Intelligent Information Systems Research
This is a collection of articles on Data Privacy related articles.
Copyright: Copyright 2006 IBM
  Sat, 28 Oct 2006 01:49:01 +0200
EMAIL gremlins are causing embarrassment at Macquarie University, with graduates up in arms after the university accidentally sent 25,000 email addresses to its alumni mailing list. In what would have to be one of the worst email privacy breaches in Australian history, the university's Alumni office sent every graduate in its database a copy of the full alumni mailing list. The list was contained in an email titled "Macquarie Alumni - enter the draw to win the FREE $1,000 investments and more by NAB!".
Federal Homeland Security officials say a computer storage device that may have held personal information on current and former employees has been lost. "We're relatively confident that thing got scraped into the trash, and it's gone," said Mike Irwin, federal security director at PDX.
  Sat, 28 Oct 2006 07:41:47 +0200
The National Nuclear Security Administration is investigating the Energy Department to see whether the Los Alamos National Laboratory is complying with departmental security directives, according to a statement that NNSA Administrator Linton Brooks issued today. The action came after police in New Mexico found what appeared to be information from the lab while arresting a man for possession of drug paraphernalia earlier this month, according to published accounts.
A new study reports that data breaches may cost companies even more than previously thought. The Ponemon Institute released its annual study on the cost of data breaches and found that they cost companies on average $182 per compromised record. The institute arrived at the number by analyzing incidents involving 31 companies, all but one a Fortune 500 company. Institute Chairman Larry Ponemon said the companies choose to turn over their data on data breaches in hopes of gaining a benchmark of how they were doing.
  Thu, 26 Oct 2006 19:39:28 +0200
Counterfeits and intellectual property (IP) theft cost companies millions in the first half of 2006, according to a report released Tuesday. An estimated 760 copyright and trademark intellectual property thefts in 69 countries between January and June 2006 cost companies nearly $700 million, up 7 percent from the year-ago period, according to Gieschen Consultancy's 2006 Mid-Year Counterfeit & Piracy Intelligence Report. The study, based on statistics from the Business Action To Stop Counterfeiting And Piracy (BASCAP), a joint initiative with the International Chamber of Commerce, ranks the United States at the top of the list, citing 205 violations and $51.7 million in losses.
  Fri, 27 Oct 2006 01:38:24 +0200
A laptop containing the Social Security numbers and other personal information of T-Mobile USA Inc. employees recently disappeared, putting as many as 43,000 current and former workers at risk of identity theft. However, the company based in Bellevue, Wash., says there is no indication the laptop contained customer information.
A laptop computer containing the names and Social Security numbers of thousands of Allina Hospitals and Clinics obstetrics patients was stolen from a nurse's car Oct. 8, prompting alerts this week from the health-care provider to the patients. Company spokesman David Kanihan said Thursday night that there has been no indication any data have been accessed. Two passwords are needed to access the information on the laptop, he said.
A LOT of business travelers are walking around with laptops that contain private corporate information that their employers really do not want outsiders to see. Until recently, their biggest concern was that someone might steal the laptop. But now there’s a new worry - that the laptop will be seized or its contents scrutinized at United States customs and immigration checkpoints upon entering the United States from abroad.
Government officials need an arsenal of weapons to protect digital assets, including tools that fortify databases, prevent sensitive information from leaving an agency and give laptop computer users secure access to corporate networks. The rise in data security breaches at federal agencies and in the private sector has made security managers aware of the need to do more than secure networks with firewalls and expose intruders with intrusion-detection systems. Experts say security managers must focus on protecting databases and stopping data leakages by tracking the flow of data.
Like the United States, the European Union is seeking to improve border security without putting undue burdens on travelers or shippers of goods. As part of that effort, the EU is enhancing or developing several systems to replace the aging Schengen Information System. That 10-year-old centralized database has not kept up with the EU's growth to 25 nations, with two more set to join in January. In addition, although SIS allows border agents to check travelers’ identities, it only contains biographical information. Telmo Baltazar, political justice, freedom and security counselor for the European Commission’s delegation to the United States, said the primary new system, called SIS II, will store biometric data and allow agents to search multimedia data. He said the new system will be more modular and flexible to adapt to changing requirements.
  Tue, 24 Oct 2006 01:15:30 +0200
By the end of the year, the Homeland Security Department will issue draft regulations specifying how states should implement mandatory federal standards for driver's licenses. But several states have already gotten started. Jonathan Frenkel, director of law enforcement policy at DHS, said the draft regulations will better explain the broad mandates in the Real ID Act of 2005. The department is currently reviewing the regulations and will then send them to the Office of Management and Budget and other agencies for their input.
The Social Security Administration has begun issuing new secure identity cards to its employees and contractors, beating an Oct. 27 deadline imposed under Homeland Security Presidential Directive 12 (HSPD-12) by nine days. SSA is also the first agency to issue the cards, according to David Simonetti, a senior design architect at Jacob and Sundstrom, which is assisting SSA in deploying the personal identity verification (PIV) cards.
They call it the 'Johnny Carson attack,' for his comic pose as a psychic divining the contents of an envelope. Tom Heydt-Benjamin tapped an envelope against a black plastic box connected to his computer. Within moments, the screen showed a garbled string of characters that included this: fu/kevine, along with some numbers.
The European Union has approved a new agreement to share airline passenger data with U.S. law enforcement authorities. The deal settles, for now, a legal dispute that could have halted, or at least seriously disrupted, trans-Atlantic flights between Europe and the United States. This is not, however, the last you will hear about the subject. The new agreement will expire in just nine months -- and while talks on a new, long-term passenger data-sharing pact will open later this year, I would not be surprised if next July brings yet another last-minute standoff pitting U.S. security concerns against Europe's no-nonsense privacy laws.
  Sat, 21 Oct 2006 01:06:07 +0200
State Department officials will be issuing a Notice of Proposed Rule Making next week that lays out the architecture of a smart card that would be used under the Western Hemisphere Travel Initiative (WHTI). Frank Moss, the department’s deputy assistant secretary for passport services, said the intent is to create wallet-sized, secure People Access Security Services (PASS) cards – also known as passport cards – that would include radio frequency vicinity-read technology. He said such read technology is being used in other programs, such as Nexus, a joint U.S./Canadian traveler program to simplify border crossings for frequent travelers between the two countries.
I'd intended to use this issue to kick off a discussion on identity and anonymity and explore why anonymity might be useful, if there could be truly anonymous transactions online, the context of anonymity, and so on. We will get to that real soon, but while I was researching anonymity a press release crossed my inbox that was, literally, breathtaking. And it would be to anyone who has followed the discussions of privacy, security and even anonymity over the past year or two. The press release came from NCR and touted "RFID for branch banking". The document opens with: "NCR Corporation...demonstrated how radio frequency identification (RFID) can be used to make branch banking a more personalized experience."
FBI Director Robert Mueller said he supports a plan requiring Internet service providers to retain information on users' Internet activities. In a speech before the International Association of Chiefs of Police on Tuesday, Mueller praised law enforcement officials for adopting a resolution that would require ISPs to retain information in case it is needed for investigations.
A Southern California man has been indicted by a federal grand jury for alleged bank fraud involving hundreds of customers of Dollar Tree stores. Authorities said Parkev Krmoian is accused of using counterfeit ATM cards to make unauthorized withdrawals. Police said the cards Krmoian was using were actually gift cards that had been encoded with ATM card information.
  Thu, 19 Oct 2006 19:02:19 +0200
In a keynote speech that was webcast at last month's Hack in the Box Security Conference in Kuala Lumpur, Malaysia, Bruce Schneier, chief technology officer of managed security services provider Counterpane Internet Security Inc., identified 10 trends affecting information security today. 1. Information is more valuable than ever. For example, Amazon.com Inc. relies on information to make purchasing of books easier through its one-click purchasing system. Similarly, when Internet retailer Pets.com went belly-up, the company's database of customers "was the only asset of value they had," he said.
  Thu, 19 Oct 2006 23:01:47 +0200
End users -- god bless ‘em. You can’t live with ‘em -- but without them, you wouldn’t have a job. They’re the reason you have an IT infrastructure; they’re also the single greatest threat to the security of that infrastructure.
  Thu, 19 Oct 2006 23:32:25 +0200
Federal agencies not only regularly lose personal identity data, but don't even always know what they've lost or how many Americans are affected, a recently-released House report claimed. According to the report issued by the House Government Reform Committee, which is chaired by Tom Davis (R-Va.), all 19 federal departments and agencies from which data was requested had lost or compromised personal information in the three-and-a-half years since January 2003. Some of the breaches were losses, others were the result of theft.
The public fears losing their fingers to ruthless biometric ID thieves in the fingerprint-controlled future, apparently. Or at least, so says Frost & Sullivan analyst Sapna Capoor, who argued unconvincingly that "A dead finger is no good to a thief." If you have a fingerprint scanner protecting your family jewels, your data might be safe, but what about your fingers?
  Thu, 19 Oct 2006 23:28:54 +0200
Michael Chertoff, head of US Homeland Security, warned that people don't need to travel to a country with "-stan" in its name to become radicalized and commit acts of violence. Instead, they can now turn to the Internet. "They can train themselves over the Internet. They never have to necessarily go to the training camp or speak with anybody else and that diffusion of a combination of hatred and technical skills in things like bomb-making is a dangerous combination," Chertoff said at a conference of international police chiefs, according to Reuters. "Those are the kind of terrorists that we may not be able to detect with spies and satellites."
Criticized in the past for an initiative that would require the company to collect and catalog personal information about its customers, Microsoft on Wednesday released an internal document about how it protects customers' privacy in the hopes other companies will adopt similar practices. The company publicly published a 49-page document, called Microsoft’s Privacy Guidelines for Developing Software Products and Services, at the International Association of Privacy Professionals Privacy Academy 2006 in Toronto. The document can be found here. The
  Thu, 19 Oct 2006 00:26:23 +0200
The European Union needs to consider adopting a solid legal framework to ensure that the use of radio frequency identification technology does not infringe on privacy, a top official of the European Commission, the executive branch of the EU, told an RFID conference Oct. 16. The EU also needs to standardize its RFID frequencies in the 865 to 868 MHz frequency band, according to a commission background paper presented at the conference. The commission said it expects to complete a draft spectrum decision by the end of this year.
  Thu, 19 Oct 2006 00:25:19 +0200
A task force has issued a series of recommendations regarding privacy in justice information systems. The Privacy Technology Focus Group was chartered to examine the exchange of personally identifiable information, focusing on justice and public safety data. Last November, the Justice Department brought together a group of public- and private-sector specialists to look into privacy technology. The group’s working teams covered areas such as access and authentication, data aggregation and dissemination, and identity theft.
  Thu, 19 Oct 2006 00:24:23 +0200
The securities firms that reported the breach have not confirmed the means by which accounts were accessed, but the Investment Dealers Association (IDA) pointed to pharming Web sites as another possible avenue. Only two accounts were affected, although the IDA said it was alerted by a U.S. regulator about a similar situation that happened there.
Hackers have breached the mailing list of the Congressional Budget Office (CBO), according to the agency. "There was limited breach of our list server that has since been patched and closed," said Melissa Merson, a CBO spokeswoman. "When people access a federal government computer, that's considered a possible criminal violation. So we've referred the matter to the appropriate law enforcement authorities, and it's under investigation."
  Wed, 18 Oct 2006 01:21:55 +0200
Because equipment theft causes most data losses, agencies should use physical security to protect sensitive information, according to a new House Government Reform Committee report. "The vast majority of data losses arose from physical thefts of portable computers, drives and disks, or unauthorized use of data by employees," the Oct. 13 report states. Computer system hackers caused few breaches.
  Wed, 18 Oct 2006 01:21:03 +0200
Federal contractors that agencies rely on for IT management services are responsible for many of the data breaches that agencies reported to the House Government Reform Committee, which today released its findings on past data loss across government. That is just one of the conclusions from the committee staff report, which also found that data loss occurs in all major agencies, and that those agencies don’t always know what was lost.
Most Irish IT departments now face regulatory compliance issues but this is clashing directly with the need for more efficiency, leading to increased technical challenges, resourcing problems and cost concerns, new research claims. A survey carried out by Unitech Systems, which polled 300 information managers from the top 1,000 companies in Ireland, found that 88pc of Irish organisations are affected by regulatory compliance. The three most common regulations to affect Irish businesses are the Data Protection Act (34pc), the Freedom of Information Act (22pc) and Sarbanes-Oxley (22pc). Basel II and FDA regulations figured much lower down the list, at 7pc and 2pc respectively. Just over a quarter of respondents (26pc) said their company must comply with US legislation.
  Tue, 17 Oct 2006 00:18:06 +0200
The inventors of a new monitoring system that uses RFID tags claim it could improve airport security by tracking passengers as they mingle in the departure lounge. The plan is to issue an RFID (radio frequency identification) tag to every passenger at check-in so human traffic can be monitored throughout the airport via transponders and video cameras. Paul Brennan, an electrical engineer at University College London, heads the project, which features an RFID technology called Optag. Funded by the European Union, the technology is being developed by a consortium of European companies and the university. Brennan told Silicon.com that a prototype RFID tag will be tested in an airport in Hungary next month. Brennan said that if the trials in Hungary are a success and the technology attracts customers, it could arrive in airports within two years. Brennan said Optag has been designed to improve airport security by virtue of its ability to track the movement of suspicious passengers, which would enable security personnel to bar them from entering restricted areas.
According to the report, which was released Friday, 19 federal agencies have reported at least one loss of personally identifiable information since January 2003. In addition, those agencies don't always know what information has been lost or how many people could be affected because they aren't tracking those losses, the report said. "For example, the Department of Justice reports that, prior to the May 2006 Veterans Administration data breach, 'the department did not track the content of lost, stolen, or otherwise compromised devices,' " the report stated.
The personal information - including some credit card and bank account numbers - of about 70,000 people who gave money to Brock University has been stolen from the school's computers by a hacker. Terry Boak, Brock's vice-president academic, said the digital intruder had the secret passwords needed to access the file listing of possibly every individual to ever donate to the university. "It wasn't just someone who hacked in by playing around with it," Boak said. "So, you start thinking about how these passwords were obtained."
ARLINGTON - The personal information of about 2,500 University of Texas at Arlington students was on two computers stolen from a faculty member's home last month, school officials said.
The majority of telecommuters are aware of the security dangers that go along with using mobile devices and remotely logging onto their employers' networks, yet their behavior for the most part contradicts this awareness, according to a study issued Monday by Cisco Systems and research firm InsightExpress. Of 1,000 teleworkers contacted across 10 countries, more than one of every five allows friends, family members, or other non-employees to use his/her work computer to access the Internet. The top five justifications for doing this were that workers didn't see anything wrong with it, their companies didn't mind, they didn't think that letting others use company-issued computers increases security risks, they doubted their companies would care, and their co-workers did it, too.
  Wed, 11 Oct 2006 08:27:27 +0200
A new Cisco (Quote) sponsored global study of 1,000 remote workers indicates that IT workers may well be engaged in more insecure activities than they are willing to admit. Users are apparently aware of insecure activities, such as opening e-mail attachments from unknown senders; yet they still open the attachments and e-mails. The study, which was conducted by research firm InsightExpress, reveals a number of such security contradictions.
  Wed, 11 Oct 2006 08:26:01 +0200
I teach computer security for a living. Last week, a class of mine asked which vendor had the best security. I responded that they all are pretty bad. If you aren't using OpenBSD or software by D.J. Bernstein, then every other product in the world is pretty bad in comparison. Most software contains numerous vulnerabilities, holes, and exploitable routines. Even our
The sad state of computer security
  Wed, 11 Oct 2006 08:25:00 +0200
Australian-based analyst Hydrasight has teamed up with Colorado-based researcher Enterprise Management Associates Inc. (EMA) to release a study on the current state of global enterprise information security.
  Wed, 11 Oct 2006 08:24:16 +0200
A laptop computer loaded with personal information on 2,400 residents of the Camp Pendleton Marine Corps base has been lost, authorities said Friday. The computer was reported missing Tuesday by Lincoln B.P. Management Inc., which helps manage base housing. The company and Camp Pendleton are investigating. As of Friday, investigators had not found evidence that the data had been accessed, the base said in a statement.
  Wed, 11 Oct 2006 08:23:35 +0200
The names and Social Security numbers of at least 400 air traffic controllers are missing from a computer at the Cleveland Air Route Traffic Control Center in Oberlin, a union official says. Bill Liberty, president of the facility's National Air Traffic Controllers Association unit, said he was told on Monday by Eric Fox, Oberlin's air traffic control manager, that a computer hard drive with the personal information was stolen.
  Tue, 10 Oct 2006 02:11:24 +0200
A new survey showed this week that while archiving technology continues to be more prevalent in the data center, regulatory compliance is no longer the number one driver to adopt new archiving equipment and software. A survey sponsored by BridgeHead Software surveyed 350 IT managers about their archiving preferences and practices.
  Tue, 10 Oct 2006 02:10:00 +0200
A privacy-advocacy group is suing the U.S. government for records concerning electronic-surveillance tools such as one that appears to be a successor to the FBI's abandoned Carnivore program. The Electronic Frontier Foundation said it is suing the Department of Justice because the FBI failed to respond in time to its Freedom of Information Act request for records on the DCS-3000 and Red Hook programs.
  Tue, 10 Oct 2006 02:08:23 +0200
European Union and U.S. negotiators have reached agreement on how to share information about passengers flying to the U.S. from Europe, a Finnish government spokesman said Friday. The new deal allows many more U.S. government agencies to access the data, which includes details such as a passenger's name, address and credit card details. The agreement replaces one that was thrown out on a technicality by Europe's top court in May.
Executives from the financial data transfer company Swift and the president of the European Central Bank faced tough questions in a European Parliament committee meeting Wednesday, about the illegal sharing of private data with U.S. authorities. ECB Chief Jean-Claude Trichet denied that the bank should have stepped in to prevent the breach of European data protection laws, saying that the bank could only advise the Society for Worldwide Interbank Financial Telecommunication SCRL (Swift). "We have no judicial competence in the field of data protection," he said.
The total number of records containing sensitive personal information involved in security breaches over the past two years now stands at 93,754,333, according to the Privacy Rights Clearinghouse. The updated tally includes thousands of instances of data exposure in the past month alone. The Privacy Rights Clearinghouse (PRC) says its running tally of data breaches shows nearly 94 million records exposed in less than two years of tracking such events, a veritable red flag of private information at risk.
Despite all of the press and political rhetoric regarding security concerns, only 29 percent of marketers say that their firm has a crisis containment plan in case of a security breach, according to the findings of a CMO Council report, "Secure the Trust of Your Brand: How Security and IT Integrity Influence Corporate Brands." Without such a plan and other security strategies in place, companies are at risk of losing hundreds of millions of dollars in market value and through loss of reputation and brand trust, according to Scott Van Camp, CMO Council editorial director and author of the study. The Council also found that while only that percentage of marketers said they have a plan in place, 49 percent of business executives say they do, Van Camp says. "That could show a disconnect between the business executives and the marketing people." Rather than such a disconnect, consistency in security and privacy is needed across the enterprise, according to Van Camp. Marketers must take a proactive role in ensuring that security policies and messaging are aligned in the organization, from the executive suite, across business lines, through the marketing organization, and down to the rank and file.
  Sat, 07 Oct 2006 01:19:19 +0200
A man in India offered to sell the front man of a Channel 4 sting operation the credit card details of 200,000 people, the programme Dispatches will reveal tonight. The programme makers were inspired by a sting operation mounted on an Indian call centre last year by The Sun newspaper, in which a man allegedly sold the bank details of 1,000 British people to a journalist. The Sun story helped stoke a backlash against outsourcing to India. The Sun was subsequently accused of duping its quarry and fabricating the story about fraud in India.
The Port of Seattle announced today that six computer disks, containing personal information for 6,939 people who work for employers at Seattle-Tacoma International Airport, are missing. "We have no reason to believe that the information has been misused by anyone," said Mark Reis, managing director at Sea-Tac. "However, we do not know at this time whether the disks were misplaced, or were removed from Port property."
  Fri, 06 Oct 2006 01:17:26 +0200
"Encryption is the ultimate protection mechanism, because even if someone ... gains access, they will not be able to read the data without further breaking the encryption." Is this quote from the Payment Card Industry (PCI) Data Security Standard enough to make your company leap into database encryption with both feet? Encryption is a powerful security tool, and nearly every compliance standard or industry regulation addresses data security in some manner, often at least implying a role for encryption. For instance, the Gramm-Leach-Bliley Act (GLBA) requires that organizations "insure the security and confidentiality of customer records and information," and California's SB 1386 breach-notification law states that any breach of the security of unencrypted personal information must be disclosed. But before you make the leap, there are some fundamental considerations. Database encryption can be put into two broad categories: communication encryption and field encryption.
  Fri, 06 Oct 2006 01:16:21 +0200
You've followed all of the security compliance guidelines, but the auditor still isn't satisfied. How can I be certain, he asks, that no one -- not even IT -- has tampered with this data? A startup company thinks it may have the answer. Kinamik, a venture capital-backed venture out of Barcelona, Spain, next week will open the doors on a third-party technology that collects, aggregates, time-stamps, encrypts, and stores audit-sensitive data as it is created or altered.
The Internal Revenue Service has not done enough to protect the privacy of more than 130 million taxpayers, according to a Treasury Department Inspector General's report released Oct. 3. The agency has conducted privacy impact assessments (PIAs) on fewer than half of its computer systems and does not adequately monitor its own application of privacy laws, according to the report from the Treasury Inspector General for Tax Administration.
  Thu, 05 Oct 2006 01:11:21 +0200
As I mentioned in previous columns, there’s a new set of draft documents from the Computer Security Resource Center of the National Institute of Standards and Technology (NIST). In addition, SP 800-86, "Guide to Integrating Forensic Techniques into Incident Response" by Karen Kent, Suzanne Chevalier, Tim Grance and Hung Dang has reached final-version stage. The PDF file is available for download.
  Tue, 10 Oct 2006 01:10:49 +0200
A draft publication from the National Institute for Standards and Technology highlights some of the security and privacy risks associated with radio frequency identification technology. Some of the risks involved can be serious. The threat can extend from the RFID tags to central databases on an agency's network, according to the report. But NIST experts are not trying to scare agencies from using the technology.
  Thu, 05 Oct 2006 01:10:12 +0200
The Defense Logistics Agency's network of 19 distribution sites can now track supplies with radio frequency identification technology, the agency announced Tuesday. RFID tagging will give the Defense Department global awareness of all military assets by using a unique identification to track each parcel as it moves through the military supply chain.
  Thu, 05 Oct 2006 01:09:41 +0200
The communications network used to transmit medical data for the government's Medicare and Medicaid programs has security vulnerabilities that could expose patients' medical data and other personal information, according to a report released Tuesday. The report, released by the U.S. Government Accountability Office (GAO), identified 47 weaknesses in the way the Centers for Medicare and Medicaid Services (CMS) used a WAN (wide-area network) operated by contractor AT&T. CMS uses the network to transmit claims data -- including patient names, dates of birth, Social Security numbers, addresses and medical information -- to health-care facilities, contractors, financial institutions, and state Medicaid offices.
  Thu, 05 Oct 2006 01:09:05 +0200
The Indian business process outsourcing industry is once again under attack for compromising the personal details of global clients. The Sunday Times has claimed — quoting an investigative report by Channel 4, to be telecast on October 5 — that credit card data and passport and driving license numbers are being stolen from Indian call centres and sold to the highest bidder. This time, unlike in the Karan Bahree and HSBC-like cases where BPO employees were in the firing line, the charges are against middlemen.
  Wed, 04 Oct 2006 01:08:30 +0200
Data retention and deletion represent two sides of the same issue as companies grapple with their legal and regulatory responsibilities. Which electronic records must you save, and when should you delete them--for good? It's not just a legal and ethical consideration for employees, but also a critical security and storage management challenge for IT professionals. So why aren't companies paying more attention?
  Wed, 04 Oct 2006 01:06:47 +0200
PayPal agreed Thursday to pay $3.5 million to consumers and $1.7 million to 28 states to settle a pair of lawsuits that charged the electronic payment provider didn't adequately inform users how it was protecting their financial data. The San Jose, Calif. subsidiary of online auctioneer eBay also promised to streamline its user agreement and provide more information about its data protection programs.
  Sat, 30 Sep 2006 01:05:45 +0200
Which would be more likely to suffer data theft, a university or financial institution? If you've been reading the news lately, you probably said "university." But in New York, it's a different story. Nearly half of the 64 data breach incidents reported in the state between March and May of this year were by financial institutions and insurance companies -- not educational institutions, according to a researcher who's gathering the data. Only three of the 64 incidents were reported by schools, he says.
A group of university computer scientists are launching a research project to better protect data stored in radio-based smart tags. The project's goal is to prevent cyber thieves from cracking the tags and stealing personal data. Such tags, which include but are not limited to passive RFID systems, are used in a growing number of applications, from automatic vehicle toll collection to accessing medical records.
  Sat, 30 Sep 2006 01:04:21 +0200
Internet auction house eBay will make changes to its site after discussions with the UK's Information Commissioner and civil rights group Privacy International. ZDNet UK has learnt that eBay has agreed to make changes to its Web site to make it easier for users to close accounts and track personal e-commerce transactions, following a complaint by Privacy International. The Information Commissioner's Office (ICO) has confirmed that changes are being made. "We have been corresponding with eBay and it has now taken steps to ensure its accounts are easier to close, by making changes to the My eBay page," said an ICO spokesman.
  Sat, 30 Sep 2006 01:03:19 +0200
The state Division of Motor Vehicles is notifying 16,000 motorists that someone broke into the agency's driver's license office in Louisburg and took a computer containing their personal information. The computer was used to store information for driver's licenses issued over the past 18 months, between March 2005 and Sept. 10, according to the DMV. The information includes names, addresses, dates of birth, driver's license numbers, Social Security numbers and, in some cases, immigration visa information, DMV officials said.
  Fri, 29 Sep 2006 01:02:21 +0200
Schuyler Cole needed an accessory for his Palm Treo 600 smartphone, so the Haleiwa, Hawaii, resident fired up his Web browser last month and ran a Google search. After scanning the search results, he purchased the inexpensive item -- a USB cable used to synchronize the Treo's settings with his personal computer -- from Cellhut.com, the first online store displayed in the results that looked like it carried the cable. The site featured a "Hackersafe" logo indicating that the site's security had been verified within the past 24 hours. Later that day, information from Cole's purchase -- including his name, address, credit card and phone numbers, and the date and exact time of the transaction -- was posted to an online forum that caters to criminals engaged in credit card and identity theft. Ostensibly, the data on Cole was posted as an enticement to other fraudsters lurking on the forum who might be interested in buying large numbers of similar records.
A global survey has found Canadian companies are more concerned with protecting their reputations than their global competitors when they spend on information security. According to the 2006 Global State of Information Security survey, 53 per cent of Canadian companies surveyed said their reputation was driving their information security spending. The global average was 41 per cent. "Poor information security that loses data such as customer profiles can seriously affect a company's brand," says Greg Murray of PricewaterhouseCoopers. "The cost of handling the public relations issues associated with losing customer identities can be devastating."
  Fri, 29 Sep 2006 00:32:04 +0200
The Electronic Frontier Foundation, an advocacy group for online privacy, has released six tips for consumers who would prefer to remain as anonymous as possible when using search engines. Concern over privacy and the use of online search was heightened last month when Internet service provider AOL acknowledged publishing the search histories of 650,000 users on its Web site. Even though the users' names were withheld, The New York Times and others discovered the identities of several of them.
Complying with a plethora of state privacy laws is tough. Focus on their common elements. All the time, it seems, another state is coming up with a new law for protecting consumers' sensitive data. At least 23 have passed a security breach notification law, and these laws are far from uniform. The result is a bevy of regulations du jour and a daunting challenge for information security and compliance professionals. More than a few times I have been well on my way to meeting the privacy requirements for one state, only to find out another state has passed similar rules, but with additional mandates. Security breach laws vary as to who should be notified, what constitutes personal information, and most importantly, when notification should occur. Do we notify each time data has been accessed without authorization, or only when we believe the data is at risk?
  Fri, 29 Sep 2006 00:28:51 +0200
A bill that would require all federal agencies to strengthen their protection of sensitive information has passed the House and now moves on to the Senate. The language is part of a larger bill, the Veterans Identity and Credit Security Act of 2006. Rep. Tom Davis (R-Va.), who introduced the measure applying to all agencies, said he will try to move the language separately if the Senate does not act on the bill.
  Tue, 26 Sep 2006 00:24:52 +0200
Storage managers in the U.S. may have finally come to grips with Sarbanes Oxley, but if their firms want to do business in Europe they should brace themselves for even more compliance headaches over the next few years. (See AMR Sees $6B in SOX Spending and IDC: 'Users, Do Your Homework'.) Like the U.S., countries within the European Union have been hard at work tightening their own financial and homeland security regulations, bringing yet more complexity to the lives of already pressured IT pros.
Legislation that would require federal agencies to disclose data breaches involving sensitive information was introduced in the House Monday by Rep. Tom Davis, R.-Va., chairman of the House Government Reform Committee. Such a bill would put government agencies on par with businesses, which are required by a patchwork of state laws to notify their customers in such cases. The measure, HR 6163, would amend the Federal Information Security Management Act to direct the White House Office of Management and Budget to establish procedures for agencies to follow if personal information is lost or stolen. The legislation also would require that individuals be notified if their personal information could be compromised by a breach of data security at a federal agency. Agency CIOs would be expected to ensure that their staffs comply with information security laws and that equipment containing sensitive information is accounted for and secured.
A U.S. Senate bill that prohibits impersonating someone to obtain their telephone records without permission is not strong enough, a top House of Representatives lawmaker told Reuters Tuesday. Privacy of telephone records has gained attention since computer and printer maker Hewlett-Packard Co. admitted that investigators it hired obtained telephone records of board members, employees and journalists without their permission to help discover who was leaking information from board meetings.
  Thu, 28 Sep 2006 00:18:22 +0200
The ability to use tiny USB memory sticks to download and walk away with relatively large amounts of data has already made the ubiquitous devices a potent security threat in corporate environments. Now, the emergence of USB flash drives that can store and automatically run applications straight off the device could soon make the drives even more of a security headache. Demonstrating the potential danger, Hak.5, a security-related podcast, earlier this month showed how a USB memory stick can -- in just a few seconds -- be turned into a device capable of automatically installing back doors, retrieving passwords or grabbing software product codes.
About 73 percent of corporate board members in a recent survey said that board chairpersons should have the power to use any legal means to identify the source of confidential leaks. Fifty-three percent said they believed it is permissible to follow individuals as they travel inside and outside of a company, and 53 percent said they believe it is permissible to obtain and review phone records if pretexting is legal, according to a recent survey conducted by the Ponemon Institute.
AT&T Inc., which has been questioned by regulators about the Hewlett-Packard Co. media leak scandal, said on Friday it updated security requirements for its customer service workers. The changes were part of an ongoing effort to better protect customer information, according to an AT&T spokesman. He would not say if the update was related to the controversy over HP using false identities to obtain phone records as it investigated boardroom leaks.
There is news that thousands of current and former GE employees could be at risk for identity theft. A company employee's laptop computer was recently stolen from his locked hotel room while he was traveling on business.
Berry College President Dr. Stephen R. Briggs informed the campus community of a potential security breach this morning. College officials were notified late Monday afternoon that student information included on applications for need-based federal aid filed during the 2005-06 academic year has been misplaced by an external financial aid consultant on Friday. This data, including student name, Social Security number and reported family income, involves 2,093 students or potential students who submitted a Free Application for Federal Student Aid (FAFSA) to Berry in 2005-06. Of those, 1,322 are currently enrolled at the college.
  Wed, 27 Sep 2006 00:05:22 +0200
Burglars entered the heavily guarded Kenya Revenue Authority (KRA) offices at Times Tower and stole computers containing crucial information. The computers were taken from the 14th floor, which houses the income tax section. The intruders also ransacked drawers and vandalised the offices.
Six notebook computers with data on about 9,000 patients have been stolen from Nagasaki University Hospital of Medicine and Dentistry in Nagasaki, a university official said. The data contained names, gender, dates of birth, and diagnoses of people who visited the hospital's hematology division since the early 1990s, the official said. The computers were stolen sometime between 11 p.m. on Sept. 14 and 8 a.m. the next day. The university reported the case to the police immediately, the official said.
Amid seemingly endless reports of lost laptops, some states have written laws that give companies a break if they encrypt data, letting them go without reporting a loss. Yet encryption can be costly and complicated, which has companies exploring not just what's available today but what's on the horizon that could make it easier and more effective. Some big changes on the way involve desktop encryption. Windows Vista BitLocker Drive Encryption is the future of encryption for Microsoft users. The data protection feature is scheduled for inclusion with the Enterprise and Ultimate versions of the forthcoming Windows Vista operating system, as well as in Windows Longhorn server. It's designed to protect data on PCs and servers that have been lost or stolen, or whose hard drives missed out on a thorough scrubbing before being decommissioned or resold.
  Mon, 25 Sep 2006 23:42:20 +0200
Over the last several years, well-publicized security breaches have been causing enterprises to develop security policies in order to protect their brands from the damaging publicity surrounding such an event. The only feasible approach to securing information is to take an encrypted, data-level approach to security. Anything less leaves companies, customers and partners at risk. It used to be that armed guards, locked file cabinets and vaults were the tools for securing currency, as businesses operated in a physical world. Today, information is the currency of the global economy, as consumers pay through electronic card swipes, employees are paid through direct deposit, and businesses sell a good deal of their wares online. More than ever before, companies are now challenged to find ways to protect "currency" as it is exchanged with people inside and outside secure corporate networks.
Almost a third of company directors surveyed have admitted to stealing corporate information, with memory sticks making theft easier than ever. In a survey of 1,385 business people, 29 per cent of company directors admitted to stealing confidential corporate information when they left a company. The survey, conducted by polling company YouGov on behalf of software firm Hummingbird, found that 24 per cent of the thefts involved using memory sticks or MP3 players to move data and 18 per cent used email. The information was revealed as part of Hummingbird's Information Management Survey, which assesses the way in which firms are coping with increases in information sources.
The results of an international cyberwar game that involved Australia were released by the U.S. Department of Homeland Security's National Cyber Security Division last week. Dubbed Cyber Storm, the game was conducted in February this year and simulated a campaign to "affect or disrupt multiple, critical infrastructure elements within the energy, information technology, transportation and telecommunications sectors." Australia was represented by the Attorney General's department in the four-day event which involved more than 110 public, private and international organizations as part of efforts to protect critical infrastructure.
  Sat, 09 Sep 2006 23:36:00 +0200
Each agency should assemble a core management team to plan and oversee the response to any data breach that could result in identity theft, according to a Sept. 20 memo from the Office of Management and Budget. That recommendation is from a recent report of the Identity Theft Task Force of which Attorney General Alberto Gonzales is chairman. OMB distributed the report and its memo to agency leaders.
Federal agencies have been losing laptop computers, including those with personal data, without public notification and sometimes undetected by the government. Agencies are finding out now, and disclosing the information, because House Government Reform Committee chairman Tom Davis (R-Va.) requested summaries of data breaches over the last several years. As a result, the situation requires a strong governmentwide policy on public notification, including strengthening legislation he has introduced, Davis said.
  Mon, 25 Sep 2006 23:34:40 +0200
People who attended Purdue University in 2000 were being notified of a security breach that might have resulted in unauthorized access to identifying information, including Social Security numbers. University officials discovered the incident this month during a check of a workstation in the chemistry department. The incident involved a file dated Feb. 4, 2000, that contained Social Security numbers, names, e-mail addresses and other information for nearly 2,500 students.
  Mon, 25 Sep 2006 23:33:48 +0200
Using clues obtained from a YouTube video and a simple four-word Google search engine query, a criminal can find step-by-step instructions for how to hack into and take control of thousands of ATMs scattered around the United States. Following up on a CNN report out of Virginia Beach, Va., here as a YouTube video, that a man reprogrammed an ATM at a gas station to dispense $20 bills instead of $5 bills, a New York-based security researcher did some old-fashioned online sleuthing and discovered that the operator manual for that specific model of ATM could be legally obtained in about 15 minutes.
  Fri, 22 Sep 2006 23:33:00 +0200
As the U.S. government prepares to complete a conversion to the controversial RFID-based electronic passports, traditional paper-only IDs are still available for a few months to those listening to the raging debate over security and privacy concerns swirling around the electronic documents. Many security experts are still questioning whether e-passports, which have a 10-year life span, have enough security built in to survive a decade of hackers and technology advancements while protecting e-passport users from data theft, identity theft and other security and privacy intrusions. "If the government is right, this will be the first time in the history of mankind that a perfectly secure application will be produced. Of course it will be hacked," says Bruce Schneier, a noted security guru, author and CTO of Counterpane Internet Security.
  Sat, 09 Sep 2006 23:32:35 +0200
The Commerce Department has lost 1,137 laptop computers since 2001, most of them assigned to the Census Bureau, officials said Thursday night. No personal information has been known to have been improperly used. The number of people affected could not be determined, officials said, in what was the latest in a series of data losses at government agencies that have raised concerns about identity theft. "All of the equipment that was lost or stolen contained protections to prevent a breach of personal information," Commerce Secretary Carlos M. Gutierrez said in a statement. "The amount of missing computers is high, but fortunately, the vulnerability for data misuse is low."
Thursday September 21, 4:19 pm ET By Brian Bergstein, AP Technology Writer BOSTON (AP) -- Insert your own punch line: Hewlett-Packard Co., the technology company facing federal and state investigations for spying on board members and journalists, is co-sponsor of an award for "privacy innovation." Nominees are currently being accepted for the fourth annual HP/IAPP Privacy Innovation award, which Hewlett-Packard gives in conjunction with the Maine-based International Association of Privacy Professionals. According to the award's Web site, the prize was created to honor "strong and unique contributions to the privacy industry." "At present, there is not sufficient recognition for organizations that have embraced privacy as a competitive advantage, and as a business/governmental imperative," the site states. Previous winners of the award have included eBay Inc., Microsoft Corp., Sprint Nextel Corp. and two Canadian provincial offices. No one from HP is a judge. Two IAPP directors did not immediately return a call seeking comment Thursday, nor did an HP spokesman. HP is facing multiple investigations into the company's surveillance of directors, employees and journalists as it sought the source of boardroom leaks to the media. HP investigators posed as other people to obtain their phone records and sent at least one reporter monitoring "spyware" in an e-mail. An HP director quit in protest of the methods and another resigned after being outed as a leaker. Questions about HP's methods led the board chair, Patricia Dunn, to agree to cede the post in January, though she plans to remain a director. One place to read about all this is none other than the Privacy Innovation award's Web site. It contains a long list of privacy-related stories in the news, including the HP affair.
  Tue, 19 Sep 2006 23:29:12 +0200
If you have a passport, now is the time to renew it -- even if it's not set to expire anytime soon. If you don't have a passport and think you might need one, now is the time to get it. In many countries, including the United States, passports will soon be equipped with RFID chips. And you don't want one of these chips in your passport. RFID stands for "radio-frequency identification." Passports with RFID chips store an electronic copy of the passport information: your name, a digitized picture, etc. And in the future, the chip might store fingerprints or digital visas from various countries. By itself, this is no problem. But RFID chips don't have to be plugged in to a reader to operate. Like the chips used for automatic toll collection on roads or automatic fare collection on subways, these chips operate via proximity. The risk to you is the possibility of surreptitious access: Your passport information might be read without your knowledge or consent by a government trying to track your movements, a criminal trying to steal your identity or someone just curious about your citizenship.
  Tue, 19 Sep 2006 23:28:31 +0200
The European Commission has published proposals for a law change that would force telecoms firms to notify regulators and customers of all breaches of their data security. A similar law in California has resulted in a stream of data breaches being made public. In a consultation on changes to the EU framework on telecoms regulation the EC proposes that all providers of "electronic communications networks or services" be forced to notify customers and regulators of any breaches of security that would result in their personal data being made available to others. The current EU Directive only instructs network providers to notify customers of security risks. It does not cover security breaches.
  Tue, 19 Sep 2006 23:27:49 +0200
As many as 500 current and former employees of San Francisco's Howard, Rice, Nemerovski, Canady, Falk & Rabkin may be at risk of identity theft after a laptop computer containing confidential employee pension plan information was stolen from an auditor. The firm sent a notice to current and former partners, associates and staff in mid-August alerting them of the security breach. "Given the circumstances of the theft, we think it is highly unlikely that the laptop was purloined because the thief knew that Howard, Rice employee names and Social Security numbers were resident on the computer," the letter stated. "Nonetheless, we want to treat this potential information breach with utmost caution."
  Tue, 19 Sep 2006 21:57:46 +0200
Microsoft announced it has created a hotfix that patches a bug in one of the dozen August security updates which could corrupt users' data. Customers must contact Microsoft to get the hotfix. The MS06-049 update, which was released Aug. 8 to correct a flaw in the Windows 2000 kernel, can ruin data on NTFS-formatted drives when the PC is using Windows' own file compression. Files larger than 4K that are either created or backed up can be corrupted and become unreadable. Microsoft issued a hotfix, but has not made it available to the general public. Instead, as is its practice with hotfixes, Microsoft requires users who want the patch to call the company.
  Mon, 18 Sep 2006 21:57:18 +0200
Ethics are of incredible importance in the security field. Scott Granneman looks at recent examples of poor security decisions made at HP, Diebold, Sony, and Microsoft. Joel and Ethan Coen make some of the most inventive and clever movies in Hollywood history. With a record like Raising Arizona, Blood Simple, Barton Fink, Fargo, and The Big Lebowski, how could anyone argue? One of their absolute best, however, has got to be Miller's Crossing (1990), a gangster film filled with betrayals, violence, and a wonderful slang that is a joy to hear.
  Mon, 09 Oct 2006 21:55:14 +0200
Computer tapes containing the private health and welfare records of "hundreds of thousands" of British Columbians were discovered missing from the government's main data centre in Victoria last year and have never been found, according to a confidential government investigation obtained by the Vancouver Sun. Poor record-keeping at the facility, which is run by Telus, means it's impossible to confirm exactly what happened to the 31 tapes, although the report speculates they were most likely destroyed in error or borrowed by a government staffer who forgot to return them. However, the report warns that their disappearance is serious and "may have resulted in the inadvertent disclosure of the data contents."
  Mon, 09 Oct 2006 21:54:07 +0200
The Florida National Guard was conducting a security review Thursday after a laptop computer assigned to one of its soldiers was stolen in a car burglary. No classified information was on the computer stolen Tuesday from a soldier’s personal vehicle, said Florida Department of Military Affairs spokesman Jon Myatt. The laptop contains training and administrative records - including social security numbers - of up to 100 Florida National Guard soldiers.
  Thu, 14 Sep 2006 21:52:43 +0200
The data breaches noted below have been reported because the personal information compromised includes data elements useful to identity thieves, such as Social Security numbers, account numbers, and driver's license numbers. Some breaches that do NOT expose such sensitive information have been included in order to underscore the variety and frequency of data breaches. However, we have not included the number of records involved in such breaches in the total because we want this compilation to reflect breaches that expose individuals to identity theft as well as breaches that qualify for disclosure under state laws. The running total we maintain at the end of the Chronology represents the approximate number of *records* that have been compromised due to security breaches, not necessarily the number of *individuals* affected. Some individuals may be the victims of more than one breach, which would affect the totals.
IBM on Tuesday unveiled new technology it says will help curb the growing problem of businesses exposing, either through theft or carelessness, sensitive consumer data routinely stored on their computer networks. The technology, newly embedded in the company's TS1120 storage system, works to encrypt Social Security numbers, credit card information, and other customer data archived on magnetic tape--the most common type of storage media in use by businesses today. The goal is to make the data inaccessible to thieves and others who wrongfully come into possession of such tapes. "It's useless to whoever gets it," says Andy Monshaw, general manager of IBM's system storage group.
  Thu, 14 Sep 2006 21:46:38 +0200
The Department of Homeland Security has quieted some but not all the concerns that have kept many U.S. companies from voluntarily submitting critical infrastructure information (CII) to the agency. The DHS badly needs private sector input in order to increase the utility of its National Asset Database (NADB), the registry of nearly 80,000 facilities and assets in the U.S. which could be targeted by terrorists. The DHS issued a final rule on Sept. 1 on how it plans to protect CII it validates as protected CII (PCII). Four days later, Robert Stephan, assistant secretary for infrastructure protection, briefed representatives of select companies at an invitation-only meeting at the U.S. Chamber of Commerce. Andrew Howell, vice president of homeland security for the chamber, said the final rule corrects many of the problems his members had with the interim rule, which was published in February 2004.
Government and private-sector efforts to build a nationwide health information infrastructure are ignoring the issues posed by secondary uses of data from patients' records, according to a new report from the American Medical Informatics Association (AMIA). Although most hospitals, physicians and patients don't know about it, the report states, "A multimillion-dollar industry based on the sale of health and health-related data has prospered and appears to be growing."
Facebook on Friday tightened privacy controls for a controversial news feed feature, as founder Mark Zuckerberg apologized to hundreds of thousands of angry users, saying the social-networking site "really messed this one up." While apparently well intentioned, the feature launched this week sparked protests among Facebook users who objected to its automatic broadcasting of members' activities on the site to everyone in their social circles. Two online petitions gathered a total of more than 700,000 signatures from members demanding that Facebook pull the plug on the new feature. In addition, a one-day boycott of the site was called for Sept. 12, and members were organizing a Monday demonstration at the company's Palo Alto, Calif., headquarters.
  Tue, 12 Sep 2006 21:42:33 +0200
Second Life, the fast-growing online site where hundreds of thousands of people play out fantasy lives online, has suffered a computer security breach that exposed the real-world personal data of its users. Linden Lab, the San Francisco-based company behind the Second Life site, said in a letter to its 650,000 users this weekend that its customer database, including names, addresses, passwords and some credit card data, had been compromised. All users - or residents in Second Life parlance - are being required to request a new password. Some 286,000 residents have used the site in the past 60 days, according to a count on the home page at http://www.secondlife.com/.
The agency responsible for safeguarding the nation's airports from terrorists has its own security problem after a contractor accidentally mailed documents containing Social Security numbers of former Transportation Security Administration (TSA) employees to the wrong addresses. In the latest privacy breach to affect a government entity, Accenture, an outsourcer responsible for personnel management at TSA, sent 1,195 documents to the wrong former employees, USA Today reported. The forms, sent to employees after they leave a government job, usually list sensitive information that could be used to steal identities, such as Social Security numbers, birth dates and salary. TSA spokeswoman Ann Davis could not be reached for comment today by SC Magazine. But another agency representative told USA Today last week that the breach was "an administrative error, and the contractor has taken steps to ensure it's not repeated."
  Mon, 11 Sep 2006 21:40:50 +0200
Security executives from around the country converged in Boston this week to hear how their peers are tackling enterprise security and managing risk. The Security Standard conference, hosted by Network World and other IDG publications, examined such issues as regulatory compliance, dealing with internal and external threats, working with law enforcement and establishing security best practices.
Despite a veritable avalanche of negative publicity for companies this year that got caught with improperly-handled consumer information, preliminary findings from the Retail Systems Alert Group show that most retailers do not have any formal procedures in place to deal with protecting confidential consumer details. One of the authors of that report, Steve Rowen, who also serves as the senior editor for the group's Extended Retail Industry Journal, said there are many possible excuses for the absence, but it needs to change.
  Mon, 11 Sep 2006 11:08:49 +0200
Five major credit card companies Thursday announced the formation of an independent body to oversee the development and maintenance of the Payment Card Industry (PCI) data security standard. American Express, Discover Financial Services, JCB, MasterCard Worldwide and Visa International have thrown their weight behind the newly formed PCI Security Standards Council. Aimed at retailers and companies that process credit-card data, the PCI standard is a set of technology requirements for securing networks and applications, protecting cardholder data, maintaining a vulnerability management program, and regularly validating compliance via a third-party assessment. It was designed to consolidate what in the past have been a bunch of different security guidelines from credit card companies.
  Mon, 11 Sep 2006 11:07:24 +0200
The National Institutes of Standards and Technology has released new draft guidelines for recovering data evidence from mobile phones. The draft covers phones with features that are “beyond simple voice communication and text messaging and their technical and operating characteristics,” NIST said. The guide outlines some of the reported examples of evidence, including text message logs and location tracking, and ways to access material, such as studying software authentication weaknesses, identifying and examining cell phone memory cards, and asking service providers for additional information about a phone. The guide also breaks down the memory structure of cell phones and call data analysis.
  Mon, 11 Sep 2006 11:05:52 +0200
Personal information on 2.6 million past and current Circuit City credit card holders was mistakenly thrown out as trash, a division of J.P. Morgan Chase has said. Chase Card Services said on Thursday that it mistakenly tossed out computer tapes with the personal information of Circuit City card holders. It said it believes the tapes, inside a locked box, were compacted, destroyed and buried in a landfill.
  Thu, 07 Sep 2006 11:04:52 +0200
If you put stock in a recent survey from Symantec, the company behind the Norton line of computer protection software, 57 percent of computer users who store personal data on their PCs conscientiously back it up. Those people can feel very good about themselves, because the same survey found that a quarter of computer users have lost computer data like documents, photos and music files, most commonly when the computer crashes.
  Thu, 07 Sep 2006 11:02:54 +0200
When it comes to data classification and search, IBM has adopted a "grow your own" stance via Java-based development tools called the Unstructured Information Management Architecture (UIMA). But a project in the Cape Breton region of Nova Scotia could yield something more generally usable. IBM is working with a local company called ADM Solutions (no Website), Cape Breton University, and the Cape Breton Regional Police Services, all of Sydney, Nova Scotia, to create a system that stores, classifies, and searches police crime data.
IT security professionals are struggling to detect and prevent data breaches, according to the results of a recent survey of 853 U.S. security executives conducted by the Ponemon Institute LLC. Nearly two-thirds of security executives said they have no way to prevent a data breach, while most respondents said their organizations lack the accountability and resources necessary to enforce data security policy compliance, according to the Elk Rapids, Mich.-based think tank. The study, conducted in June and July, was sponsored by Palo Alto, Calif.-based security firm PortAuthority Technologies Inc.
  Thu, 07 Sep 2006 11:01:05 +0200
Federico Biancuzzi surveys statements from some of the world's largest software companies about vulnerability disclosure, interviews two security companies who pay for vulnerabilities, and then talks with three prominent, independent researchers about their thoughts on choosing a responsible disclosure process. In three parts.
  Thu, 07 Sep 2006 11:00:10 +0200
The Compliance Security Council, made up of the Institute of Internal Auditors, the Computer Security Institute, and Symantec, has been tracking what's working and what's not, says James Hurley, executive director of research for the Security Compliance Council and a director of research at Symantec.
A primary reason corporate data security breaches occur is that companies do not know where their sensitive or confidential business information resides within the network or enterprise systems. This lack of knowledge, coupled with insufficient controls for data stores, poses a serious threat for both business and governmental organizations. Moreover, the danger doesn’t stop at the network, but includes employees’ and contractors’ laptop computers and other portable storage devices. Consider, for example, a recent data breach involving the U.S. Department of Veterans Affairs (VA) and the loss of veteran records that were stored on an employee’s laptop computer. Records contained the names and Social Security numbers of almost 27 million living veterans. According to the press, this laptop was stolen from the employee’s home office—which resulted in huge remediation costs and reputation damage for the VA and federal government.
Google Inc., which refused in the past year to hand over user search data to U.S. authorities fighting children's access to pornography, said yesterday that it was complying with a Brazilian court's orders to turn over data that could help identify users accused of taking part in online communities that encourage racism, pedophilia and homophobia. The difference, it says, is scale and purpose. The Justice Department wanted Google's entire search index, billions of pages and two months' worth of queries, for a broad civil case. Brazil, by contrast, is looking for information in specific cases involving Google's social networking site, Orkut. "What they're asking for is not billions of pages," said Nicole Wong, Google associate general counsel. "In most cases, it's relatively discrete -- small and narrow."
  Sat, 05 Aug 2006 10:55:32 +0200
A medical lab is notifying patients that a computer with sensitive personal information was stolen from its Prospect Plains Road sample-collection center. LabCorp is identifying patients who may have had their names and Social Security numbers on a computer stolen from its Monroe Patient Service Center and notifying those people by mail, said Pamela Sherry, LabCorp's senior vice president of corporate communications. "We have no reason to believe the information is being used improperly," Sherry said.
  Tue, 05 Sep 2006 10:53:25 +0200
Thousands of city employees could be at risk of identity theft following the theft of a laptop computer from a city contractor, and a delay of more than a year in reporting the theft to the proper personnel within the company, according to a release from the Mayor’s office. Nationwide Retirement Solutions, the provider of deferred compensation services for City of Chicago employees, has notified the city that a laptop computer containing personal information about customers was stolen from the home of one of its employees, according to the release. NRS, which has provided services for city employees since 2004, is notifying affected individuals by letter and offering free credit-monitoring service for a year, which includes $25,000 of identity theft insurance, according to the release.
A bank has been ordered to pay a $50 million settlement for buying more than 650,000 names and addresses from the Florida Department of Highway Safety and Motor Vehicles. The Electronic Privacy Information Center, which filed an amicus brief in favor of the plaintiffs, announced the decision this week. EPIC said Fidelity Federal Bank & Trust bought 656,600 names and addresses for use in direct marketing and the purchase violated the Drivers Privacy Protection Act. The federal law was enacted in 1994, before a vast number of "find people" sites were popular on the Internet. It aims to protect drivers from having their personal information distributed because stalkers and other criminals had used motor vehicle records to locate victims.
  Fri, 01 Sep 2006 10:51:38 +0200
If an attacker gains access to authorized user privileges to break into your network, it'll cost you more than a malware attack. That's what a new report released today by Trusted Strategies concludes: The average cost per event to an organization hit with stolen account privileges was $1.5 million, versus $2,400 for a virus attack, according to the report, which analyzes real data from publicly disclosed cybercrime cases.
Since July of 2005, attrition.org has been tracking data loss and data theft incidents not just from the United States, but across the world. Our archives go back to the year 2000, and with over 142 MILLION records compromised in over 300 incidents across six years, we would finally like to introduce a very basic and rudimentary database that will assist others in tracking these incidents.
  Fri, 01 Sep 2006 10:49:07 +0200
Most used smartphones and PDAs for sale online are loaded with sensitive data ranging from banking records to corporate emails that can easily be retrieved by hackers and data thieves, it was alleged today. According to a sampling by mobile security software provider Trust Digital, much of this sensitive information is retained in the Flash memory of the devices because of a widespread failure to perform the advanced hard reset required to delete data. Trust Digital claimed that its engineers were able to recover nearly 27,000 pages of personal, corporate and device data from nine out of 10 mobile devices purchased through eBay for the project.
A pair of security surveys released this week shows that protecting corporate and consumer data is sometimes easier than people might think, but the broader problem still is confounding far too many organizations. The first study, entitled "Network Attacks: Analysis of Department of Justice Prosecutions 1999-2006," shows most network attacks tracked by the DOJ used stolen IDs and passwords. Those attacks resulted in far more extensive damages than what had been assumed -- an average of more than $1.5 million per incident, with $10 million being the most damage incurred in one incident. The study, commissioned by Phoenix Technologies and conducted by research and advisory firm Trusted Strategies, analyzed data from all cases prosecuted and publicly disclosed by the DOJ between March 1999 and February 2006. The report also maintains that a whopping 84 percent of these attacks could have been thwarted if, after checking the user ID and password, the organization had simply verified the identity of the invasive computer connecting to its network and accounts via device authentication policies and solutions.
  Thu, 31 Aug 2006 10:46:38 +0200
High-profile data security breaches make headlines. That means that in an election year you can expect to see plenty of politicians proposing data security legislation. The last time headlines spurred legislation aimed at regulating a business crisis, CIOs found themselves spending millions on Sarbanes-Oxley compliance. Every day it seems the media reveals another new nightmare. A data tape is stolen from a truck. A hard drive is stolen from an office. In May, thieves stole a laptop from the Maryland home of an analyst with the Department of Veterans Affairs. Although officials claimed the laptop had been recovered and they were confident no data was compromised, the theft still put 26.5 million veterans and current military members at risk of identity theft.
Most used cell phones and PDAs contain personal information that their former owners neglected to adequately delete, Trust Digital, a McLean, Va. security firm reported Wednesday. Trust Digital examined a small sample of used phones and personal data assistants purchased from sellers on the eBay online auction site, and recovered data from 9 out of 10 of the devices. "The file system on your cell phone or PDA is just like the one on your PC's hard drive," said Norm Laudermilch, the chief technology officer at Trust who restored the data. "If you delete a file, you're not really overwriting the data. All it's doing is changing the index of the file system, or the file's pointers."
  Thu, 31 Aug 2006 10:44:42 +0200
Still smarting from the failure of its old IT systems, the Federal Bureau of Investigation Tuesday gave a public demonstration of its Investigative Data Warehouse (IDW) and bragged that the 659 million-record counterterrorism database functions well. At a meeting in Washington, the FBI said the system had been developed by Chiliad Inc. of Amherst, Mass., whose president and CEO Paul McOwen attended the demonstration.
  Thu, 31 Aug 2006 10:43:15 +0200
Since it was launched in February, the Malware Distribution Project (MD: Pro) has amassed a vast archive of malware code samples. Its pricey access fees and rigorous vetting process are intended to keep dangerous digital weaponry from falling into the wrong hands, but some believe the access restrictions are tedious and detrimental to the information security community. MD: Pro bills itself as a vast archive of downloadable malware, created to help the security fight back against digital desperados and their wares. It claims to differentiate itself from other archive sites such as Milw0rm and the French Security Incident Response Team (FrSirt) by not only offering access to standard malware, but also undetectable malware and compiled binaries.
With the launch of Google's hosted application suite earlier this week and the ongoing beta test of Microsoft Office Live, online application delivery appears ready to challenge the desktop computing model that has dominated since the 1980s. But like the traditional desktop environment, Web applications have security problems. Last week, more than 60 new Web application vulnerabilities were found, according to the SANS Institute's latest @RISK bulletin. Compare that to the number of vulnerabilities found last week in Windows (2), Mac OS (2), and Linux (3), Internet Explorer (2), third party Windows apps (9), or cross-platform apps (16). "Web applications tend to be written less tightly than other applications," says Alan Paller, director of research at the SANS Institute, a computer security organization, though he notes that Google's code review process is probably more rigorous than that of an average online startup. Google's apps are not among those listed in @RISK as being vulnerable. Douglas Merrill, VP of engineering at Google, acknowledges that the programming methodology for Web apps isn't as mature as the desktop application programming model. "Anytime you have a new piece of technology, you will find more problems with it," he says.
  Thu, 31 Aug 2006 10:40:30 +0200
The Education Department is a victim of data exposure for the second time in less than a month. DTI Associates, a professional services contractor based in Arlington, Va., acknowledged that two laptop computers were stolen Aug. 11 from its Washington, D.C., office on K Street. The laptops contained information on 43 reviewers who were assessing grant applications for Education’s Teacher Incentive Fund, said Bruce Rankin, vice president of DTI.
Fresh on the heels of a string of highly publicized, corporate data breaches, 63% of respondents to a new data security study said they don't believe they can prevent such breaches. "This group came out much, much more negative than I ever expected," said Larry Ponemon, the founder and chairman of the Ponemon Institute, an Elk Rapids, Mich.-based firm that looks at information and privacy management practices in business and government. "They said they're bad at detecting [breaches], but even worse at preventing [breaches]." The 11-page study (PDF), National Survey on the Detection and Prevention of Data Breaches, which was released Monday, is based on responses from 853 IT professionals, including senior executives, information security managers and others. The study was sponsored by PortAuthority Technologies, a Palo Alto, Calif.-based vendor of information leak prevention software.
  Wed, 30 Aug 2006 10:37:17 +0200
AT&T has notified close to 19,000 customers that their personal data was compromised over the weekend, leaving them at risk for identity fraud. Priscilla Hill-Ardoin, the company's chief privacy officer, said in a statement that digital miscreants hacked one of its computer systems and gained access to credit card information and other personal data. The security breach primarily affects customers who used AT&T's online store to buy DSL equipment. In response to the breach, the San Antonio-based company notified victims' credit card companies and closed the section of its online store used to purchase DSL products. AT&T also notified customers of the breach by phone, email and traditional mail and offered to pay for credit monitoring services for those affected.
  Tue, 29 Aug 2006 10:36:38 +0200
A laptop computer that might contain personal identity information on 193 people with commercial driver's licenses was stolen in Baltimore this week, transportation officials said. The laptop was stolen Tuesday from a government-owned vehicle and was reported stolen to police, according to the Federal Motor Carrier Safety Administration, a part of the Department of Transportation.
  Mon, 28 Aug 2006 10:35:11 +0200
Oakley Networks next week is expected to introduce an appliance that lets customers scan content to detect disclosure of sensitive information. The appliance, called CoreView, is based on traffic-monitoring equipment gained through Oakley’s acquisition of Inetd.com in May for an undisclosed price. Tom Bennett, vice president of marketing at Oakley, says the CoreView appliance can watch for outbound transmission of sensitive information, such as Social Security numbers or intellectual property. Competitors in data-leak prevention products — sometimes called extrusion detection — include PortAuthority, Reconnex, Vontu and Vericept.
AT&T has filed suit in a federal court to block data brokers from the unauthorized use of telephone records. Two dozen data brokers were cited in the litigation filed in the San Antonio court Wednesday, the telecommunications giant said. AT&T said the legal action was designed to give it the means to use e-mail addresses and Internet Protocol addresses that will lead to the identity of the data abusers. AT&T said it would then seek injunctions against the violators as well as damages.
  Mon, 28 Aug 2006 10:23:29 +0200
Verizon Wireless this week accidentally distributed a file with limited details on more than 5,000 customers outside the company, potentially giving identity thieves a toehold. The Microsoft Excel spreadsheet file was e-mailed on Monday and includes names, e-mail addresses, cell phone numbers and cell phone models of 5,210 Verizon Wireless customers, going by a copy of the file obtained by CNET News.com. All of the customers have Motorola Razr phones, according to the spreadsheet. The spreadsheet was inadvertently sent to about 1,800 people, all Verizon Wireless subscribers, according to a follow-up e-mail apologizing for the gaffe that the mobile carrier sent on Thursday. The Excel file was attached to an ad for a Bluetooth wireless headset, instead of the electronic order form that was supposed to be sent.
AT&T Inc. today sued 25 unnamed data brokers, accusing them of fraudulently gaining access to about 2,500 customers' calling records. The lawsuit, filed in a U.S. District Court division in San Antonio, said the "John Doe" defendants often collected information for use in legal or domestic disputes. AT&T said the data brokers used a method known as "pretexting," or setting up online accounts by using identification data such as Social Security numbers. Through the online accounts, the brokers obtained access to customer information, including calling records. No driver's license numbers or sensitive financial data was accessible, however, the company said. AT&T said the lawsuit was a step toward identifying the perpetrators by using e-mail addresses and IP addresses and toward seeking damages.
The U.S. Department of Education leaked personal information for as many as 21,000 people over the course of two days earlier this week. A glitch caused by the deployment of a software upgrade at the department affected the part of the Web site that handles federal student loans. Between Sunday night and Tuesday, when borrowers went online to either make a loan payment or update their personal information, they were shown sensitive information about other borrowers when they clicked on "update." The glitch revealed people's names, loan balances, birth dates, addresses, telephone numbers, and Social Security numbers, says department spokeswoman Jane Glickman.
  Fri, 25 Aug 2006 10:19:19 +0200
Wireless Internet allows computer users to go online from almost anywhere - such as in the library, on the lawn or in a dormitory lounge on a college campus. But university students, faculty and staff who set up their own wireless connecting points, called "hot spots," may be putting themselves and the school's network at risk, computer security officials said. The University of Iowa recently discovered 80 unauthorized access points to its wireless network in an audit of nine academic buildings. These so-called rogue access points were probably set up by faculty or staff impatient for wireless service, which covers only 15 percent of campus, said Jane Drews, information technology security officer for the U of I.
A laptop containing home care information on 28,000 patients has been stolen from the car of a nurse who works for Royal Oak, Mich.-based Beaumont Hospitals, according to a statement from the hospital. The laptop was in the nurse's car, which was stolen in Detroit on Aug. 5 after the nurse had finished seeing patients. The vehicle was later recovered, but the laptop was missing. The computer contained personal and health information of Home Care patients who had received care over the previous three years, the hospital said. The Home Care staff uses laptops to document patient care. The data on the stolen laptop -- a Dell Latitude model -- includes patient names, addresses, birth dates, medical insurance information, Social Security numbers and personal health information relating to their home care services. The computer does not include information on services received at the Beaumont Hospitals or other Beaumont outpatient services, the hospital said.
  Fri, 25 Aug 2006 10:15:49 +0200
Insurance giant Aflac said Monday that a laptop computer containing personal information on hundreds of customers was stolen from an agent's car in the Greenville area. The computer contained names, addresses, Social Security numbers and birth dates of 612 policy holders, said spokeswoman Laura Kane. After the theft was reported, the Columbus, Ga.-based company notified all affected customers in a letter dated Aug. 11. Kane said the insurer, also known as American Family Life Assurance Co., believes the computer was taken by an opportunistic thief, not someone who was after the data on it.
Fiberlink on Monday announced its Managed Information Protection Service security service. The offering lets network managers monitor and control how data is used by mobile and remote employees. Fiberlink integrated Verdasys Technology’s software with its Extend360 client software to protect customers against insider threats to corporate data and intellectual property. The managed service allows customers to set policies on how mobile users can access, view and manipulate data from their mobile device.
Symantec is making it easier for companies to comply with new government regulations requiring them to find and present files to external legal teams during litigation proceedings. With Monday's release of Enterprise Vault Discovery Accelerator 6.0, an extension of the Cupertino, Calif.-based vendor's email and file archiving solution, Symantec has simplified the process of searching through archived corporate data to find specific files, which has traditionally created headaches for companies during the discovery phase of lawsuits. When a company is sued, it must go through the process of collecting all data stored on its network that could contain evidence related to the case, which can be very expensive, especially for larger companies. In December, new rules for managing this process - known as electronic discovery, or eDiscovery - will take effect. While Enterprise Vault automates the capture and retention of documents that go through the email system, Discovery Accelerator 6.0 lets companies search through multiple Enterprise Vault databases to find the specific files that are relevant to a lawsuit, said Nick Mehta, senior director of product management at Symantec.
  Wed, 23 Aug 2006 10:04:53 +0200
Web developers at Unspam Technologies Inc. have created a new tool that helps consumers protect their privacy by sending erroneous search data to AOL, Ask, Google, MSN, and Yahoo on their behalf. Unspam CEO Matthew Prince said Lost In The Crowd took one week to build. The company built the tool in response to the recent AOL Inc. debacle, where thousands of subscribers found their search data had spilled onto the Internet. Lost In The Crowd randomly generates queries to confuse anyone who might look through future search records. Users download a search engine bookmark from Lost In The Crowd before going to the search engine and clicking on the bookmark.
  Tue, 22 Aug 2006 10:03:28 +0200
United States and European authorities, looking for more tools to detect terrorist plots, want to expand the screening of international airline passengers by digging deep into a vast repository of airline itineraries, personal information and payment data. A proposal by Homeland Security Secretary Michael Chertoff would allow the United States government not only to look for known terrorists on watch lists, but also to search broadly through the passenger itinerary data to identify people who may be linked to terrorists, he said in a recent interview. Similarly, European leaders are considering seeking access to this same database, which contains not only names and addresses of travelers, but often their credit card information, e-mail addresses, telephone numbers and related hotel or car reservations.
  Tue, 22 Aug 2006 10:01:31 +0200
The Homeland Security Department has good control over the physical security of its radio frequency identification (RFID) systems, but the department needs to address some related vulnerabilities before those systems are completely secure, according to the department’s inspector general. One problem is that DHS does not have a departmentwide policy for how its various agencies should manage and protect systems that use RFID, and some agencies apparently have not bothered to develop their own policies. Without those policies, DHS can’t be sure that agencies have effective control, the IG said in a recent report.
  Tue, 22 Aug 2006 10:00:59 +0200
Earlier this month AOL publicly released a data trove: 500,000 search queries culled from three months of user traffic on its search engine. The company claimed it was trying to help researchers by providing "anonymized" search information, but experts and the public were shocked at how easy it was to figure out who had been searching on what. Apparently, AOL's anonymizing process didn't include removing names, addresses and Social Security numbers. Although the company has since apologized and taken the data down, there are at least half-a-dozen mirrors still out there for all to browse.
  Wed, 23 Aug 2006 09:59:30 +0200
AOL Chief Technology Officer Maureen Govern resigned on Monday and two other employees were fired in the online release of personal information on hundreds of thousands of subscribers, a snafu that sparked condemnation from privacy advocates and calls for government regulation. In addition, AOL, a unit of Time Warner Inc., instituted new rules for the handling of subscribers' personal information, according to employee memos issued by Jonathan Miller, chairman and chief executive of AOL. The company made the two memos available to the media.
  Sat, 19 Aug 2006 09:58:08 +0200
Chris Gladwin, a software designer and businessman in Chicago, had time on his hands after selling his company, the online music store Music Now, in 2004. So he decided to digitize all of the music, photos and paper detritus that he had been meaning to organize for years. After he was finished, he discovered that he had 27 gigabytes of data--equivalent to a library of 22,000 books--that he was eager to protect. "I wondered, 'what are my options?'" he said, "and I realized that none of them were that good."
  Tue, 22 Aug 2006 09:50:34 +0200
A $17 million project is evaluating whether enough common ground exists in 50 sets of state health privacy laws to support one national health records exchange. It might be a long shot. Digging into electronic medical records: An executive order calls for establishing a national system for exchanging electronic medical records by 2014. But first, variations in states’ policies and business practices on health information security and privacy must be accommodated or pre-empted. But pre-emption could discourage patients from seeking treatment, privacy advocates say. A survey released last fall by the California HealthCare Foundation found that:
  Sat, 19 Aug 2006 09:49:29 +0200
A stolen laptop might cost a company $1,000 or more to replace. But losing control of the information contained in that portable computer is far more costly - as companies in Colorado and nationwide are finding out. Matrix Capital Bank had two laptops stolen from its downtown Denver headquarters. The company has since spent "in excess of $50,000" responding to security issues, said Michael McCloskey, chief operating officer of Matrix Bancorp Inc.
  Sat, 19 Aug 2006 09:47:46 +0200
The World Privacy Forum has filed a Federal Trade Commission (FTC) complaint against AOL, saying the company violated its own privacy policy by releasing the search records from hundreds of thousands of its members. The World Privacy Forum, a privacy advocacy group, asked the FTC to investigate AOL's release of search records this year, to fine AOL a "substantial" amount of money and to order AOL to provide free credit counseling to any members who had their personal data exposed in AOL's release of the search records. The World Privacy Forum's complaint, filed Wednesday, came two days after the Electronic Frontier Foundation (EFF), a privacy and civil liberties advocacy group, filed a similar complaint with the FTC.
  Sat, 19 Aug 2006 09:46:48 +0200
Chevron may have pocketed record profits of $4.35 billion in the most recent quarter, but that wasn't enough to protect the names and Social Security numbers of potentially tens of thousands of employees. The San Ramon oil giant sent an e-mail to U.S. workers Monday warning that a laptop computer "was stolen from an employee of an independent public accounting firm who was auditing our employee savings, health and disability plans." The e-mail offered no details about the theft but told workers that "upon learning of this incident, we immediately ensured that law enforcement was informed and began risk mitigation steps."
  Sat, 19 Aug 2006 09:45:49 +0200
About 1,200 employees at Williams-Sonoma may be at risk of identity theft after a laptop computer containing personal information was stolen from an auditor. The San Francisco home-furnishing chain sent an e-mail to current and former employees earlier this month alerting them to the theft. "Although the information contained on the computer was not encrypted, it was password protected," the letter stated. "Despite this level of protection, the potential does exist that your personal information may be accessed and/or disclosed by unauthorized individuals."
The inspector general's office at the Department of Transportation disclosed yesterday the theft of another laptop from one of its agents in Florida, the second such report in less than a week. Barbara L. Barnet, the special agent in charge of the Miami office, discovered in April that her laptop had been stolen from a locked room during an agency-sponsored anti-fraud conference in Orlando, acting Deputy Inspector General Theodore P. Alves said yesterday. "The police report does indicate that there were case files on the computer," Alves said. "The police report also indicates that they were not encrypted, although the computer was password-protected."
  Fri, 18 Aug 2006 09:43:22 +0200
If you think stolen laptops are a threat to your organization, you'd better double-check the PCs and hard drives you've sold, trashed, or given away. In a newly published study of more than 300 hard drives obtained in auctions and computer fairs all over the world, university researchers found "an alarming level of sensitive information" remains on second-hand drives long after they are disposed of.
  Thu, 17 Aug 2006 09:42:19 +0200
Unisys, the Veterans Affairs Department’s Office of Inspector General and the FBI have announced a reward of as much as $50,000 for information leading to the recovery of a company desktop computer reported missing on Aug. 7 from Unisys headquarters in Reston, Va. The computer’s hard drive contains personal information regarding about 20,000 veterans treated at VA medical facilities in Pittsburgh and Philadelphia in the past four years. Unisys has a contract to monitor the data for insurance claims processing. A company statement said, "There is no evidence to indicate that the individual or the individuals responsible for the disappearance of the computer had any knowledge of the content of the information stored on the computer."
  Thu, 17 Aug 2006 09:41:41 +0200
Using stolen personal identification and account numbers, thieves have withdrawn hundreds of thousands of dollars from the bank accounts of consumers who used debit cards at Dollar Tree stores in California and southern Oregon, police departments in the two states said. In Oregon, consumers have reported losing $250,000 from unauthorized withdrawals during the past month, said Lt. Tim George, a spokesman for the Medford, Ore., Police Department. The withdrawals, he said, were made from automated teller machines in southern California.
  Wed, 16 Aug 2006 09:40:03 +0200
Bank account details belonging to thousands of Britons are being sold in West Africa for less than £20 each, the BBC's Real Story programme has found. It discovered that fraudsters in Nigeria were able to find internet banking data stored on recycled PCs sent from the UK to Africa. The information can be found on a PC's hard disk, which is easy to access if the drive is not wiped before sending.
  Tue, 15 Aug 2006 09:37:41 +0200
Privacy advocates and search industry watchers have long warned that the vast and valuable stores of data collected by search engine companies could be vulnerable to thieves, rogue employees, mishaps or even government subpoenas. Four major search companies were served with government subpoenas for their search data last year, and now once again, privacy advocates can say, "We told you so." AOL's misstep last week in briefly posting some 19 million Internet search queries made by more than 600,000 of its unwitting customers has reminded many Americans that their private searches, for solutions to debt or bunions or loneliness, are not entirely their own.
  Sat, 12 Aug 2006 09:36:23 +0200
Companies are still selling on old hard drives without taking the slightest precaution to wipe business-sensitive data first, a study has found. The BT-funded research, carried out by the University of Glamorgan in Wales, analyzed 317 hard drives purchased second-hand in the U.K., Australia, Germany and the U.S. About 35% to 40% of these turned out to come from businesses, 23% of which contained enough information to identify the specific company that had owned them using only off-the-shelf analysis tools. A shocking 5% held sensitive business information.
Web search leader Google Inc., which stores vast amounts of data on the Web surfing habits of its users, sees government intrusions rather than accidental public disclosures of data as the greatest threat to online privacy, its chief executive said Wednesday. CEO Eric Schmidt told the Search Engine Strategies industry conference here that Google had put all necessary safeguards in place to protect its users' personal data from theft or accidental release. His remarks followed last weekend's discovery by online privacy sleuths that AOL, a key Google search customer, had mistakenly released personally identifiable data on 20 million keyword searches by its users. But Schmidt said a more serious threat to user privacy lay in potential demands on Google by governments to make the company give up data on its customers' surfing habits.
  Sat, 12 Aug 2006 09:34:04 +0200
AOL's release of subscribers' search data is an unprecedented event that could spark a change in Internet privacy rules or it could spark a series of lawsuits, according to experts. Parry Aftab, executive director of wiredsafety.org, which claims to be the world's largest Internet safety and help group, said that if AOL violated its own privacy policy: "A lot of lawyers are going to be looking at the damages here. What were they thinking?"
People concerned their personal information may have been accessed following the theft of a laptop from Vassar Brothers Medical Center inundated a call center fielding inquiries, hospital officials said. "They were overwhelmed with the number of calls today," Dave Ping, vice president for strategic planning and business development, said during a conference call with the Journal Thursday.
A laptop containing the personal identification information of about 133,000 Florida residents was stolen from a government-owned vehicle July 27 in the Miami area, Transportation Department officials announced Aug. 9. The individuals affected include: people in the Miami-Dade County area who hold Florida commercial driver's licenses (CDLs); Florida residents who hold Federal Aviation Administration airman certificates; and people who obtained their personal Florida driver's licenses or CDLs from the Largo licensing facility. The personal information includes names, Social Security numbers, birthdates and addresses. There is no financial or medical information on the laptop PC.
The Transportation Department inspector general's office removed the encryption on a laptop containing the personal information of 133,000 Florida residents about two weeks before it was stolen late last month from a government-owned Chevrolet Blazer parked outside a Miami area cafeteria. Acting Transportation Department Inspector General Todd Zinser said Wednesday that the data is routinely encrypted but it was removed as part of software upgrades, despite an Office of Management and Budget request for all government mobile computer devices containing sensitive information to be encrypted. The laptop is a Dell Latitude model and is believed to contain four databases with the names, Social Security numbers, dates of birth and addresses of 42,792 Florida pilots, 80,667 Miami-Dade County commercial driver's license holders, 9,005 individuals who obtained their personal driver's licenses in the Tampa area and another 491 drivers who obtained their commercial driver's license in the Tampa area.
  Fri, 11 Aug 2006 09:24:39 +0200
Organizations and individuals are still leaving critical data on disks later sold on through online auctions and computer fairs, according to a new study. The research carried out by BT, the University of Glamorgan in Wales and Edith Cowan University in Australia found payroll information, mobile telephone numbers, copies of invoices, employee names and photos, IP addresses, network information, illicit audio and video files, financial details including bank and credit card accounts on hard drives purchased from a number of sources.
  Fri, 11 Aug 2006 09:23:42 +0200
The World Privacy Forum, an advocacy group, blasted AOL for mistakenly releasing data about 20 million search queries conducted by roughly 658,000 of its users during a three-month period from March to May. The records, posted on a company Web page from July 31 to August 6, do not include personally identifiable information. The company has acknowledged, however, that search queries themselves can sometimes include personal information. The WPF called AOL's mistake "a gross violation of its users' privacy" and said that some of the search queries that were released did in fact include individuals' names, Social Security numbers, driver's license numbers, addresses and insurance and banking information.
  Fri, 11 Aug 2006 09:22:42 +0200
Researchers at Kaspersky Lab in Germany have discovered a message board with hundreds of stolen credit card numbers and other sensitive data, including ATM and credit card PIN numbers, names and addresses of cardholders, email addresses, and other account details. The site had been posting the information since August 2005 and, as of last week, there were 60 additional stolen accounts on the site, which contained over 300 credit card numbers, Kaspersky virus analyst Magnus Kalkuhl blogged this week.
  Thu, 10 Aug 2006 09:21:43 +0200
Securing stored data involves preventing unauthorized people from accessing it as well as preventing accidental or intentional destruction, infection or corruption of information. While data encryption is a popular topic, it is just one of many techniques and technologies that can be used to implement a tiered data-security strategy. Steps to secure data involve understanding applicable threats, aligning appropriate layers of defense, and continually monitoring activity logs and taking action as needed.
  Thu, 10 Aug 2006 09:19:28 +0200
At first glance, end users generally don't see regulatory compliance as their top security priority. In fact, according to the 2006 VARBusiness Market Insight Report, a survey of more than 600 midmarket and enterprise IT decision makers, regulatory compliance didn't crack the top three highest spending priorities among companies of all sizes. What did? The executives ranked compliance-focused spending behind investments in security infrastructure, backup and disaster recovery, and networking infrastructure.
  Wed, 09 Aug 2006 09:08:48 +0200
A Freedom of Information enquiry by silicon.com has uncovered the number of laptops stolen from key UK government departments over the past year, raising questions and concerns about sensitive data falling into the wrong hands. The worst affected department was the Ministry of Defence. It reported 21 laptops were stolen between July 2005 and July 2006. The Home Office in total suffered 19 stolen laptops over the past year. Perhaps most worrying among those losses were four laptops stolen from the Identity and Passport Service. The Core Home Office unit suffered seven stolen laptops, while HM Prison Service had eight laptops stolen. The Department of Trade and Industry told silicon.com it had 16 laptops stolen over the past year, while the Department for Work and Pensions reported it had nine laptops stolen. The Department of Health said it had lost 18 laptops, though couldn't clarify whether these were lost or stolen.
  Wed, 09 Aug 2006 09:07:05 +0200
The Department of Veterans Affairs acknowledged today reports that a subcontractor, hired to assist in insurance collections for the VA’s medical centers in Pittsburgh and Philadelphia, has reported a desktop computer containing personal information on some veterans missing from its offices. The "VA’s inspector general, the FBI and local law enforcement are conducting a thorough investigation of this matter," VA Secretary Jim Nicholson said in a statement this afternoon.
  Wed, 09 Aug 2006 09:03:47 +0200
AOL on Monday admitted exposing the personal search data of 658,000 people, and issued an apology for what it called a "screw up." AOL, a unit of Time Warner Inc., made the information available for download through its research site. The people were randomly chosen among users of AOL's search engine from March through May. Each record was stripped of the person's screen name, which was replaced with a number. While it's unclear how long the information was available, it was on the site at least since Saturday and was taken down on Sunday.
  Sat, 05 Aug 2006 09:00:16 +0200
Those who rely on smooth, interactive Web applications like Google Maps and Outlook Web Access may not realize it, but the behind-the-scenes glue holding them together is a combination of programming languages that have come to be known as Asynchronous JavaScript and XML, or Ajax. Unfortunately, attackers have realized that Ajax-based applications are easily exploitable, paving the way for plenty of damage and financial gain. The threat will only get worse and make life more difficult for IT security professionals, Billy Hoffman, lead research engineer with Atlanta-based SPI Dynamics Inc., warned Thursday during a presentation at Black Hat USA 2006. Companies are in a big hurry to add Ajax-based programs to their Web sites to increase functionality, which he said in turn leads to the development of Web applications that are haphazardly thrown together by inexperienced programmers.
Google, Microsoft and Yahoo are among the members of an industry group that will set guidelines for identifying invalid or fraudulent clicks, a source of major problems with advertisers who complain Internet companies unfairly charge them, organizers said Wednesday. The Click Measurement Working Group is a joint effort of the Interactive Advertising Bureau and the Media Rating Council. The group also includes Ask.com, which is owned by IAC/InterActiveCorp; LookSmart and others. Currently, there is no industry-wide method used by Internet companies and advertisers to count clicks and identify invalid or fraudulent ones. As a result, numbers gathered by the two sides separately often differ, leading advertisers to complain that they've been overcharged.
Three years after it first tested how effective the U.S. Customs and Border Protection (CBP) was in screening people entering the United States at land border crossings, the Government Accountability Office retraced its steps and found security there is still full of holes. Using fake identification documents created with commercial software, GAO agents found it was just as easy today to pass through border crossings. Sometimes CBP agents didn’t even look at the documents. GAO has run periodic tests in the past few years that show CBP officers are unable to effectively identify fake documents, said Gregory Kurtz, managing director of GAO’s forensic audits and special investigations, before a Senate Committee on Finance panel Wednesday. U.S. citizens currently don’t need to show their passports to enter the United States from Western Hemisphere countries. They can use birth certificates, baptismal records and a driver’s license or other photo identification instead.
The West Virginia Division of Rehabilitation Services is warning clients that one of its laptop computers containing their personal information has been stolen. The information includes clients' names, addresses, Social Security numbers and telephone numbers. The computer has been missing since July 24, said Tracy Carr, a spokeswoman for the agency in Kanawha County. The agency sent clients a letter on July 26 informing them of the theft.
  Sat, 05 Aug 2006 08:54:32 +0200
A laptop computer stolen last month from a Belhaven College employee contained names and Social Security numbers of college employees, leaving them vulnerable to identity theft. Belhaven College President Roger Parrott confirmed Tuesday the stolen computer contained some personal information on employees. But Parrott said he didn't know how many of the private school's roughly 300 employees' personal information was compromised by the theft. Parrott notified faculty and staff of the situation in a memo July 25.
  Sat, 05 Aug 2006 08:53:07 +0200
More than 10,000 Australian computers have been infected by a trojan virus - invisible to most anti-virus software - that is transmitting their owners' private details to identity thieves. The Australian Tax Office confirmed yesterday that 178 taxpayers had unwittingly revealed their tax file numbers while lodging tax returns online. These people had been notified and were being offered new tax file numbers, a spokesman said. The Tax Office was warned of the infection by the Australian Computer Emergency Response Team (Auscert), which has been issuing similar warnings to banks and other large organisations whose clients' details have been compromised.
Cal Poly has notified 3,020 current and former students that their names and Social Security numbers were on a laptop computer stolen earlier this month from a physics professor's San Luis Obispo home. Cal Poly used names and Social Security numbers on class lists before 2004, according to Vicki Stover, campus information security officer.
  Sat, 05 Aug 2006 00:00:53 +0200
Reading blogs via popular RSS or Atom feeds may expose computer users to hacker attacks, a security expert warns. Attackers could insert malicious JavaScript in content that is transferred to subscribers of data feeds that use the popular RSS (Really Simple Syndication) or Atom formats, Bob Auger, a security engineer with Web security company SPI Dynamics, said Thursday in a presentation at the Black Hat security event here. The problem doesn't affect only blogs--any kind of information feed using any kind of format could potentially be used to transmit malicious content to a subscriber, Auger said. People, for example, subscribe to mailing lists and news Web sites via RSS, he said, noting "this is about the entire concept of Web feeds."
As reports of data being compromised in agencies’ information technology systems mount, policy-makers are responding with efforts to clamp down. Recent cases involving the Department of Veterans Affairs, the Energy Department and the Navy that have exposed personal data, including Social Security numbers, have raised fears of identity theft. The Office of Management and Budget issued a memorandum July 12 detailing the steps agencies should follow to report security incidents. Rep. Tom Davis (R-Va.) introduced a bill also calling for a mandatory reporting process, while DOE issued
Cisco introduced today a configuration-management suite designed to help companies understand the state of each device on their networks and map them to regulatory requirements. The suite, called Proactive Automation of Change Execution, or PACE, includes two new products, two existing products and three consulting services. It's designed to enable detailed compliance reporting for all network changes, and monitors and analyzes the network configuration for things like security vulnerabilities and network resiliency, while also providing control over logins and passwords.
  Tue, 01 Aug 2006 23:53:42 +0200
When compliance auditors dig deep, a company's technology infrastructure, processes and policies need to stand up to intense scrutiny. Companies are looking to technology to prove that they are compliant with Sarbanes-Oxley (SOX), Europe's Basel II, HIPAA and a host of other industry- and country-specific regulations. Ultimately, automating compliance efforts should lead to a company's being able to legally defend how it's managing and protecting information, according to James Kobielus, principal analyst with Sterling, Va.-based Current Analysis Inc. Companies should consider how their processes and infrastructure will stand up to "forensic analysis," he said.
An employee of U.S. Citizenship and Immigration Services distributed the personal and private employment information of thousands of her fellow workers last week, raising concerns that those responsible for granting visas and other immigration benefits could be exposed to outside influence. Top officials at CIS and the Department of Homeland Security, of which CIS is a part, spent last weekend and this week evaluating the extent of the security breach for the 8,700 employees of CIS.
  Sat, 29 Jul 2006 23:52:25 +0200
Personal information on 72 workers' compensation claimants was stolen from Sentry Insurance and later sold over the Internet, the company said. The data sold included names and Social Security numbers but not medical records, Sentry said. Data on an additional 112,198 claimants was also stolen but there is no evidence it was sold, the company said.
  Fri, 28 Jul 2006 23:49:54 +0200
Move over HIPAA, SOX, and PCI. There's a new security compliance standard in town. After nearly three years of consideration, the North American Electric Reliability Council (NERC) has finalized its Critical Infrastructure Protection (CIP) specifications, which require all major utilities on the continent to meet a set of security standards or face financial penalties. The first compliance deadlines are set for the second quarter of 2009.
A laptop stolen from a payroll auditor contains personal information regarding about 12,000 current and former Armstrong World Industries Inc. employees, the company said. The data includes home addresses and phone numbers, Social Security numbers and how much the people were paid. A two-page letter sent by Armstrong last week said the company was not aware of any misuse of the information, and that a password was required to access it on the computer. The laptop was stolen from a locked car belonging to a Deloitte & Touche LLP employee, Armstrong said.
  Fri, 06 Oct 2006 23:47:53 +0200
Two laptop computers with personal information on about 31,000 Navy recruiters and their prospective recruits were stolen from Navy offices in New Jersey in June and July, the Navy disclosed on Wednesday. It was the third time in little more than a month that personal data on Navy personnel has been lost or unintentionally released publicly over the Internet.
  Thu, 27 Jul 2006 23:45:30 +0200
A new Government Accountability Office report concludes that privacy laws do not fully protect personal data when sold by information resellers. GAO suggests that Congress tighten the laws and provide civil penalties to enforce them. The report, released today, examines how financial institutions such as banks, securities firms and credit card companies use personal data obtained from information resellers. Agency officials assessed documents and interviewed major resellers and financial institutions for almost a year.
A laptop computer containing personal information on more than half a million New York state workers has been found after it disappeared May 9 from the offices of a third-party data management company. In a statement today, the company -- Chicago-based CS Stars -- said the laptop belonging to the New York Special Funds Conservation Committee "has been found and secured."
A newly discovered trojan is taking advantage of the growing popularity of Mozilla's Firefox, claiming to be a browser extension to infect PCs. The trojan, called FormSpy by McAfee, is downloaded to PCs already infected with the Downloader-AXM trojan, according to McAfee. Downloader-AXM contacts servers to download malicious software without user knowledge, according to McAfee.
  Wed, 26 Jul 2006 23:42:05 +0200
Attacks where criminals hold kidnapped data for ransom are becoming more sophisticated, a security company said Tuesday. It's only a matter of time before hackers have the upper hand. Although "ransomware" remains relatively rare, Moscow-based Kaspersky Labs stressed in a recently published report that the threat is quickly increasing. "This is the highest point [in ransomware] we've ever seen," said Shane Coursen, senior technical analyst with Kaspersky. "In the number of new instances of ransomware, not in the volume of attacks, we're seeing more types of this than ever before."
  Tue, 25 Jul 2006 23:41:28 +0200
With CIOs in the financial sector coming under increasing pressure to lock down their data, more vendors are touting data forensics as a way to avoid embarrassing and costly storage snafus. (See Enterprises Suffer Breaches and Breaches Stress Need to Improve.) Today, John Mathon, one of the co-founders of business intelligence vendor Tibco, took the wraps off his new company, Mathon Systems, which aims to reduce users' data security worries. (See Mathon Offers Risk Software.) Elsewhere, legal services firm Litigation Solution Inc. plans to launch a new Forensic Vault service to copy data from firms' desktops and portable computers in case of future litigation.
  Tue, 25 Jul 2006 23:40:49 +0200
The watch list that is intended to keep suspected terrorists from entering the United States is too vague and cumbersome to help Homeland Security Department agents quickly weed out legitimate travelers, the agency's inspector general says. Travelers whose names are similar to those on the watch list can be questioned and held for hours before being admitted into the country, according to a report released Monday by Homeland Security Inspector General Richard L. Skinner. That results in "an extremely inefficient use" of border officers' time, Skinner's report concluded.
A 46-year-old man has been charged with stealing the membership database held at the American College of Physicians (ACP) in Philadelphia. William Bailey Jr. of North Carolina, faces a maximum sentence of 55 years in jail and $2.75 million in fines if found guilty of accessing the database and downloading contact details of 80,000 members. Bailey runs a website called dr-411[dot]com, which sells professional organization member databases, including addresses and email addresses for doctors, dentists, lawyers and estate agents. Bailey's website, currently not active, contained adverts for email databases, one of which read, "Physician Email Database - 20,350 emails for $399."
The names, addresses and Social Security numbers of as many as 540,000 injured workers have been lost, and the state and a contracted company are trying to protect the workers from identity theft. In New York, company and state officials said Monday that the data was on computer hardware that is missing from a secured facility of the company, Chicago-based CS Stars, an independent insurance brokerage. Most of the workers are New Yorkers from across the state who are in two special funds of the workers' compensation system. One group is all workers who have a second injury and another is all workers who have a past injury that creates new problems, said state Workers Compensation Board spokesman John Sullivan. The state-owned personal computer provided to CS Stars, "cannot be located," according to a letter the company sent to the people whose information was lost.
  Mon, 24 Jul 2006 23:37:34 +0200
Researchers in Amsterdam say they have completed a device that prevents radio frequency identification tags from being read. The university professor overseeing the project says the goal is to protect people from a technology that is gaining wide acceptance but has the potential to compromise consumer privacy. RFID chips, as small as a grain of sand, are being embedded in people, money, passports, and clothing from T-shirts to shoes. They're being used to monitor vehicle traffic, track inventory and livestock, identify missing pets, and help pharmaceutical companies fight counterfeit drugs. Vrije Universiteit Professor Andrew Tanenbaum said this week that the PDA-size handheld device, dubbed RFID Guardian, beeps, warning a person when an RFID scanner is near and trying to read a chip embedded in a piece of clothing the person might be wearing, for example. "Industry thinks nothing about invading your privacy," Tanenbaum said. "European banks plan to put RFID in money, larger bills. That means a robber can walk down the street with a scanner to find out how much money you have in your pocket and determine who will make the best target." The RFID Guardian runs on a 550-MHz XScale 32-bit processor with 64 MB of RAM that functions as the central nervous system. XScales are often found in PDAs and cellular phones, said Tanenbaum. The protocol stack was written in C to run on top of eCos, an open-source operating system.
Privacy & American Business' In-Depth Special Report analyzes who's affected and how the laws differ. July 20, 2006, Hackensack, NJ: The increasing number of data breaches and constituent concern over identity theft are pushing state legislators to take direct action. So far, 34 states have passed legislation to protect consumers once a security breach occurs. But they are not all the same. How states define a "breach," how and when consumers must be notified, and which security procedures should be set in place are all covered in this must-read electronic issue of Privacy & American Business (P&AB). "Given this state law coverage," said Dr. Alan Westin, President & Publisher, P&AB, "how companies can enhance their data security systems, employee training and oversight programs is now a major challenge to consumer businesses of all sizes." To Notify or Not To Notify? Whether a company that experiences a data breach must take action, and when, depends on the state. This special P&AB In-Depth Report found that "some states operate under the 'no notification required unless there is reasonable harm' standard," such as Connecticut and Delaware. Other states like California and Georgia, on the other hand, require that consumers be notified immediately upon learning about any breach. "These new laws raise many issues, primarily how companies are being asked to buttress waning consumer trust, which lies at the heart of compliance," said Lorrie Sherwood, Executive Director, P&AB. "This report is so important to business because understanding how the laws differ from state to state is essential in helping companies with offices and branches across several states to form overall strategies for compliance." To receive your copy today: for a copy of this special issue or to become a P&AB subscriber, visit www.pandab.org to download the order form, or contact Diane Gamgochian at info@pandab.org or (201) 996-1154.
  Fri, 21 Jul 2006 23:35:48 +0200
The Energy Department finalized a rule that essentially requires all employees and contractors to give up any expectations of privacy when using agency computers. DOE's rule, which will become effective Aug. 18, also specifies that members of the public who interact with DOE computers via e-mail likewise have no promise of privacy.
  Fri, 21 Jul 2006 23:35:11 +0200
Rep. Tom Davis (R-Va.) introduced today legislation that would require federal agencies to notify the public when they have data breaches involving sensitive information. The bill would amend the Federal Information Security Management Act, and is a response to several recently reported data thefts, including one at the Energy Department that did not become publicly known for more than a year.
AT&T will pay a $550,000 settlement to end an investigation into its handling of customers' telephone information. The company recently agreed to pay the money on behalf of SBC, which acquired AT&T and adopted its name. The companies cooperated with the enforcement bureau of the Federal Communications Commission during an investigation into whether customer confidentiality was breached. The payment, due within 30 days, does not constitute an admission of wrongdoing, according to language in the agreement.
The department has come under heavy criticism recently -- and become the butt of jokes by late-night comedians -- due to its decision in May to cut urban antiterror funding to major metropolitan areas and an inspector general's report last week that found a national database of vulnerable targets rife with locations that pose no security risk. The IG cited more than 32,000 assets out of about 72,000 in the database that "are not nationally significant," including a Mule Day Parade in Columbia, Tenn.; an Old MacDonald's Petting Zoo in Woodville, Ala.; an Amish popcorn factory in Berne, Ind.; a bean festival in Mountain View, Ark.; and the Kangaroo Conservation Center in Dawsonville, Ga.
  Thu, 20 Jul 2006 23:31:51 +0200
First, the good news: IT administrators have a ton of data about information security. The bad news, of course, is that IT administrators have a ton of data about information security. The proliferation of events and alerts from a wide variety of security systems, services, and applications is causing headaches for IT administrators and stirring a growth market for security information management tools, according to a new report from Dark Reading.
SecureWorks announced that it has seen a dramatic increase in the number of hacker attacks attempted against its banking, credit union and utility clients in the past three months using SQL Injection. "From January through March, we blocked anywhere from 100 to 200 SQL Injection attacks per day," said SecureWorks CTO Jon Ramsey. "As of April, we have seen that number jump from 1,000 to 4,000 to 8,000 per day," said Ramsey. "The majority of the attacks are coming from overseas," said Ramsey. "And although we certainly see a higher volume with other types of attacks, what makes the SQL Injection exploits so worrisome is that they are often indicative of a targeted attack." This is a type of attack where the hacker has targeted a particular organization, versus a worm which spreads indiscriminately.
Microsoft Corp. on Tuesday announced it was acquiring privately owned Winternals Software, an Austin, Texas developer of recovery and data protection tools, and the host of the well-known Sysinternals free toolset. Winternals co-founder Mark Russinovich will join Microsoft's Platforms and Services group as a technical fellow, the Redmond, Wash. giant said in a press release. Bryce Cogswell, the company's other co-founder, will head to Microsoft's Core Operating Systems division as a software architect.
  Mon, 17 Jul 2006 23:29:36 +0200
Does everyone at your company know what data shouldn't be stored on laptops or removable storage devices? Do they know where they can and can't take these devices? Is there a clear company policy on data that needs to be encrypted?
  Mon, 17 Jul 2006 23:28:39 +0200
Agencies must now report even suspected breaches of personal information within one hour of discovery, according to an Office of Management and Budget policy memo. The memo revises a policy that set various reporting deadlines based on the incident.
  Mon, 17 Jul 2006 23:28:03 +0200
The White House has set an early August deadline for government agencies to encrypt sensitive data after the embarrassing theft of millions of veterans' personal information, but experts warn a quick technology fix will not cure security problems. While encryption and other security technology can help, slipshod handling of data and equipment, poor training and the slow moving government bureaucracy are seen as the main causes of vulnerability.
On the surface, the results of the 11th annual CSI/FBI Computer Crime and Security Survey are positive, with fewer companies reporting financial loss from data breaches compared to last year. But a majority of companies are still reluctant to report security breaches to law enforcement, suggesting that the survey isn't capturing the full extent of the problem. The Computer Security Institute (CSI) and the San Francisco Federal Bureau of Investigation's (FBI) Computer Intrusion Squad released their 2006 report Thursday after surveying 616 computer security practitioners in U.S. corporations, government agencies, financial and medical institutions and universities. The average loss reported by respondents was $167,713, an 18% decrease over last year's average loss of $203,606.
The Markle Foundation released its third and final report today on how to improve information sharing while protecting civil liberties and enhancing national security. The Markle Task Force on National Security in the Information Age released the report, "Mobilizing Information to Prevent Terrorism: Accelerating Development of a Trusted Information-Sharing Environment" at the Brookings Institution, a liberal think tank in Washington, D.C.
  Mon, 17 Jul 2006 23:25:07 +0200
An inexpensive handheld electronic reader can access the information by touching the experimental chips, which might be placed on a painting, a photo, a bracelet or virtually anything else. The stored information might include video, sound and text. Company officials were cautious about potential commercial applications, but said the technology might be used to store audio that could be read back from photographs, for example. Or, it could be used to read and modify electronic medical information in a medical patient’s ID bracelet.
U.K. companies must protect customer data even if they send the data overseas for outsourcing. The British Information Commissioner's Office said this week that companies are responsible for data protection. They can be punished for breaches, no matter where they occur and no matter how the information gets out. The ICO recently issued new, stricter guidelines for protecting personal information under the Data Protection Act.
  Fri, 14 Jul 2006 23:23:00 +0200
Radio frequency identification technology is receiving some welcome attention this week from worldwide standards groups and governments in Europe and United States. In one important development, Sen. John Cornyn (R-Texas) and Sen. Byron Dorgan (D-N.D.) will co-chair a RFID Caucus set to take place in Washington, D.C. on Thursday. U.S. government officials are trying to stay on the leading edge of RFID research and development by pushing back hype and better understanding the technology. "It's a collaborative effort between industry and government that will help officials better understand what the technology can and can't do," said Erik Michielsen, director at ABI Research.
Reports of a hack into U.S. State Department IT systems raise concerns about data security in the federal government to a whole new level. Unlike the laptop thefts that have plagued the Veterans Affairs and Agriculture departments, Federal Trade Commission, and Internal Revenue Service in recent months but gave thieves access to a finite amount of information, the State Department faces the daunting task of clearing up a breach that reportedly gave attackers access to data and passwords that could open the door to future attacks. The June computer break-ins and subsequent discovery limited Internet access at many State Department locations, including its Washington headquarters, and inside the Bureau of East Asian and Pacific Affairs, the Associated Press reported Wednesday. Word of the attacks comes at a particularly delicate time for the State Department, which has been involved in critical diplomatic negotiations with North Korea following that country's testing of nuclear missiles earlier this month.
William Sams, the CIO of Ohio University in Athens, Ohio, has submitted his resignation weeks after the university disclosed a series of information security breaches that exposed the personal information of tens of thousands of students and alumni. Sams will continue in his role until a replacement is found, according to a statement on the university's Web site.
  Thu, 13 Jul 2006 23:20:23 +0200
If you think your company has actually experienced fewer security violations in the last year than it did the year before, and lost less money as a result, you're not crazy. In fact, according to a new report that will be issued tomorrow by the FBI and the Computer Security Institute, you may even be normal.
IBM and Marnlen RFiD announced a new collaboration on the next critical step of enabling consumer privacy protection for RFID tags -- the potential production of smart radio frequency identification (RFID) labels using IBM Research's Clipped Tag privacy technology and Marnlen's state-of-the-art label manufacturing facilities. The Clipped Tag technology, developed at IBM's Watson Research Center, allows consumers to tear off a section of the tag. This reduces the tag's read range to just a few inches, protecting consumer privacy while maintaining the benefits of the technology, such as product authentication or recalls. IBM and the Toronto-based Marnlen RFiD have agreed to explore the future use of the Clipped Tag technology for radio frequency tagging labels. Marnlen manufactures custom and standard flexible RFID labels at its production line in Markham, Ontario where its new high-speed RFID label converting equipment is in production. Labels containing RFID tags are being used in a wide range of industries to streamline shipping and inventory systems, track valuable parts and equipment and to authenticate products.
  Thu, 13 Jul 2006 23:18:22 +0200
More than one-third of employers have eliminated a candidate after digging up "digital dirt," according to ExecuNet. In a recent survey of 100 executive recruiters, 35 percent said they dropped a job candidate because of information uncovered online. That is up from 26 percent just one year ago, according to ExecuNet, an executive job search and recruiting network.
CISOs looking for guidance from the National Infrastructure Protection Plan (NIPP) released on June 30 by the Department of Homeland Security (DHS) may be scratching their heads for some time to come. The final NIPP (.pdf), published after two earlier drafts were savaged by IT industry officials for downplaying the increasing risk from cyberattacks, at least glancingly mentions the imperative of protecting networks and servers. However, critics say that for what is intended to be a comprehensive risk management framework for the nation's infrastructure, details are skimpy and emphasis is lacking. Thomas Lehner, director of public policy for the Business Roundtable, a lobbying group for Fortune 500 CEOs, said he was encouraged that the final NIPP included more references to cybersecurity. He cited document language basically stating that the interconnected and interdependent nature of the nation's critical infrastructure and key resources makes it problematic to address the protection of physical and cyber assets independently.
Illinois became one of the first states in the nation to make it illegal to pretend to be an account holder in order to gain cell phone records and other personal information, according to the Electronic Privacy Information Center. EPIC praised Gov. Rod R. Blagojevich this week for signing a law outlawing the practice as part of the state's ongoing efforts to protect consumer privacy. While cell phone pretexting has gained much public attention, Illinois' new law also applies to accessing other types of accounts to gain personal information, including OnStar data, a person's physical location, dating service information and post office boxes.
  Wed, 12 Jul 2006 21:23:28 +0200
The buying and selling of customer data is a multibillion-dollar, unregulated business that's growing larger by the day. Companies are selling information about you, and your company is probably selling data about its customers. Consumers are growing more concerned amid an endless string of data thefts and losses. Want a list of 3,877 charity donors in Detroit? USAData will sell it to you for $465.24. How about 3,797 cat owners in Peoria? Available for $455.64. Interested in data on graduating high school seniors? The College Board sells that to 1,700 colleges and universities for 28 cents a kid. Then there are those who obtain cell phone and credit card records illegally and sell them to private investigators, law enforcement, and angry spouses planning a divorce. It's a messy situation that's attracting the attention of legislators and government agencies. Businesses could find themselves in a jam if they aren't careful how they buy, sell, and handle customer data; if they don't live up to their published privacy policies; and if they don't protect that data with ironclad security.
NEWARK, N.J.--In closing arguments, the prosecution told the jury Monday that the former systems administrator accused of planting a logic bomb on the UBS PaineWebber network four years ago thought he had committed the perfect crime -- mixing revenge with a scheme to cash in on the destruction he was causing. Assistant U.S. Attorney Mauro Wolfe gave his closing arguments to the jury in U.S. District Court here for more than two hours Monday. He told jurors that Roger Duronio, the defendant in this computer sabotage case, was the man with the motive, the means, and the ability to do the crime. And on top of that, copies of the trigger for the logic bomb were found in his home. Duronio faces four federal criminal charges in connection with the March 4, 2002, attack on UBS that took down nearly 2,000 servers and crippled its brokers' ability to do business. The trial has moved into its sixth week. The defense will have its turn at closing arguments Tuesday morning, and then the government will have an opportunity for a shorter rebuttal argument.
Why are business technology professionals so ambivalent about IT security? They acknowledge that the threats to computer systems keep growing in number and sophistication, yet they think they've got the problem under control. For the naively confident, there could be costly consequences for their companies and customers. InformationWeek Research's ninth annual Global Security Survey, conducted in partnership with Accenture in May and June, shows across-the-board threats to business computing environments. Fifty-seven percent of U.S. companies surveyed report being hit by viruses in the past year, 34% by worms, and 18% by denial-of-service attacks. Network attacks and ID theft were experienced by 9% and 8%, respectively. It's no wonder that 48% of the 2,193 security professionals and business technology managers who completed the survey say managing the complexity of security is their top challenge.
In the past year, 84 percent of enterprises, as well as state and local governments, reported some type of security breaches, according to a new survey released by Computer Associates International. The survey also found that security breaches have increased 17 percent in the last three years, according to the survey released by the Islandia, N.Y., IT management software company on July 5.
As I have detailed in several columns for this site, many security breaches and data thefts have recently occurred at companies and government agencies within the United States. In this column, I'll turn to another related, and also worrisome data security problem: Thefts of personal data that occur overseas or "offshore," as major American corporations outsource their data processing and customer service operations to other countries to cut costs. I'll inquire whether U.S. customers have any legal recourse if they are victims of identity theft resulting from these security breaches. In addition, I'll argue that Congress should take a hard look at this problem - but I'll also suggest that, in the end, self-regulation by the multinationals that are outsourcing the data may be the best solution.
  Tue, 11 Jul 2006 21:17:50 +0200
Every IT manager could use an extra hand. Outsourcing security responsibilities is how many businesses fill gaps in their IT resources to keep up with the growing threats they face. Outsourcing proves especially valuable to small and midsize businesses that lack the resources to manage firewalls, antivirus efforts, and intrusion detection and prevention around the clock, something bigger businesses usually can do more easily.
DETROIT - The Bush administration Monday asked a federal judge to dismiss a lawsuit challenging the National Security Agency's domestic eavesdropping program, arguing that defending the four-year-old wiretapping program in open court would risk national security. In arguments before U.S. District Judge Anna Diggs Taylor in Detroit, the American Civil Liberties Union Monday renewed its call for a court order that would force the government to suspend its program of intercepting without a court order the international phone calls and e-mails of U.S. citizens.
  Tue, 11 Jul 2006 21:15:35 +0200
Use of radio frequency identification tags within the U.S. Visitor and Immigrant Status Indicator Technology program has been applied with privacy protections but has not been adequately configured and tested to ensure that those protections are effective, according to a new report from the Homeland Security Department inspector general. The RFID tags currently are being used on Form I-94 documents issued to foreign visitors at several U.S. land ports of entry. As of December 31, 2005, US Visit had issued 149,414 RFID-enabled Form-I-94s to travelers, DHS Inspector General Richard Skinner said.
  Tue, 11 Jul 2006 21:13:40 +0200
Joe Morales, a prosecutor in Denver, can remember when crack came to his city in the 1980s. Gangs set up on Colfax Avenue and in the Five Points neighborhood, and street crime - murders and holdups - grew. When methamphetamine proliferated more recently, the police and prosecutors at first did not associate it with a rise in other crimes. There were break-ins at mailboxes and people stealing documents from garbage, Mr. Morales said, but those were handled by different parts of the Police Department. But finally they connected the two. Meth users - awake for days at a time and able to fixate on small details - were looking for checks or credit card numbers, then converting the stolen identities to money, drugs or ingredients to make more methamphetamine. For these drug users, Mr. Morales said, identity theft was the perfect support system.
  Fri, 07 Jul 2006 21:12:30 +0200
Large numbers of companies are taking risks with data protection because they are not aware of the requirements of the law. Nearly half (44%) of companies use live data in test environments -- something the 1998 Data Protection Act warns against explicitly, according to a recent survey of IT directors by Compuware. Half the directors (48%) were only 'vaguely familiar' with the Act itself, according to the research, which highlights the importance of understanding the demands and keeping track of how customer data is treated. A further "83% used only minimal measures such as using non disclosure agreements (NDA) to control data when outsourcing," said Ian Clarke, worldwide enterprise solutions director at Compuware.
Hackers have penetrated internet banking facilities and gained access to the accounts of clients of three major banks, the Cape Times reported on Tuesday. Its website said hackers had in the past three months gained access to the online accounts of clients from First National Bank, Standard and Absa banks.
  Fri, 07 Jul 2006 21:09:04 +0200
University of Tennessee system officials are notifying around 36,000 employees and other individuals affiliated with UT that a hacker has broken into a computer that held personal information about them. "Although we have no indication the hacker accessed or used the personal information, we are taking the precaution of notifying everyone whose information was on the database and urging them to take steps to protect themselves," said Brice Bible, assistant vice president for information technology.
Automatic Data Processing, one of the world's largest payroll service companies, confirmed to ABC News that it was swindled by a data thief looking for information on hundreds of thousands of American investors. According to a company spokeswoman, ADP provided a scammer with personal information of investors who had purchased stock through brokerages that use ADP's investor communications services. Initial reporting indicates that these firms include a number of brand-name brokers, including Fidelity Investments and Morgan Stanley. A Fidelity spokesman says the data breach compromised 125,000 of the 72 million active accounts at the brokerage.
A new password-stealing Trojan targeting players of the popular online game "World of Warcraft" hopes to make money off secondary sales of gamer goods, a security company warned Tuesday.
  Fri, 05 May 2006 00:03:52 +0200
Security Matters: When technology serves its owners, it is liberating. When it is designed to serve others, over the owner's objection, it is oppressive. There's a battle raging on your computer right now -- one that pits you against worms and viruses, Trojans, spyware, automatic update features and digital rights management technologies. It's the battle to determine who owns your computer.
  Fri, 05 May 2006 00:03:18 +0200
Layer 7 Technologies on Tuesday said it has added the ability to enforce rules across its line of XML security products for service-oriented architectures, a reflection of the industry's move toward more mature security. The enhancement is included in the 3.5 Security operating system, an upgrade of the OS for Layer 7's SecureSpan family of XML gateways and firewalls. The new version was unveiled Tuesday at the Interop conference in Las Vegas, Nev.
  Fri, 05 May 2006 00:02:22 +0200
The federal government is intervening in a lawsuit over the National Security Agency's surveillance program and trying to get the case dismissed. The Electronic Frontier Foundation filed a class action lawsuit in California in January, accusing AT&T of cooperating with the NSA surveillance program. The U.S. Department of Justice responded last week with a notice stating it plans to intervene in order to protect military and state secrets privilege and request dismissal.
  Fri, 05 May 2006 00:00:55 +0200
IBM Corp. says it has developed a feature limiting the distance a radio frequency identification chip embedded in a tag can transmit information.
The Clipped Tag gives consumers the option to disable RFID tags on items after purchase and enables companies to use the information on the tag to identify product returns or recalls, an IBM executive said in an interview with TechWeb.
Personal technology has a way of working its way into corporate settings, often to the benefit of workers and to the dread of IT staffers who must support and secure the technology, or--at the very least--monitor its use. While cell phones and PDAs have proven their value as business tools, security concerns over USB-pluggable memory drives may outweigh any benefits they provide to the workplace.
Iron Mountain Inc., a Boston data-storage firm, apologized yesterday for losing personal data, including Social Security numbers, for thousands of Long Island Rail Road employees.
LONDON, UK -- A new study finds that European businesses are unable to deal with the vast amount of data generated from security devices such as firewalls and anti-virus software. The study, sponsored by Micromuse -- which was recently acquired by IBM -- reports that almost a third (30%) of IT directors questioned admitted that the amount of security data generated is far too great for them to examine to identify potential security threats.
  Wed, 03 May 2006 00:16:09 +0200
The National Institute of Standards and Technology released technical guidelines on how federal agencies should manage security logs. The guidelines cover log generation, transmission, storage, analysis and disposal.
  Wed, 03 May 2006 00:14:24 +0200
Management vendors at Interop will be looking to help companies address compliance requirements with automated tools. LogLogic plans to announce a version of its compliance suite for data regulated by the Payment Card Industry (PCI) standard. The suite, priced starting at $9,999 and available now, collects logs generated by credit card transactions and creates reports and alerts based on the data, company officials say. These reports help companies ensure and prove that they are in compliance with PCI, a standard developed by credit card issuers to protect credit card information that includes detailed technical requirements.
The Social Security numbers of potentially millions of registered voters in Ohio were included on CD-ROMs distributed to some 20 political campaign operations in recent months as campaigns geared up for spring primary election races. The problem was discovered Tuesday when one of the political campaigns contacted the Ohio secretary of state’s office to say that the personal data was on the discs, even though it wasn’t requested, said James Lee, a spokesman for Secretary of State J. Kenneth Blackwell.
  Wed, 03 May 2006 00:12:24 +0200
WASHINGTON -- An intruder gained access to a Defense Department computer server and compromised confidential health care insurance information for more than 14,000 people, the department said Friday. William Winkenwerder Jr., the assistant defense secretary for health affairs, said the affected individuals have been advised by letter that the compromise of personal information could put them at risk for identity theft.
  Wed, 03 May 2006 00:11:52 +0200
MasterCard International said today it is responding to a "potential" security breach at a U.K.-based retailer – but would not confirm whether any of its cardholders were affected. "Because this is an ongoing investigation, we cannot disclose specific details regarding the incident or comment, other than to say that we are cooperating and we have notified the banks that issue MasterCard cards to monitor for any suspicious account activity and take the necessary steps to protect cardholders," read a MasterCard statement issued today.
  Sat, 29 Apr 2006 01:11:25 +0200
Smart phones, iPods and USB memory sticks are posing a real risk for businesses, warn security experts. Just over half of companies take no steps to secure data held on these devices, found a UK government-backed security survey. Now security firms are developing ways to help firms control access to the confidential data held on the gadgets.
The government needs to establish clear lines of authority and clarify responsibility for an effective national information assurance policy, former presidential adviser Paul Kurtz said Thursday. "We have a growing body of law and regulation bearing on information security," Kurtz said at the GovSec conference in Washington. But, "we are not ready for a major disruption of the information infrastructure today, and we have a long way to go to get there."
  Sat, 29 Apr 2006 01:08:01 +0200
Morgan Stanley customers in the UK are the latest to have been hit by a major security breach that has resulted in thousands of MasterCard credit card details being stolen by fraudsters. silicon.com yesterday exclusively revealed how at least 2,000 MasterCard holders have had their credit card details compromised.
  Sat, 29 Apr 2006 01:06:54 +0200
Health insurer Aetna on Wednesday said a laptop computer containing personal information on about 38,000 of its members was stolen from an employee's car. The data includes names, addresses and Social Security numbers, spokeswoman Cynthia Michener said. No personal banking information or health claim data was on the laptop, she added. The members are employees of two companies that are Aetna customers, the company said in a statement. Michener said the two companies had asked that their names not be disclosed.
A new national survey of top-ranked universities and colleges shows these schools' online privacy policies aren't nearly as stellar as their scholastics. Many fail to properly secure sensitive data and to adequately explain just what happens to information provided during online transactions. "Privacy is a lot more than just data breaches," explained Mary J. Culnan, a management and IT professor at Bentley College in Waltham, Mass., who led the study done with MBA candidate Thomas J. Carlin. "Another element is letting people know how their information is being used."
  Fri, 28 Apr 2006 06:32:09 +0200
Security researchers and legal experts have voiced concern this week over the prosecution of an information-technology professional for computer intrusion after he allegedly breached a university's online application system while researching a flaw without the school's permission.
Leveraging HP Services’ expansive global reach and RFID implementation expertise, and BEA’s industry-leading BEA WebLogic® RFID products, the two companies have agreed to provide complete, standards-based RFID solutions designed to help manufacturers, retailers, distributors, transportation and other industry customers streamline supply chain operations and realize a wide range of business benefits. BEA and HP are building a comprehensive portfolio of RFID solutions targeting four key areas: Retail Operations and Asset Management – to help enhance retail operations and supply chain management with RFID; RFID Compliance and Tagging Solution for Suppliers – to provide a low-risk, cost-effective way to meet RFID mandates and establish the foundation for an adaptive, digital supply chain; Reusable Asset Tracking – to help track and trace high-value reusable assets, including roll cages, racks, totes and containers; Safe and Secure Supply Chain – to help track and secure the flow of goods across the entire supply chain and ensure compliance to RFID regulatory guidelines.
BellSouth unveiled last week a service that allows its business DSL customers to encrypt outgoing e-mail for enhanced security and privacy. BellSouth Secure Mail works with customers' Microsoft Outlook or Outlook Express e-mail software to encrypt and deliver confidential information over the Internet. Unencrypted e-mail can be intercepted, read and changed by hackers without a recipient's knowledge, BellSouth says.
The increasing use of e-mail by consumers and businesspeople alike is making it a more attractive target for hackers and criminals, according to a study from IronPort Systems' Threat Operations Center that looks at the ancillary costs of dealing with spam. The study, "Internet E-mail Traffic Emergency: Spam 'Bounce' Messages Are Compromising Networks," found that "bounce messages" -- those that get returned to the sender -- make up 11 percent of all "hostile mail," including spam, viruses and phishing messages. E-mail users often receive notifications saying, "The message you sent could not be delivered because it contained a virus." But often, these notices come from an address the user doesn't know or has never sent mail to.
  Thu, 27 Apr 2006 17:48:38 +0200
Oracle is readying a new add-on to its enterprise database software that will give users more control over how their data is accessed. Called Database Vault, the software will be introduced Wednesday at Oracle's Collaborate 06 User Group Conference, in Nashville, Tenn. The product includes new security mechanisms that can be used to place further restrictions on what certain privileged users, such as database administrators (DBA), can do, said Wynn White, senior director of security and identity management with Oracle. "What we're announcing here is the industry's first database security solution to restrict superuser and privileged user access," he said.
The good news about privacy and the Health Insurance Portability and Accountability Act is that more than 80 percent of companies involved in health care have technology and processes in place to provide the level of patient-privacy protection required by the 1996 law.
  Thu, 27 Apr 2006 17:45:15 +0200
The Homeland Security Department has successfully tested e-passports in a live environment, the department’s second in command announced today. The U.S. Visitor and Immigrant Status Indicator Technology (US-VISIT) program tested e-passports and e-passport readers at San Francisco International Airport from Jan. 15 to April 15, said Michael Jackson, DHS’ deputy secretary, in a statement.
The Department of Health and Human Services has quietly made an agreement with the Homeland Security Department to share personal information about airline passengers in an effort to deal with a potential pandemic. A spokeswoman for the Centers for Disease Control and Prevention confirmed the deal’s existence, but CDC, HHS and DHS officials would not comment on its details. CDC has been trying to enact a regulation that would allow it to collect airline passenger information to manage a potential pandemic. That proposal has drawn criticism from airlines, travel agents and privacy advocates. The groups have been filing opposing comments since November 2005. HHS apparently made the agreement to obtain much of the airline passenger data from DHS before CDC issued its proposed rule.
After a high-profile security breach exposed personal data about thousands of customers, LexisNexis found that being forthright was the best approach, according to a company executive. By being forthcoming with the public and victims the company survived with minimal impact, said Leo Cronin, LexisNexis senior director for information security, Tuesday at the Infosec Europe 2006 conference in London. The security breach hit LexisNexis, which is owned by Reed Elsevier PLC, early last year. "I think that's why we were so successful in dealing with this," Cronin said of the decision to be open and direct about the breach. LexisNexis is breaking its silence over the incident to help educate and get feedback about approaches to breaches, he said.
As web apps become more secure, stolen laptops have become one of the easiest ways to break into corporate networks. High-profile firms such as Fidelity and Ernst & Young, along with celebrities such as Kevin Costner, have lost laptops in recent months. Concern over these thefts has focused on the exposure of data left on the devices. But the potential to use stolen kit to lift user credentials also poses a grave risk.
  Thu, 27 Apr 2006 17:39:47 +0200
Online fraudsters and data thieves are more frequently using bot networks to get home and business PCs to do their bidding, with some estimates of the number of infected systems as high as 47 million.
  Thu, 27 Apr 2006 17:36:27 +0200
A national survey of privacy practices found that only 65 of the top 236 doctoral universities and liberal arts colleges in the U.S. have privacy notices linked to their home page, in spite of the fact that almost all of these schools engage in practices that put individuals’ privacy at risk.
Is IM use in your enterprise a security risk? Many organizations can’t answer that question because they don’t know how their employees use IM. For perspective, consider this: IM use in the enterprise is rampant, and the number of IM aficionados continues to grow. Enterprise IM users currently number 40 million, reports IDC, which anticipates 140 million IM users by 2009.
In response to growing customer concern over the security of their data, EMC Corporation, the world leader in information management and storage, today unveiled a comprehensive, information-centric approach to helping organizations secure their critical information. As part of its growing portfolio of security-enhanced products and services, the company also announced the EMC Assessment Service for Storage Security and the availability of digital rights management software through its recent acquisition of Authentica, Inc.
  Tue, 25 Apr 2006 23:18:43 +0200
A crook used stolen credit card information to buy a laptop computer after an Edmonton company dumped 2,606 credit and debit card sales receipts in an unlocked dumpster, says the Information and Privacy Commissioner's office. Monarch Beauty Supply came to the attention of Information and Privacy Commissioner Frank Work last September after Edmonton city cops advised that someone had turned over documents containing personal information from the Monarch Beauty Supply store in west Edmonton. The documents included the store's daily financial records along with customer credit and debit sales receipts containing customers' names, credit card numbers, expiry dates, customers' signatures and debit card numbers.
  Tue, 25 Apr 2006 23:16:43 +0200
PC users hoping to sell or donate their used computers should be forewarned: There is likely personal information remaining on them. A recent Symantec examination of five used PCs purchased at pawn shops showed their previous owners failed to completely erase the hard drives, giving the research team access to sensitive data, including Social Security numbers, real estate transactions, bank account information and company directories. "The key problem here is that customers don't view their computers as an extension of their wallets from the perspective of protecting their identity," said Eoghan O'Donnell, the company official responsible for transaction security in Symantec's Consumer Products and Solutions division. "Would you ever throw away your wallet without removing your money, bank and credit cards first? I don't think so."
  Tue, 25 Apr 2006 00:38:43 +0200
Spam blogs are a big headache for Taylor Bayouth. He wants the Web site he founded, tBlog.com, a combination social network and blog publishing platform, to parse the words of its more than 200,000 members to update their profiles every time they post. Bayouth believes the "thought matching" system would be unique. But one of the biggest roadblocks he faces - besides competing against much bigger competitors, like MySpace.com - is the amount of spam blogs that hit his site. "Spam is our No. 1 enemy," he says. "This is what we battle with on a daily basis. Spam could literally just kill this thing."
ATLANTA, Georgia (CNN) -- A bomb scare that led authorities to evacuate security checkpoints at Atlanta's Hartsfield-Jackson International Airport on Wednesday was the result of a "software malfunction," Transportation Security Administration Director Kip Hawley said. While screening carry-on luggage, a TSA employee identified the image of a suspicious device but did not realize it was part of routine testing for security screeners because the software failed to indicate such a test was under way, Hawley said.
  Tue, 25 Apr 2006 00:36:02 +0200
WHITE PLAINS, New York (AP) -- New York's Westchester County has enacted a law designed to limit identity theft by forcing local businesses to install basic security measures for any wireless network that stores customers' credit card numbers or other financial information.
  Tue, 25 Apr 2006 00:35:14 +0200
Research carried out this Easter outside Victoria Station in London has found that 81 percent of people were willing to part with all the personal information needed to steal their identity for the chance to win an Easter egg. The survey by Infosecurity Europe was carried out to raise awareness of the dangers of giving personal information to strangers who could then commit identity theft. The researchers presented the survey as research into the significance of Easter, telling commuters that if they took part in the survey they would be entered into a drawing for an Easter egg bonanza worth £60 ($110).
Electronic records of nearly 200,000 people, from students to corporate recruiters, have been accessed illegally at the University of Texas' McCombs School of Business, the university announced Sunday. UT President William Powers Jr., speaking at a hastily called news conference, urged anyone with ties to the business school to take steps to guard against identity theft, the unauthorized use of someone's personal information to obtain goods, services, loans and the like.
  Tue, 25 Apr 2006 00:31:48 +0200
Online bank customers may want to pay a little more attention to their browsers the next time they log in, because many of the most popular banking sites in the U.S. may be needlessly placing their customers at risk to online thieves, a noted security researcher warned Thursday. At issue are the user login areas that can be found on banking sites such as Chase.com and Americanexpress.com, which ask users to submit their user ID and password information. Although these forms may be encrypted, they do not use authentication technology to prove they are genuine, according to Johannes Ullrich, chief research officer at the SANS Institute.
20.04.2006 - The Government is set to complete a project to begin including biometric information in all passports by October. The project is expected to cost €8.8m this year. The new biometric passport incorporates several security features. A special code is used to write data to the microchip, which is protected by a secure electronic ‘key’. An additional access code guards against electronic eavesdropping or ‘skimming’ of information on the microchip.
The departments of Health and Human Services and Homeland Security have a secret agreement to exchange airline passenger information as part of a Centers for Disease Control and Prevention plan to help combat pandemic flu, the Air Transport Association (ATA) said in a filing with the CDC. Barry Steinhardt, director of the Technology and Liberty Program at the American Civil Liberties Union said that such an agreement raises serious privacy concerns and appears to violate an agreement between the United States and the European Union. That agreement limits the exchange of foreign carrier passenger information to help combat terrorism and crime.
  Tue, 25 Apr 2006 00:29:29 +0200
Federal prosecutors charged a San Diego-based computer expert on Thursday with breaching the security of a database server at the University of Southern California last June and accessing confidential student data. A statement from the U.S. Attorney for the Central District of California names 25-year-old Eric McCarty as the person who contacted SecurityFocus last June with news of a flaw in the Web server and database system used to accept online applications from prospective students. SecurityFocus notified the University of Southern California of the vulnerability and worked with the university to close the flaw before publishing an article about the issue.
  Tue, 25 Apr 2006 00:28:14 +0200
An Oregon man was fined $84,000 for scamming users with bogus security warnings that led them to a phony anti-spyware program, the Washington state attorney general said Tuesday. In January, both Microsoft Corp. and Attorney General Rob McKenna filed lawsuits against Secure Computer of White Plains, N.Y. for allegedly selling the bogus anti-spyware program Spyware Cleaner. Three men were also charged with advertising the software: Zhijian Chen, of Portland, Ore.; Seth Traub, of Portsmouth, N.H.; and Manoj Kumar, from Maharashtra, India.
  Tue, 25 Apr 2006 00:27:43 +0200
Telecommuting has become a way of life as more companies let employees work from home to do jobs that might otherwise be done on corporate premises. As a result, IT managers are adapting security policies to encompass home PCs.
  Tue, 25 Apr 2006 00:27:19 +0200
Three years after federal rules governing privacy of patients’ medical records went into effect, compliance seems to have declined, according to an annual survey conducted by the American Health Information Management Association (AHIMA).
MANHASSET, N.Y. — As many as 25 million wireless phone subscribers in North America could be using their mobile phones as mobile wallets by 2011, according to a report by market research firm In-Stat. In-Stat (Scottsdale, Ariz.) reported that unlike M-commerce, the mobile transaction concept touted in the 1990s that never took hold, the mobile wallet is a more versatile application that includes elements of mobile transactions, as well as other items one may find in a wallet, such as membership cards, loyalty cards, and other forms of identification.
Don't worry about Boot Camp exposing Apple Computer Inc.'s operating system to malware, viruses and worms, says a Gartner Inc. analyst who insists Apple's move to Intel processors will not expose the system to security vulnerabilities, at least not today.
More than four years after the September 11 terrorist attacks, the U.S. government still lacks adequate policies and procedures for sharing sensitive and terrorism-related information, according to a Government Accountability Office report issued today.
  Thu, 20 Apr 2006 09:25:45 +0200
Code Green Networks, a startup founded in 2004 by brothers and former SonicWall co-founders Sreekanth Ravi and Sudhakar Ravi, in early April began shipping a content security appliance designed to help companies protect against sensitive information leaks. The Content Inspection appliance identifies sensitive data in corporate networks and monitors outbound traffic to ensure that it’s not being sent outside the company. The appliance can detect data in any language, including non-Roman alphabets, and in more than 370 file formats, said Sreekanth Ravi, chairman and CEO of Code Green, Sunnyvale, Calif. “If you look at information leaks, the greatest damage to companies comes from unstructured information such as source code and business plans,” he said. The appliance uses pattern matching and a proprietary technology known as deep content fingerprinting to find confidential information and determine if someone is trying to send it out, identifying entire documents as well as fragments. The appliance can be set up to audit and log incidents, and before the end of the year, it will be able to automatically block confidential content from being sent out through e-mail, IM and other protocols such as FTP, said Chip Hay, senior vice president of marketing and customer care at Code Green.
  Thu, 20 Apr 2006 09:24:58 +0200
The head of the country’s program to weed out terrorists from foreign visitors laid out his wish list today of the security features he would like to see in proposed new documents for U.S. travelers.
  Thu, 20 Apr 2006 09:23:44 +0200
The Homeland Security Department has successfully tested e-passports in a live environment, the department’s second in command announced today.
The U.S. Visitor and Immigrant Status Indicator Technology (US-VISIT) program tested e-passports and e-passport readers at San Francisco International Airport from Jan. 15 to April 15, said Michael Jackson, DHS’ deputy secretary, in a statement.
The test processed 1,938 e-passports. The United States, Australia, New Zealand and Singapore participated.
ARLINGTON, Va.--Future government-issued travel documents may feature embedded computer chips that can be read at a distance of up to 30 feet, a top Homeland Security official said Tuesday, creating what some fear would be a threat to privacy.
An FBI investigation has concluded that no consumer credit or debit card information was stolen from a New Hampshire state computer server in February because a suspect Cain & Abel password recovery program found on the hardware had never been activated.
In an announcement on Friday, New Hampshire Attorney General Kelly Ayotte said that the FBI probe determined that no data theft occurred because the program, which can be misused by hackers for malicious purposes, was never run. "As a result of this finding, the state has concluded that it is very unlikely that any credit card or debit card information was accessed by identity thieves," Ayotte said in a statement.
Last year an estimated 8.9 million telecommuters worked from home three or more days each month during regular business hours, according to IDC. A quarter of them worked exclusively from home. At places where home-based work has become the norm, IT managers say a key concern is ensuring each telecommuter's PC, typically granted remote access to a corporate LAN, keeps pace with office security guidelines.
Security software vendor Kaspersky Labs joined the ranks of anti-malware specialists introducing applications designed for use on mobile devices with the launch of its new beta technology for smart phones running the Symbian operating system. Whether such tools should be in demand by enterprises remains a topic of debate among industry watchers.
What you don't know about the security of your information systems can hurt you and probably already has. But how much information about security flaws is too much? Anything you're told about a software vulnerability, the villains surely will pick up, too.
Joe Christensen walked in the doors at CardSystems Solutions last July, charged with establishing a program to help the beleaguered payment processing company earn compliance with the Payment Card Industry (PCI) security standard.
Hackers weren't to blame for all of the data breaches in 2005--some were pulled off by old-fashioned, sticky-fingered thieves.
  Thu, 20 Apr 2006 09:13:48 +0200
SELLING "naked" computers, or computers without an operating system, will be banned in Beijing, a senior official with the Beijing Copyright Bureau said on Thursday.
The ban will take place by the end of the year and is aimed at further protecting software intellectual property, Wang Yefei, deputy director of the bureau, said at a press conference.
Government departments shall not purchase computers without legitimate software, and all domestically made and imported computers are required to be sold with legitimate software pre-installed, said Wang.
  Thu, 20 Apr 2006 09:11:25 +0200
Rootkits are becoming more prevalent and difficult to detect, and security vendor McAfee says the blame falls squarely on the open source community.
In its "Rootkits" report being published today, McAfee says the number of rootkits it has collected as malware samples has jumped ninefold this quarter compared with the same quarter a year ago. Almost all the rootkits McAfee has identified are intended to hide other code (such as spyware or bots) or conceal processes running in Windows systems.
"Police blotter" is a weekly CNET News.com report on the intersection of technology and the law.
What: Wells Fargo Bank customers sue after their personal financial data was stolen from a contractor that had not encrypted the information.
When: U.S. District Judge David Doty in Minnesota ruled on March 16.
Outcome: Wells Fargo was found not to be negligent because the information was never misused by the thieves.
What happened, according to court documents: Wells Fargo had hired Regulus Integrated Solutions to print monthly statements for certain customers who had mortgages and student loans from its subsidiaries. In October 2004, thieves stole computers from Regulus with unencrypted customer information including names, addresses, Social Security numbers and account numbers.
A few weeks later, Wells Fargo alerted its customers and offered to provide identity protection services.
  Thu, 20 Apr 2006 09:08:57 +0200
APRIL 17, 2006 (IDG NEWS SERVICE) - Computers infected with a well-known piece of malware began downloading a new spam tool Sunday night used by hackers to send unwanted e-mail.
  Tue, 18 Apr 2006 02:34:14 +0200
1. SQL Slammer: Researcher David Litchfield presents findings at Black Hat one week after Microsoft issues its SQL patch. The Slammer worm that exploits that flaw dramatically slows Internet traffic in 2003.
2. Windows Plug and Play: Internet Security Systems researchers in April 2005 discover a Windows vulnerability that lets an attacker take control of affected systems and remotely execute code. By August, the Zotob worm exploits it. ...
  Tue, 18 Apr 2006 02:33:00 +0200
As the mastermind of the Bali nightclub bombings awaited execution, he published a jailhouse autobiography teaching others to follow in his footsteps. In one of the chapters, Imam Samudra -- convicted of spearheading the attack more than three years ago that killed 202 people -- advises fellow radical Islamists on how to finance more terrorist acts by stealing confidential credit card information from exploitable programs in the United States, noting that American networks are not as impenetrable as one might think.
Cybercriminals have a parasitic side, and it's not to be underestimated. If they can't bust through the network perimeter of an enterprise, they're just as likely to go through the front door aboard an unwitting and trusted customer or business partner. Enterprises like research information provider LexisNexis, for example, spend countless hours and resources on resolving malware issues, shoring up intrusion defenses and architecting security into the network. But admittedly, LexisNexis had done little to ensure that customer and partner environments with access to LexisNexis databases were secure.
When a new virus strikes, some of us might fall ill, some might die and others will survive. That's the beauty of us each having a unique immune system. It's a concept that the computer security industry should take to heart, said Stephanie Forrest, a professor of computer science at the University of New Mexico, who spoke this week at a Symposium on Information Security and Privacy in Boston. The event was organized by Boston University to celebrate the launch of its Center for Reliable Information Systems and Cyber Security, an outfit that is taking the sort of interdisciplinary approach to computer security that Forrest endorses.
  Tue, 18 Apr 2006 02:29:27 +0200
Instant messaging products crept onto corporate PCs and introduced a host of security, regulatory and management issues. In the same way, free desktop search tools - designed for consumers - are showing up on corporate networks and raising concerns about data protection. Desktop search tools use local processing power to locate items inside e-mail and data stores. Three of the most popular are available for free from Google, MSN and Yahoo. Most industry watchers agree the products aid productivity: From a single interface, users can quickly search the text of their e-mail, contacts, application documents, data files, multimedia files and more.
  Tue, 18 Apr 2006 02:28:47 +0200
Cryptology and history buffs who missed a chance to buy a World War II-era Enigma machine on eBay last month have the option of building their own codemaking machine at home, from a kit.
  Tue, 18 Apr 2006 02:27:15 +0200
Sprint Nextel Corp. on Thursday launched a new service that locates children through their cell phones, the first U.S. mobile carrier to offer tracking using standard hardware. Dubbed "Family Locator Service," the $9.95 per month service relies on GPS (Global Positioning System) technology to pinpoint up to four cell phones, and then maps their locations on a PC or a parent's own cell phone. Privacy safeguards, said Sprint, include parent-child permission to track phones, and text messages that are sent to the child's phone whenever the parent requests his or her location. Parents can also authorize others, such as a sitter, nanny, or other relative, to access a phone's location.
A rule change proposed by the U.S. Treasury Department and the Internal Revenue Service (IRS) has come under fire from privacy advocates who have taken issue with a clause allowing tax preparers to sell tax-return information to third parties. Introduced last December, the IRS change was proposed to update regulations that govern how tax preparers handle return information. These rules have not been changed since 1974, and the IRS wrote in the proposal that the revision will give preparers greater flexibility in the age of electronic filing. 
Almost 1,400 students are now at risk after their Social Security numbers were mistakenly attached in an e-mail. The University of South Carolina made a mistake when up to 1,400 students' Social Security numbers were accidentally e-mailed to other USC students. The mistake was made when a department chairwoman attached a wrong file while sending e-mails to students about classes in the summer.
  Sun, 16 Apr 2006 20:49:30 +0200
Ben Rothke, director of security technology implementations at financial services company AXA, put his finger on biometrics when he said it "gets away from the worst aspects of security, users choosing lousy passwords," but doesn't quite live up to the marketing hype. At the recent InfoSec Conference in Orlando, Rothke spoke on biometrics, the technology for authenticating identity based on a human body part such as the finger, hand, iris, retina or face, or on an attribute of the voice.
  Sun, 16 Apr 2006 20:48:46 +0200
Ameritrade completed its acquisition of TD Waterhouse in January to become TD Ameritrade Holding Corp. Just prior to the completion of that acquisition, Ameritrade finished rolling out technology that encrypts all data as it moves from servers to tape backup devices. The encryption effort was a reaction to the company's loss of a data tape with the names of 200,000 clients in April 2005. Jerry Bartlett, CIO at TD Ameritrade, spoke with Computerworld recently about data security and storage management. Excerpts from the interview follow....
  Sun, 16 Apr 2006 20:44:35 +0200
Everdream has launched a service to delete or encrypt files on stolen PCs and laptops. But the service depends utterly on the thief being naive enough to connect the stolen PC/laptop to the Internet without wiping the existing software on the hard drive first. The Everdream software is implemented as an agent on the PC or laptop. When the device is stolen and next connects to the Internet the agent software links to Everdream's control center and sends a set of network location information.
APRIL 12, 2006 (COMPUTERWORLD) - Broward County, Fla., Maricopa County, Ariz., Fort Bend County, Texas. Three counties separated by hundreds of miles with something in common: They’re among potentially hundreds of counties in several states that in recent years have made Social Security numbers, driver's license information, bank account numbers and a variety of other personally sensitive data belonging to residents available to anyone in the world with Internet access.
  Fri, 14 Apr 2006 06:26:33 +0200
The handling of customer data is one of the thorniest business issues of the 21st century. If companies aren't struggling to determine which versions of their customer records are accurate and up to date, they're scrambling to do damage control in the wake of security breaches that expose sensitive information to prying eyes.
With data theft and network intrusions continuing to flourish, network security is no longer a perimeter game. Just ask Jeff Schmitt, network administrator at Troy, Mich.-based Motor Information Systems, a reseller of automotive data. "We sell data," he said. "Obviously, the data that's on our network, we have to make sure we keep that under wraps."
Enterprises are under increasing pressure to safeguard the privacy and security of personal data, but the complexity of the task is making it difficult to meet higher expectations, an HP project manager said Tuesday.
Terrorist groups, which for years have used the Internet and its various tools to organize and communicate, are paying more attention to addressing security and privacy concerns similar to those of other Web users, counterterrorism experts say.
Researchers at Edith Cowan University have proven Generation One Radio Frequency Identification tags can be breached to cause a denial-of-service attack on the tags, using cheap store-bought radio transmitters.
The registry for the new .eu domain has booked 1.4 million Web addresses since Friday morning - but one registrar has accused the group that runs it of inept organization, allowing companies to cheat the system by setting up bogus registrars to work on their behalf.
  Fri, 14 Apr 2006 06:19:33 +0200
A software security expert warned users of Oracle Server that a software flaw could allow any user to read, modify, and delete data used by Oracle applications; he also says that Oracle may have unwittingly shown hackers how to exploit the previously unknown hole.
  Fri, 14 Apr 2006 06:17:22 +0200
"Google hacking" is on the rise, according to a study by master's student Natalia Nehring and Ellen Rose, senior lecturer at the Institute of Information and Mathematical Sciences at Massey University. The term refers to online attacks that use search engines to look for vulnerabilities. The study found that New Zealand Web sites are more vulnerable to hackers using the Google search engine than Australian or U.S. Web sites.
Rhode Island retailer Ross-Simons said the personal information of thousands of credit card applicants may have been compromised. NBC 10 Consumer Reporter Audrey Laganas reported that about 32,000 accounts were potentially at risk. All of the accounts belong to customers who applied for a Ross-Simons credit card between October 2004 and April 4 of this year.
  Thu, 13 Apr 2006 20:22:24 +0200
Security and process integrity have replaced inventory control as RFID's primary driver. Legal mandates are imposing a deadline for implementation. Initially conceived to prevent theft and improve inventory control, RFID (radio frequency identification) is evolving into exciting new areas. Wide-ranging security and process integrity mandates in the United States and European Union are challenging providers of the technology to come up with new applications. Take the U.S. 2002 Public Health Security and Bioterrorism and Response Act, for example.
MySpace.com, the social networking Internet site popular with young people that has alarmed some parents and law enforcement officials concerned about sexual predators, announced yesterday that it was hiring a former federal prosecutor to be its first chief security officer. The site, acquired last July by the News Corporation, which also owns Fox Broadcasting and DirecTV satellite television, is used by young people to post personal pages that can include their photographs and other details about their lives and interests so they can interact with others on the site.
  Wed, 12 Apr 2006 20:21:44 +0200
Desktop management service provider Everdream on Tuesday announced a service that makes it possible to encrypt or delete data even after a laptop has gone missing. The new Everdream "Theft Recovery Managed Service" allows organizations to retain control over lost or stolen PCs and laptops, the Fremont, Calif., company said in a statement. The service also can assist law enforcement with the tracking, locating and recovery of computers, the company said. When a missing PC is connected to the Internet, it automatically contacts Everdream. This triggers encryption or deletion of data on the computer, based on the customer's setting, Everdream said.
  Wed, 12 Apr 2006 20:19:57 +0200
WASHINGTON, April 11 (AP) — The Internal Revenue Service said Tuesday that it had won approval from a federal court to ask the online payment company PayPal to turn over information about people who may be evading taxes by hiding income in other countries.
  Wed, 12 Apr 2006 20:19:04 +0200
A dozen companies selling records of private phone calls in the U.S. have been subpoenaed by U.S. House Energy and Commerce Committee Chairman Joe Barton.
  Wed, 12 Apr 2006 20:16:04 +0200
(AP) NEWARK -- Computer hackers were able to gain access to the Social Security numbers and other confidential financial information of almost 2,000 University of Medicine and Dentistry of New Jersey students and alumni, university officials said. UMDNJ kept the electronic break-in quiet while it investigated if the information -- including the tuition aid and loan information of about 700 students and 1,150 alumni -- could be used by the hackers. So far, officials believe the information was accessed, but initial reports suggest that no information was taken. However, computer experts are still investigating the incident. "We know it was hacked into because there were some things on it that did not belong -- pranks and games," UMDNJ interim President Bruce C. Vladeck told The Sunday Star-Ledger.
In Russian, there is no word for “privacy.” That never sat well with St. Petersburg native and former citizen of the Soviet Union Rafail Ostrovsky. Now a UCLA computer science professor at the Henry Samueli School of Engineering and Applied Science, Ostrovsky is an expert in computer security and cryptography, the head of UCLA’s Center for Information and Computation Security — and a fighter on the front lines of the war against terrorism.
  Wed, 12 Apr 2006 00:24:12 +0200
Researchers at IBM have come up with a way to hardwire encryption technology into a microprocessor, promising a more secure way to store data. IBM plans to announce availability of the new technology, dubbed Secure Blue, on Monday. The Armonk, N.Y.-based company envisions its idea and technology will be used in digital media players, electronic organizers, cell phones, computers and devices used by the government and the medical and financial industries.
Privacy advocates have raised concerns over Google's proposed free Wi-Fi service in San Francisco, which would target users with advertising based on their location. Most troubling is the potential of tracking where people go on the Web based on the user names and passwords they use in signing on to the network. If that information is stored in a database, then government or private lawyers can subpoena it later in criminal or civil matters. The Electronic Frontier Foundation, a San Francisco-based privacy group, has submitted to the city guidelines and minimum standards it considers necessary for protecting people's privacy. The recommendations have been taken under advisement, but it's unclear how much impact they will have on negotiations between Google and its partners, and Chris Vein, the head of the city's technology department.
  Wed, 12 Apr 2006 00:16:45 +0200
Sunday 9 April 2006: Online bank RaboDirect has announced a 100% Secure Guarantee for its Irish customers. The bank, which says it implements the highest levels of online banking security, is the first bank in Ireland to give guaranteed protection to its customers. RaboDirect's parent company, the AAA-rated Rabobank Group, has been consistently voted one of the world's safest banks by Global Finance Magazine. RaboDirect remains the only bank in Ireland to operate the Digipass system of online security, based on two-factor authentication, which the bank says makes 'phishing' attacks virtually impossible.
BAGRAM, Afghanistan — No more than 200 yards from the main gate of the sprawling U.S. base here, stolen computer drives containing classified military assessments of enemy targets, names of corrupt Afghan officials and descriptions of American defenses are on sale in the local bazaar. Shop owners at the bazaar say Afghan cleaners, garbage collectors and other workers from the base arrive each day offering purloined goods, including knives, watches, refrigerators, packets of Viagra and flash memory drives taken from military laptops. The drives, smaller than a pack of chewing gum, are sold as used equipment.
  Wed, 12 Apr 2006 00:12:42 +0200
Whenever the president travels, security is a prime consideration. Motorcade routes are kept secret, and premature release of information about a presidential trip aboard one of the twin Air Force One planes can result in the Secret Service canceling a visit. Thus, the Air Force reacted with alarm last week after The Chronicle told the Secret Service that a government document containing specific information about the anti-missile defenses on Air Force One and detailed interior maps of the two planes -- including the location of Secret Service agents within the planes -- was posted on the Web site of an Air Force base.
APRIL 10, 2006 (COMPUTERWORLD) - The Social Security numbers, driver's license information and bank account details belonging to potentially millions of current and former residents of Florida's Broward County are available to anyone on the Internet because sensitive information has not been redacted from public records being posted on the county’s Web site.
A county official said the information available on the Web is in full compliance with state statutes that require counties to post public documents on the Internet.
  Wed, 12 Apr 2006 00:09:47 +0200
Oracle Corp.'s next critical patch update (CPU) is a week away, but customers of the database giant already have a security hole to worry about -- and this one appears to have been accidentally released by the company itself. According to Alexander Kornbrust, a well-known database security researcher and business director at German firm Red-Database-Security GmbH, Redwood Shores, Calif.-based Oracle accidentally posted information about the flaw -- including how to exploit it -- on its MetaLink customer support site.
  Tue, 11 Apr 2006 08:07:35 +0200
A database problem with a U.S. domain name registrar exposed sensitive financial and personal information relating to thousands of domain name registrations, a Dutch company said Friday. DiscountDomainRegistry.com, of New York, fixed the problem shortly after being notified Thursday, said Nico Vandendries, CEO of Strongwood, a private investigation company based in the Netherlands. DiscountDomainRegistry.com CEO Alex Brecher said in an e-mail to the IDG News Service that the company is 100% positive customer data was not compromised. The "alleged vulnerability," he wrote, was patched within minutes after the company was contacted by Strongwood.
Regulatory compliance and protecting intellectual property (IP) are among the top reasons driving demand for security products – not phishing, worms, spyware and hack attacks, according to a recent report. Some 50 North American chief information security officers (CISOs) participated in the Merrill Lynch & Co. Inc. survey. Put simply, they said regulatory compliance ranks as the top business reason driving demand for security software. Next came protecting against unauthorized intrusions and unplanned downtime. Security software and infrastructure represents a relatively small portion of their respective companies' IT budgets, with 78 percent reporting that they allocate less than 10 percent of overall spend. Respondents, however, expect to increase spending by an average of 11.4 percent during the next 12-18 months.
YORKTOWN HEIGHTS, N.Y., April 10, 2006 -- IBM today announced a new technology designed to greatly increase the security of consumer products, medical devices, defense systems and digital media. Developed by IBM Research and codenamed “SecureBlue”, the new technology helps enable mainframe-inspired security typically only available in data centers. “SecureBlue” protects the confidentiality and integrity of information on a device through encryption, encoding it to prevent its unauthorized use, even from an adversary that has physical access to or control of the device. As the use of various forms of digital devices becomes increasingly widespread and more essential, information becomes more distributed and thus more vulnerable, making strong security increasingly important since devices can be lost or stolen. Encryption techniques have long been employed on high-end systems, but the technologies are traditionally expensive and have considerable impact on system performance, making them impractical for consumer products. 'SecureBlue' is the first technology to make encryption practical even for low-cost, relatively low performance electronics...
Messy, redundant, and insecure customer data has companies turning to data governance for a change

The handling of customer data is one of the thorniest business issues of the 21st century. If companies aren't struggling to determine which versions of their customer records are accurate and up to date, they're scrambling to do damage control in the wake of security breaches that expose sensitive information to prying eyes.
  Fri, 07 Apr 2006 09:11:28 +0200
By Bruce Schneier, 02:00 AM Apr 06, 2006

There are basically four ways to eavesdrop on a telephone call.

One, you can listen in on another phone extension. This is the method preferred by siblings everywhere. If you have the right access, it's the easiest. While it doesn't work for cell phones, cordless phones are vulnerable to a variant of this attack: A radio receiver set to the right frequency can act as another extension.

Two, you can attach some eavesdropping equipment to the wire with a pair of alligator clips. It takes some expertise, but you can do it anywhere along the phone line's path -- even outside the home. This used to be the way the police eavesdropped on your phone line. These days it's probably most often used by criminals. This method doesn't work for cell phones, either.
In their rush to implement Web services, some companies may be exposing themselves to new security risks that they may not fully understand, a security researcher said at the CanSecWest/core06 conference in Vancouver on Thursday.

During a conference presentation, researcher Alex Stamos outlined how a number of Web services technologies, including the Asynchronous JavaScript + XML (AJAX ) and the XQuery query language could be exploited by hackers to dig up secret information and attack systems.

Web services is a catch-all expression used to describe a form of distributed computing that uses standards based on XML to simplify the job of programming software. One of its key tenets is that Web services applications are extremely portable and can easily interact with different types of software.
Information resellers often fail to follow privacy protection guidelines when dealing with the federal government, and many do not believe the guidelines should apply when public records are involved.
That's the conclusion of a report the Government Accountability Office released Tuesday. Resellers' adherence to privacy protections was also the topic of a joint oversight hearing Tuesday.
The issue gained the attention of the GAO and members of Congress, in part because of dozens of high-profile data breaches last year, including one at ChoicePoint Inc.
The Privacy Rights Clearinghouse, a consumer advocacy organization, reported that more than 52 million Americans have had their personal information jeopardized by data breaches since Feb. 15, 2005, when thieves set up bogus accounts using information obtained from ChoicePoint. The Federal Trade Commission recorded more than 685,000 consumer fraud and identity theft complaints in its database in 2005. Thirty-seven percent of all of the complaints were due to identity theft.
Taxpayers would be exposed to identity theft if the Internal Revenue Service gets its way with proposed rule changes considered during a congressional hearing this week.
Opposition is growing in response to the plan, which would allow tax preparers to sell personal information with consent. At least 45 attorneys general have joined several members of congress, consumer advocacy groups and others urging the IRS to drop the plan.
'This is an attempt by the tax preparation services to fatten their bottom lines at the expense of their customers' privacy,' New York State Attorney General Eliot Spitzer said through a prepared statement Tuesday.
The Electronic Frontier Foundation (EFF) on Wednesday filed the legal briefs and evidence supporting its motion for a preliminary injunction in its class-action lawsuit against AT&T.
After asking EFF to hold back the documents so that it could review them, the Department of Justice consented to EFF's filing them under seal -- a well-established procedure that prohibits public access and permits only the judge and the litigants to see the evidence.

While not a party to the case, the government was concerned that even this procedure would not provide sufficient security and has represented to the Court that it is 'presently considering whether and, if so, how it will participate in this case.'

'The evidence that we are filing supports our claim that AT&T is diverting Internet traffic into the hands of the NSA wholesale, in violation of federal wiretapping laws and the Fourth Amendment,' said EFF Staff Attorney Kevin Bankston.
  Sat, 08 Apr 2006 00:54:20 +0200
HP is warning of a vulnerability in some of its printer driver software that could allow hackers to siphon information from a user's PC.

The unusual security alert -- printer software is not usually at the forefront of security worries -- affects anyone using a Windows Toolbox utility that comes with the company's Color LaserJet 2500 and 4600 printers.

HP is advising anyone affected to download a fix as soon as possible after studying update instructions on its site.

The browser-like Toolbox program is used mainly to monitor printer status, and is thought to be vulnerable when it has been installed in its default configuration, which would be the case for the overwhelming majority of users.
A recent case in which an employee at Progressive Casualty Insurance wrongfully accessed information on foreclosure properties she was interested in buying highlights again the dangers posed to corporate security by insiders.

Progressive officials Thursday confirmed that the company sent out letters in January to 13 people informing them that confidential information, including names, Social Security numbers, birth dates and property addresses had been wrongfully accessed by an employee who has since been fired.

Michael O'Connor, a spokesman for the Mayfield Village, Ohio company, said officials were alerted to the situation when a local woman complained about receiving calls from a Progressive agent inquiring about her house being under foreclosure.

'What happened was that the former employee, who purchased foreclosure property, wrongly used the information in a real estate database,' O'Connor said. Though there was no actual hacking involved to get at the data, her actions constituted a violation of Progressive's code of ethics, O'Connor said.
  Thu, 06 Apr 2006 23:51:57 +0200
Microsoft Corp. said Wednesday it would increase investments in digital rights management (DRM) to guard against piracy and support the wireless industry, as more tunes, pictures and video clips are sent over the airwaves to mobile phones.
More than 30 million U.S. wireless subscribers will consume video and television content on mobile devices by 2009, estimates IDC Corp.
Providing no financial details, Microsoft said only that the investment would prove 'significant.' The Redmond, Wash., company claims more than 100 content service licenses and deploys the Microsoft Windows Media DRM platform on hundreds of devices to deliver content securely for playback on computers, mobile devices and portable devices.
The platform supports download and play, subscription, video on demand, and enables device manufacturers to directly acquire licenses on their handsets.
  Thu, 06 Apr 2006 23:50:10 +0200
LaserJet becomes snooping tool

By John Leyden, published Thursday 6th April 2006 12:10 GMT

A security vulnerability involving some HP printer models leaves users open to attack.

The bug in the Toolbox software installed with HP's Color LaserJet 2500 and 4600 printers creates a means for attackers to pinch valuable information. When the Toolbox is left in a default configuration hackers might be able to steal files from a Windows PC connected to these printers. HP advises users to upgrade their Toolbox software to version 3.1 to guard against possible attacks.
For investigators like Scott Cooper, the devil is in the digital details. 'All we're after is the story, just like in the old days,' he said.
Mr. Cooper, a computer forensics expert, learned that the numeral '1' had been scrubbed from some later versions of a digital document. This gave his client, a partner in a software firm that had recently been sold, just a 5 percent rather than a 15 percent share in the company. Had the change gone undetected, the partner would have received $32 million rather than his rightful $96 million payout.
What the partner did not realize was that digital data rarely goes away, even when erased. 'It is extremely difficult to completely delete all evidence from a hard drive,' said John Colbert, the chief executive of Guidance Software, which makes a widely used program that helps retrieve digital evidence.
Using various techniques, Mr. Cooper, the managing director of the Insync Consulting Group's electronic discovery and forensics practice, based in Los Angeles, figured out when the document had been changed and by whom. His client got his money.
Digital storage of information has become ubiquitous. In 2003, the School of Information Management and Systems at the University of California, Berkeley, estimated that 92 percent of new information was being stored on some form of magnetic media. As a result, digital forensics — the acquisition and analysis of digital information — has become an important legal tool.
  Thu, 06 Apr 2006 01:54:08 +0200
RFID will someday revolutionize business, but that won't occur until serious security issues are resolved.

That was the message delivered Monday at InfoSec World by Kevin Ashton, founder and director of MIT's Auto-ID Center, which developed RFID technology.

Ashton, currently vice president of marketing and business development for ThingMagic, a company that provides RFID readers and other sensing technology, said the basic idea behind RFID was to enable machines to 'sense things on their own.'

He said MIT and other places spent quite a bit of effort over the years trying to come up with machines that could 'see' the world, but trying to replicate human vision proved incredibly difficult. As an alternative approach, RFID and other sensor technology use relatively simple and low cost chips to help machines perceive on their own.
A SECURITY hole in Sydney internet provider Astratel's LiveBilling online account management system has seriously compromised its customers' privacy.

Astratel customer Nick Adams notified the ISP after he discovered that he could view billing information and call records for other customers by entering their phone number into an online query form.
Mr Adams also demonstrated that a non-Astratel customer could reach the vulnerable query service by copying the form's code from the page where it was located and hosting it at another web address.
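How the lookup should have been bound to the caller, as an added example rather than Astratel's LiveBilling code. The records, accounts and session store are constructed sample data, and the per-session form token is an assumption about how such a form could be tied to a login; what it illustrates is the check that was missing above: the query handler returned a record for any phone number entered and accepted the query from a form hosted anywhere.

```python
"""Account lookup bound to the authenticated caller.

Added example, not Astratel's code. Models the two flaws described in the
article: a query form that returned billing data for whatever phone number
was entered, with no check that the caller owned the number, and an endpoint
that could be driven from a copy of the form on another site because nothing
tied a request to a logged-in account. All data below is constructed.
"""
from dataclasses import dataclass
import hmac
import secrets


@dataclass(frozen=True)
class BillingRecord:
    phone: str
    account_id: str
    balance_cents: int
    call_log: tuple


# Constructed sample data: phone number -> billing record.
RECORDS = {
    "0291230001": BillingRecord("0291230001", "acct-1", 4250, ("0400000111", "0400000222")),
    "0291230002": BillingRecord("0291230002", "acct-2", 1900, ("0400000333",)),
}
# Which numbers each account is allowed to see (constructed).
ACCOUNT_PHONES = {"acct-1": {"0291230001"}, "acct-2": {"0291230002"}}

SESSIONS = {}                       # session token -> account id
FORM_KEY = secrets.token_bytes(32)  # server-side secret used to mint form tokens


def lookup_vulnerable(phone: str):
    """The flawed behaviour: any phone number returns that customer's record."""
    return RECORDS.get(phone)


def login(account_id: str) -> str:
    """Issue an unguessable session token for an already-authenticated account."""
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = account_id
    return token


def issue_form_token(session_token: str) -> str:
    """Token embedded in the query form for this session. A form copied to another
    host cannot mint one without FORM_KEY, so transplanted forms are refused."""
    return hmac.new(FORM_KEY, session_token.encode(), "sha256").hexdigest()


class Forbidden(Exception):
    pass


def lookup_secure(session_token, form_token, phone: str):
    """Return the record only if the caller holds a valid session, the form token
    was issued for that session, and the number belongs to the caller's account."""
    account_id = SESSIONS.get(session_token) if session_token else None
    if account_id is None:
        raise Forbidden("no valid session")
    if not form_token or not hmac.compare_digest(issue_form_token(session_token), form_token):
        raise Forbidden("form token missing or not issued for this session")
    # Check ownership before touching the record store, so a number that belongs
    # to someone else is refused exactly like a number that does not exist.
    if phone not in ACCOUNT_PHONES.get(account_id, set()):
        raise Forbidden("phone number not owned by caller")
    return RECORDS.get(phone)


def handle_query(session_token, form_token, phone: str):
    """HTTP-style wrapper: (200, record), (403, None) or (404, None)."""
    try:
        record = lookup_secure(session_token, form_token, phone)
    except Forbidden:
        return 403, None
    if record is None:
        return 404, None
    return 200, record


if __name__ == "__main__":
    tok = login("acct-1")
    ft = issue_form_token(tok)
    print("own number:", handle_query(tok, ft, "0291230001")[0])      # 200
    print("someone else's:", handle_query(tok, ft, "0291230002")[0])  # 403
    print("no session:", handle_query(None, ft, "0291230001")[0])     # 403
```

The ownership check is deliberately performed before the record lookup and returns the same 403 whether the number is someone else's or unknown, so the endpoint cannot be used to enumerate which numbers are customers.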
  Tue, 04 Apr 2006 22:39:44 +0200
Symantec released Monday a new version of its IM Manager designed to shore up vulnerabilities in instant messaging networks and address compliance issues.
Security vulnerabilities in IM networks are causing companies to limit or prohibit use of IM, and certain verticals are required to log all IM conversations for compliance reasons, said Jon Sakoda, senior director of product management for enterprise messaging at Symantec, Cupertino, Calif.
Symantec's IM Manager 8.0 addresses these issues with management and reporting features that allow companies to continue to benefit from realtime communications.
Companies are clamping down on employees' workplace use of the expanding range of free Internet services, such as instant messaging and video downloading, to protect themselves from viruses, communications traffic jams and regulatory missteps.
General Electric Co. has barred outside instant-messaging and file-sharing programs, as well as access to personal online email accounts like those offered by Yahoo Inc. Telecom company Global Crossing Ltd. also blocks outside instant messaging and online email accounts. J.P. Morgan Chase & Co. is one of many banks that blocks Internet services it can't track or monitor, including outside instant-messaging, phone and email programs.
Another big bank, ABN Amro Holdings NV of the Netherlands, also bans many consumer-communications technologies, including Skype, the Internet phone service owned by eBay Inc. (See related article.) 'I'm not allowing Skype because I don't know what it does,' says Bill Rocholl, global head of strategy and engineering for ABN Amro's telecommunications and network services.
MARCH 31, 2006 (IDG NEWS SERVICE) - A U.S. Senate committee yesterday approved a bill that would outlaw the practice of posing as a telephone or mobile phone customer to obtain phone records.

The practice, called pretexting, is allegedly used by a number of online companies that sell phone records. The Senate Commerce, Science and Transportation Committee's bill makes it illegal to acquire, use or sell a person's confidential phone records without that person's written consent.

'I really do believe ... this measure will prevent unscrupulous individuals from obtaining confidential phone records,' said Senator George Allen, a Virginia Republican and lead sponsor of the bill. 'It's what Americans expect.'

The bill, an amended version of the Protecting Consumer Phone Records Act, also requires voice carriers -- including wireline, mobile and VOIP (voice over Internet Protocol) providers -- to notify customers when someone has gained access to their phone records without authorization. The bill directs the U.S. Federal Communications Commission (FCC) to create phone-record regulations similar to those protecting financial information under the Gramm-Leach-Bliley Act, passed by Congress in 1999.
  Fri, 01 Apr 2005 00:13:05 +0200
A House of Representatives committee has unanimously approved a bill that would create new regulations for so-called data brokers, including a requirement that U.S. companies that traffic in personal data notify victims of breaches.

The House Energy and Commerce Committee's 41-0 approval of the Data Accountability and Trust Act comes a year after the beginning of a rash of data breaches at dozens of U.S. companies, starting with data brokers ChoicePoint and LexisNexis. The bill, which now goes to the full House for a vote, requires any company that 'experiences reasonable risk of identity theft' to notify potential victims as well as the Federal Trade Commission (FTC).

'This is legislation that consumers deserve if we are to help them and our economy defeat the growing menace of identity theft,' Rep. Cliff Stearns (R-Fla.) and primary sponsor of the bill, said in a statement.
What's your biggest concern in data center security?
JP Callahan: Physical security in the data center is about who touched what when. I'm not worrying about someone stealing a server for its monetary value. I'm concerned about someone stealing the data without me knowing.
We do audit trails, employee vetting. What's the biggest threat in the data center?
Internal users?
Callahan: Exactly. Instead of spending money on bollards [posts preventing vehicles from entering an area], run internal checks. Which guy in your company just went into bankruptcy? How many background checks could that money buy?
What misconceptions have you seen in data center security?
Callahan: I come across data centers with pop-up bollards. How many times in the last 35 years has a truck bomb been used in the U.S.? The University of Wisconsin ROTC bombing [1970]; the Oklahoma City bombing [1995]; and then the New York Trade Center [1993]. Three times. But we're spending hundreds of millions of dollars hardening our data centers against truck bombs.
  Fri, 31 Mar 2006 00:01:18 +0200
Last week, Sun Microsystems Inc. announced the debut of its Sun Grid Compute Utility, available at www.network.com. The world's first grid available for public, commercial use, Sun Grid was created to serve customers big and small needing inexpensive, simple access to large-scale computing resources.
But within hours, Sun Grid was brought to its knees by a distributed denial-of-service (DDOS) attack, necessitating an emergency login procedure change. While grid computing may very well revolutionize enterprise computing, the incident underscores the security risks that could prove quite harrowing for enterprises that rely on grid computing.
The Secret Service yesterday announced seven arrests in five states and the District of Columbia as part of a continuing crackdown on online forums where credit card data and other stolen consumer information is routinely traded.

A total of 21 people have been arrested in the United States and Britain in the last three months in the undercover operation, the agency said.

It is the largest federal law enforcement action taken against the thriving online trade in credit card numbers, bank accounts, passwords, personal identification numbers and other data since an earlier effort, Operation Firewall, broke up the largest black market trading board, Shadowcrew.com, in 2004.
In what could be a landmark ruling, the Ohio Supreme Court has decided that the state's open records law supersedes the federal Health Insurance Portability and Accountability Act's privacy protections for medical records. The decision may be the first in the country in which a conflict between a state's open records law and HIPAA was at issue, attorney John Greiner said. He represented the Cincinnati Enquirer newspaper in its successful suit to compel the city to release information about landlords and homeowners cited for lead paint violations.

Greiner said the ruling could affect areas beyond Ohio because many states have similar open records laws.

Joy Pritts, a privacy expert in Washington, D.C., said the ruling highlights a potential area of vulnerability in HIPAA protections for individuals' health records.

In its unanimous March 17 decision, Ohio's highest court found that the Cincinnati Health Department erred in citing the privacy of personal health information when it refused to release records about the houses that were cited for lead paint contamination.
Partners Healthcare, the giant of the Boston medical world, is studying a plan with other big academic hospitals elsewhere to sell aggregated patient data to the government, pharmaceutical and biotech companies, insurers, and publishers. 'As the adage goes, "Information is power, and power is money,"' notes a confidential Partners document outlining the 'data commercialization project.'

Partners executives say no decision has been made to go ahead with the project. 'It is still in the brainstorming stages,' says Partners chief operating officer Tom Glynn. They are sensitive to concerns about patient confidentiality, and say the most likely first customer would be government agencies such as the Food and Drug Administration. As an example, they say data collected by the hospitals could have been used by the FDA to correlate the use of Vioxx and the incidence of heart attacks.

But the confidential outline makes clear Partners sees the market as much broader. 'This project offers the opportunity to understand how various enterprises (government, pharma/biotech, consulting/analysis firms, investment analysts, publishers, etc.) utilize healthcare data to achieve their goals,' the memo states.

Among the information available in Partners' 'data warehouse': patient demographic data; diagnoses and procedure data; inpatient pharmacy data; and 'assorted data' on inpatient hospitalization and clinical encounters, including provider information.
  Tue, 28 Mar 2006 06:09:13 +0200
The risk of identity theft is rising as the workforce becomes more mobile and people tote around sensitive personal data on computer equipment, observers say.
The latest example came to light Wednesday, when 196,000 current and former Hewlett-Packard employees were notified about the theft of a laptop computer containing their names, Social Security numbers, compensation and other confidential information. The company administering HP's retirement plans, Fidelity Investments, was carrying the HP employees' data on the laptop to discuss the plans at a business meeting.
Fidelity has said there is no evidence the data has been misused or released. The company is monitoring employees' accounts to make sure they remain protected.
MONTPELIER — Thousands of Vermont State Colleges students, faculty and staff learned this week that a VSC laptop computer stolen from a car parked in Montreal on Feb. 28 could have given thieves access to their personal financial information, including Social Security numbers and payroll data.

And while system administrators assured the thousands of potential identity-theft victims that they had all but eliminated access to the colleges' computer network from the laptop, some faculty and staff are furious that VSC took three weeks to warn them.

'I can share with you that many, many people have come to me to express their anger,' said Ernest Broadwater, an education professor at Lyndon State College and the president of the Vermont State Colleges Faculty Federation.
  Tue, 28 Mar 2006 06:07:29 +0200
Florida state workers warned that their personal data could be vulnerable as state's HR system was improperly handed over to a company in India.
By Robert McMillan, IDG News Service, 03/24/06

Florida state employees are being warned that their personal information may have been compromised after work on the state's People First payroll and human resources system was improperly subcontracted to a company in India.

Employees who worked for the state during the 18-month period between Jan. 1, 2003 and June 30, 2004 may be affected, according to an e-mail message sent to all state employees on March 16. The state's Department of Management Services (DMS), which oversees the People First system, estimates that 108,000 current and former state employees may be affected by the data breach, although that estimate could change as the department's investigation into the matter continues.

The e-mail was sent after a subcontractor of outsourcing service provider Convergys improperly allowed subcontractors in India to index state personnel files, said DMS spokeswoman Tiffany Koenigkramer. The offshoring was done as part of Convergys's nine-year, $350 million contract to manage the state's personnel work.
Exclusive Like sands through the hourglass, these are The Days of Ernst & Young laptop loss. Yes, friends, The Register can confirm that BP has been added to the list of Ernst & Young customers whose personal data has been exposed after a laptop theft. BP joins Sun Microsystems, Cisco and IBM in this not so exclusive club.
Ernst & Young has sent out a letter to all 38,000 BP employees in the US, telling them that a laptop theft had exposed their names and social security numbers. To keep the BP staff's mind at ease, Ernst & Young said that the file name containing their info did not indicate what type of information was on the laptop, and the laptop was password protected. Phew!
With acquisition of OmniSecure, Protegrity adds the ability to protect unstructured data to its list of capabilities.
By Tim Greene, NetworkWorld.com, 03/23/06

Database security vendor Protegrity has bought OmniSecure, a database security company that can add the ability to protect unstructured data to Protegrity's list of capabilities.

The deal, for an undisclosed amount, also brings Protegrity customers in Asia and the Pacific, places where the company was not as strong as elsewhere.

Protegrity has a 12-month plan for integrating five key OmniSecure technologies into the Protegrity product lines, according to Protegrity CEO Gordon Rapkin. OmniSecure's file protection software will be brought into Protegrity's administration software to make it easier to deploy, disseminate and audit. Similarly, its encryption key management will be brought into Protegrity's management platform.

The user interfaces for both companies' products will be integrated, and OmniSecure's software for Unix will be ported to Windows. Protegrity will also integrate its Watchdog feature into OmniSecure products. Watchdog monitors whether applications are still running and, if not, restarts them.
ALBANY, N.Y. (AP) -- New York's attorney general sued an Internet company Thursday over the selling of e-mail addresses in what authorities say may be the biggest deliberate breach of Internet privacy ever.

Attorney General Eliot Spitzer accused Gratis Internet of selling personal information obtained from millions of consumers despite a promise of confidentiality.

The consumers thought they were simply registering to see a Web site offering free iPod music players or DVD movies and video games, Spitzer spokesman Brad Maione said. On sign-up pages, Gratis promised it ''does not ... sell/rent e-mails.''
  Thu, 23 Mar 2006 22:21:07 +0100
One of the most sophisticated bot Trojans ever has been infecting machines for months, a security company revealed Wednesday, and has compromised an estimated one million PCs in an ongoing effort to pillage personal bank accounts.
According to Reston, Va.-based iDefense, multiple variants of a Trojan dubbed 'MetaFisher,' a.k.a. 'Spy-Agent,' have been spreading for months under the proverbial radar.
'MetaFisher has compromised hundreds of thousands if not millions of accounts for financial fraud,' said Ken Dunham, the director of iDefense's rapid response team.
The Trojan is pitched the usual way -- via spammed e-mail that includes a link -- and uses the long-patched Windows Metafile (WMF) vulnerability to install silently via a drive-by download on machines whose users simply visit the malicious sites.
Once on a machine, the malware turns the PC into yet another 'bot,' or remotely-controlled computer. But Dunham, who called MetaFisher 'the most sophisticated bot to date,' said it has several unique technical tricks up its sleeves.
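Detection logic for the delivery vector named above, as an added example (not iDefense's or any vendor's code): the WMF flaw MetaFisher relied on is reached through a META_ESCAPE record whose escape function is SETABORTPROC, so a scanner can walk a file's record list and flag that combination before a client ever renders the image. The record layout follows the published WMF format; the sample files are constructed inside the block and carry no shellcode.

```python
"""Flag Windows Metafiles that carry a SetAbortProc escape record.

Added example, not iDefense's or any vendor's code. The WMF flaw MetaFisher
used for its drive-by installs is triggered through a META_ESCAPE record whose
escape function is SETABORTPROC. This parser walks a WMF file's record list and
reports any such record. The sample files are constructed here and contain no
shellcode; they only have the record shape a detector must recognise.
"""
import struct

PLACEABLE_MAGIC = 0x9AC6CDD7   # optional 22-byte Aldus placeable header
META_ESCAPE = 0x0626
META_EOF = 0x0000
SETABORTPROC = 0x0009


def parse_wmf_records(data: bytes):
    """Yield (function, params) for each record; raise ValueError on a malformed file."""
    off = 0
    if len(data) >= 4 and struct.unpack_from("<I", data, 0)[0] == PLACEABLE_MAGIC:
        off = 22
    if len(data) < off + 18:
        raise ValueError("truncated META_HEADER")
    _file_type, header_words = struct.unpack_from("<HH", data, off)
    if header_words != 9:
        raise ValueError("unexpected META_HEADER size")
    off += header_words * 2
    while off + 6 <= len(data):
        # Each record: size in 16-bit words (DWORD), function (WORD), parameters.
        size_words, func = struct.unpack_from("<IH", data, off)
        if size_words < 3:
            raise ValueError("record size below the 3-word minimum")
        end = off + size_words * 2
        if end > len(data):
            raise ValueError("record runs past end of file")
        yield func, data[off + 6:end]
        if func == META_EOF:
            return
        off = end
    raise ValueError("file ends without META_EOF")


def find_setabortproc(data: bytes):
    """Indexes of records that are META_ESCAPE with escape function SETABORTPROC."""
    hits = []
    for i, (func, params) in enumerate(parse_wmf_records(data)):
        if func == META_ESCAPE and len(params) >= 2:
            if struct.unpack_from("<H", params, 0)[0] == SETABORTPROC:
                hits.append(i)
    return hits


def classify(data: bytes) -> str:
    """'setabortproc', 'malformed' or 'clean'. Malformed files are not treated as benign."""
    try:
        return "setabortproc" if find_setabortproc(data) else "clean"
    except ValueError:
        return "malformed"


# Constructed samples -----------------------------------------------------
def _record(func: int, params: bytes) -> bytes:
    assert len(params) % 2 == 0
    return struct.pack("<IH", (6 + len(params)) // 2, func) + params


def _wmf(records: bytes, max_words: int) -> bytes:
    # META_HEADER: type, header size (words), version, file size (words),
    # object count, largest record (words), reserved.
    header = struct.pack("<HHHIHIH", 1, 9, 0x0300, (18 + len(records)) // 2, 0, max_words, 0)
    return header + records


EOF_RECORD = _record(META_EOF, b"")
BENIGN_WMF = _wmf(EOF_RECORD, 3)
# Escape record: escape function SETABORTPROC, byte count 4, four zero bytes where
# an exploit would place the address it wants called. Enough to trip the detector.
ESCAPE_RECORD = _record(META_ESCAPE, struct.pack("<HH", SETABORTPROC, 4) + b"\x00" * 4)
SUSPECT_WMF = _wmf(ESCAPE_RECORD + EOF_RECORD, 7)
PLACEABLE_HDR = struct.pack("<IHhhhhHIH", PLACEABLE_MAGIC, 0, 0, 0, 100, 100, 96, 0, 0)
SUSPECT_PLACEABLE_WMF = PLACEABLE_HDR + SUSPECT_WMF

if __name__ == "__main__":
    for name, blob in (("benign", BENIGN_WMF), ("suspect", SUSPECT_WMF)):
        print(name, classify(blob))
```

Truncated or oversized records are reported as malformed rather than clean: a file that a strict parser cannot walk is exactly the kind of input a lenient image decoder in a browser would still try to render.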
Business technology managers are facing tough challenges as data centers grow larger and more complex. More than 75% of all companies have experienced a business disruption in the past five years, including 20% who say the disruption had a serious impact on the business, according to a recent survey of data center managers.
Despite the critical nature of data center operations to business, nearly 17% reported they have no risk management plan, and less than 5% have plans that address viruses and security breaches.
The results, which were announced Tuesday at the Data Center World conference in Atlanta, are part of a survey of nearly 200 members of AFCOM, a leading association for data center managers. 'Data center professionals need to prepare for what is going on,' said Jill Eckhaus, president of AFCOM. 'If we don't prepare, companies are not going to be able to run their facilities efficiently. We are hoping we can raise awareness.'
The National Institute for Standards and Technology wants government and industry to comment by June 12 on its new draft standards for digital signatures, according to a request for comments issued today.

The draft Federal Information Processing Standard (FIPS) 186-3, Digital Signatures Standard, would replace the existing FIPS 186-2, which was first issued in 1994 and last revised in 1999.

The draft standard would improve the security of digital signatures, which rely on cryptographic keys for their algorithms.
A former security guard at a General Motors' technical center has been charged with stealing documents containing the names and Social Security numbers of about 100 GM employees and using those numbers to hack into the company's employee-vehicle database, county police said.

The ex-employee, James S. Green, of Washington Township, Mich., then sent e-mails to those employees asking them questions about their vehicles.

Green was arraigned Monday on eight counts of obtaining, possessing or transferring personal identity information, one count of using a computer to commit a crime and one count of stalking that was unrelated to the GM cases. He was released after his family posted 10% of a $50,000 bond; a probable-cause hearing will be held in a few weeks, Wickersham said.
  Fri, 17 Mar 2006 23:01:43 +0100
A new kind of denial-of-service attack has emerged that delivers a heftier blow to organizations' systems than previously seen DOS threats, according to VeriSign's security chief.

The new DOS attacks first emerged in late December and kicked into high gear in January, before dying down four weeks ago, said Ken Silva, VeriSign's chief security officer. In less than two months, 1,500 separate Internet Protocol addresses were attacked using this method, he noted.

'These attacks have been significantly larger than anything we've seen,' he said.

Under a more common DOS attack, a network of bots, or compromised PCs commandeered by remote attackers, directly inundates a victim's Web server, name server or mail server with a multitude of queries. The goal of a DOS attack is to crash the victim's system, as it tries to respond to the requests.
A laptop computer containing the names, Social Security numbers, compensation and other information for 196,000 current and former Hewlett-Packard employees was stolen a week ago, HP confirmed Wednesday.
The employees were all participants in HP's company-sponsored retirement plans administered by Fidelity Investments. Fidelity sent e-mails and letters overnight Tuesday to the retirement plan participants notifying them that the Fidelity laptop had been swiped.
"We have no indication that any of the information's been misused," Anne Crowley, a Fidelity spokeswoman, said Wednesday. "We went back and monitored activity in accounts since the theft, and we find nothing to indicate there's any unusual or suspicious activity."
  Wed, 15 Mar 2006 22:58:31 +0100
Over the past 20 years, there's been a sea change in the battle for personal privacy.
The pervasiveness of computers has resulted in the almost constant surveillance of everyone, with profound implications for our society and our freedoms. Corporations and the police are both using this new trove of surveillance data. We as a society need to understand the technological trends and discuss their implications. If we ignore the problem and leave it to the 'market,' we'll all find that we have almost no privacy left.
Most people think of surveillance in terms of police procedure: Follow that car, watch that person, listen in on his phone conversations. This kind of surveillance still occurs. But today's surveillance is more like the NSA's model, recently turned against Americans: Eavesdrop on every phone call, listening for certain keywords. It's still surveillance, but it's wholesale surveillance.
  Wed, 15 Mar 2006 22:45:29 +0100
European Data Protection Supervisor Peter Hustinx criticized governments' fondness for biometrics to identify citizens and warned that greater interoperability of databases may have serious implications for people.

In response to a recent communication by the European Union on the interoperability of several databases, including the Visa Information System and Eurodac, Hustinx issued an opinion calling for a better analysis of the data protection implications.

'Interoperability is mentioned not only in relation to the common use of large-scale IT systems but also with regard to possibilities of accessing or exchanging data, or even of merging databases,' according to the opinion. 'This is regrettable since different kinds of interoperability require different safeguards and conditions.'
  Wed, 15 Mar 2006 22:46:16 +0100
Nine out of ten Americans want their banks to monitor their online accounts for signs of suspicious behavior, much as credit card companies do now, a survey published Tuesday said.
Conducted by RSA Security, the poll also found that although consumers aren't seeing a rise in the number of phishing e-mails, they are increasingly wary of all electronic communiqués from their banks. According to the telephone survey, 79 percent said that they were less likely to respond to e-mail from their bank because of worry over phishing scams; that's up nine points from 2004, said RSA.
A solid majority of 59 percent want their banks to contact them when something fishy is found, while 73 percent think banks should boost security by moving to a stronger authentication scheme than the typical username and password.
'Consumers seem to feel comfortable with the notion of their financial institution monitoring their online activity and contacting them when something suspicious is detected, just as they've become accustomed to [the same in] credit cards,' said Chris Young, the general manager of RSA Cyota, in a statement.
  Fri, 17 Mar 2006 00:02:09 +0100
Six months after Hurricane Katrina struck, federal, state and local emergency responders still lack interoperable communications, emergency management technology experts say.

Richard Skinner, the Homeland Security Department's inspector general, told the Senate Homeland Security and Government Affairs Committee March 8 that the lack of interoperable communications equipment stymied much of the hurricane response effort.

Skinner's office will soon release a new report, “A Review of DHS' Progress in Adopting and Enforcing Equipment Standards for First Responders,” which will show that as of this month, DHS still has not adopted standards for interoperable communications equipment.

The most troubling fact is that the 2001 terrorist attacks revealed the urgent need for interoperable communications well before the 2005 hurricanes, said Herman Leonard, a professor of public management at Harvard University's Kennedy School of Government and co-chairman of its crisis management program.
  Fri, 17 Mar 2006 00:19:26 +0100
As the General Services Administration continues work on improvements to the Federal Procurement Data System—Next Generation, the agency will accept comments on the system's privacy standards through June 2, according to a notice published in today's Federal Register.

The primary purpose of the notice was to identify FPDS-NG as a records system subject to the Privacy Act of 1974 and outline the privacy policy.

FPDS-NG gives GSA a broad way to organize and present data on government contract procurement. The information is used to create reports for agencies and the public. The system maintains official statistical data on federal contracting, including information on unclassified contracts that the government considers sensitive.
  Tue, 11 Apr 2006 20:10:25 +0200
A new bill would increase port security through measures including running all cargo containers through radiation portal monitors, providing risk-based funding through a dedicated port security grant and checking all port employees with access to secure areas against terrorist watch lists, according to a press release.

The bipartisan legislation, called the Security and Accountability for Every (SAFE) Port Act, was introduced March 14. The bill has 46 co-sponsors.

“A dedicated grant program for port security will not only protect domestic assets, it will enhance international border security through measures implemented both abroad and at U.S. maritime ports of entry,” said Rep. Dan Lungren (R-Calif.), who chairs the House Homeland Security Committee's Economic Security, Infrastructure Protection and Cybersecurity subcommittee.

Lungren, one of the co-sponsors, is scheduled to hold a hearing on the legislation March 16.

  Sun, 09 Apr 2006 08:09:42 +0200
As more companies disclose information losses and data theft, information technology companies have entered the market to sell products that encrypt entire hard drives.

Those companies argue that encrypting all data on a disk is the best way to protect it from internal and external threats, including user carelessness. “It means the user can never make a mistake” that jeopardizes data security, such as putting classified material in an unclassified folder or onto a portable storage device, said Matt Pauker, co-founder of Voltage Security.

The arrival of whole-disk products marks a change in how encryption is used, experts say. Encryption traditionally focused on “data in flight” because information was more vulnerable when in transit than when it resided at its endpoints, said Kevin Brown, vice president of marketing at Decru.
  Tue, 11 Apr 2006 20:07:17 +0200
'When you have state agencies putting this stuff online, you are spoon feeding criminals valuable information,' says Betty Ostergren, a privacy activist whose husband was a victim of identity theft in 1987 and 1989. 'And they can be anywhere in the world -- an Internet cafe in Pakistan or a library in Mexico.'

The disclosure of Ohio residents' Social Security numbers on the state government's Web site highlights what many privacy experts -- and criminals -- already know: Such information is readily available to anyone with an Internet connection.

It is common for the websites of the USA's secretaries of state to contain personal information, including Social Security numbers (SSNs) and home addresses, in business statements. Besides Ohio, the data is available in New York, Florida and at least seven other states, say privacy experts who provided links to public Web sites.
A new system of protecting sensitive data while it is being transmitted over fiberoptic cables has been described by its University of Toronto inventors as “the protective equivalent of a fire-breathing dragon.”

The researchers described how they have demonstrated the first experimental proof of a quantum decoy technique to encrypt data over fiberoptic cable. In quantum cryptography, laser light particles (photons) carry complex encryption keys through fiberoptic cables, dramatically increasing the security of transmitted data. Conventional encryption is based on the assumed complexity of mathematical problems that traditional computers can solve.

But quantum cryptography is based on fundamental laws of physics - specifically, Heisenberg's Uncertainty Principle, which tells us that merely observing a quantum object alters it.

The technique varies the intensity of photons and introduces photonic 'decoys,' which were transmitted over a 15-kilometer telecommunication cable. After the signals are sent, a second broadcast tells the receiving computer which photons carried the signal and which were decoys. If a hacker tries to 'eavesdrop' on the data stream to figure out the encryption key, the mere act of eavesdropping changes the decoys - a clear sign to the receiving computer that the data has been intercepted.
  Mon, 06 Mar 2006 23:04:50 +0100
When someone attacks your company's I.T. systems, they're usually after one thing: your data. Pilfering information about employees, clients, intellectual property, or business strategy from well-guarded databases has typically been an inside job perpetrated by employees with a certain level of access to the database system. This is still the case, but databases are becoming more vulnerable to the outside world as Web-facing apps demand faster access to information and databases move closer to the network perimeter, opening them to network-based attacks.
No one is feeling the pinch of this threat more than Oracle, which commands 41% of the relational database market. The company has found itself wrestling with a growing number of security vulnerabilities not just with its databases but across its entire product line. Its most recent quarterly critical patch update release addressed 82 vulnerabilities across its database, application server, collaboration suite, E-business suite, and Enterprise Manager products, as well as products inherited from its PeopleSoft and JD Edwards acquisitions. The previous update, in October, addressed 85 vulnerabilities, the highest number since Oracle first started offering quarterly critical patch updates in January 2005.

© copyright feeds2read.net 2005-2010