Posts Tagged ‘United States’

President Obama’s cybersecurity plan – Part 2 Data Breach Notification Act

May 19th, 2011


Following up on yesterday’s post outlining the proposed changes to RICO and the Computer Fraud and Abuse Act, today I will dissect the White House’s proposal for the National Data Breach Notification Act.

Currently 47 states have data breach notification laws with varying rules and requirements. This makes it very difficult for national and multinational organizations to understand when they must report lost or stolen data and how they must report it. The idea of a national law in the US has been debated for a couple of years now, and this proposal seems to strike a nice balance.

First, the definition of Personally Identifiable Information, or PII:

  1. Full name plus any two of the following
    1. Address and phone number
    2. Mother’s maiden name
    3. Month, day, and year of birth
  2. Social Security Number (SSN), driver’s license number, passport number, alien registration number, or other government issued identification number
  3. Biometric data such as fingerprints, retinal scans, etc.
  4. Unique account numbers, financial account numbers, credit card numbers, debit card numbers, electronic IDs, user names or routing codes
  5. Any combination of the following
    1. First and last name, or first initial and last name
    2. Any of the account or identification numbers listed in item 4
    3. Security codes, access codes, passwords or source codes used to derive the aforementioned

The new rules would apply to any business possessing the PII of 10,000 or more individuals in a 12-month period. They would supersede any existing state laws, creating one unified national standard.

Organizations discovering lost or stolen PII would have 60 days to notify affected customers unless law enforcement or national security concerns intervene. If there are extenuating circumstances, organizations can provide proof to the Federal Trade Commission (FTC) that they require up to an additional 30 days.

The proposal includes a “safe harbor” provision when measures are in place to protect data (encryption). Organizations must still report the data loss to the FTC within 45 days, including a professional risk assessment, logs of access to the data and a complete list of users who had access to the protected data.

If the data is determined to have been properly protected and the evidence is submitted on time, individual notifications would be unnecessary. Financial institutions that lose only account numbers are also exempt if other protective measures are in place to prevent fraud.

After a data loss incident, organizations would be required to notify individuals by letter, phone or email.

Notices would include what information was compromised and a toll-free number to contact the company responsible to obtain more information. If a third party lost the data, the notice must include the name of the original collector (direct business relationship) of the PII.

States may pass laws requiring notifications to include information about identity theft/fraud prevention.

When more than 5,000 victims are involved, organizations would be required to do the following:

  • Place advertisements in mass media to ensure potential victims are aware of the risk to which they have been exposed.
  • Notify all consumer credit reporting agencies of the victims within 60 days of discovery.

Businesses would be required to notify the Department of Homeland Security for law enforcement purposes when any of the following are true:

  • The breach contains, or is believed to contain, PII on 5,000 or more individuals.
  • The breach involves a database or network of databases that contain PII on 500,000 or more individuals.
  • The breach involves a database owned by the United States government.
  • The breach involves PII of employees or contractors of the United States government involved in law enforcement or national security.

Notice to DHS must occur 72 hours before individual notices are served, or 10 days after discovery of the incident, whichever comes first.

The proposed rules would be enforced by the FTC after consultation with the US Attorney General to ensure there is no interference with ongoing criminal investigations. State Attorneys General would also be able to enforce the rules within their jurisdiction after notifying the FTC.

Penalties for non-compliance would be $1000 per person affected per day, for a maximum of $1 million. There would not be a maximum penalty if it is determined the non-compliance was willful or intentional.

Organizations that are required to comply with HIPAA or HITECH data protection laws are exempt from this legislation.

It appears the Obama Administration and Howard Schmidt, the President’s Cyber-Security Coordinator, have taken careful notes from the different laws passed by individual states. This proposal is a great start to making data security a priority and contains provisions to make adjustments after implementation.

Why not download the “The State of Data Security” report we published today? It covers the most prominent data loss incidents and details the actions you can take to prevent you from being the next company to have to notify your customers.

Source :- http://nakedsecurity.sophos.com


President Obama’s cybersecurity plan – Part 1 updates for law enforcement

May 18th, 2011


Last week President Obama announced his proposal for updates to US cyber-crime law. I (Chester Wisniewski) have spent a significant amount of time poring over the legal documents to extract their meaning and provide my comments.

The proposed legislation is quite long and detailed, so I will begin with the changes that will impact law enforcement. These changes relate to what items are criminal and the penalties the courts may impose for breaking the law.

  • The Racketeer Influenced and Corrupt Organizations (RICO) Act would be updated to include organized computer criminals. This law was originally designed to target mafia-like crime syndicates and would now include their electronic equivalents.
  • The Computer Fraud and Abuse Act (CFAA) would be modified with new restrictions for judges during sentencing. Attacks against critical infrastructure would have a mandatory minimum sentence of three years.
  • Cyberattackers targeting critical infrastructure would not be eligible for probation or concurrent sentencing (unless it is the same crime) or eligible for a reduction of their sentences for multiple counts of the offense.
  • Maximum sentences would be changed from ten years to 20 for attacking US government systems related to defense, energy or foreign relations.
  • Maximum sentences would be changed from one year to three for unauthorized access to records or systems related to financial services, government systems or foreign/interstate communications. They would change from five years to ten if the purpose is private gain or commercial advantage or if the value of the information exceeds $5000.
  • Maximum sentences would be reduced from five years to one for unauthorized access to non-public government computers.
  • Maximum of 20 years for unauthorized access or exceeding authorization to obtain more than $5000 in a year’s time.
  • Maximum of 20 years for someone who “knowingly causes the transmission of a program, information, code, or command, and as a result of such conduct, intentionally causes damage without authorization, to a protected computer” resulting in more than $5000 in damages, tampering with medical systems, causing physical injury, causing a threat to public health and safety, interfering with systems related to defense, justice or national security, or ten or more computers in a one year period.
  • A maximum of life imprisonment for incidents that result in someone’s death.
  • Maximum of ten years for unauthorized access causing reckless damages.
  • Maximum of one year in prison for unauthorized access causing damages.
  • Maximum of ten years for “knowingly and with intent to defraud [trafficking] in any password or similar information through which a computer may be accessed without authorization.” This provision previously applied only to US government systems.
  • Maximum of ten years for extortion using a threat to attack/expose flaws in security.
  • A long list of changes related to the forfeiture of profits and assets in any way related to the aforementioned criminal activity.

The raising of maximum penalties gives American judges more flexibility and sends a very clear message to cybercriminals. However, the requirement for a three year minimum sentence for attacking critical infrastructure raises questions.

There are many shades of grey when it comes to unauthorized access to sensitive systems, and mandatory minimums do not allow for the edge cases a judge would otherwise be able to take into account.

The adjustments to the RICO statute are a welcome change and by including organized cybercrime provide new tools for law enforcement to treat electronic crimes just like any other.

The addition of this statement:

“knowingly causes the transmission of a program, information, code, or command, and as a result of such conduct, intentionally causes damage without authorization, to a protected computer”

appears to directly address today’s malware threat. Facing up to 20 years for what many consider to be mischief sets the record straight. Producing and spreading malware is a serious crime, and under this proposal, if you participate you could face serious penalties.

Source:- http://nakedsecurity.sophos.com


Top 12 Spam Relaying Countries

May 12th, 2011

There’s a zombie invasion going on – and it could have infiltrated your business, your home office, or even the corner of your bedroom.

Of course, it’s not the kind of zombies beloved by the movie theatres but instead the problem of compromised computers being controlled by a remote hacker.

Many members of the public still haven’t understood that spammers don’t use their own PCs to send spam – instead they create botnets of commandeered computers around the globe (also known as “zombies”), which can be used to relay spam, send out malicious links and even launch distributed denial-of-service attacks.

If they did understand the problem, maybe they would put more effort into protecting their computers.
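The relaying described above is visible on the network: a zombie on a workstation opens SMTP connections straight to internet mail servers, something an ordinary client never needs to do if all mail goes out through the company relay. The following is an added example, not code from the Sophos post. It runs over constructed firewall log lines in an assumed format, with a hypothetical relay address (10.0.0.25) and internal range (10.0.0.0/8), flags every other host that speaks SMTP to the outside, and grades each one by how many distinct destinations it hit, since fan-out is what separates a misconfigured mail client from a machine spraying spam at many mail exchangers.

```python
"""Spot spam-relaying 'zombies' from egress connection logs.

Assumption (not from the post): workstations must send mail only via
the corporate relay, so any other host opening SMTP (port 25) to the
internet is either misconfigured or a compromised machine relaying spam.
"""
import ipaddress
import re
from collections import defaultdict

# Constructed sample log lines, invented for this example.
# Assumed format: "<epoch> <src_ip> -> <dst_ip>:<dst_port>"
SAMPLE_LOG = """\
1304150400 10.0.0.25 -> 203.0.113.10:25
1304150401 10.0.0.25 -> 198.51.100.7:25
1304150402 10.0.0.25 -> 192.0.2.44:25
1304150403 10.0.0.77 -> 10.0.0.25:25
1304150404 10.0.0.77 -> 203.0.113.80:443
1304150405 10.0.0.91 -> 192.0.2.1:25
1304150406 10.0.0.91 -> 192.0.2.2:25
1304150407 10.0.0.91 -> 192.0.2.3:25
1304150408 10.0.0.91 -> 198.51.100.9:25
1304150409 10.0.0.91 -> 203.0.113.5:25
1304150410 10.0.0.102 -> 198.51.100.20:25
1304150411 10.0.0.102 -> 198.51.100.20:25
this line is garbage and must be skipped
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d+) (?P<src>[\d.]+) -> (?P<dst>[\d.]+):(?P<port>\d+)$"
)

# Hypothetical corporate mail relay and internal address space.
AUTHORISED_RELAYS = {"10.0.0.25"}
INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")


def parse_log(text):
    """Yield (epoch, src, dst, port) for each well-formed line; skip the rest."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield int(m["ts"]), m["src"], m["dst"], int(m["port"])


def find_zombie_candidates(log_text, fanout_threshold=3):
    """Report non-relay hosts that spoke SMTP to the internet.

    Every such host violates the mail policy; the number of distinct
    destinations ("fan-out") is what separates a misconfigured client
    talking to one server from a zombie spraying many MX hosts.
    """
    external_smtp = defaultdict(set)
    for _ts, src, dst, port in parse_log(log_text):
        if port != 25 or src in AUTHORISED_RELAYS:
            continue
        if ipaddress.ip_address(dst) in INTERNAL_NET:
            continue  # clients submitting to the internal relay are fine
        external_smtp[src].add(dst)

    return {
        src: {
            "destinations": sorted(dsts),
            "likely_zombie": len(dsts) >= fanout_threshold,
        }
        for src, dsts in external_smtp.items()
    }


if __name__ == "__main__":
    for host, info in find_zombie_candidates(SAMPLE_LOG).items():
        tag = "ZOMBIE?" if info["likely_zombie"] else "policy violation"
        print(f"{host}: {len(info['destinations'])} external SMTP peers ({tag})")
```

On the constructed input, 10.0.0.91 reaches five different external mail servers and is reported as a likely zombie, 10.0.0.102 repeatedly contacts a single server and is reported only as a policy violation, and 10.0.0.77, which submits through the relay, is not reported at all. The same logic applies to flow records or proxy logs once the parser is swapped; the threshold is a tuning knob, not a fact about botnets.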


Sophos has today published a new report, revealing the top twelve spam-relaying countries around the world. We call the list the “dirty dozen”, and because virtually all spam is sent from compromised PCs, it’s a pretty good indication of where the botnets have got the tightest hold.

The top twelve spam relaying countries for January – March 2011

1. USA 13.7%
2. India 7.1%
3. Russia 6.6%
4. Brazil 6.4%
5. S Korea 3.8%
6. United Kingdom 3.2%
7. Italy 3.1%
7. France 3.1%
9. Spain 2.8%
10. Germany 2.6%
11. Romania 2.5%
12. Poland 2.3%
Other 42.8%

Although the USA and UK contribution to the global spam problem has decreased in percentage terms, it is essential for organizations not to become complacent. Financially-motivated criminals are controlling compromised zombie computers to not just launch spam campaigns, but also to steal identity and bank account information.

Computer users must be educated about the dangers of clicking on links or attachments in spam mails, and many computers may already be under the control of cybercriminals. Businesses and computer users must take a more proactive approach to spam filtering and IT security in order to avoid adding to this global problem.

In all, we counted spam being sent from an astonishing 229 countries around the world during the first quarter of 2011. So everyone, no matter where they live, should be taking more care of their personal computer’s protection.

For as long as spam continues to make money for the spammers, it will continue to be a global problem. Too many computer users are risking a malware infection that sees their computer recruited into a spam botnet. To combat the spammers, it’s not only essential for computer users to run up-to-date security software, they must also resist the urge to purchase products advertised by spam.

So, don’t add to the statistics, do your bit in the fight against spam and don’t allow your computer to become a zombie.

Keeping your security patches up to date, keeping your anti-virus defences in place and applying a good helping of common sense can help prevent your computer from being recruited by the bad guys.

Source :- http://nakedsecurity.sophos.com


Hours spent on Twitter? Don’t click on scam spreading virally on Twitter

May 9th, 2011

Another rogue application is spreading between unsuspecting Twitter users, claiming to tell you how many hours you have spent on the network.

The messages all look pretty similar, and use a currently trending topic such as Richard Dawkins, Cheryl Cole landing the job of a judge on the US edition of “X Factor”, or it being Mother’s Day in the United States.


Richard Dawkins --> I have spent: 23.8 hours on Twitter! See how much you have: [LINK]

#zabecca --> I have spent: 20.9 hours on Twitter! See how much you have: [LINK]

Vidal Sassoon --> I have spent: 33.4 hours on Twitter! See how much you have: [LINK]

#5factsaboutmymom --> I have spent: 33.4 hours on Twitter! See how much you have: [LINK]

Even though you may have seen one of your friends tweet out a message like this, you definitely shouldn’t click on the link. It will take you to a rogue third-party application which asks your permission to connect with your Twitter profile.


If you do authorise the app it will be able to post messages to Twitter in your name, see who you follow on Twitter, grab your Twitter name and avatar, and update your profile. Now, why on earth would you want to give a complete stranger the ability to do that?

Unfortunately, you may be so desperate to find out how many hours you have spent on Twitter (after all, your friends appear to have already been through the process) that you will authorise the application.

Whereupon, the rogue application will tweet the offending message from your Twitter account. When I went through the process on a test Twitter account I run, I found that it tweeted out the message more than a dozen times in less than 30 seconds.
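The messages quoted above all follow one template, with only the trending topic, the hours figure and the link varying, and the rogue app posts them in a burst rather than one at a time. As an added example (not part of the original post, and not the scammers’ code), the following matches that template and flags accounts that post it in a burst, running over a constructed sample timeline with hypothetical account names and links on the reserved example.test domain:

```python
"""Flag accounts posting the rogue app's template message in a burst."""
import re
from collections import defaultdict

# Template as quoted in the post: "<trending topic> --> I have spent: NN.N
# hours on Twitter! See how much you have: <link>"
SCAM_RE = re.compile(
    r"^(?P<topic>.+?) --> I have spent: (?P<hours>\d+(?:\.\d+)?) hours on Twitter! "
    r"See how much you have: (?P<link>\S+)$"
)

# Constructed sample timeline, invented for this example: (epoch, account, text).
SAMPLE_TWEETS = [
    (1304931600, "alice", "Richard Dawkins --> I have spent: 23.8 hours on Twitter! See how much you have: http://example.test/hrs"),
    (1304931602, "alice", "#zabecca --> I have spent: 20.9 hours on Twitter! See how much you have: http://example.test/hrs"),
    (1304931605, "alice", "Vidal Sassoon --> I have spent: 33.4 hours on Twitter! See how much you have: http://example.test/hrs"),
    (1304931609, "alice", "#5factsaboutmymom --> I have spent: 33.4 hours on Twitter! See how much you have: http://example.test/hrs"),
    (1304931610, "bob",   "Don't click the 'hours on Twitter' links, it's a rogue app"),
    (1304931650, "bob",   "Cheryl Cole --> I have spent: 12.0 hours on Twitter! See how much you have: http://example.test/hrs2"),
    (1304931700, "carol", "Mother's Day --> I have spent: 9.5 hours on Twitter! See how much you have: http://example.test/hrs"),
    (1304931800, "carol", "Mother's Day --> I have spent: 9.5 hours on Twitter! See how much you have: http://example.test/hrs"),
    (1304931900, "carol", "Mother's Day --> I have spent: 9.5 hours on Twitter! See how much you have: http://example.test/hrs"),
]


def match_scam(text):
    """Return the template's fields (topic, hours, link) or None."""
    m = SCAM_RE.match(text)
    return m.groupdict() if m else None


def max_in_window(timestamps, window_seconds):
    """Largest number of events that fall inside any window_seconds span."""
    stamps = sorted(timestamps)
    best = start = 0
    for end in range(len(stamps)):
        while stamps[end] - stamps[start] > window_seconds:
            start += 1
        best = max(best, end - start + 1)
    return best


def find_burst_posters(tweets, min_posts=3, window_seconds=30):
    """Accounts whose template matches were posted in a machine-like burst.

    A human might forward one of these; the rogue app fires them off in
    rapid succession, so the burst is the signal, not a single match.
    Returns {account: peak_count_within_window}.
    """
    hits = defaultdict(list)
    for ts, account, text in tweets:
        if match_scam(text):
            hits[account].append(ts)
    flagged = {}
    for account, stamps in hits.items():
        peak = max_in_window(stamps, window_seconds)
        if peak >= min_posts:
            flagged[account] = peak
    return flagged


def scam_links(tweets):
    """Distinct landing links used by the template, for blocklisting."""
    links = set()
    for _ts, _account, text in tweets:
        m = match_scam(text)
        if m:
            links.add(m["link"])
    return links


if __name__ == "__main__":
    print("burst posters:", find_burst_posters(SAMPLE_TWEETS))
    print("links to block:", sorted(scam_links(SAMPLE_TWEETS)))
```

On the sample timeline only alice is flagged (four template posts in nine seconds); bob’s single forward and carol’s three posts spread over minutes fall below the burst threshold, while the link set still captures every landing URL the template used, including bob’s, for blocking. Anyone flagged this way has authorised the app and should revoke it as described below.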


You may not realise that this is happening, however, as the app is distracting you with a message saying it is processing your results. After some whirring away, it asks you to enter your email address to have your results sent to you.


Stop right there! (if you haven’t already). Are you seriously going to give these complete strangers access to your email address too? They already know your Twitter account name, and can post to your Twitter page – now they’ll be able to email you as well!

Who knows what they might send you? Their plan might be to send you spam, a Trojan horse, or a phishing attack. They even have the cheek to say watch out for the message in your spam folder!


I don’t know what the scammers plan to spam out to you, and it could – of course – be weeks or months before they do, but if you want to find out more follow me on Twitter at @gcluley.

These sorts of rogue applications appear to be popping up more and more on Twitter, whereas previously they were mostly seen only by Facebook users.

If you were unfortunate enough to grant a rogue application access to your Twitter account, revoke its rights immediately by going to the Twitter website, visiting Settings/Connections and revoking the offending app’s rights.

Don’t make it easy for scammers to make money in this way, and always exercise caution about which third party apps you allow to connect with your social networking accounts.

Source :- http://nakedsecurity.sophos.com


Google Named Most Reputable Company in U.S

May 5th, 2011

Google Inc., an American public corporation, is now recognized the world over as the fastest search engine. It is an easy-to-use free service that delivers relevant information to the user in a matter of seconds.

A Harris Interactive poll asked about 30,000 people in the US for their opinion of the 60 most visible companies in the country, rating them in 20 categories such as financial performance, leadership and social appeal.

Google topped the list as the most reputable company in the US. Harris Interactive gave Google a score of 84.05 out of 100, which indicates excellent performance. Apple, Microsoft, Intel, Sony and Amazon are the other technology companies rated above 80, but Google tops them all.

Insurance companies, banks and oil companies were rated lowest. AIG was given the worst reputation, with 47.77, followed by BP, the company known for its oil spills.

Google clearly enjoys a commanding position and has kept its appeal to the public even as government investigations and privacy concerns have threatened to tarnish its image. The result also reflects the fact that more and more people are connected to the web; the quality of Google’s products and services has made them accessible to millions.

Source:- http://www.clickindia.com
