California Bill Would Create Cyber Security Commission

By Christin McMeley and Jane Whang

In recognition of the increasing threat that cyber-attacks pose to the state's infrastructure and the considerable costs that government and private sectors are estimated to spend on cyber security (more than $70 billion estimated to be spent in 2014 nationally), Assembly Speaker John Perez has introduced a bill to establish a "Cyber Security Commission."

The bill (AB 2200), if passed, would authorize the proposed commission to develop public-private partnerships to share cyber security and cyber threat information and to improve cyber security and cyber response strategies. The commission is required to meet monthly and submit quarterly reports to the Governor's Office and Legislature on the status and progress of cyber security efforts.

Continue Reading...

House Subcommittee Approves Data Security Bill

By Richard Gibbs

On July 20, 2011, the House Commerce, Manufacturing and Trade subcommittee approved the Secure and Fortify Electronic (SAFE) Data Act (“SAFE Data Act” or “Act”) in a voice vote. The text of the bill is available here. The measure will now move to the full Energy and Commerce Committee for consideration. The bill would establish a national standard for when companies are required to notify consumers that their unencrypted personal information has been accessed or acquired and for notifying the Federal Trade Commission (“FTC”) and law enforcement of a security breach.

The bill applies to all persons and companies subject to the jurisdiction of the FTC and any tax-exempt organizations under Section 501(c) of the Internal Revenue Code; however, entities subject to HIPAA and Gramm-Leach-Bliley will be exempt from the Act in certain circumstances. Under the current version, only data containing personal information related to commercial activity is protected. Personal information is defined as the consumer’s name, or address or phone number, combined with one or more of the following pieces of information: social security number, government identification number (e.g., driver’s license number), or financial account identification number (if the codes or passwords needed to gain access to the financial account are included).

Continue Reading...

FTC Data Security Consent Decree Suggests Minimum Steps Companies Must Take

Posted by Ronald London

The FTC recently announced a consent decree with online retailer Life is good (www.lifeisgood.com) that offers insight into what that agency may believe are the bare minimum steps companies must take when making the kind of generic we-protect-the-information-you-give-us statements found in most privacy policies. The FTC claimed Life is good offered such reassurances but failed to have in place sufficient measures (from the FTC's view) to back them up, based on the ability of a hacker to use SQL injection attacks on Life is good’s website to access consumers' credit card numbers, expiration dates, and security codes. To resolve allegations in a draft complaint the FTC had prepared alleging unfair trade practices, Life is good settled the claims by entering a consent decree requiring it to adopt a comprehensive information-security program and obtain biennial audits by an independent third-party security professional … for the next 20 years.

Continue Reading...

Confidential Information Should Be Encrypted or Not Stored on Laptops

Posted by Randy Gainer

81% of U.S. businesses surveyed this year reported that, in the previous 12 months, at least one of their laptops or other portable electronic devices had been lost or stolen. U.S. Survey: Confidential Data at Risk, 5 Privacy & Security Law Report 1162 (2006). When a laptop is lost or stolen, unencrypted data on the computer can easily be accessed. Even if a user name and password are needed to sign on to the laptop, the hard drive can be removed in a few seconds and all data on the hard drive can be copied to another computer or to a storage device in minutes.

Continue Reading...

Breaking News: PrivSecBlog solves "Lost"!

Posted by Lance Koonce

Warning! Spoilers Ahead!

As at least 15 million regular viewers of ABC’s hit series “Lost” are aware, one of the central plotlines for the show is based on the following premise. The main characters stumble upon a mysterious “hatch” on the mysterious island upon which they have mysteriously crashed. Upon opening the hatch, they find it leads to a mysterious underground research station that is manned by a mysterious individual who has been there for at least three years performing a single, routine task: every 108 minutes, he must punch in six numbers to reset a sort of doomsday timer that is counting down to . . . well, he doesn’t know what.

Continue Reading...

Persistent Problems with Proliferating Passwords

Several months ago, Lance Koonce commented on the security problem caused by modern technology forcing us to remember too many passwords, which leads many of us to collect all the passwords and post them in an accessible location, thus defeating the security requirements.

Some of these passwords (for credit card and bank accounts) are very important; others (such as those gaining access to a listserv or reading the online New York Times) much less so. And yet they all accumulate, with nobody providing advice on prioritizing the password mess.

Continue Reading...

