their machines are infected with "scareware" software that tries to get them to pay to fix computer virus problems that don't actually exist.


Monday, January 25, 2010

Data Breach Report: Malicious Attacks Doubled in 2009

Malicious criminal attacks have doubled, and the average cost of a data breach has increased to $204 per compromised record.

These are the headlines from the 5th annual "Cost of a Data Breach" study by the Ponemon Institute.

The study shows that the total cost of a data breach rose to $204 from $202 per compromised record. Dr. Larry Ponemon, President and CEO of the Ponemon Institute, says the increase is a "big deal" because it shows that data breaches continue to be a costly event for all organizations. The Ponemon Institute is a privacy and information security research firm based in Traverse City, MI.

According to the latest study, of the $204 associated with compromised records, $144 is linked to indirect costs including abnormal turnover or "churn" of existing and future customers. Ponemon says this compares to 2009's average per victim cost of $202, with an average indirect cost at $152 per breach victim. This year direct costs rose to $60 from $50 in 2009.

The study does not try to draw definitive conclusions, Ponemon says, but looks at broad trends. Data breaches have three root causes: third party mistakes, malicious attacks, or a negligent insider or systems glitch. Ponemon notes that 42 percent of all cases in the study involved third-party mistakes or flubs. These breaches are the most expensive, especially if they occur offshore, he says. "This could be because more investigation is needed, along with consulting fees."

The number of malicious or criminal attack-related breaches was 24 percent -- double the 12 percent of the 2009 study. "They are the most costly, and the types of attacks we found included botnet attacks and data-stealing malware," Ponemon says. "There is more to worry about because I see this as a growing category. This number of criminal attacks will continue to increase in the foreseeable future."

The cost of a malicious breach ($215 per record) is higher than that of a negligent insider or a systems glitch, which average $154 and $166, respectively.

This study does not include "catastrophic" data breaches such as Heartland or TJX, says Ponemon. "We're looking at a cost model that is comparable for big data breaches, but not catastrophic data breaches such as Heartland or TJX," he notes. Including them would skew the results to a much lower number. "Trying to compare a catastrophic data breach's numbers with a regular data breach would be like trying to compare the budgets of the United States to Haiti's," he adds. A data breach in this study ranges from 5,000 records to fewer than 101,000 records. bankinfosecurity

'Trivial' Passwords Enabled Huge Hack

The hackers who stole and published 33 million passwords from the website in December needn't have bothered, a security company has revealed. Many of them were so trivial they could have been guessed anyway.

According to a new analysis of the hacked passwords, the most popular password used on the Rockyou site was '123456'. Ridiculously, the second most popular password was '12345' closely followed (in order) by '12345687', 'Password', 'iloveyou', 'princess', and the imaginative 'rockyou'.

To put the use of '123456' into perspective, it was used on 290,731 accounts out of the nearly 33 million, which sounds small until Imperva reveals that the top 20 passwords were all equally transparent, and around 20 percent of the 5,000 most popular passwords were "names, slang words, dictionary words or trivial passwords." In 20th place, 13,856 accounts secured themselves with the word 'QWERTY'.

Helpfully, Imperva puts this disastrous state of affairs into perspective in its downloadable report that should probably be required reading for companies that do not enforce password complexity. (See "The Art of Creating Strong Passwords" for tips.)

"If a hacker would have used the list of the top 5,000 passwords as a dictionary for brute force attack on Rockyou.com users, it would take only one attempt (per account) to guess 0.9 percent of the users' passwords or a rate of one success per 111 attempts," say its authors.

"At this rate, a hacker will gain access to one new account every second or just less than 17 minutes to compromise 1,000 accounts. And the problem is exponential," which is a technical way of saying that it would have been trivial to hack into many of the accounts one by one even without the serious breach that compromised the whole database.

Such hacking would have had rewards beyond Rockyou -- it is believed that the same passwords on the Rockyou accounts were defaults for user webmail accounts on Gmail, Yahoo, Hotmail, and others. Imperva makes some common sense suggestions on how websites and users can be educated to minimise such unnecessary vulnerability: put CAPTCHAs on sites (they slow down brute forcing), enforce password changes, make users adopt password complexity, and never store or transmit passwords in the clear.

Businesses are also asked to pay attention to the blurring of work and leisure web browsing.

"Employees using the same passwords on Facebook that they use in the workplace bring the possibility of compromising enterprise systems with insecure passwords, especially if they are using easy to crack passwords like '123456'," said Imperva's CTO, Amichai Shulman. pcworld
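The arithmetic behind Imperva's figures, and the blocklist check its advice implies, as an added example that is not from the PC World article or the Imperva report; the password dump and the common-password list below are constructed stand-ins, not RockYou data:

```python
from collections import Counter

# Constructed stand-in for a leaked password dump: 100 accounts. The weak
# entries mirror the article's top passwords; the other 73 are unique.
CONSTRUCTED_DUMP = (
    ["123456"] * 9 + ["12345"] * 5 + ["Password"] * 4 + ["iloveyou"] * 3
    + ["princess"] * 2 + ["rockyou"] * 2 + ["QWERTY"] * 2
    + [f"Unique-pw-{i:03d}!" for i in range(73)]
)

# Constructed blocklist: the article's top entries, as a site might ship them.
COMMON_PASSWORDS = ["123456", "12345", "password", "iloveyou",
                    "princess", "rockyou", "qwerty"]


def top_passwords(dump, n=7):
    """Most-used passwords with account counts, most frequent first."""
    return Counter(dump).most_common(n)


def single_guess_hit_rate(dump, guess):
    """Share of accounts opened by trying `guess` once against each account.
    Imperva's 0.9% is 290,731 '123456' accounts out of nearly 33 million."""
    return dump.count(guess) / len(dump)


def dictionary_coverage(dump, dictionary):
    """Share of accounts whose password appears anywhere in `dictionary`.
    Case-folded so that 'QWERTY' and 'qwerty' count as the same password."""
    words = {w.lower() for w in dictionary}
    return sum(1 for p in dump if p.lower() in words) / len(dump)


def attempts_per_success(hit_rate):
    """Expected guesses per compromised account: 1/0.009 is the report's
    'one success per 111 attempts'."""
    return 1 / hit_rate


def minutes_to_compromise(accounts, attempts_per_second, hit_rate):
    """Wall-clock minutes to open `accounts` accounts at a given guessing
    speed. At 111 guesses/s and a 0.9% hit rate, 1,000 accounts take about
    16.7 minutes, the report's 'just less than 17 minutes'."""
    return accounts / (attempts_per_second * hit_rate) / 60


def reject_weak(password, blocklist, min_len=8):
    """Registration-time check implementing the article's advice: refuse
    anything on the common-password list (case-insensitively) and anything
    shorter than `min_len`. Returns a reason, or None if acceptable."""
    if password.lower() in {w.lower() for w in blocklist}:
        return "on common-password blocklist"
    if len(password) < min_len:
        return "too short"
    return None


if __name__ == "__main__":
    top = top_passwords(CONSTRUCTED_DUMP)
    print("top passwords:", top)
    rate = single_guess_hit_rate(CONSTRUCTED_DUMP, top[0][0])
    print(f"one guess of {top[0][0]!r} opens {rate:.1%} of accounts")
    covered = dictionary_coverage(CONSTRUCTED_DUMP, COMMON_PASSWORDS)
    print(f"top-{len(COMMON_PASSWORDS)} dictionary covers {covered:.0%}")
    print(f"guesses per success at 0.9%: {attempts_per_success(0.009):.0f}")
    print(f"minutes for 1,000 accounts at 111 guesses/s: "
          f"{minutes_to_compromise(1000, 111, 0.009):.1f}")
    for pw in ("123456", "QWERTY", "Ab1!", "Unique-pw-007!"):
        print(f"{pw!r}: {reject_weak(pw, COMMON_PASSWORDS) or 'accepted'}")
```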

Saturday, January 23, 2010

FTC's New Red Flags Rules: Are They the Right Cure at the Right Time?

Identity theft is a serious problem that causes its victims financial loss, inconvenience and mental suffering. Despite a wide range of different efforts to clamp down on identity theft, it continues to grow. A recent Federal Trade Commission report revealed that in 2008, the number of identity theft complaints exceeded 1.2 million, the highest number on record for any year since such complaints were tracked.

Medical identity theft, while far less prevalent than financial identity theft, is a major concern for consumers. It is thus not very surprising that legislators, consumer protection agencies and advocates continue to seek new ways to prevent identity theft of all kinds and mitigate the effects of identity theft when it does occur.

One of the most recent efforts to combat identity theft is FTC's Red Flags Rules, a result of the Fair and Accurate Credit Transactions Act of 2003. Among other requirements, FACTA required FTC to enact rules to require financial institutions and "creditors" to develop programs to assist the government in detecting, preventing and mitigating "red flags" of identity theft.

The rules were originally to take effect on Nov. 1, 2008, but were delayed several times -- first to May 1, 2009, then to Aug. 1, 2009, and then to Nov. 1, 2009. Most recently, FTC delayed the enforcement of the rules a fourth time, and they are now set to be enforced beginning on June 1, 2010.

Accordingly, with the latest implementation date looming, physicians are well advised to determine whether they are in compliance with the rules. For those who are subject to the rules, a failure to comply may result in civil monetary penalties and also could lead to less tangible losses, such as negative publicity and the loss of good will.

When Are Physicians Covered by the Rules?

Not all physicians will be subject to the rules. The duty to comply will hinge on whether a physician's activities fall within the law's definition of two key terms: "creditor" and "covered account." Physicians will be subject to the rules if they satisfy a two-part test.

First, the provider must be a creditor. Under the broad definition of creditor, a physician who renders medical services to a patient without taking full payment at the time of service but rather defers payment by billing the patient will be a creditor. The same holds true for a physician who renders medical services to a patient and accepts the patient's co-payment.

Under the second part of the test, a physician must offer or maintain covered accounts for patients to be subject to the rules. According to the rules, a covered account is one that a creditor offers or maintains for personal, family or household purposes and that involves multiple payments or transactions. Any other account the creditor offers or maintains for which there is a reasonably foreseeable risk to patients of identity theft also falls under the definition. A physician who is a creditor must have a continuing relationship with the patient before the patient's account is considered a covered account.

What Do the Rules Require?

Physicians who are covered under the rules are required to develop, implement and maintain a written identity theft prevention program designed to detect, prevent and mitigate identity theft. FTC defines a "red flag" as a "pattern, practice, or specific activity that indicates the possible existence of identity theft."

At a minimum, the rules require the program to provide policies and procedures to:

• Identify red flags: A physician who is subject to the rules must implement a program to identify patterns, practices or specific activities that indicate the possible risk of identity theft. These items are known as "red flags." There is no "one size fits all" approach to identifying red flags. Covered physicians, as well as all others who are covered by the rules, must identify those red flags that are relevant to their particular practice or business.

• Detect red flags: Physicians covered by the rules must also establish and implement policies and procedures to detect those red flags in their day-to-day operations. Red flags may be identified in a number of different areas of practice. For example, a physician may identify a red flag when verifying a patient's identity, monitoring certain transactions and/or processing changes of address.

• Respond to red flags: The compliance program must, commensurate with the degree of risk posed, address the risk of identity theft to the individual patient and the financial institution or physician. The regulation provides an illustrative list of appropriate measures that may be used to respond to red flags.

• Updating the program: The physician should periodically update its program based on experiences with identity theft, changes in the methods of identity theft, changes in methods to detect, prevent and mitigate identity theft, changes in accounts offered and maintained, and changes in business arrangements. ihealthbeat

How safe is Internet Explorer?

Is Microsoft's Internet Explorer browser unsafe? Should you reconsider using it?

Last week Google announced that its subsidiary in China, along with many other companies, had been the target of a very sophisticated cyber attack. The news created a big buzz in the media and around the political world because it seemed to pit Google against China. From the consumer's point of view, the worrisome news is that one of the security holes the attackers used was in the Internet Explorer browser, arguably the most popular browser in the world.

Attackers were able to insert malware code into user computers running Internet Explorer which enabled them to access personal Gmail accounts. The malware code has since been made public and this exploit is available to anyone now interested in putting it to nefarious use, which could include going beyond just reading your Gmail account.

"I believe this is the largest and most sophisticated cyber attack we have seen in years," said George Kurtz, chief technology officer at McAfee, in his blog. "What really makes this a watershed moment in cyber security is the targeted and coordinated nature of the attack with the main goal appearing to be to steal core intellectual property."

Microsoft has since admitted the existence of this security hole and recommends that the browser security zone be set to High. Unfortunately, this does not stop all malware that might compromise your security, and it also removes many features from the browser and restricts its use. The company released a security patch for Internet Explorer 6 and claims the flaw affects only that version of the browser, but researchers have succeeded in using the exploit on versions 7 and 8. walletpop

Wednesday, January 20, 2010

DIY cybercrime kits power growth in Net phishing attacks

Do-it-yourself cybercrime kits are driving a surge in Internet-borne computer infections.

DIY kits have been a staple in the cyberunderground for some time. But now they've dropped in price and become more user-friendly.

"If you know how to download music or a movie you have the necessary experience to begin using one of these kits," says Gunter Ollman, senior researcher at security firm Damballa.

Indeed, newbie cybercrooks and veterans alike are using DIY kits to carry out phishing campaigns at an accelerated rate, security researchers say. They've been blasting out fake e-mail messages crafted to look like official notices from UPS (UPS), FedEx (FDX) or the IRS; or account updates from Vonage, Facebook or Microsoft Outlook (MSFT); or medical alerts about the H1N1 flu virus.

The faked messages invariably ask the recipient to click on a Web link; doing so infects the PC with a banking Trojan, a malicious program designed to steal financial account logons. Often, the PC also gets turned into a "bot": The attacker silently takes control and uses it to send out more phishing e-mail.

The rapid development and aggressive marketing of DIY cybercrime kits has emerged as a big business. "It's possible that the people creating and selling these kits may be the same groups already profiting from cybercrime, and they could see this as yet another revenue stream," says Marc Rossi, Symantec's (SYMC) manager of research and development. Generally sold for $400 to $700, the kits come with everything you need to begin infecting PCs. Selling software is legal; what you do with it can get you in trouble. usatoday

Tuesday, January 19, 2010

PayPal Spoof Email Alert!

Do not click any links or respond in any way to an email that looks like this!

Subject line: Attention! Your PayPal account has been violated!
From: "PayPal Inc."
To: undisclosed-recipients

Dear PayPal Member,

Attention! Your PayPal account has been violated!

Someone with ip address tried to access your personal account!

Please click the link below and enter your account information to confirm that you are not currently away

You have 3 days to confirm account information or your account will be locked.

Click the link below to activate your account:


Thank you for using PayPal.

The PayPal Team

Please do not reply to this e-mail. Mail sent to this address cannot be answered.

For assistance, Log In to your PayPal account and choose the "Help" link in the footer of any page.

PayPal Email ID PP059

Companies Fight Endless War Against Computer Attacks

The recent computer attacks on the mighty Google left every corporate network in the world looking a little less safe.

Google’s confrontation with China — over government censorship in general and specific attacks on its systems — is an exceptional case, of course, extending to human rights and international politics as well as high-tech spying. But the intrusion into Google’s computers and related attacks from within China on some 30 other companies point to the rising sophistication of such assaults and the vulnerability of even the best defenses, security experts say.

“The Google case shines a bright light on what can be done in terms of spying and getting into corporate networks,” said Edward M. Stroz, a former high-tech crime agent with the F.B.I. who now heads a computer security investigation firm in New York.

Computer security is an ever-escalating competition between so-called black-hat attackers and white-hat defenders. One of the attackers’ main tools is malicious software, known as malware, which has steadily evolved in recent years. Malware was once mainly viruses and worms, digital pests that gummed up and sometimes damaged personal computers and networks.

Malware today, however, is likely to be more subtle and selective, nesting inside corporate networks. And it can be a tool for industrial espionage, transmitting digital copies of trade secrets, customer lists, future plans and contracts.

Corporations and government agencies spend billions of dollars a year on specialized security software to detect and combat malware. Still, the black hats seem to be gaining the upper hand.

In a survey of 443 companies and government agencies published last month, the Computer Security Institute found that 64 percent reported malware infections, up from 50 percent the previous year. The financial loss from security breaches was $234,000 on average for each organization.

“Malware is a huge problem, and becoming a bigger one,” said Robert Richardson, director of the institute, a research and training organization. “And now the game is much more about getting a foothold in the network, for spying.”

Security experts say employee awareness and training are a crucial defense. Often, malware infections are a result of high-tech twists on old-fashioned cons. One scam, for example, involves small U.S.B. flash drives, left in a company parking lot, adorned with the company logo. Curious employees pick them up, put them in their computers and open what looks like an innocuous document. In fact, once run, it is software that collects passwords and other confidential information on a user’s computer and sends it to the attackers. More advanced malware can allow an outsider to completely take over the PC and, from there, explore a company’s network.

With this approach, the hackers do not need to break through a company’s network defenses because a worker has unknowingly invited them inside.

Another approach, one used in the Google attacks, is a variation on so-called phishing schemes, in which an e-mail message purporting to be from the recipient’s bank or another institution tricks the person into giving up passwords. Scammers send such messages to thousands of people in hopes of ensnaring a few. But with so-called spear-phishing, the bogus e-mail is sent to a specific person and appears to come from a friend or colleague inside that person’s company, making it far more believable. Again, an attached file, once opened, unleashes the spy software.

Other techniques for going inside companies involve exploiting weaknesses in Web-site or network-routing software, using those openings as gateways for malware.

To combat leaks of confidential information, network security software looks for anomalies in network traffic — large files and rapid rates of data transmission, especially coming from corporate locations where confidential information is housed.
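The kind of check described above, as an added example that is not from the article or any named vendor's product: it flags large flows, high transfer rates and unusually heavy daily egress leaving a "confidential" subnet. The flow records, subnets and thresholds are all constructed assumptions.

```python
import csv
import io
import ipaddress
from collections import defaultdict

# Assumed network layout: 10.20.0.0/16 holds the file servers with trade
# secrets and contracts; anything outside 10.0.0.0/8 is the Internet.
CONFIDENTIAL_NETS = [ipaddress.ip_network("10.20.0.0/16")]
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]

# Assumed thresholds; in practice they are tuned from a traffic baseline.
LARGE_FLOW_BYTES = 500 * 1024 * 1024      # one flow moving >= 500 MiB
HIGH_RATE_BPS = 10 * 1024 * 1024          # >= 10 MiB/s sustained in a flow
DAILY_EGRESS_BYTES = 1024 * 1024 * 1024   # >= 1 GiB per source per day

# Constructed flow records (NetFlow-style export, one flow per line).
CONSTRUCTED_FLOWS = """\
ts,src,dst,bytes,duration_s
2010-01-19T02:13:05,10.20.4.17,198.51.100.23,734003200,180
2010-01-19T09:00:01,10.20.4.18,10.20.9.5,734003200,300
2010-01-19T09:12:44,10.30.1.9,203.0.113.8,48000000,3
2010-01-19T10:05:00,10.20.4.17,203.0.113.8,12000,2
2010-01-19T10:06:00,10.20.4.17,203.0.113.8,12000,2
2010-01-19T13:40:10,10.20.9.40,203.0.113.50,209715200,8
2010-01-19T22:41:09,10.20.7.3,203.0.113.9,157286400,60
2010-01-19T22:43:00,10.20.7.3,203.0.113.9,157286400,60
2010-01-19T22:45:30,10.20.7.3,203.0.113.9,157286400,60
2010-01-19T22:48:00,10.20.7.3,203.0.113.9,157286400,60
2010-01-19T22:50:12,10.20.7.3,203.0.113.9,157286400,60
2010-01-19T22:52:40,10.20.7.3,203.0.113.9,157286400,60
2010-01-19T22:55:01,10.20.7.3,203.0.113.9,157286400,60
2010-01-19T23:30:00,10.20.7.3,203.0.113.9,157286400,60
"""


def in_any(ip, nets):
    return any(ip in net for net in nets)


def parse_flows(text):
    """Parse the CSV export into typed records."""
    flows = []
    for row in csv.DictReader(io.StringIO(text)):
        flows.append({
            "ts": row["ts"],
            "src": ipaddress.ip_address(row["src"]),
            "dst": ipaddress.ip_address(row["dst"]),
            "bytes": int(row["bytes"]),
            "duration_s": float(row["duration_s"]),
        })
    return flows


def detect_exfiltration(flows):
    """Return alerts for Internet-bound flows from the confidential zone that
    are individually large, individually fast, or collectively heavy for one
    source within a day. Internal-to-internal traffic and sources outside
    the confidential zone are not covered by this check."""
    alerts = []
    egress = defaultdict(int)  # (day, src) -> bytes sent to the Internet
    for f in flows:
        if not in_any(f["src"], CONFIDENTIAL_NETS) or in_any(f["dst"], INTERNAL_NETS):
            continue
        src, day = str(f["src"]), f["ts"][:10]
        egress[(day, src)] += f["bytes"]
        if f["bytes"] >= LARGE_FLOW_BYTES:
            alerts.append({"rule": "large_flow", "src": src, "ts": f["ts"],
                           "bytes": f["bytes"]})
        rate = f["bytes"] / max(f["duration_s"], 1.0)  # guard zero-length flows
        if rate >= HIGH_RATE_BPS:
            alerts.append({"rule": "high_rate", "src": src, "ts": f["ts"],
                           "bytes_per_s": int(rate)})
    for (day, src), total in egress.items():
        if total >= DAILY_EGRESS_BYTES:
            alerts.append({"rule": "daily_egress", "src": src, "day": day,
                           "bytes": total})
    return alerts


if __name__ == "__main__":
    for alert in detect_exfiltration(parse_flows(CONSTRUCTED_FLOWS)):
        print(alert)
```

In the constructed data the 700 MiB flow from 10.20.4.17 trips only the size rule, the 200 MiB burst from 10.20.9.40 trips only the rate rule, and 10.20.7.3 trips neither per flow but exceeds 1 GiB over the day.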

“Fighting computer crime is a balance of technology and behavioral science, understanding the human dimension of the threat,” said Mr. Stroz, the former F.B.I. agent and security investigator. “There is no law in the books that will ever throw a computer in prison.” nytimes

Monday, January 18, 2010

Demystifying PCI-DSS and PA-DSS Compliance For Web Hosting Customers

Considering it's almost impossible to demystify it for web hosts themselves, this may be a tall order. But I'll try...

First things first, the difference between PA-DSS and PCI-DSS. These two things have exactly two things in common.

1. They are both Digital Security Standards (thus the DSS in their names)

2. They are both overseen by the PCI Security Council

Second, a website and/or webhost cannot be PA-DSS compliant. PA-DSS compliance is only for software providers that make Payment Applications (the PA in the name) that are online and exposed to the credit card number. For the webhosting world this primarily includes Shopping Cart providers, but also includes terminals and other payment apps where they're exposed to credit card numbers.

Third, PA-DSS is coming up on its mandatory deadline: all related software providers must be PA-DSS compliant no later than July 1, 2010. This date has no relation to PCI Compliance. Technically anyone accepting credit cards online ALREADY has to be PCI Compliant.

Fourth, being PCI-Compliant has almost nothing to do with passing a scan. Yes, most online merchants are Level 4 merchants from a PCI perspective, and most of them only need to fill out the SAQ and pass a quarterly scan. What I normally see is that most business owners don't take the SAQ seriously: they routinely answer yes to everything and then assume that because they pass a scan they're good to go. This is something like casually filling out your income tax forms and assuming you're good to go. You're only good to go until the trouble begins.

Part of filling out the SAQ is being an officer of the company and verifying that your company is following these procedures and that its network architecture is as described. If there's a breach, it's the officer and the company who are going to be in a very tough spot, as the responsibility for the breach falls on them and can easily put them out of business.

So what do you have to do to be PCI compliant, even if you're a small company? I'm not a QSA (Qualified Security Assessor, essentially an approved PCI auditor), so this advice should all be gone over with your QSA, but I've been going through this process long enough to know a little bit, and here's what I know are must-haves thus far:

1. From a hosting perspective your network needs to have a minimum of three separate machines.

• Your web server, which needs to (obviously) sit behind a secure firewall

• Your transaction database server, which needs to be a different machine and must be on the other side of another firewall from the web server

• Your encryption keys database server, which needs to be on a different machine than your transactions and also behind a different firewall.

2. Your machines need to have their security patches kept up to date

There's a whole lot more to PCI compliance than just those two items, but when it comes to hosting these two items are must-haves. What probably goes without saying is that you really can't get all the moving parts you need to be PCI compliant and pay only $10 a month for it. thewhir
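The two hosting must-haves above (three separate machines, each behind its own firewall, with patches current) as an added checker in Python; this is not the post's or any QSA's tooling, and the inventory format, the 30-day patch limit, and the rule that neither database tier faces the internet and the key server is not reachable directly from the web tier are assumptions:

```python
"""Checker for the hosting must-haves listed above: three separate machines
(web, transaction DB, encryption-key DB), each behind its own firewall, with
security patches current.

Added example, not the article's or any QSA's tooling. Assumptions: a host
inventory in the form below, firewall policy expressed as allowed
(from_segment, to_segment) flows with "internet" as the outside, a 30-day
patch-currency limit, and that neither database tier may be reachable directly
from the internet nor the key server directly from the web tier.
"""
from dataclasses import dataclass

TIERS = ("web", "txn_db", "key_db")
MAX_PATCH_AGE_DAYS = 30          # assumed policy value


@dataclass(frozen=True)
class Host:
    name: str
    roles: frozenset             # subset of TIERS carried by this machine
    segment: str                 # firewall segment the machine sits in
    days_since_patch: int


def check_hosting(hosts, allowed_flows):
    """Return a list of findings; an empty list means the must-haves are met."""
    findings = []
    segments = {}                                # tier -> set of segments
    for h in hosts:
        tiers = h.roles & set(TIERS)
        if len(tiers) > 1:                       # must-have 1: separate machines
            findings.append(f"{h.name}: tiers {sorted(tiers)} share one machine")
        for t in tiers:
            segments.setdefault(t, set()).add(h.segment)
        if h.days_since_patch > MAX_PATCH_AGE_DAYS:   # must-have 2: patched
            findings.append(f"{h.name}: last patched {h.days_since_patch} days ago")
    for t in TIERS:
        if t not in segments:
            findings.append(f"no machine carries the {t} tier")
    # must-have 1, continued: each tier sits behind a different firewall boundary
    for a, b in (("web", "txn_db"), ("txn_db", "key_db"), ("web", "key_db")):
        shared = segments.get(a, set()) & segments.get(b, set())
        if shared:
            findings.append(f"{a} and {b} share firewall segment(s) {sorted(shared)}")
    # direct-flow exposure (one hop): only the web tier may face the internet
    for t in ("txn_db", "key_db"):
        for seg in sorted(segments.get(t, ())):
            if ("internet", seg) in allowed_flows:
                findings.append(f"{t} segment {seg} is reachable from the internet")
    for web_seg in sorted(segments.get("web", ())):
        for key_seg in sorted(segments.get("key_db", ())):
            if web_seg != key_seg and (web_seg, key_seg) in allowed_flows:
                findings.append(f"web segment {web_seg} can reach key_db segment {key_seg}")
    return findings


# Constructed "$10 a month" layout: everything on one box, one firewall, stale.
WEAK_HOSTS = [Host("box1", frozenset(TIERS), "dmz", 90)]
WEAK_FLOWS = {("internet", "dmz")}

# Constructed three-tier layout matching the must-haves above.
HARDENED_HOSTS = [
    Host("web01", frozenset({"web"}), "dmz", 3),
    Host("db01", frozenset({"txn_db"}), "db", 5),
    Host("kms01", frozenset({"key_db"}), "keys", 7),
]
HARDENED_FLOWS = {("internet", "dmz"), ("dmz", "db"), ("db", "keys")}

if __name__ == "__main__":
    for label, hosts, flows in (("weak", WEAK_HOSTS, WEAK_FLOWS),
                                ("hardened", HARDENED_HOSTS, HARDENED_FLOWS)):
        findings = check_hosting(hosts, flows)
        print(f"{label}: {'OK' if not findings else ''}")
        for f in findings:
            print("  -", f)
```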

Saturday, January 16, 2010

Attack Code Used to Hack Google Now Public

The dangerous Internet Explorer attack code used in last month's attack on Google's corporate networks is now public.

The code was submitted for analysis Thursday on the Wepawet malware analysis Web site, making it publicly available. By Friday, it had been included in at least one publicly available hacking tool and could be seen in online attacks, according to Dave Marcus, director of security research and communications at McAfee.

The attack is very reliable on Internet Explorer 6 running on Windows XP, and it could possibly be modified to work on more recent versions of the browser, Marcus said. "The game really changes now that it's hosted publicly," he said.

A hacker could use the code to run unauthorized software on a victim's computer by tricking them into viewing a maliciously crafted Web page.

That's apparently what happened at Google late last year, when hackers were able to get into the company's internal systems. According to people familiar with the incident, 33 other companies were also targeted by the attack, including Adobe Systems. pcworld

Friday, January 15, 2010

AP Exclusive: Network Flaw Causes Scary Web Error

Alarming network glitch makes the Internet lose track of who is who on Facebook

A Georgia mother and her two daughters logged onto Facebook from mobile phones last weekend and wound up in a startling place: strangers' accounts with full access to troves of private information.

The glitch — the result of a routing problem at the family's wireless carrier, AT&T — revealed a little known security flaw with far reaching implications for everyone on the Internet, not just Facebook users.

In each case, the Internet lost track of who was who, putting the women into the wrong accounts. It doesn't appear the users could have done anything to stop it. The problem adds a dimension to researchers' warnings that there are many ways online information — from mundane data to dark secrets — can go awry.

Several security experts said they had not heard of a case like this, in which the wrong person was shown a Web page whose user name and password had been entered by someone else. It's not clear whether such episodes are rare or simply not reported. But experts said such flaws could occur on e-mail services, for instance, and that something similar could happen on a PC, not just a phone.

"The fact that it did happen is proof that it could potentially happen again and with something a lot more important than Facebook," said Nathan Hamiel, founder of the Hexagon Security Group, a research organization.

Candace Sawyer, 26, says she immediately suspected something was wrong when she tried to visit her Facebook page Saturday morning.

After typing into her Nokia smart phone, she was taken into the site without being asked for her user name or password. She was in an account that didn't look like hers. She had fewer friend requests than she remembered. Then she found a picture of the page's owner.

"He's white — I'm not," she said with a laugh.

Sawyer logged off and asked her sister, Mari, 31, her partner in a dessert catering company, and their mother, Fran, 57, to see whether they had the same problem on their phones. abcnews

Debit-Card 'Skimming' Scams

Three steps to take to protect your account data from getting into the wrong hands

Whether by choice or necessity, American consumers are increasingly relying on debit rather than credit cards. Debit card spending has risen steadily, growing from 47.7 percent of purchases made with plastic in 2003 to 58.9 percent in 2008 and it is expected to surpass 67 percent by 2013, according to the Nilson Report, a newsletter that tracks the consumer payment industry.

When you use a debit card, the money is immediately taken from your checking account. While using debit guarantees that you pay as you go, these cards have downsides, including a growing appeal to thieves. "As economic conditions have worsened, there's been a noticeable increase in all types of card fraud," says Avivah Litan, an analyst specializing in fraud detection and prevention at Gartner Research in Stamford, Conn. "But ATM and debit-card fraud is the top area of concern we're hearing about from banks all over the world."

Unlike credit-card thieves, who usually charge merchandise and then resell it to come up with money, people who create counterfeit ATM or debit cards by stealing your PIN and other account data can simply pull cold cash from your bank account. Using a technique known as skimming, they set up equipment that captures magnetic stripe and keypad information when you input your PIN at ATM machines, gas pumps, restaurants, or retailers.

Here's how you can protect yourself:

Don't Type in Your PIN at the Pump

Be especially vigilant at gas stations, Litan says. "Gas pumps are notorious for skimming because they're produced by only a couple of different manufacturers, and if someone gets the key to one from a disgruntled employee, they can insert a skimming device inside the pump where it can't be seen," she says. She recommends using a credit card rather than a debit card when you fill your tank.

If you must use a debit card at the gas pump, choose the screen prompt that identifies it as a credit card so that you do not have to type in your PIN. The purchase amount will still be deducted from your bank account, but it will be processed through a credit-card network, which will give you greater protection from liability if fraud does occur. This is because card issuers typically have "zero liability" policies for both debit and credit cards, but sometimes exclude PIN-based transactions from that protection.

Stick With ATMs Located at Banks

To reduce your risk at ATMs, use machines at banks rather than in convenience stores, airports, or any isolated locations, advises Darrin Blackford, a spokesman for the U.S. Secret Service, which investigates financial crimes involving interstate commerce. "A thief has to be able to attach and retrieve a skimming device to use the data it's gathered," he says. "And that's more likely to happen in nonbank settings where there's less traffic and no surveillance cameras."

That doesn't mean that bank ATMs are immune, however. In August 2008, Wachovia Bank reported that several debit-card "identities" were stolen when a skimming device was placed on an ATM at a branch in Cape Coral, Fla.

"It's often hard to spot skimmers," Blackford says. "But if you notice a change at an ATM you use routinely, such as a color difference in the card reader or a gap where something appears to be glued onto the slot where you insert your card, that's a warning sign you'd want to report to the bank that owns the machine."

There's More Than One Way to Plug Enterprise Data Leaks

Even if leaked data is never used to commit fraud or used for identity theft, data breaches can cost companies millions of dollars and a great deal of trust among customers and partners. Within a couple of years, all financial organizations will have to take data leakage prevention very seriously.

Data leakage prevention (DLP) is a topic that has been getting a lot of attention lately. Keeping sensitive data from leaving the network has quickly risen to the top of many IT and compliance officers' lists of priorities.

DLP will likely be the first thing most organizations spend their 2010 information security budgets on.

The Problem

Any time sensitive data gets into the hands of unauthorized individuals, it can constitute a data security breach. Malicious employees may take sensitive customer or employee information and use it to commit fraud or identity theft, or sell it to others for quick, easy money. Careless and untrained employees also make mistakes that lead to breaches.

All data security breaches must be publicly disclosed, which often leads to negative public perception, loss of customers, expensive damage control, class-action lawsuits, and more.

Data breaches can cost companies millions of dollars, even if the data is never used to commit fraud or identity theft. technewsworld

Conn. AG sues Health Net over ‘ethically unacceptable’ data breach

In what he is calling a “historic” lawsuit, Connecticut’s attorney general has filed suit against Health Net of Connecticut for a data breach jeopardizing the personal information of 446,000 of its members.

The suit by Richard Blumenthal alleges that the insurer failed to effectively supervise and train its workforce on policies and procedures concerning the appropriate maintenance, use and disclosure of protected health information. It also names UnitedHealth Group and Oxford Health Plans, who were not responsible for the breach, Blumenthal noted, but recently acquired ownership of Health Net of Connecticut.

In November 2009, the insurer notified officials in three states about a missing disk drive at its Shelton, Conn., office that contained the personal information of 1.5 million members. A spokesman for the company said that the drive contained personal information gathered over a seven-year period for 446,000 members in Connecticut, about 340,000 members in New Jersey and New York, and the remainder from Arizona.

The company said while the drive was discovered missing in May 2009, it took a “detailed forensic review” to discover what was on the drive and that the information cannot be accessed without special software.

In a statement, Health Net said it has received a copy of the lawsuit and “is in the process of reviewing it.”

“We will continue to work cooperatively with the Connecticut Attorney General on this matter,” the company said.

Haiti disaster brings out charity scams

How to be sure your donation goes to the right place

The devastation is complete, the magnitude of human suffering incomprehensible, the needs immense. The people of Haiti, victims of serial disasters in recent years that now pale in comparison to Tuesday's powerful earthquake, urgently need your help.

But be careful, especially if you are about to make a donation using your credit card. Experts say scammers already are at work -- and you must not allow your heart to get ahead of your head.

Their top three tips:

• When it comes to your credit card number, don't let your guard down, even in response to a disaster as mammoth as the Haitian earthquake and situations as dire as those confronted by survivors. Never give out your credit card number or other personal information to people who reach you through unsolicited telephone calls. Keep in mind that we all remain vulnerable to identity theft.

• Funnel your donations through major, well-known relief organizations -- and, if you are doing this over the Internet, make sure that the link really connects to that group. Verify the legitimacy of charities by using Web sites such as the Better Business Bureau's Wise Giving Alliance, which provides a robust portfolio of tools for donors, Charity or the American Institute of Philanthropy, which has compiled a list of recommended Haitian relief organizations.

• Do not respond to unsolicited e-mails -- and never click on a link that is included in such an e-mail. If you believe that you or others have been victimized by an online scam related to the Haitian disaster or any other event, federal authorities urge you to file a report with the Internet Crime Complaint Center.

The importance of these tips (more follow below) cannot be overemphasized, especially now and in coming weeks, as the full extent of the ruin and agony in Haiti becomes known -- and as scammers elevate their efforts to prey on well-intentioned donors.

One leading indicator: The FBI said it began receiving reports of suspicious activity within hours of the first reports of Tuesday's earthquake. Another indicator: Thousands of people were defrauded by bogus "charities" in the wake of Hurricane Katrina's assault on New Orleans in 2005.

Past tragedies and natural disasters have prompted individuals with criminal intent to solicit contributions purportedly for a charitable organization and/or a good cause.

-- FBI Warning!

"The FBI today reminds Internet users who receive appeals to donate money in the aftermath of Tuesday's earthquake in Haiti to apply a critical eye and do their due diligence before responding to those requests," the agency said in a statement.

"Past tragedies and natural disasters have prompted individuals with criminal intent to solicit contributions purportedly for a charitable organization and/or a good cause."

The Better Business Bureau's Wise Giving Alliance, several state attorneys general and consumer advocates have also sounded similar warnings.

"Not only do Americans need to be concerned about avoiding fraud, they also need to make sure their money goes to competent relief organizations that are equipped and experienced to handle the unique challenges of providing assistance," said Art Taylor, president and chief executive officer of the Wise Giving Alliance.

Said Stephen Brobeck, executive director of the Consumer Federation of America, which represents 280 national, state and local consumer organizations: "Only give to charities you know well and trust." creditcards

Agency fights cyber spies

AUSTRALIA'S electronic spy agency is repelling 200 cyber attacks a month on critical Defence networks, as foreign hackers try to gain access to our military secrets.

The shadowy Defence Signals Directorate has also been called in by other arms of government to deal with hundreds more cyber security threats.

Defence Minister John Faulkner revealed the scale of the online assault facing Australia at the opening of the DSD's new $14 million Cyber Security Operations Centre in Canberra.

"Cyberspace is a battlefield itself," he said. "Cyber intrusions on government, critical infrastructure and other information networks are a real threat to Australia's national security and national interests."

With a staff of 51 hi-tech spooks, growing to 130 within five years, the frontline cyber warfare centre will fight attacks on critical government and civilian networks. heraldsun

Thursday, January 14, 2010

CIO Lays Out Incentive Game Plan

Hospitals may well wish to hire a consultant to help them wade through the meaningful use rules and formulate a strategy for compliance. But John Halamka, M.D., gave the industry a 25-point cheat sheet for that strategy via a Jan. 3 posting on his Web blog,

Halamka is CIO of Beth Israel Deaconess Medical Center and Harvard Medical School, co-chair of the HIT Standards Committee, chair of the Healthcare Information Technology Standards Panel and an emergency physician. healthdatamanagement

Health Net Sued for HIPAA Violations

Connecticut Attorney General Richard Blumenthal has filed a lawsuit charging Health Net of Connecticut Inc. with violations of the HIPAA privacy and security rules following a large breach of identifiable medical records and Social Security numbers.

Blumenthal's office believes this is the first lawsuit by a state's chief legal officer since the HITECH Act last year gave state attorneys general authority to prosecute HIPAA privacy and security violations.

Parent company Health Net in Los Angeles last November reported to insurance officials in four states the disappearance in May of a hard drive with protected health information on 1.5 million members, including 446,000 in Connecticut. The data was not encrypted, but Health Net said it is invisible without the use of specific software. The company attributed the delay in reporting the breach to a lengthy forensic investigation to determine what information was on the hard drive.

In the lawsuit, Blumenthal charges Health Net did not have adequate legal grounds to delay notifying members of the breach and that the delay constituted an unfair trade practice under state law. "Under information and belief, no law enforcement agency determined that the notification to affected Connecticut residents would have impeded a criminal investigation and requested that the notification be delayed," according to the suit.

Blumenthal is seeking a court order blocking Health Net from further HIPAA violations and requiring encryption of all protected health information on portable electronic devices. He also seeks civil fines.

New federal rules mandated under the HITECH Act require "timely" notification of certain breaches of health information. The rules were effective in September and have a compliance deadline of Feb. 22, 2010. healthdatamanagement

Microsoft's browser flaw exposed Google to hackers

Microsoft says a security flaw in its Internet Explorer browser played a role in the recent computer attacks against Google and at least 20 other companies.

In a Thursday alert confirming the weakness, Microsoft said the security hole can be closed by setting the browser's Internet security zone to "high." The world's largest software maker may also issue an update to fix the problem. seattletimes

Wednesday, January 13, 2010

Haitian earthquake relief: What to know before you donate

Following the devastating earthquake in Haiti, many generous people are eager to help by donating. If you’re among them, make sure you’re giving to a legitimate organization that’s in a position to actually provide assistance, warns the Better Business Bureau Wise Giving Alliance, a charity watchdog.

Scammers often respond to disasters quickly by setting up fake charities and registering Web addresses in various combinations that sound like legitimate groups or that seem related to the disaster.

Another concern is that some bona fide charities seeking donations may not be in a position to help in Haiti, immediately or long-term. Some groups don’t actually have an on-the-ground presence in the country. Some merely collect money on behalf of other organizations, the BBB warns. And some charities spend little on their charitable programs, compared to fund-raising or administration.

• Give to a well-known, top-rated organization. The White House Web site is recommending that those who want to help immediately with the relief effort donate to the American Red Cross International Response Fund, which responds to international disasters. It says you can donate $10 through your cell phone by texting "HAITI" to "90999." When donating to the Red Cross or any group, be sure to indicate whether you want to be contacted by email or otherwise, if given that option. With some groups, you may have to opt out to avoid being sent additional info that you may not want.

Another charity watchdog, Charity Navigator has posted a list of 31 charities that can help, including the American Red Cross. You can use the group’s interactive world map to find an expanded list of top-rated groups that provide assistance to Haiti. As of Wednesday, it had listed 44 organizations. Charity Navigator also provides tips for giving in a crisis and for protecting yourself from online charity scams.

• Beware of email appeals or phone calls. Unsolicited email or calls may come from scammers trying to sound like they’re a legitimate, well-known charity. Don’t click on links in email. Instead, use a Web search to find a specific organization or, if you know the URL, type it directly in your browser. Sometimes legitimate groups hire direct mail or telephone telemarketers who take a substantial portion of the donation. It’s always best to give directly to an organization that you know can help and bypass any middleman. Consumer Reports

Deadlines for data security requirements

This advisory provides a brief summary of new data security requirements with effective and enforcement dates in early 2010 that will affect innumerable businesses.

State Data Security Developments

January 1, 2010: New Amendment to Nevada Privacy Law
A new amendment to Nevada privacy law that became effective January 1, 2010 requires companies doing business in Nevada that accept payment cards to comply with the Payment Card Industry Data Security Standards (“PCI DSS”).

The new amendment also requires that other data collectors doing business in Nevada encrypt personal information contained in certain kinds of transmissions and when stored on a data storage device.

While Nevada appears to be the first state to require such compliance, others may follow.

March 1, 2010: Massachusetts Security Regulation Affecting All Companies with Personal Information of Massachusetts Residents

Under the Massachusetts Security Regulation (201 CMR 17.00) (the “Regulation”), every person or company that owns or licenses certain personal information about a Massachusetts resident must develop, implement, maintain and monitor a comprehensive written information security program (“WISP”).

The applicability of the Regulation is very broad, extending to any company that has personal information of Massachusetts residents, whether or not the company is doing business in Massachusetts. The Regulation does not exempt any industry, sector or out-of-state business, and does not exempt a de minimis number of Massachusetts customers, employees or other residents. Compliance is required by March 1, 2010.

Federal Data Security Developments

February 17, 2010: Expanded Reach of Federal HITECH Act Protecting Health Information
The HITECH Act imposed substantial parts of the HIPAA privacy rule and the HIPAA information security rule directly on business associates.

HITECH imposed changes to the “minimum necessary rule” for the use and disclosure of protected health information for uses and disclosures other than treatment, with the limited data set serving as a “safe harbor” pending further regulations. The Act also requires covered entities to provide patients with a copy of their electronic protected health information (“PHI”) in electronic format, or to transmit electronic PHI to other providers in electronic format at the patient’s request. Also, new restrictions on the use and disclosure of protected health information for marketing purposes will take effect. Covered entities should have new business associate agreements in place that reflect new privacy and security requirements by this date.

February 22, 2010: Full Enforcement of Health Data Breach Notification Rules
Full enforcement of the HIPAA data breach notification rule for covered entities and business associates will begin on February 22, 2010. Similarly, the Federal Trade Commission will begin enforcing the data breach rules applicable to personal health record vendors and their contractors on February 22, 2010.

June 1, 2010: Broad Upcoming Federal Requirements – Red Flags Rule
The federal Red Flags Rule (16 CFR 681.1) requires that financial institutions and “creditors” (which is very broadly defined) develop and implement written Identity Theft Prevention Programs in order to detect, prevent, and mitigate identity theft.

For financial institutions, compliance has been required since November 28, 2008.
For “creditors” that maintain “covered accounts,” the Red Flags Rule will go into effect June 1, 2010. The term “creditor” is broadly defined, causing concern that the Red Flags Rule reaches entities other than traditional financial institutions or creditors that engage in regular loans or advances, including businesses that offer forbearance in the collection of debts or bills, or which allow multiple or extended payments for goods or services that have been previously provided.

European Data Security Developments
In addition to complying with US data protection, most US companies with subsidiaries in the European Union need to be aware of the data protection laws in the EU, enforcement, and the penalties for non-compliance. There are new penalties for data protection violations and breaches in Germany, and a proposal for increased penalties pending in the UK, as noted below. Further, those publicly traded firms implementing whistleblowing programs for subsidiaries in the EU in order to comply with two important US laws, the Sarbanes-Oxley Act of 2002 and the Foreign Corrupt Practices Act, should also take note of recent important whistleblower decisions, guidelines or directions in France, Denmark, Sweden, Portugal, Austria, and Hungary.

United Kingdom
Pending the outcome of a recent Ministry of Justice consultation, the Information Commissioner’s Office (ICO) in the UK may be given increased statutory powers to impose fines up to £500,000.

This would apply when the ICO is satisfied that: (i) there has been a serious breach of one or more of the data protection principles of the organizations; and (ii) the breach was likely to cause substantial damage/distress, i.e., if the breach was deliberate or the organization knew or should have known there was a risk, such as by the reckless handling of personal data.

As some data breaches may include individual names in other countries, the fine levels of those authorities become increasingly important.

The German Federal Parliament passed comprehensive amendments to the Federal Data Protection Act, effective September 1, 2009, that cover a broad variety of data protection issues and give fine authority of € 50,000 for simple violations and € 300,000 for serious violations.

The data protection authorities have been given these new powers to enable them to impose higher fines for failure to comply with data protection requirements, especially on the security side. lexology

Tuesday, January 12, 2010

Data Breaches: The Insanity Continues

In 2009, the Identity Theft Resource Center Breach Report recorded 498 breaches, fewer than the 657 in 2008 but more than the 446 in 2007. Are data breaches increasing or decreasing? That is the question no one can answer. This fact will not change until there is a single data breach list requiring mandatory public reporting. With some breaches not being reported publicly, and some state Attorneys General not allowing public access to reported breaches, we doubt that anyone is in a position to answer the question above. When we allow laws to be created requiring breach reporting but not disclosure, and provide minimal enforcement or penalty for non-compliance, we can expect a lack of public disclosure. Counting breaches becomes an exercise in insanity.

ITRC collects information about data breaches made public via reliable media and notification lists from various governmental agencies. There are breaches that occurred in 2009 that never made public news. So rather than focus on a question without an answer, ITRC used percentages to analyze the 498 breaches recorded this year looking for any changes or new trends. (Both raw numbers and percentages have been provided in all charts).

The main highlights are:

• Paper breaches account for nearly 26% of known breaches (an increase of 46% over 2008)

• The business sector climbed from 21% to 41% between 2006 and 2009, the worst sector performance by far

• Malicious attacks have surpassed human error for the first time in three years

• Out of 498 breaches, only six reported that they had either encryption or other strong security features protecting the exposed data

In 2009, the business sector increased to 41% of all the publicly reported breaches. While there are some small statistical changes in the other sectors, business continues to increase for the fifth year in a row. The financial and medical industries, perhaps due to stringent regulations, maintain the lowest percentage of breaches.

The ITRC Breach Report recorded more than 222 million potentially compromised records in 2009. Of those, 200 million are attributed to two very large breaches. Before obsessing with record count, however, one should be aware that in more than 52% of the breaches publicly reported, NO statement of the number of records exposed is given. Therefore, it is unknown how many total records may have been exposed due to breaches in 2009.

The ITRC Breach Report also monitors how breaches occur. This task is made more difficult by the scarcity of information provided (publicly) for approximately 1/3 of the recorded breaches. For the remainder, those events that do state how the breach occurred, malicious attacks (Hacking + Insider Theft) have taken the lead (36.4%) over human error (Data on the Move + Accidental Exposure = 27.5%) in 2009. This was a change from all previous years, where human error was higher than malicious attacks. One theory for this change is that the organization and sophistication of crime rings has impacted the theft of information. For example, while the Heartland breach was only a single breach, it demonstrated how skilled technology-based thieves can access 130 million records from over 600 different entities.

Insanity might well be defined as repeating the same action again and again, and expecting a different outcome. With that in mind:

Insanity 1 - Electronic breaches: After all the articles about hacking, and the ever growing cost of a breach, why isn’t encryption being used to protect personal identifying information? Proprietary information almost always seems to be well protected. Why not our customer/consumer personal identifying information (PII)?

Insanity 2 - Paper breaches: Why aren’t more state legislators passing laws about rendering paper documents unreadable prior to disposal if they contain PII? Do we dare ask that those laws be actually enforceable? Perhaps we are waiting for paper breaches to reach 35% of the total.

Insanity 3 - Breaches happen: Deal with it! You will get notification letters. Breach notification does not equal identity theft. Let’s stop the “blame game” and instead require breached entities to report breach incidents via a single public website. This would allow analysts (and law enforcement) to look for trends and link crimes to a single ring or hacker faster.

Insanity 4 - A Breach is a Breach: Let’s not kid ourselves. “Risk of harm” is not a useful standard for determining if the public and consumers should be notified about a breach, especially if the company involved gets to define “risk of harm.” If it is your #$@%2 SSN that is out on the Internet, do YOU think there is “risk of harm?” Some companies might say “no.”

Insanity 5 - Data on the Move: You will notice that statistically this is a bright spot, with a decreasing incidence in the past 3 years. But, really! This is 100% avoidable, either through use of encryption, or other safety measures. Laptops, portable storage devices and briefcases full of files, outside of the workplace, are still “breaches waiting to happen.” With tiered permissions, truncation, redaction and other recording tools, PII can be left where it belongs – behind encrypted walls at the workplace. idtheftcenter

Hackers take aim at Facebook users

Kimberly Potts calls Facebook her "lifeline" to her son Justin, who is serving in Iraq with the 101st Engineer Battalion of the Army National Guard. It's helped her stay in contact with him, to see photos of his Thanksgiving dinner and Christmas.

But late last month it also served as a gateway to scammers, who attempted to steal access to credit cards and bank accounts from the Potts family and many of Justin's friends. Justin's Facebook page had been hacked by criminals.

In West Newbury, friends of Pentucket High School senior Matt McCarthy, who died suddenly during a hockey practice, did what thousands of people do — they set up a Facebook page to honor their friend's memory. Within days it had been savaged by posters from other parts of the country who posted swastikas, racial epithets and vicious comments. The page, which had been open to all, was quickly shut off from the public and the hurtful posts were stripped.

With more than 200 million users, Facebook has become a wildly popular forum for people to find old friends, learn about their personal information and keep in touch. But it's also been heavily mined by scammers and used for bullying and taunting.

Users like Kimberly Potts and investigators like Newburyport Police Inspector Brian Brunault say people should be cautious.

"Everything is dark on the Internet," Brunault said, noting he's investigating a case of a Newburyporter whose Facebook account was hacked and identity was stolen. Facebook is inundated with complaints and subpoenas from those who have had problems on the site, he said.

"It takes virtually weeks if not months to get returns on these things," Brunault said. "There is harassment on there, cyber bullying, people post as other people to start trouble and then the thread gets connected and more people jump on board." eagletribune

Monday, January 11, 2010

Red Flags Compliance: 3 Common Deficiencies - Jeff Kopchik, FDIC

It's been over a year now since banking regulators began examining institutions for compliance with the Identity Theft Red Flags Rule. What have been the common deficiencies, and what will examiners expect in year two?

Kopchik was the Team Leader of the FDIC's 2004 study "Putting an End to Account-Hijacking Identity Theft." He was the FDIC's primary representative on the FFIEC staff working group that drafted the 2005 guidance on Authentication in an Internet Banking Environment. Kopchik was also involved in interagency rulemaking efforts to comply with the Fair and Accurate Credit Transactions (FACT) Act, and was involved in the creation and implementation of the Gramm-Leach-Bliley Act (GLBA) interagency information security guidelines, supervisory guidance on customer notice, FFIEC Business Continuity Planning Booklet, and FDIC guidance on wireless networks. Read interview.

Keeping a Step Ahead of the Virtual Enemy

Asked what worries him the most about safeguarding government IT systems, Philip Reitinger demurs. "It's not a question of what worries me most; it is a question of the opportunities we have got," Deputy Undersecretary Reitinger, the top cybersecurity official at the Department of Homeland Security, said in an interview with (transcript below).

"We are connecting more and more systems, creating an increasingly complicated environment," Reitinger said. "The attackers are getting better and better and we are depending more on those systems from day to day to make sure that our very way of life can continue, that the ways we work and play will continue and we will be able to be successful."

Reitinger maintains the government's cyber defenses are getting better. "We need to continue to improve because the hackers and the bad guys have continued to improve and there are a lot of areas for improvement, but we are making significant efforts to do so," he said.

In the first of a two-part interview, Reitinger concedes the challenge will be tough because of a dearth of qualified information security experts, but explains steps the government is taking to eventually eliminate that skills gap. Also, Reitinger addresses:

•The need to develop innovative, collaborative approaches, not only among federal agencies, but between the government and the private sector to meet the human resources needs to safeguard government systems.

•How much risk the government faces by not having a sufficient number of cybersecurity professionals.

•Why, even when the government didn't have a permanent cybersecurity coordinator, the White House addressed the government's information security needs. govinfosecurity

Judge Approves Settlement Of Data-Breach Claims Vs Countrywide

A U.S. District Court judge in Kentucky on Wednesday gave preliminary approval to a settlement between Countrywide Financial Corp. and millions of customers whose financial data was exposed in a security breach, the Associated Press reports Thursday. The settlement calls for Countrywide, now owned by Bank of America Corp. (BAC), to give as many as 17 million victims of the breach free credit monitoring--including anyone who obtained a mortgage and anyone who used Countrywide to service a mortgage before July 1, 2008. A consumer would be allowed up to $50,000 in reimbursements from Countrywide for each instance of identity theft. A "fairness hearing" in the case is scheduled for July in Louisville, Ky.

A Bank of America spokeswoman said the settlement is "in the bank's best interest" to avoid additional legal expenses. WSJ

E-mail passwords easy prey for hackers

There's not much authorities can do to prevent hackers from determining computer users' e-mail passwords, U.S. experts say.

Hacker services, usually based overseas, openly advertise that for as little as $100, they can find out what someone's e-mail password is and provide it to buyers, who can then use it to monitor the private communications of estranged spouses, family members or whomever they choose, the Washington Post reported Monday.

Orin Kerr, a law professor at George Washington University and a former trial attorney in the Justice Department's computer crime section, told the Post that while U.S. law prohibits hacking into e-mail, it's only a misdemeanor without further criminal activity. And as such, it is a low priority item for the FBI. US News

Personal data susceptible to hackers

Hackers are to blame for most thefts of credit card numbers, medical records and other information of a million Massachusetts residents, The Boston Globe said.

The newspaper, citing state documents, said all the breaches happened in the past two years.

"Many thousands" of them had been reported from June to November and included confidential information from major institutions such as Blue Cross Blue Shield of Massachusetts and JPMorgan Chase Bank, the Globe said.

Some of the information ended up in the wrong hands because of the theft of a laptop computer or loss of a computer data tape. But most breaches can be traced to hackers breaking into computer networks, the Globe said.

Businesses and other institutions must develop a "culture of security" to protect the sensitive documents they control, said Barbara Anthony, undersecretary of consumer affairs and business regulation.

All such institutions are required to inform customers and state regulators about any breaches in security that might cause identity theft. Breaches include the leak of names, and numbers for Social Security, driver's license, bank account, and credit or debit cards, the newspaper reported.

"In 60 percent of the cases, the breaches were due to criminal acts. Forty percent were negligence," said Anthony of 807 breach notifications received by the state by November. US News

Major Insurance Company Announces Security Breach

If your health insurance is through BlueCross BlueShield of Tennessee, your personal information may have been exposed.

Blue Cross will be contacting customers this week whose personal information was exposed when hard drives were stolen. Someone stole 57 hard drives from a storage closet at one of their training centers near Chattanooga. BlueCross BlueShield continues to investigate what happened. newschannel5

Heartland to pay up to $60M for Visa data breach

Heartland Payment Systems Inc., a New Jersey-based payments processor, has agreed to pay up to roughly $60 million to cover losses caused to Visa Inc. credit and debit cardholders as a result of a huge 2008 security breach, the companies have announced.

The settlement agreement is contingent upon acceptance by financial institutions representing 80 percent of the eligible issuers' U.S. accounts that Visa says were put at risk during the Heartland intrusion, which Heartland disclosed in January 2009 had exposed more than 130 million credit and debit card numbers.

Hacking Takes Lead as Top Cause of Data Breaches

Hacking has topped human error as the top cause of reported data breaches for the first time since such tracking began in 2007, according to the Identity Theft Resource Center's 2009 Breach Report.

In its report, titled "Data Breaches: The Insanity Continues," the non-profit ITRC found that 19.5 percent of reported breaches were due to hacking, with insider theft as the second most common cause at 16.9 percent. For the past two years, "data on the move," typically the human-error loss of a portable device such as a laptop or even a briefcase, was the most common reported cause.

The ITRC is careful to note that its statistics are based on incomplete data, as differing laws and practices among different states mean that some breaches are not reported publicly, and the cause of the breach is not listed for about one third of those that are reported.

But according to the data available, the number of reported data breaches dropped since 2008, but was still more than in 2007. Last year, there were 498 breaches recorded by the ITRC, with 657 in 2008 and 446 in 2007.

With 41.2 percent of reported breaches, the business sector was the most likely to suffer a breach. But "the financial and medical industries, perhaps due to stringent regulations, maintain the lowest percentage of breaches," according to the report. pcworld

Sunday, January 10, 2010

Should HIPAA compliance be outsourced?

CynergisTek, a computing and security consultant, reported on its blog recently that HIPAA compliance audits will be increased this year, thanks to a contract the government signed with PriceWaterhouseCoopers.

I admit that the significance of this went right by me at first. Then I went, “whaah?”

The government’s enforcement process has just been privatized.

Admittedly there is a huge backlog of audits. CynergisTek reports that the government has a list of over 100 active complaints concerning lax HIPAA compliance, which have to be checked out before anyone knocks on your door.

According to iHealthBeat, PWC is going to review 10-20 organizations under the one-year contract, so unless someone has an outstanding complaint against you you’re probably safe.

But the knock will come, CynergisTek promises. Oh, they work in that area and will be glad to hear from you.

Perhaps you think nothing of this. Nothing gets done on law enforcement until the government hires some private firm to do it. The assumption is the private firm will do it efficiently.

But I know how much a good PWC auditor costs, and I know how much the average civil service auditor makes. I guarantee the latter costs less, unless PWC itself is outsourcing this work to India or someplace.

And would it be too much to ask for the public, or at least the industry, to get a gander at that contract? On what basis is PWC being paid? What is their incentive? Is it a fixed price per audit, is it hourly, or is it based on the fines they collect? zdnet

HIPAA Authentication Strategies

Some health care organizations have yet to take significant action to comply with the original HIPAA privacy and security rules, which were never vigorously enforced. Now that those rules have been beefed up under the American Recovery and Reinvestment Act, with increased enforcement and tougher penalties, many observers expect more hospitals, physician groups and others to gear up their data security assurance efforts.

Under the updated rules, state attorneys general now have the right to enforce the HIPAA privacy and security regulations. Plus, those harmed by a security breach can seek financial damages, Borten says. "I can just see the lawyers getting ready," she says. "We are going to see a real ramping up of complaints now as a result of all the changes."

Two Key Steps
Of course, the best way to comply with the privacy and security rules is to make sure only authorized individuals have access to patient information. Borten argues that all organizations should encrypt all patient data and adopt two-factor user authentication, such as a password paired with a fingerprint scanner. But she contends that many, perhaps most, organizations have yet to take either step.

And any data security effort should start with a thorough risk assessment, as required under federal law, notes Eric Nelson, privacy practice leader at the Lyndon Group, a Newport Beach, Calif.-based consulting firm.

What technologies are needed to ensure patient data is secure depends on the size of the organization, Nelson says. "A small group practice where only a few people have access to the information probably doesn't need a high-tech security solution," Nelson says. "It could be as simple as encrypting the information on the computers and installing locks on the doors. A large organization is a completely different matter."

The updated federal regulations, in fact, do not specify the security technologies providers must use. "The law says that if you don't want to have to notify the government of security breaches, then you should use new technologies to prevent breaches," Borten notes. "But I regret that the law doesn't require the use of the technologies."

As they ramp up efforts to implement clinical information systems, many hospitals, clinics and other provider organizations are investing in a variety of user authentication technologies to help safeguard clinical information.

These include:

* biometric systems, such as fingerprint scanners, iris scanners or palm vein pattern detectors;

* hardware tokens, small devices, often in the form of a key fob, that generate random passwords that then must be typed;

* proximity badges containing chips that, when placed next to a reader, automatically confirm the user's ID;

* phone-based authentication, which uses a clinician's telephone, cell phone, pager or PDA to help verify their identity; and

* adaptive authentication, which uses specialized software to assess a user's risk potential and pose a series of questions based on personal information they've provided.

In many cases, providers are pairing two-factor authentication with single sign-on systems, which enable physicians, nurses and others to access all appropriate systems once they authenticate themselves.