President Obama’s cybersecurity plan – Part 2 Data Breach Notification Act

Published by pratyushkp on May 19th, 2011 - in Uncategorized

Following up on yesterday’s post outlining the proposed changes to RICO and the Computer Fraud and Abuse Act, today I will dissect the White House’s proposal for the National Data Breach Notification Act.

Currently 47 states have data breach notification laws with varying rules and requirements. This makes it very difficult for national and multinational organizations to understand when they must report lost or stolen data and how they must report it. The idea of a national law in the US has been debated for a couple of years now, and this proposal seems to strike a nice balance.

First, the definition of Personally Identifiable Information, or PII:

  1. Full name plus any two of the following
    1. Address and phone number
    2. Mother’s maiden name
    3. Month, day, and year of birth
  2. Social Security Number (SSN), driver’s license number, passport number, alien registration number, or other government issued identification number
  3. Biometric data such as fingerprints, retinal scans, etc.
  4. Unique account numbers, financial account numbers, credit card numbers, debit card numbers, electronic IDs, user names or routing codes
  5. Any combination of the following
    1. First and last name or first initial and last name
    2. See item four above
    3. Security codes, access codes, passwords or source codes used to derive the aforementioned

The new rules would apply to any business possessing the PII of 10,000 or more individuals in a 12-month period. They would supersede any existing state laws, creating one unified national standard.

Organizations discovering lost or stolen PII would have 60 days to notify affected customers unless law enforcement or national security concerns intervene. If there are extenuating circumstances, organizations can provide proof to the Federal Trade Commission (FTC) that they require up to an additional 30 days.

The proposal includes a “safe harbor” provision when measures are in place to protect data (encryption). Organizations must still report the data loss to the FTC within 45 days, including a professional risk assessment, logs of access to the data and a complete list of users who had access to the protected data.

If the data is determined to have been properly protected and the evidence is submitted on time, individual notifications would be unnecessary. Financial institutions that lose only account numbers are also exempt if other protective measures are in place to prevent fraud.

After a data loss incident, organizations would be required to notify individuals by letter, phone or email.

Notices would include what information was compromised and a toll-free number to contact the company responsible to obtain more information. If a third party lost the data, the notice must include the name of the original collector (direct business relationship) of the PII.

States may pass laws requiring notifications to include information about identity theft/fraud prevention.

When more than 5,000 victims are involved, organizations would be required to do the following:

  • Place advertisements in mass media ensuring potential victims are aware of the risk they are being exposed to.
  • Notify all consumer credit reporting agencies of the victims within 60 days of discovery.

Businesses would be required to notify the Department of Homeland Security for law enforcement purposes when any of the following are true:

  • The breach contains, or is believed to contain, PII on 5,000 or more individuals.
  • The breach involves a database or network of databases that contain PII on 500,000 or more individuals.
  • The breach involves a database owned by the United States government.
  • The breach involves PII of employees or contractors of the United States government involved in law enforcement or national security.

Notice to DHS must occur 72 hours before individual notices are served, or 10 days after discovery of the incident, whichever comes first.

The proposed rules would be enforced by the FTC after consultation with the US Attorney General to ensure there is no interference with ongoing criminal investigations. State Attorneys General would also be able to enforce the rules within their jurisdiction after notifying the FTC.

Penalties for non-compliance would be $1000 per person affected per day, for a maximum of $1 million. There would not be a maximum penalty if it is determined the non-compliance was willful or intentional.

Organizations that are required to comply with HIPAA or HITECH data protection laws are exempt from this legislation.

It appears the Obama Administration and Howard Schmidt, the President’s Cyber-Security Coordinator, have taken careful notes from the different laws passed by individual states. This proposal is a great start to making data security a priority and contains provisions to make adjustments after implementation.

Why not download the “State of Data Security” report we published today? It covers the most prominent data loss incidents and details the actions you can take to avoid being the next company that has to notify its customers.