Lawyers' Laptops

Posted by Joseph Vance

A recent article in Law.Com discusses the security risks associated with the increased use of laptops by lawyers. Obviously, laptop security is not an issue that affects only lawyers. And it seems that, despite a pretty steady drumbeat over the last several years regarding the need to be vigilant with laptop security, the warning is going unheeded by many. (See our prior entry regarding a report of increased laptop thefts from cars in Silicon Valley.)

Continue Reading...

The Intellectual Property Protection Act of 2006

Posted by Joseph Addiego

This week it was reported that a proposed law dubbed the Intellectual Property Protection Act of 2006 is set to be introduced to Congress by Rep. Lamar Smith, who serves as the chairman of the House Subcommittee on Courts, the Internet, and Intellectual Property, which has jurisdiction over copyright law and information technology, among other things. The proposed bill aims to put more teeth into anti-piracy laws by expanding the types of punishable criminal offenses and their related penalties. For example, attempted criminal piracy, even if the attempt fails, would be a punishable offense as long as the attempt was willful. In addition, the punishment for certain criminal copyright offenses would be doubled.

Continue Reading...

Reasonable Data Retention: An Important Tool for Law Enforcement or Further Erosion on Privacy?

Posted by K.M. Das

In December 2005, the European Parliament passed a far-reaching directive requiring Internet service providers and telephone companies to retain data on every electronic message sent and phone call, including VoIP, made for six months to two years. Although ISPs and telephone companies will not be required to maintain the content of the communications, they will be required to keep data such as the time of a call, whether the call is answered or not, the times customers were connected to the Internet, their IP addresses, and other details related to e-mails and VoIP calls. The European parliament's rationale for passing the directive was to combat terrorism and serious crimes.

Continue Reading...

FDIC Security Tips

Posted by Peter Mucklestone and Stuart Louie

The Federal Deposit Insurance Corporation (FDIC) recently released an on-line multimedia education tool that consumers can use to learn how to better protect their computers and themselves from identity thieves. The presentation also features actions consumers can take if their personal information has been compromised.

Continue Reading...

RSA Report: Are Fingerprint Readers Ready for Widespread Commercial Use?

Posted by K.M. Das

K.M. is blogging from the RSAConference2006 in San Jose this week.

One of the decisions I had made on my way to the RSAConference2006 was that I was not going to post any vendor-specific remarks or reviews based on what I saw at the conference or on the Exposition floor. I had a number of reasons for this decision, not the least of which were that: (1) I simply do not know enough about the technologies to write a knowledgeable review, and (2) I would only be getting the vendors' view of the technology and not the other side of the story. But as they say about the best laid plans of men and mice . . . .

Continue Reading...

RSA Report: REAL ID -- Will It Create a De Facto National Identity System, and Will It Lead to Better Security?

Posted by K.M. Das

K.M. is blogging from the RSAConference2006 in San Jose this week.

One of the topics that is being frequently discussed at various sessions at the RSAConference2006 is the erosion of consumer confidence in e-commerce and how, if that erosion continues, it could lead to a crash of the entire e-commerce model. The need for private entities and the government to work together to reverse the trend has been repeated by numerous keynote speakers, including Art Coviello, CEO and President of RSA Security, Inc., Stratton Sclavos, CEO and President of VeriSign, Inc., and John Thompson, CEO of Symantec Corp. One of the possible solutions that speakers at the conference have pointed to is the implementation of a more robust national identification and authentication system, based perhaps on the REAL ID Act.

Continue Reading...

RSA Report: RFID -- Dead on Arrival(?)

Posted by K.M. Das

K.M. is blogging from the RSAConference2006 in San Jose this week.

The RSAConference2006 on information security had an extremely distinguished panel discussing cryptography as one of the keynote addresses on Tuesday, February 14, 2006. The panelists included Whitfield Diffie and Martin Hellman (of the Diffie-Hellman-Merkle key exchange protocol) and Ronald Rivest and Adi Shamir (the "R" and the "S" of RSA). Although the discussion ranged over a wide variety of topics, Professor Shamir made one of the most interesting announcements during his initial comments.

Continue Reading...

RSA Report: Strong Encryption -- If You Build It, They May Not Come (or It's the End of the Password as We Know It)

Posted by K.M. Das

K.M. is blogging from the RSAConference2006 in San Jose this week.

