Friday, September 12, 2008

Miscellaneous Cybercrime & Privacy Tidbits

For the last day of Global Security Week (GSW) I posted to my blog, providing a few items that relate to cybercrime that I find interesting.

Peace be with you all!

Thursday, September 11, 2008

Cyber Crime is a Real Business Issue

A recent report released by Finjan highlights that cyber crime is a growing concern for businesses of all sizes. Ninety-one percent of the 1,387 IT managers surveyed consider cyber crime a major risk to their business, with 73% saying data theft worries them more than downtime or malware infection. What is even more interesting is that 25% of those surveyed admitted to having been the victims of cyber crime.

The fact that 1 in 4 companies has been a victim of cyber crime should concern us all. Remember that no company exists in isolation: we depend on our customers, partners and vendors for our companies to survive. So even if your company has not been the direct victim of cyber crime, what exposure do you have through the companies you have close ties with? Have you clarified in contracts and SLAs who is responsible for which areas of information security and, more to the point, what disclosure mechanisms do you have in place in the event that one of your partners or vendors is the victim of cyber crime?

Maybe you should take some time to reflect on how integrated other companies are with your own, and review your incident response plan to see how best to react in the event that one of them, or indeed you, becomes the victim of cyber crime.

Today We Remember

Today is day 4 of Global Security Week (GSW). It is in memory of this sad and tragic day in 2001 that the spirit and concept of GSW was created.

This is why GSW is held during the week leading up to 9/11 each year: to reflect, remember, learn, and work to raise awareness of all security issues, to help prevent bad things of all types from occurring, and to ensure such a tragedy does not happen again.

While this year's GSW theme is cybercrime, we must always stay aware of all security issues and do what we can, and what is reasonable, to make this a safer, more secure, world. We must remember and learn from the tragedies of September 11, 2001.

I shared some of my perspectives today in my blog posting.

Wednesday, September 10, 2008

Sloppy Disposal Aids Cybercriminals

For day 3 of Global Security Week I talked a little bit about the importance of securely disposing of your papers and storage media that contain personal information...

See my post at http://www.realtime-itcompliance.com/information_security/2008/09/sloppy_disposal_aids_cybercrim.htm

Tuesday, September 9, 2008

Medical Identity Theft Is On The Rise

For day 2 of Global Security Week I want to highlight the growing worldwide problem of medical identity theft...

I blogged about this today at: http://www.realtime-itcompliance.com/identity_theft/2008/09/medical_identity_theft_is_on_t.htm.

Let me know what you think!

New Security Website Launched

As part of Global Security Week a new website has been launched to help promote awareness amongst home and business users. The Surfingsafer website provides information on a range of computer security products that are available. The site also has links to best practice and provides advice on how to protect your systems from cyber criminals. Well worth a visit, and worth letting your friends and family know about.

Many thanks to our colleagues in the United Kingdom for putting this site together.

Monday, September 8, 2008

"Police facing tough battle to tackle cybercrime"

Here's an interesting article about cybercrime to kick off our Global Security Week...

"Police facing tough battle to tackle cybercrime"

The statement from the article, “Law enforcement agencies are being swamped and there are not sufficient resources to cope with it” was quoted from a police officer in the U.K., but I think this is the situation worldwide.

Wednesday, September 3, 2008

Romania to Host Cyber Crime Seminar

The IT Board in Romania will be hosting a seminar on Thursday the 11th of September on the topic of Cyber Crime. The agenda is as follows:

14:00-14:45 - Cybercrime - Why us? - Victor Constantinescu, MVP Security
14:45-15:30 - Viruses and spam: the current situation and possible directions of evolution - Bogdan Morosan, CISSP
15:30-16:00 - Break
16:00-16:45 - System Security Management in Windows 2008 - Andrei Ionut-Pop
16:45-17:30 - Botnets & Phishing - Victor Constantinescu, MVP Security

Entrance is free and the event will be hosted at the Microsoft Global Technical Support Center (GTSC), Str. Tudor Arghezi 8-10, Unimed Center, floor 2.

Registration link: http://itboard.ro/forums/thread/25202.aspx

5 Easy Things To Do for Global Security Week, September 8 - 12

Have you planned to do anything for Global Security Week? It's not that far away!

If you need some examples to get you started thinking about what you could do, I have a lot to share! :)

Yesterday I provided on my blog 5 easy things for organizations to do for Global Security Week. Got other ideas? Please share them!

Friday, August 29, 2008

Belgium to host Information Security Economics seminar

The Leaders in Security group (LSEC) will be hosting a seminar on Information Security Economics in Belgium as part of Global Security Week 2008.

It looks to be a very interesting seminar.

Below are some of the details but more are available at LSEC's Site.

Introduction
A recent paper by our partner KTN Cybersecurity in the UK summarised the current state of research on the economics of information security. During this seminar, LSEC wants to support the development of information security professionals and experts by providing them with a number of basics on the organisation of their information security projects.

During this seminar, the focus will not be on technology sales, but on principles that help build an understanding of the economic drivers behind information security technologies and projects. The seminar is part of LSEC’s contribution to Global Security Week in Belgium, and part of its effort to raise awareness, at all levels and throughout the business community, of the need for information security. The afternoon seminar includes a workshop intended as an interactive session to discuss past, current and future challenges in your organisation in getting your project to the next successful level.

Preliminary Program
The following speakers have been invited to participate during this seminar :

Afternoon Seminar :
13.00 : Welcome & Registration, Sandwich Lunch offered by LSEC and its partners

14.00 : Introduction : Global Security Week and Information Security Economics - Setting the program and defining the outline : Ulrich Seldeslachts, CEO LSEC
14.10 : Keynote : Summary of the Information Security Economics workshop of the KTN - David Pym, HP Labs, Principal Scientist
About David Pym: David Pym is Principal Scientist in the Systems Security Lab (SSL) at HP Labs, Bristol (HPLB) and Professor of Logic & Computation at the University of Bath, where he has led the development of the Mathematical Foundations research group. Prior to joining HP Labs’ permanent staff, he was a Royal Society Industry Fellow at HPLB. Prior to moving to Bath, he was Professor of Logic at the University of London, where he also held an EPSRC Advanced Fellowship. In SSL, he works on mathematical systems and security modelling, using algebraic, logical and stochastic techniques, and on services science. He leads an HP Labs project, ‘Trust Economics’, on systems and security modelling and the economics of information security. Degrees: MA in mathematics (King’s College, Cambridge), PhD in mathematical theory of computation (University of Edinburgh); FBCS, CITP, FIMA, CMath, CSci.

16.00 Coffee Break & Networking
16.30 Georges Attaya, Professor - Solvay Business School : Information Security as part of Information Management Business Drivers
17.30 Richard Clayton, Department of Computer Sciences - Cambridge University: Emerging threats in the European Union and economical impacts
18.30 Panel Discussion :
  • Experiences and best practices in getting your plan and project presented to management
  • Benchmarking and metrics
  • Return on investment principles
  • Security management: standalone or integrated in wider risk management, IT management, ...
19.00 : Reception & Networking

20.00 : Close of Seminar

Practical Details
Tuesday September 8th, Leuven - LSEC HQ - KU Leuven, ESAT - COSIC; Kasteelpark 10 - 3001 Heverlee 13h - 20h

Thursday, August 28, 2008

Cyber Crime Conference in Dublin

Global Security Week, in conjunction with BH Consulting and VigiTrust , is pleased to announce a seminar on the theme of “Cyber Crime – Don’t Become a Victim” to be held on the 10th of September 2008.

The theme this year is intended to highlight how businesses and individuals can become victims of Cyber Crime and what steps they can take to protect themselves from this rapidly growing crime. In light of recent criminal attacks against various organisations in Ireland, the seminar could not be more timely.

A number of key speakers will present on the topic, including members of the Garda Bureau of Fraud Investigation and industry experts in the field of information security and cybercrime.

A panel discussion will follow, whereby the speakers will answer questions from the audience.

Location
The seminar will be hosted at Jurys Croke Park on Wednesday the 10th of September from 2:00 p.m.

Registration
Registration is free and open to anyone concerned with Cyber Crime. Places can be booked by contacting Brian Honan on 01-4404065 or emailing brian@globalsecurityweek.com or Mathieu Gorge on 01-4100864, Mathieu@globalsecurityweek.com

Monday, August 11, 2008

Latest Cybercrime News

Below please find the latest roundup of Cybercrime news:

Irish Credit card security breach linked to retailers
http://www.irishtimes.com/newspaper/finance/2008/0809/1218206296671.html
http://www.independent.ie/national-news/bitter-employee-suspected-in-foiled-credit-card-racket-1450787.html

Bank of America laptop stolen; customer data compromised
http://www.recordonline.com/apps/pbcs.dll/article?AID=/20080807/BIZ/80807021

Sen. Wiggins’ e-mail hacked
http://www.napavalleyregister.com/articles/2008/08/09/news/local/doc489d1970b9039707342120.txt

Hacker nabbed after customer data stolen
http://www.cyprus-mail.com/news/main.php?id=40774&cat_id=1

Irish Government data breach slammed as ‘serious incident’
http://www.rte.ie/news/2008/0811/data.html
http://www.irishtimes.com/newspaper/breaking/2008/0811/breaking25.htm
http://www.breakingnews.ie/ireland/mhqlmhcwaukf/

BBC confirms personal details stolen
http://www.scmagazineuk.com/BBC-confirms-personal-details-stolen/article/113625/
http://www.vnunet.com/vnunet/news/2223662/bbc-partner-loses-children-data
http://www.timesonline.co.uk/tol/news/uk/article4481621.ece

New SQL attacks emerge
http://www.vnunet.com/vnunet/news/2223618/sql-attacks-emerge

Dublin open to cyber muggers
http://www.thepost.ie/ezineSBP/story.asp?storyid=35087

Dutch police notify botnet victims
http://www.computerworlduk.com/management/security/cybercrime/news/index.cfm?NewsId=10427

Online social networking sites are hacker playgrounds
http://news.smh.com.au/technology/online-social-networking-sites-are-hacker-playgrounds-20080808-3s3e.html

Hi-tech thieves target Olympics
http://news.bbc.co.uk/2/hi/technology/7548870.stm

We Have a Winner

Thank you to everyone who entered this year's logo competition. This year saw the largest number of entries ever as people based their logo on this year's theme of "Cybercrime - Don't Become a Victim". Demonstrating that quantity need not come at the expense of quality, the judging panel had its toughest job to date in selecting a winner. Eventually we agreed on our winning logo, which was designed by Noe Yaqien from Indonesia. Well done to Noe and thank you to all those who entered the competition.

Thursday, August 7, 2008

Latest Roundup of Cyber Crime News

US cracks 'biggest ID fraud case'
http://www.siliconrepublic.com/news/article/11155/cio/major-hacking-ring-exposed-in-us-40-million-cards-stolen
http://www.nytimes.com/2008/08/06/business/06theft.html?hp=&adxnnl=1&adxnnlx=1217970104-2wcxADUSZSouBmsqMtOaxQ
http://news.bbc.co.uk/2/hi/business/7544083.stm
http://www.informationweek.com/shared/printableArticle.jhtml?articleID=209903401
http://today.reuters.co.uk/news/newsArticle.aspx?type=internetNews&storyID=2008-08-05T220538Z_01_N05334493_RTRIDST_0_OUKIN-UK-TJX-THEFT-CHARGES.XML
http://www.arnnet.com.au/index.php/id;583735157;fp;4;fpid;1382389953
http://technology.timesonline.co.uk/tol/news/world/us_and_americas/article4468114.ece
http://news.smh.com.au/technology/11-charged-in-connection-with-credit-card-fraud-20080806-3qmb.html
http://www.theregister.co.uk/2008/08/06/id_fraud_hacking_case/
http://www.vnunet.com/computing/news/2223347/eleven-charged-huge-identity

UK's lax wireless security threatens TJX-style hack
http://news.zdnet.co.uk/security/0,1000000189,39458164,00.htm
http://www.silicon.com/retailandleisure/0,3800011842,39268402,00.htm
http://technology.timesonline.co.uk/tol/news/tech_and_web/article4473266.ece

Credit card cybertheft will still 'flourish' say experts
http://www.nzherald.co.nz/feature/story.cfm?c_id=1501832&objectid=10525784

Russian Gang Hijacking PCs in Vast Scheme
http://www.nytimes.com/2008/08/06/technology/06hack.html?_r=1&oref=slogin

Google Sites exploited to bypass spam filters
http://www.zdnetasia.com/news/security/0,39044215,62044570,00.htm

Online Threats Cost Consumers $8.5 Billion Over Last Two Years
http://www.informationweek.com/shared/printableArticle.jhtml?articleID=209901659

Hi-tech criminals target Twitter
http://news.bbc.co.uk/2/hi/technology/7543014.stm
http://www.scmagazineuk.com/Blog-site-hit-by-fake-downloads/article/113391/
http://www.theregister.co.uk/2008/08/05/twitter_trojan/

Webcam hacker-ogler jailed for four years
http://www.theregister.co.uk/2008/08/05/webcam_hacker_jailed/

Rogue trader's apprentice under investigation
http://www.theregister.co.uk/2008/08/04/assistant_of_jerome_kerviel_preliminary_charges/
Feds accuse bank insider of massive data heist
http://www.theregister.co.uk/2008/08/04/countrywide_data_heist/

Dutch botnet herders arrested
http://www.theregister.co.uk/2008/08/04/dutch_botnet_herders_arrested/

US Senate polishes new teeth for cyber cops
http://www.theregister.co.uk/2008/08/01/senate_cyber_crime_bill/

British fraud ran Beijing ticket scam
http://www.smh.com.au/news/web/british-fraud-ran-beijing-ticket-scam/2008/08/06/1217702097417.html
http://today.reuters.co.uk/news/articlenews.aspx?type=internetNews&storyID=2008-08-04T073345Z_01_PEK255628_RTRIDST_0_OUKIN-UK-OLYMPICS-TICKETS-SCAM.XML&archived=False
http://www.vnunet.com/vnunet/news/2223350/phishing-attack-hits-beijing-olympics

Lonely hearts warned of 'money mules' scam
http://www.smh.com.au/news/web/lonely-hearts-warned-of-money-mules-scam/2008/08/06/1217702096786.html

Data for over 190,000 at risk
http://www.chicagotribune.com/business/dp-biz_dataloss_0806aug06,0,4148457.story

Security oversight may have enabled Countrywide breach
http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9111587&intsrc=news_ts_head

ID thefts at England Air Force bases total $70G
http://www.stripes.com/article.asp?section=104&article=56604

CNET site compromised by malware
http://www.vnunet.com/vnunet/news/2223412/cnet-site-compromised-malware

Malware writers go for your gold during the Olympics
http://www.vnunet.com/vnunet/news/2223416/malware-writers-juice-olympics

Protesters hack into Olympics website
http://www.smh.com.au/news/web/protesters-hack-into-olympics-website/2008/08/07/1217702199030.html
http://www.nzherald.co.nz/section/story.cfm?c_id=5&objectid=10525779

Spam attacks 'quadrupled in just three months'
http://www.scmagazineuk.com/Spam-attacks-quadrupled-in-just-three-months/article/113492/
http://www.vnunet.com/vnunet/news/2223406/spam-150bn-messages-day

Hacker jailed for accessing colleague's personal emails
http://www.vnunet.com/computing/news/2223378/hacker-prosecuted-accessing
http://www.theregister.co.uk/2008/08/06/spanish_email_hacker_jailed/

Security breach at S&K Menswear website: The Real Deal
http://www.9wsyr.com/content/news/real_deal/story.aspx?content_id=554e9769-330e-47c6-92e2-3b908a276988

Friday, August 1, 2008

Latest Cyber Crime news

Here is a roundup of the latest news relating to cyber crime:

British Hacker vows to fight extradition
http://news.bbc.co.uk/2/hi/uk_news/7533916.stm
http://www.heise.de/english/newsticker/news/113593
http://management.silicon.com/government/0,39024677,39266041,00.htm
http://technology.timesonline.co.uk/tol/news/uk/crime/article4428270.ece
http://www.cnn.com/2008/WORLD/europe/07/30/uk.hacker.ap/index.html

Online threats materializing faster, study shows
http://news.smh.com.au/technology/online-threats-materializing-faster-study-shows-20080729-3mhx.html

Stolen e-passports 'worth millions' on black market
http://www.zdnetasia.com/news/security/0,39044215,62044350,00.htm
http://www.silicon.com/publicsector/0,3800010403,39265475,00.htm

Web browsers become tools for criminals
http://www.heise.de/english/newsticker/news/113592

Stolen laptop had Busch employees' personal info
http://www.dailypress.com/news/dp-local_busch_0729jul29,0,6332846.story

Game Over for Neosploit?
http://securitywatch.eweek.com/exploits_and_attacks/game_over_for_neosploit.html
http://www.theregister.co.uk/2008/07/30/neosploit_calls_it_quits/

California Man's Computer Used to Send Bomb Threat in India
http://blog.wired.com/27bstroke6/2008/07/california-mans.html

FBI warns of new Storm worm variant
http://www.zdnetasia.com/news/security/0,39044215,62044355,00.htm

Numbers: Botnets Account for 25% of Click Fraud
http://www.csoonline.com/article/439025/Numbers_Botnets_Account_for_of_Click_Fraud?contentId=439025&slug=&source=nlt_csoupdate

Thieves steal Vancouver client information from TD bank
http://www.canada.com/vancouversun/news/business/story.html?id=d11109e2-223a-4133-a931-6b46e869fbd3

Huge rise in fraud against UK banks
http://www.vnunet.com/vnunet/news/2222850/fraud-against-uk-banks-rise-kpmg

Security researchers 'aiding' cyber-crooks
http://www.zdnetasia.com/news/security/0,39044215,62044358,00.htm
http://www.vnunet.com/vnunet/news/2222896/security-researchers-aiding-crooks

Phishing Kits Widely Compromised To Steal From Phishers
http://www.informationweek.com/shared/printableArticle.jhtml?articleID=209900688

Most Malicious Code Launched From Legitimate Web Sites
http://www.informationweek.com/shared/printableArticle.jhtml?articleID=209800526
http://www.theregister.co.uk/2008/07/30/websense_high_profile_website_malware_survey/
http://www.vnunet.com/vnunet/news/2222890/legit-sites-host-malware-report

Bank robbing computer hackers caught in Hungary
http://www.realdeal.hu/20080731/hungarian-customs-zeroes-in-on-bankrobbing-computer-hackers

Saturday, July 26, 2008

Latest Cyber Crime News

Here is a roundup of the latest news relating to cyber crime:

Server containing sensitive information was stolen from Veterans Home
http://www.startribune.com/local/25623519.html?location_refer=Homepage:latestNews:4

HR directors targeted as computer hackers seek staff data
http://www.personneltoday.com/articles/2008/07/18/46772/hr-directors-targeted-as-computer-hackers-seek-staff-data.html

eBay auction fraudster jailed for four years
http://www.theregister.co.uk/2008/07/24/ebay_auction_fraudster/

Romanian phisher confesses to scam targeting financial giants
http://www.theregister.co.uk/2008/07/23/romanian_phisher_guilty_plea/

Computer fraud, damages triple for S'pore companies
http://www.zdnetasia.com/news/security/0,39044215,62044143,00.htm

'Spam King' Escapes From Prison
http://www.informationweek.com/shared/printableArticle.jhtml?articleID=209600539
http://www.smh.com.au/news/technology/spam-king-escapes-from-jail/2008/07/23/1216492492843.html
http://www.theregister.co.uk/2008/07/22/convicted_spammer_escapes/

Southeast London is card fraud cesspool
http://www.theregister.co.uk/2008/07/24/card_fraud_hotspots/
http://www.vnunet.com/vnunet/news/2222452/credit-card-fraud-uk
http://www.silicon.com/financialservices/0,3800010322,39263794,00.htm

E-gold execs plead guilty in money-laundering case
http://news.zdnet.co.uk/security/0,1000000189,39451568,00.htm

Spam king to spend almost four years behind bars
http://www.heise.de/english/newsticker/news/113279
http://www.scmagazineuk.com/End-of-reign-for-jailed-spam-king/article/112780/
http://www.theregister.co.uk/2008/07/23/soloway_sentenced/

New York threatens Comcast over child porn
http://www.vnunet.com/vnunet/news/2222373/york-threatens-comcast-child-porn

Internal security threats multiply
http://www.gcn.com/online/vol1_no1/46705-1.html

Philadelphia TV Anchor Accused Of Hacking Rival's E-mail
http://www.informationweek.com/news/security/privacy/showArticle.jhtml?articleID=209400773

Stolen tape puts Bristol-Myers employee data at risk
http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9110485

Friday, July 18, 2008

Logo Competition Launched

As announced earlier this week the theme for the 4th Global Security Week security awareness event is “Cybercrime - Don’t become a victim” and we need your help, especially if you have an artistic flair.

We are running a competition where you get to design the logo for this year’s Global Security Week. The winning logo should be based on this year’s theme and should be an original design. A full list of the rules is available on the Global Security Week website.

If you win, your logo will be used on all the material relating to Global Security Week, such as the website, the blog and any publications such as posters and brochures. So this is your chance to get global recognition for your talents. There will also be a prize of a $100 Amazon.com gift voucher for the lucky winner.

So get out your smocks, your easels or just fire up MS Paint and get drawing. The closing date for the competition is Friday the 1st of August 2008.

Rebecca Herold has announced the competition on her blog and Brian Honan has announced it on his so there should be some stiff competition this year.

Remember the closing date is Friday the 1st of August 2008.

Tuesday, July 15, 2008

Global Security Week 2008 Launched

We are happy to launch the 4th annual Global Security Week. This year's event will run from September 8th to 14th 2008 with this year’s theme being “Cybercrime – Don’t Become a Victim”.

The concept of a Global Security Week is simple yet vitally important. Commercial and governmental organisations are investing heavily in technical security controls but the security problems caused by people remain largely unaddressed. Global Security Week promotes activities around the globe to raise the general public’s awareness of security matters. By coordinating, encouraging and publicising a wide variety of simultaneous security-related awareness activities and events worldwide, Global Security Week leverages media coverage of individual activities for the benefit of all participants.

It is no coincidence that Global Security Week runs through September 11th annually, since both physical and information security aspects are important. Against a backdrop of global terrorism and organised crime, security in general, and information security in particular, has become a vitally-important sociological and business issue:
  • Aside from terrorist atrocities, natural disasters such as the earthquake in China and typhoon in Myanmar are indiscriminate, impacting individuals and organisations that were simply going about their daily lives and business. Knowing what to do, if not actually being prepared for such situations, can literally make the difference between life and death for people, and survival or bankruptcy for corporations. Security awareness is part of the solution.
  • All Internet users are part of a mutually dependent global community. It is in everyone's interest to secure their own computer systems and be a good neighbour on the web. We all face the threats of spam, malware, phishing, hackers, intellectual property theft, cyber-terrorism, cyber-extortion and fraud. All of us need to take responsibility for implementing suitable information security measures to protect privacy and to avoid being part of the problem.

Those interested in participating in Global Security Week are asked to register at http://www.globalsecurityweek.com. Involvement is welcomed from individuals, groups or companies wishing to participate by organising security awareness activities during the week, and encouraging links to the global campaign using free promotional images. Global Security Week will gladly promote these activities on the Global Security Week website free of charge.

Wednesday, September 12, 2007

Thank You

To all of those who took part in this year's Global Security Week we wish to thank you all. Whether you ran workshops, seminars, gave presentations or simply promoted this year's theme of "Privacy in the 21st Century" we are extremely grateful for your cooperation.

This year has been a great success for Global Security Week as we reached out and helped more people and organisations become more aware of the security issues we face in a modern society.

Let's not waste the good work that has been done in this year's event; let's build upon it throughout the coming weeks, months and years. And while this year's Global Security Week comes to an end, let's look forward to next year and make it even more successful.

Please feel free to contact us if you wish to become involved in the committee or to participate in next year's event.

Thank you
The Global Security Week team

Friday, September 7, 2007

Has your privacy been compromised?

I stumbled across SSNBreach.org today - a Website dedicated to capturing personally identifiable information exposed on the Internet and storing (a sanitized version of) it in a searchable database.

Don't worry if that's all Greek to you, simply visit the site and enter your name. If you are surprised to find a breach record under your name in association with an organization that quite possibly holds personal data about you, it's maybe a good idea to contact them for further details.

Unfortunately, though, if your name does NOT pull up any breach records at SSNBreach, you're still not safe - the site claims to have amassed a quarter of a million breach records so far but according to the Privacy Rights Clearinghouse, there have been nearly 166 MILLION personal records breached since January 2005, and that number only includes the major incidents. Individuals whose PCs have been infected with personal-data-stealing spyware/Trojans are not fully included in any reliable statistics since there is no way of knowing the true number.

Thursday, September 6, 2007

Would You Like Some Privacy with Your Pizza

The American Civil Liberties Union has a very humorous yet very thought-provoking Flash movie demonstrating the impact the erosion of our privacy could have.

Enjoy

Brian

Genetic privacy

A senior judge has called for the entire British population, including visitors to the country, to be DNA fingerprinted to aid in crime detection.

To many this is just a 'natural next step' for the DNA fingerprinting technology which has proven its worth in solving thousands, perhaps millions of crimes since it was invented in the mid-1980s. Back then, I was doing my PhD in the Genetics Department at Leicester University where it all started. I was working on a different project, just helping occasionally with a bit of IT programming and support for Professor Alec Jeffreys' research team. There was a real buzz to the place. We talked at the time about DNA fingerprinting people at birth in order to be able to trace criminals from tiny traces of DNA so often left at the scenes of crime. These days, the ability for victims of identity theft to confirm their true identities unambiguously, and for the authorities to prove that identity thieves are using bogus identities, would be fabulous, right?

But in the labs we also talked about some of the privacy and human rights issues that population-wide DNA fingerprinting would raise, like for example the effect on life insurance. Insurers would welcome the opportunity to select customers according to their risk of genetically-linked diseases - not just the obvious ones like Down's Syndrome but things such as predispositions to morbid obesity, heart disease or cancer. The human genome project has already characterised a number of 'disease' genes down to the level of their DNA sequences and I gather work is under way to identify the effects of the "junk DNA" between genes, the very regions that DNA fingerprinting uses. As more information of this nature becomes available, we face difficult questions. Should insurers be allowed to insist on DNA testing their customers, in order to manage their risks and (the argument goes) reduce premiums for fit and healthy people? Should health professionals have the same right, in order to detect and start managing diseases like cancer even before the patient is aware? If DNA is gathered and tested for one purpose (such as crime detection), can the same information be used for other purposes (such as genetic disease detection)?

Protecting the integrity of DNA data is already a serious issue for Police forces and crime labs. There are rigorous processes in place to validate the identity of each person providing evidential saliva or blood samples, and to prevent the samples being mixed-up with others during the collection and testing processes. Multiple samples are taken: one or more for testing and one or more to keep as a reference in case of legal dispute (in much the same way that forensic analysis of a PC involves taking one or more forensically sound full read-only copies of the hard drive for analysis, then placing the original drive back in a safe as a potential reference point). Protecting the confidentiality of the samples and the analytical data (including electronic files) is presumably part of the standard processes for securing evidence.
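The digital half of that analogy (acquire an image, hash it against the original, seal one copy as a reference and work only on another) as an added shell example; this is not code from the original post. A plain file stands in for the seized drive so it runs anywhere, and the paths, file names and 64 KiB size are constructed for the demo. It relies only on dd, sha256sum (or shasum on BSD/macOS), chmod and mktemp.

```shell
#!/bin/sh
# Added example, not code from the original post: the "copy, hash, set the original
# aside" evidence workflow the post compares DNA sample handling to. A plain file stands
# in for the seized drive so this runs anywhere; all paths and sizes are constructed.
set -eu

# SHA-256 of a file, portable across GNU coreutils and BSD/macOS.
hash_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# Bit-for-bit acquisition of SRC ($1) into IMG ($2) with dd. On real media you would add
# conv=noerror,sync to continue past unreadable sectors (zero-padding them, which then
# has to be documented) and image through a write blocker so SRC cannot be altered.
acquire() {
    dd if="$1" of="$2" bs=4096 2>/dev/null
}

# Acquisition check: source and image must hash identically or the image is not evidence.
verify_image() {
    [ "$(hash_of "$1")" = "$(hash_of "$2")" ]
}

# Seal the reference copy: record its hash alongside it and make the file read-only.
seal_reference() {
    hash_of "$1" > "$1.sha256"
    chmod 0444 "$1"
}

# Re-verify a sealed copy against its recorded hash (done whenever it is produced in dispute).
check_seal() {
    [ "$(hash_of "$1")" = "$(cat "$1.sha256")" ]
}

# End-to-end run on a constructed 64 KiB "drive". Exit status 0 means every step held.
run_demo() {
    work=$(mktemp -d) || return 1
    drive="$work/seized-drive"             # constructed stand-in for the original media
    dd if=/dev/urandom of="$drive" bs=4096 count=16 2>/dev/null || return 1

    acquire "$drive" "$work/reference.dd" || return 1   # copy that goes in the safe
    acquire "$drive" "$work/working.dd"   || return 1   # copy the analyst works on
    verify_image "$drive" "$work/reference.dd" || return 1
    verify_image "$drive" "$work/working.dd"   || return 1
    seal_reference "$work/reference.dd"        || return 1

    # Analysis touches only the working copy; the sealed reference must stay intact.
    printf 'analyst note\n' >> "$work/working.dd"
    check_seal "$work/reference.dd" || return 1
    if verify_image "$work/reference.dd" "$work/working.dd"; then return 1; fi

    # A tampered reference must fail its seal check.
    chmod 0644 "$work/reference.dd"
    printf 'x' >> "$work/reference.dd"
    if check_seal "$work/reference.dd"; then return 1; fi

    rm -rf "$work"
    return 0
}

run_demo
```

The recorded hash sits beside the reference copy here for brevity; in practice it belongs in the case notes or a signed log, since anyone who can alter the image can usually alter a file next to it. Likewise the read-only bit guards against accident, not an adversary: a write blocker between the analyst and the original media is what keeps the source from changing.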

So, back to the story: there are genuine civil liberties issues to be discussed around crime detection and personal privacy. Let's hope the discussion reaches sound conclusions before the key public policy decisions are taken. The technology is already available. We need to catch up.

Third Pfizer data breach disclosure since June

Personal data on more than 34,000 Pfizer workers have been exposed when a former employee downloaded the information from a Pfizer computer.
"The incident occurred sometime late last year but was discovered by Pfizer on 10 July, according to Pfizer spokeswoman Shreya Prudlo. The company started notifying individuals of the breach on 24 August - more than six weeks after learning of the incident."
Source: Computer Weekly

Pfizer and its employees are having a bad year. This is the third such breach disclosed by Pfizer this year. An employee's spouse accessed over 17,000 employees' data using file-sharing software on a company computer in June, and in July, two laptops containing confidential employee and proprietary data were stolen from a contractor's vehicle.
According to Dark Reading, "A Pfizer spokesman called the breaches 'three separate and distinct incidences' that bear no relationship to each other."

Comments invited on NZ privacy breach guidelines

The New Zealand Privacy Commissioner is inviting comments on a draft guideline on reporting privacy breaches. As a guideline, compliance will presumably be optional and it seems to be slanted at NZ government departments and agencies.

I believe similar disclosure rules in much of the US tend to be mandated by law and apply across the board to any private or public-sector organization that fails to prevent unauthorized disclosure of personal data (Rebecca knows more!). They appear to have been very successful in naming and shaming organizations that suffer privacy breaches, and I suspect have caused many organizations to review and update their privacy/information security controls in order to avoid adverse publicity of this kind. However, some of the named-and-shamed argue that the disclosure and publicity are unwarranted if there is no actual evidence of identity theft or related incidents arising from the disclosures, such as when a thief steals a laptop that happens to contain personal data and the laptop is soon recovered. My feeling is that if they had used suitable hard disk encryption, they probably would not have had to disclose the breach since the data would have been secure. Even better, if they had applied adequate physical controls, or not put personal data at risk in this way by keeping them off laptops and portable media, there would have been nothing to disclose!

Perhaps you sympathise with CSO Magazine's comments on the US breach laws?

Submit your comments on the guidelines by September 28th.

Wednesday, September 5, 2007

Dublin Seminar a Success

Today's Global Security Week seminar held in Dublin was a resounding success. We had excellent keynote speakers:

  • Tony Delaney, Assistant Commissioner, Office of the Data Protection Commissioner
  • Caspar Bowden, Chief Privacy Advisor EMEA, Microsoft

The occasion was also used to call on the Irish Government to implement Data Security Breach Disclosure Laws in Ireland.

Copies of the presentation will be made available on the Global Security Week Website over the coming days.

Brian

Calculating the Cost of a Security Breach

One of the challenges facing many security professionals is justifying the cost of implementing security controls, procedures and supporting technologies. The Privacy Breach Impact Calculator from InformationShield could be used to help you estimate the costs of a privacy breach, i.e. where personal data for clients could be exposed. While the tool is focused primarily on the US market and is used to promote the company's products, it might be of some use in determining the potential € impact of a breach. This could help you provide objective rather than subjective data for your risk assessments, or for justifying the purchase of a solution.

Brian

Breach Notice Laws; Definitely A 21st Century Privacy Issue!

I recently updated my U.S. "State Breach Notification Laws" document.

There are many different listings of these U.S. laws out on various sites, but the ones I find always seem to leave out some of the states. So I've been maintaining my own simple listing to make it easier to see the names/numbers of each law for each U.S. state along with the corresponding effective dates.

U.S. state breach notice laws truly are a unique 21st century privacy issue! There were not any other breach notice laws in the previous century that I'm aware of. Many other countries, such as Canada and Japan, are also now considering passage of privacy breach notice laws.

It makes sense that people should be notified when a company loses their customers' or employees' personally identifiable information (PII), or identifies that PII has been stolen, inappropriately used, or accessed by unauthorized people.

People need to know if someone is potentially doing bad things with their PII so they can try and defend against those bad things as best they can. Of course, the organization experiencing the breach should assist with this risk mitigation.

It's really too bad, when you think about it, that laws must exist to make organizations do the right thing and notify individuals of their privacy breaches. That should just be a matter of doing good business.

The 39 current U.S. breach notice laws highlight the raised public awareness of privacy issues and emphasize the need for organizations to protect the PII with which they've been entrusted. Your customers expect it.

The breach notice laws are a very good representation of how privacy in the 21st century is a hotter topic now than ever before for businesses to address.

Tuesday, September 4, 2007

A case study in writing policy documents?

The UK's Driver and Vehicle Licensing Agency (DVLA) holds vehicle registration data on all vehicles licensed to use the public highways, plus their owners (and keepers where different). Under the Data Protection Act (DPA), names and addresses are classified as personal information, therefore the DVLA has a legal obligation to secure the data and prevent its unauthorized disclosure. Certain disclosures are automatically authorized under the DPA, such as for use to prevent serious crimes - hence the Police can legitimately find out the name and address of the owner/keeper of a vehicle involved in a serious road traffic offence, and insurance companies can obtain and share personal information to reduce insurance fraud.

So what happens if, say, an ordinary member of the public calls DVLA to obtain the owner/keeper's details for a vehicle parked across their drive or on their land? The Information Commissioner's Office has published a guidance note explaining that, under some such circumstances, the disclosure of personal information by DVLA to the public is permitted.

OK, so what's the situation if, say, a jealous husband sees his wife getting out of a strange car and wants to know who owns that car? Is it OK for a private investigator to obtain the information on behalf of the husband? What about nosey neighbours keeping tabs on everyone in the street and asking DVLA for details? Situations like this would (presumably) not be classed as legitimate disclosures, but as anyone who has written such guidance will confirm, finding the right form of words to say so in an official guidance document is not easy. Take a look at the note to see how they address this issue, and think about the similarities to drafting corporate security policies. The note summarizes the legal criteria for disclosure but then essentially says other disclosures are permitted where there is a reasonable, legitimate-sounding reason, in other words the DVLA has some discretion. It gives some examples and concludes with a warning that trying to obtain personal information under false pretences is against the law. The note is only about two sides long and is written in plain, readable language.

Report of Privacy Attitudes in Australia Highlights The Need for Privacy Trust

The Office of the Federal Privacy Commissioner of Australia released the report "Community Attitudes to Privacy" on August 28.

It reveals some interesting findings and statistics. A few to note:
  • 90% of Australians are concerned about how businesses send personally identifiable information (PII) to other countries
  • 60% are concerned about identity theft
  • 45% believe the Internet is the most likely venue for identity fraud and theft
  • 73% believe the government is trustworthy
  • 58% believe financial institutions properly protect PII

How do your customers and consumers view your organization's privacy practices? Do you build trust by communicating your privacy policies and providing ongoing privacy communications?

Bad Privacy Practices = Lost Trust = Lost Customers

This is a good week to start an ongoing habit of building that trust!

The conflict between personal privacy and the public good

In the wake of a US government report on the Virginia Tech massacre, the privacy commissioner in British Columbia, Canada, confirmed that universities can share confidential medical records about troubled students if there is a perceived threat to public safety. According to the US report, schools, doctors and police often do not share information about dangerous students because of complicated, overlapping (and potentially conflicting) laws. Guidance has already been released on the interpretation of FERPA (Family Educational Rights and Privacy Act) and HIPAA (Health Insurance Portability and Accountability Act) rules under such circumstances.

Conflicts of this nature are not uncommon, such as the issues that arise when sensitive personal (or indeed proprietary) information originally provided to some government department in confidence gets released under the Freedom of Information Act, or is published as a matter of public record. In days gone by, "publication" generally meant releasing a weighty printed report that would sit in the public records office gathering dust. In the 21st Century, "publication" has come to mean "made available to anyone, anywhere in the world, via the Internet, in milliseconds". Google's robots will happily crawl most anything on the Web and serve up millions of juicy URLs to anyone curious enough to search for the right keywords.

Google itself acknowledges privacy concerns about its services in this video, published a few days ago.

Privacy breach disclosure delay creates bad publicity

Does your organization have a policy on promptly informing those affected by privacy incidents and, where necessary, disclosing breaches to the proper authorities? If not, a privacy incident at Johns Hopkins Hospital might make you think again:
"A desktop computer containing the personal information of 5,783 patients was stolen from Johns Hopkins Hospital in mid-July, and the hospital waited more than five weeks to inform the patients or their families of the theft. The computer, taken from an "administrative work area" in a building on Johns Hopkins' main campus the night of July 15, contained patients' names, Social Security numbers, birth dates, medical histories and other personal information, according to Hopkins officials. Another computer and a projector were also stolen."

Another suggestion is to make sure your organization's contingency plans cover privacy and security incidents, giving management a blueprint to help them deal with a crisis in the most efficient and professional manner possible under the circumstances.

*UPDATE* The stolen PC has been returned via a lawyer. Those who have examined it believe it was not even turned on - which is exactly what one would expect if the hard drive had been removed, forensically copied and returned. Remember: if someone competent gains unrestricted physical access to your computer, it's game over as far as information security is concerned.

Monday, September 3, 2007

More on "Nothing to Hide"...

Following up on Brian's previous post, a few weeks ago I blogged about this very topic, "Privacy: Are You Sure You *REALLY* Have Nothing To Hide?" which was inspired by Dr. Solove's paper.

I have also blogged about another fantastic interview published in Scientific American with Dr. Latanya Sweeney, a Carnegie Mellon computer scientist and head of the Data Privacy Lab at Carnegie Mellon University; "Carnegie Mellon's Data Privacy Head Urges Development of New Privacy Technologies."

Both Dr. Solove and Dr. Sweeney make compelling arguments about how people *REALLY* feel about privacy when it comes right down to it.

How does your organization *REALLY* feel about privacy?

This would be a great week to discuss within your organization the ways in which your company takes steps to preserve privacy, along with the ways in which privacy protections can be improved.

The "I've Got Nothing to Hide" argument

One of the arguments often thrown out when discussing privacy is "I've got nothing to hide, so therefore I need not worry about government plans to increase surveillance". In a 25-page paper titled "I've Got Nothing To Hide And Other Misunderstandings of Privacy", Professor Daniel Solove from the George Washington University Law School explores this argument and highlights the flaws in this reply. Well worth a read.

Brian

Sunday, September 2, 2007

Take A Few Minutes To Participate In Carnegie Mellon's Privacy Policy Study

I just received a notice that Carnegie Mellon University is conducting a Privacy Policy Study.

"The purpose of this study is to collect data that will improve on-line privacy polices."

What great timing, and quite fitting, for Global Security Week!

Please make this one of your activities for observing the week. I'm not affiliated with the study in any way whatsoever, but I certainly am for improving online privacy policies. Wouldn't you like to improve upon them also?

GSW 2007 site and awareness materials released

In readiness for GSW 2007 starting tomorrow, we have updated and republished the Global Security Week website.

From the freebies page, you can download free awareness posters, briefings and presentation slides on this year's theme of Privacy in the 21st Century. There you will also find a collection of hyperlinks to related sites and resources on the Web, useful for individuals and businesses concerned about privacy.

A number of privacy and security awareness events will be taking place during or near GSW this year: visit the events calendar to see what's happening and do get in touch if you know of others. We would love to post further privacy-related resources on the site - awareness materials and hyperlinks - so if you are willing to share yours with the GSW community, just drop us an email.

Finally, read more about GSW and how you can get involved in the FAQ.

Gary.

Friday, August 24, 2007

Welcome to the Global Security Week 2007 Blog

The theme for this year's Global Security Week is "Privacy in the 21st Century", and the week will run from September the 3rd to September the 9th.

This Blog will be active during the week to allow those interested in this year's topic to share their views and comments.