Source: http://nakedsecurity.sophos.com

Facebook comment-jacking? OMG! I Can’t believe JUSTIN Bieber did THIS to a girl

Published by pratyushkp on April 30th, 2011 - in Uncategorized

It’s starting to seem like Facebook can’t win against those who wish to use their service to scam, spam and simply cause trouble. Over the last day or so, a new type of attack has been spreading using the phrase “OMG! I Can’t believe JUSTIN Bieber did THIS to a girl”.

It leads to a page asking you to verify a simple math problem to “prevent bots from slowing down the site”. In actuality, it is another clickjack-type scheme in which you are asked to type the answer into a box.

Comment-jack security check

It doesn’t matter what you type, because it’s a social engineering trick. What you are actually typing is a comment that is used to share the link with your friends on Facebook. You can see the tooltip that says “Add a Comment” in the screenshot.

This bypasses Facebook’s recent attempt at detecting likejacking fraud. Commenting on a link does not go through the same mechanisms Facebook monitors when you click “Like”.

Many moons ago, the first Facebook attacks started with illegitimate applications asking for permission to access your wall and spread their messages by spamming your friends through wall posts. While this worked well, it was a bit easy for Facebook to track down and remove the bogus apps.

Early in 2010 we saw the first attempts at likejacking. This technique involves layering one image over the top of a Like button and tricking the victim into clicking something that appears to play a video or a continue button, when in fact they are clicking the Like button hidden underneath.

Facebook Bieber scam wall post

More recently we have seen the attackers trying lots of new techniques. In the past few months we have seen them tagging people in photos they are not in to get you to click, inviting people to fake events and even making you an administrator of a Facebook page that isn’t yours.

While protecting yourself may not be as simple as not clicking anything that says “OMG!”, that isn’t a bad start. Be skeptical, understand that messages from your friends may not in fact have been sent willingly, and if you are really tempted to click, take a short timeout to conduct a Google/Bing search first.

As of the time of this writing some of the YouTube videos this scam leads to have been removed by YouTube. However, one video that is still working has over 525,000,000 views since February and thousands of comments in the last 24 hours — in other words, since this Facebook scam has been making the rounds.

To stay up to date on the latest threats, follow us on Facebook. For advice on how to configure your profile to protect your privacy, check out these recommendations for Facebook settings.

Source: http://nakedsecurity.sophos.com

For Students, What Is the “Facebook Effect” on Grades?

Published by pratyushkp on April 29th, 2011 - in Uncategorized

Social media has several effects on academic work, some more positive than others. But what is social networking’s overall impact on college students’ performance?

According to data gathered from several sources by OnlineEducation.net, Facebook and Twitter are used to great benefit — sometimes. Students welcome online engagement and resources; around 75% of student respondents said they’d like to do some online collaboration for class, in fact.

Also, social media may have a positive impact on students’ sense of themselves in the community. Social media-using students were twice as likely as other students to feel well-liked by their peers and to participate in extracurricular activities. And 20% more of Facebook-using students (as compared to students who didn’t use Facebook) said they felt connected to their school and community.

However, negative effects abound. Students who use Facebook and hit the books simultaneously found their multitasking led to 20% lower grades than those of their more focused peers. Facebook-using students also made less money during school from part-time work, putting in around five hours per week as opposed to 16 hours per week for a typical, unplugged counterpart.

Not only do grades and finances suffer, but students might actually end up feeling more depressed or lonely. Almost half of students believe they are sadder than their friends on Facebook, and 25% of college students have shown signs of severe depression in their status updates at one time or another.

In a word, the results are inconclusive. But with around 96% of all college students on Facebook, only the most dedicated academics would consider giving up social media for a slightly better GPA.

In the comments, we’d like to know what impact social media had or has on your academic work. And if your college career pre-dates social media, how do you think college is better or worse because of Facebook?

Source: http://mashable.com