One of the themes that appears to be emerging at this year's RSAConference2006 on information security is that security protocols aimed at consumers (e.g., security at e-commerce sites and online banking) and employees (e.g., network authentication or database access) are effective only when the consumer or the employee does not find the measures inconvenient.

Continue Reading...

Data Protection 101

Posted by Merrill Baumann

Here is a nice primer on the basics that every business should think about regarding the need to adopt data protection measures.

Another helpful habit, of course, is to visit www.privsecblog.com regularly. We'll keep you informed with news and insights on the constantly-changing landscape of data protection, privacy and security law issues.

Two-Factor Identification Too Frustrating for Consumers?

Posted by Bruce Johnson

The Associated Press reports about federal efforts to require banks to demand "two-factor" identification from their customers. As Brian Wong noted recently, the Federal Financial Institutions Examination Council (FFIEC), an umbrella group that includes the Federal Reserve and the Federal Deposit Insurance Corp., has told U.S. banks to strengthen their online authentication procedures by the end of 2006.

Continue Reading...

Security or Privacy?

Posted by Lance Koonce

We don't often do this on this blog, but since Kraig and I are both attending the same conference and listening to many of the same speakers, I thought I'd comment briefly about my take on the issue Kraig just raised about the yin and yang of privacy and security. While I agree that there is a tension between the two concepts, I've always focused more on the complementary aspects: the collection of personal data gives rise to a need for security measures to protect the stored information, and security measures that require high levels of authentication may require collection of personal data in order to function.

Continue Reading...

Surprise! Electronic Voting Systems Won't Be Ready By 2006

Posted by Kraig Baker

Here's a big surprise. The GAO reports that electronic voting systems aren't likely to be sufficiently secure by the 2006 elections. According to the report, the list of vulnerabilities included everything from easily-guessed administrator passwords and voter-verified paper trail design flaws, to incorrect software installation and system failures on Election Day. Here's a link to the GAO report.

Continue Reading...

What the Bird Flu Can Teach Us About Data Security

Doesn't it sound familiar? Emerging from a country or countries where the conditions of human life are more desperate, the virus propagates throughout the globe despite local efforts to contain it, and despite efforts in as-yet-unaffected areas to put up barriers to stop it.

Continue Reading...

"Authentication in an Internet Banking Environment"

Posted by Brian Wong

On October 12, 2005, the Federal Financial Institutions Examination Council (FFIEC) issued the guidance "Authentication in an Internet Banking Environment." The FFIEC considers single-factor authentication to be "inadequate for high-risk transactions involving access to customer information or the movement of information to other parties."

Continue Reading...

U.S. District Court Orders Interior Department Computers Disconnected from the Internet Based on Security Concerns

Posted by K.M. Das

In a 205-page Memorandum Opinion, Judge Lamberth of the United States District Court for the District of Columbia blasted the lack of security of the Interior Department ("Department") computers that contain data relating to Indian Trust assets.

Continue Reading...

Spam-like Text Messages May Threaten Cellular Networks

Posted by Steve Chung

Although it hasn't happened yet, it seems inevitable that before long "[m]alicious hackers [will] take down cellular networks in large cities by inundating their popular text-messaging services with the equivalent of spam". This from the New York Times, reporting on a paper released by professors at Penn State.

Continue Reading...

If you can take it with you, someone else can take it from you

Posted by Brian Wong

Even a no-longer-cutting-edge BlackBerry or mobile phone holds enough data to be a major security breach when lost. Many devices already include password protection and automatic locks, and some software gives system administrators the ability to wirelessly transmit a command to erase data when a device is lost.

Continue Reading...

Too Many Passwords?

Posted by Lance Koonce

RSA Security today released the results of a survey of 1,700 technology end users in the United States about their password management habits. The results suggest that having to juggle multiple passwords causes users to compensate with risky security techniques such as listing passwords on post-it notes (you know who you are) or on computer spreadsheets, and also creates a drain on productivity by taxing the resources of IT help desks. Corporate requirements for frequent password changes further exacerbate the problem.

Continue Reading...

Stalemate in the Battle to Protect Against Internet Credit Card Fraud

Posted by Peter Mucklestone and Stuart Louie

High-ranking security experts at both Visa USA Inc. and MasterCard International Inc., two of the world's largest credit-card associations, have suggested that the struggle to protect against the fraudulent use of credit card and accountholder information has reached a stalemate, and that those tasked with enforcement are in danger of losing ground. According to recent data compiled by the F.B.I., in 2004 the number of internet-related credit card crimes increased by sixty-six percent (66%) and the average reported loss associated with each such incident tripled to $2,400.00.

