Monday, 23 May 2011

President Obama's cybersecurity plan - Part 2 Data Breach Notification Act

President Obama's cybersecurity plan - Part 2 Data Breach Notification Act: "
ID theftFollowing up on yesterday's post outlining the proposed changes to RICO and the Computer Fraud and Abuse Act, today I will dissect the White House's proposal for the National Data Breach Notification Act.

Currently 47 states have data breach notification laws with varying rules and requirements. This makes it very difficult for national and multinational organizations to understand when they must report lost or stolen data and how they must report it. The idea of a national law in the US has been debated for a couple of years now, and this proposal seems to strike a nice balance.

First, the definition of Personally Identifiable Information, or PII:


  1. Full name plus any two of the following

    1. Address and phone number
    2. Mother's maiden name
    3. Month, day, and year of birth

  2. Social Security Number (SSN), driver's license number, passport number, alien registration number, or other government issued identification number

  3. Biometric data such as fingerprints, retinal scans, etc.

  4. Unique account numbers, financial account numbers, credit card numbers, debit card numbers, electronic IDs, user names or routing codes

  5. Any combination of the following

    1. First and last name or first initial and last name
    2. See item four above
    3. Security codes, access codes, passwords or source codes used to derive the aforementioned

RolodexThe new rules would apply to any business possessing the PII of 10,000 or more individuals in a 12-month period. They would supersede any existing state laws, creating one unified national standard.

Organizations discovering lost or stolen PII would have 60 days to notify affected customers unless law enforcement or national security concerns intervene. If there are extenuating circumstances, organizations can provide proof to the Federal Trade Commission (FTC) that they require up to an additional 30 days.

FTC fight back against ID theft logoThe proposal includes a 'safe harbor' provision when measures are in place to protect data (encryption). Organizations must still report the data loss to the FTC within 45 days, including a professional risk assessment, logs of access to the data and a complete list of users who had access to the protected data.

If data is determined to be properly protected and evidence is submitted on time, individual notifications would be unnecessary. Financial institutions who only lose account numbers are also exempt if other protective measures are in place to prevent fraud.

After a data loss incident, organizations would be required to notify individuals by letter, phone or email.

Notices would include what information was compromised and a toll-free number to contact the company responsible to obtain more information. If a third party lost the data, the notice must include the name of the original collector (direct business relationship) of the PII.

States may pass laws requiring notifications to include information about identity theft/fraud prevention.

When more than 5,000 victims are involved, organizations would be required to do the following:


  • Place advertisements in mass media ensuring potential victims are aware of the risk they are being exposed to.

  • Notify all consumer credit reporting agencies of the victims within 60 days of discovery.

Police badgeBusinesses would be required to notify the Department of Homeland Security for law enforcement purposes when any of the following are true:


  • The breach contains, or is believed to contain, PII on 5,000 or more individuals.

  • The breach involves a database or network of databases that contain PII on 500,000 or more individuals.

  • The breach involves a database owned by the United States government.

  • The breach involves PII of employees or contractors of the United States government involved in law enforcement or national security.

Notice to DHS must occur 72 hours before individual notices are served, or 10 days after discovery of the incident, whichever comes first.

The proposed rules would be enforced by the FTC after consultation with the US Attorney General to ensure there is no interference with ongoing criminal investigations. State Attorneys General would also be able to enforce the rules within their jurisdiction after notifying the FTC.

Penalties for non-compliance would be $1000 per person affected per day, for a maximum of $1 million. There would not be a maximum penalty if it is determined the non-compliance was willful or intentional.

Organizations that are required to comply with HIPAA or HITECH data protection laws are exempt from this legislation.

It appears the Obama Administration and Howard Schmidt, the President's Cyber-Security Coordinator, have taken careful notes from the different laws passed by individual states. This proposal is a great start to making data security a priority and contains provisions to make adjustments after implementation.

Why not download the 'The State of Data Security' report we published today? It covers the most prominent data loss incidents and details the actions you can take to prevent you from being the next company to have to notify your customers.




" WELL DOES IT GO FAR ENOUGH - OR TO FAR - LEAVE YOUR COMMENTS ?

" The Roving Giraffe News Report " provided by Ace News

Google rolls out silent fix for Android security vulnerability

Google rolls out silent fix for Android security vulnerability: "

AndroidsThere's good news for any owners of Android devices worried about the recently announced security vulnerability that could allow allow unauthorised parties to snoop on your Google Calendar and Contacts information.


Google has already started rolling out a fix!


The issue had already been fixed in Android 2.3.4 (codenamed Gingerbread), but as we mentioned earlier this week over 99% of Android users are running earlier versions of the operating system.


Google has started to implement a server-side patch that addresses the issue for all versions of the Android OS. The great news is that it doesn't require a software update on the Android devices themselves - meaning the fix is automatic and worldwide. Effectively this is a silent fix.


The fix addresses a vulnerability with the use of authTokens for Google's Calendar and Contacts apps discovered by researchers at Germany's University of Ulm, but a similar issue with Picasa is still being investigated. If not fixed, the problems could mean that a hacker could snoop on your activity when you use an unencrypted WiFi hotspot and steal personal information.


Google reckons the work will be complete, and all devices secured from this vulnerability, within the week by forcing its servers to use an encrypted HTTPS connection when Android phones try to sync with them.


Here's what a Google spokesperson had to say:


'Today [May 18th] we’re starting to roll out a fix which addresses a potential security flaw that could, under certain circumstances, allow a third party access to data available in calendar and contacts. This fix requires no action from users and will roll out globally over the next few days.'


So, it's a very good thing that this problem is being fixed. Of course, concerns still remain as to how easy it would be to fix a serious security vulnerability on the Android devices themselves, given that Google is so reliant on manufacturers and carriers to push out OS updates.





"

" The Roving Giraffe News Report " provided by Ace News

Microsoft study asserts social engineering more common than exploitation

Microsoft study asserts social engineering more common than exploitation: "

OK buttonEarlier this week Microsoft posted a blog entry showing statistics from their SmartScreen technology built into Internet Explorer (IE) 7, 8 and 9.


Their conclusions? One in every 14 downloads is malicious (of the malicious files that Microsoft is aware of) and this represents between two and five million malware attacks per day against IE users. Microsoft uses this to assert that users are falling prey to malicious downloads far more often than drive-by exploits.


While these statistics are fascinating, and very useful for those of us without the ability to collect this type of information, Microsoft is comparing apples to. . . nothing.


SmartScreen itself is unable to prevent exploits from convincing Adobe Reader, iTunes, Real Player, Adobe Flash, Java and other technologies from downloading malicious content, and Microsoft hasn't presented any data on how often exploits are actually being used.


The purpose of their post is to point out the success of Microsoft's reputation filtering they added in IE 9. While it is an interesting step forward, Microsoft's own statistics raise more questions than they answer.


Microsoft states that 90% of downloads do not trigger a warning, which implies that 1 in every 10 times I try to grab something I get a scary warning message. When I receive this scary warning message, there is a 30% to 75% chance that it is a false positive.


This reminds me of an article I wrote for Virus Bulletin last year about browser SSL certificate warnings. Considering the scary warning messages that browsers display to users and the frequency with which they are confronted with these warnings, we end up training our users to simply click through.


Users think, 'If this were truly dangerous, it would have simply been blocked, right?' Microsoft's statistics show that in a real world attack 99% of users did delete the file, but this warning message is still a new phenomenon. It will be interesting to see how many click through over the long run.


Even worse, if up to 75% of the time you get the warning you are downloading a legitimate file, will you continue to pay attention to the warning when it really matters?


Later in their post they claim that a typical user is presented this warning only two times per year. If that is true, that means users are only downloading 20 files per year and won't see this too often. I don't know anyone who only downloads 20 files per year.


These numbers just don't really add up.


Microsoft also points out that applications triggering the warning are not Authenticode signed most of the time. While the concept of digital signatures representing trustworthiness is at the heart of many security solutions, its implementation is often flawed.


As we saw with the Stuxnet worm last year, legitimate signing certificates that were 'trusted' were stolen and used by malware authors to increase their chances of bypassing security technologies.


I do not believe most computer users are equipped with the knowledge necessary to make good decisions regarding deeply technical problems. When they are confronted with a question attempting to stop them from making a mistake it is often viewed as an annoying roadblock.


Earlier this month we saw a large number of Apple Mac users falling victim to a fake anti-virus attack that required them to type their administrative password. Clearly users will jump through hoops when presented with the opportunity if they are being tricked into doing something they think they want to do.


As security experts we need to make safety online as black and white as possible. While SmartScreen is doing a great job at stopping known badware, I'm not convinced that reputation technologies that require users to make technological decisions are the right answer to the problem.





"

" The Roving Giraffe News Report " provided by Ace News

Hottest & Funniest Golf Course Video scam spreads virally on Facebook - beware!

Hottest & Funniest Golf Course Video scam spreads virally on Facebook - beware!: "

Yet another scam is spreading virally across Facebook, posing as a video in a scheme to make money for the confidence tricksters behind it.


The messages show what appears to be a thumbnail of a video showing a man standing closely behind a scantily clad woman to give her golfing advice.


The Hottest & Funniest Golf Course Video - LOL. Watch the Hottest & Funniest Golf Course Video Don\



The Hottest & Funniest Golf Course Video - LOL

[LINK]

Watch the Hottest & Funniest Golf Course Video Don\


Another version of the scam uses football rather than golf as the lure:


The Most Funniest & Hottest Footbal Video - Must Watch!


The Most Funniest & Hottest Footbal Video - Must Watch!

[LINK]

Watch the Funniest & Hottest Footbal Video - Must Watch!


The links in the messages we have seen so far have pointed to a webpage at blogspot.com, although this could - of course - be changed by the scammers in future variations.


If you make the mistake of clicking on the link in the hope that you might see a funny saucy video you will find that you have fallen straight into the scammers' trap - as your Facebook page has been updated to say that you also 'Like' the page, thus sharing it virally with all of your friends.


You will also be encouraged to complete an online survey for 'verification' purposes, which in reality only earns commission for the bad guys who kicked off the money-making scheme in the first place.


The Hottest & Funniest Golf Course Video survey


Unfortunately, when I tested the scam I found no evidence that Facebook's newly introduced security measures to intercept scams and warn of dangerous links had been effective.


How to clean-up the scam from your Facebook page


If you have been unfortunate enough to have been hit by this scam, here's how you clean-up.


Move your mouse above the offending entry on your Facebook page and you should see an 'X' appear in the top right hand corner of the post. You should now be able to mark the post as spam (which will remove it from your page).


Remove the post by marking it as spam


Unfortunately, this hasn't also removed the page from the list of pages you like, so you will need to edit your profile to manually remove it. You should find it listed under 'Activities and Interests'.


Unlike the offending webpage


Be sure to remove any other pages you don't recognise in that list also.


If you use Facebook and want to learn more about spam, malware, scams and other threats, you should join the Sophos Facebook page where we have a thriving community of over 80,000 people.


Hat-tip: Thanks to Naked Security reader Lars for first alerting us to this attack.





"

" The Roving Giraffe News Report " provided by Ace News