Continue Reading...

Credit Reporting Companies to Use Coordinated Encryption Standard

Posted by Lance Koonce

Equifax, Experian and TransUnion announced today that they will each adopt a single standard for protection of data provided to them by financial institutions and merchants, in order to protect the massive quantity of sensitive data that the three companies maintain. Published reports on the coordinated effort state that it will involve "the development and adoption of a data-cloaking code built on encrypted algorithm and 128-bit, secret-key technologies."

Continue Reading...

Human Immune System as Model for Intrusion Detection

SearchSecurity.com is reporting on a novel method of fighting attacks on computer systems that borrows a page from the human body's own immune system.

Continue Reading...

What Does Sarbanes-Oxley Have To Do With Information Security?

Although it has a high profile in corporate America, the Sarbanes-Oxley Act has not been at the center of discussions about the need for corporations to adopt appropriate information security measures. However, a recent article in the August 29th, 2005 issue of the National Law Journal by well-known Chicago trade secrets lawyer R. Mark Halligan persuasively suggests that "... directors and top managers must become actively involved with intellectual asset management and information security, to avoid both civil and criminal liability under Sarbanes-Oxley and shareholder derivative suits for the breach of the fiduciary duty to adequately protect intellectual property assets," and that this represents a "sea change" in the law.

Continue Reading...

VoIP Security

Voice over Internet Protocol (VoIP) security is an emerging issue now, but it is only a matter of time before the risk rises to a level which demands action. VoIP is susceptible to the same dangers as data networks that use the Internet. At risk: any telephone conversation traveling on the company network; sensitive information; deals; strategies; and company secrets.

Continue Reading...

Cancelable Biometrics -- Outsmarting Gummy Bear Attacks and Enhancing Privacy

The Associated Press is reporting today on the use of sophisticated algorithms to alter biometric snapshots to provide an extra layer of protection against breaches of biometric authentication systems, with the added benefit of limiting the potential invasion of privacy that such systems may represent.

Continue Reading...

Google Releases Beta Version of Its Desktop 2 Search Program

On Monday, August 22, Google released a beta version of its Desktop 2 search program as a free download. Like the predecessor Desktop program, this program allows users to search their desktop as well as network folders and drives. Additionally, the beta version includes a Sidebar panel that displays information based on users' browsing habits. Sidebar not only aggregates e-mail messages from a variety of e-mail accounts, including Google's own Gmail, but it also pulls Really Simple Syndication (RSS) feeds from websites that a user has visited (assuming that website offers RSS feeds).

Continue Reading...

Philip Zimmermann Unveils Encryption for VoIP

Philip R. Zimmermann, the creator of Pretty Good Privacy ("PGP"), unveiled a prototype for encrypting data carried on VoIP (Voice over Internet Protocol) at the Black Hat Security conference in Las Vegas in late July. The prototype, called zFone, will be written in Python mainly because it is built to run on the open-source Shtoom, which is also written in Python. Currently, zFone runs on Mac OS X, and Zimmermann hopes to make the prototype available for download by the end of August.

Continue Reading...

Insiders - The Real Threat To Data Security?

The data security plans of many organizations are largely focused on technical measures to guard against efforts by outsiders to gain unauthorized access to the organization's networks, computers and data. Studies and news reports continue to show, however, that the greatest risks to most organizations' sensitive data are really internal and come from insiders - disgruntled current or former employees or contractors.

Continue Reading...

GAO Financial Institution Security Report

A Government Accountability Office report published recently found that financial market organizations still need better information security, particularly restrictions on access to their networks and systems. The report, which studied the practices of seven unnamed financial market organizations, found that all of the organizations had implemented five key elements of a sound information security program. In addition to general access restrictions, the GAO identified specific areas where security could be improved. The report is available here, and an abstract is available here.

Posted by Brian Wong

Vulnerability Testing

Companies in almost every business niche are spending unprecedented amounts of money on software and other solutions to enhance the security of their computer systems. But this recent NY Times article (subscription req'd) is another good reminder that data security requires assessment, and employee vigilance, on many different levels.

Posted by Merrill Baumann