Monday Morning News Kick Off: Houses Passes Cyber Security Bill and Hotels Hit Hardest By Hackers

Welcome to the Monday Morning News Kick Off post from the ITAC blog. As many of our readers are surely still digging out from the massive snow storm that hit the mid-Atlantic region this past weekend, we hope you can leverage your WiFi connections, stay connected and read our first post in the second week of the second month of 2010 (hope that made sense!). This week, we have a number of stories including news of the House passing cyber security legislation, a study that shows how hotels are vulnerable to cyber crime and much, much more.

House Passes Cybersecurity Bill
Last week, the House overwhelmingly passed a bill aimed at building up the United States’ cybersecurity army and expertise, amid growing alarm over the country’s vulnerability online. The bill, which passed 422-5, requires the Obama administration to conduct an agency-by-agency assessment of cybersecurity workforce skills and establishes a scholarship program for undergraduate and graduate students who agree to work as cybersecurity specialists for the government after graduation. As officials puzzle over how to defend the nation from enemies that are often impossible to pinpoint, the lawmakers behind the bill said education and recruitment are crucial. Read the full post here.

Hospitality Industry Hit Hardest By Hacks
Hackers checked into hotel networks more than those of any other industry in 2009, and organizations hit by attacks didn’t discover breaches for an average of 156 days, according to a new report based on real-world attacks worldwide. Nicholas Percoco, senior vice president of Trustwave’s SpiderLabs, announced at Black Hat DC this week these and other findings the company compiled in 218 data breach investigations in organizations across 24 countries. Financial services companies accounted for about 19 percent of the breaches, but that was far fewer than in the hospitality industry, where 38 percent of all breaches took place. Retail (14.2 percent) and food and beverage (13 percent) also suffered a fair chunk of attacks, according to Trustwave’s data. Read the full Dark Reading article here.

Hacker Attacks Ceridian; Data from 27,000 at Risk
A hacker attack at payroll processing firm Ceridian Corp. of Bloomington has potentially revealed the names, Social Security numbers, and, in some cases, the birth dates and bank accounts of 27,000 employees working at 1,900 companies nationwide. In a Jan. 29 letter to an affected worker obtained by the Star Tribune, Ceridian said a hacker attacked its Internet payroll system Dec. 22 and 23. Spokesman Keith Peterson said the breach was reported to the FBI and local authorities immediately, but affected consumers weren’t notified until this week that they were at financial risk. Read the full Minneapolis Star Tribune article here.

SF Man Charged with $9.7 Million Condo Swindle
Armed only with a pen, a San Francisco man allegedly forged grant deeds transferring three condominiums worth $7.5 million from the woman who owned them to himself, then took out $2.2 million in loans against the properties. The San Francisco District Attorney’s office announced today that they’ve charged Winston Lum, 45, with 16 felony counts, including grand theft, identity theft, offering false or forged instruments for record and attempted grand theft. Authorities accuse Lum of recording with the San Francisco Assessor’s Office three forged grant deeds to real property located at the One Rincon Hill condominiums, worth approximately $7.5 million, that fraudulently transferred titles to himself in Jan. 2009. The defendant was then able to successfully take out $2.2 million in loans against those properties. Read the full Examiner article here.

Happy Monday!

Friday’s Food for Thought: The Power of the Almighty Dollar

Welcome to our weekly Friday’s Food for Thought post. Often we like to take an alternative (some would say “enlightening”) view on many of the identity theft, cyber security and data breach topics that we cover on an ongoing basis. This week, we try to analyze the core of why people commit fraud: the easy and nefarious pursuit of the almighty dollar. It all comes down to money. And why is that?

According to an interesting blog called Currency History, “In all the history of the world currency evolution is marked with lots of changes. First of all we were trading with commodity money. Many cultures around the world eventually developed the use of commodity money. Ancient China and Africa used cowrie shells. Trade in Japan’s feudal system was based on the koku – a unit of rice per year. The shekel was an ancient unit of weight and currency. The first usage of the term came from Mesopotamia circa 3000 BC and referred to a specific weight of barley, which related other values in a metric such as silver, bronze, copper etc. A barley/shekel was originally both a unit of currency and a unit of weight.”

So, as human beings, we have been using currency for a very long time. This raises the question: has there always been crime and fraud aimed at bilking others out of their hard-earned cash? The answer is yes. Check out the ID theft history contest we ran last year here. And, check out this article about the Fraud Museum.

So, what does this tell us about the future of fighting fraud? It’s going to be an uphill battle because financial fraud was, is and always will be around. What do you all think?

House to Consider Cybersecurity Bill Today

Today, the U.S. House of Representatives is scheduled to vote on a proposed bill that is designed to enhance federal cybersecurity research and development activities and stimulate the growth of a cybersecurity workforce. Called the Cybersecurity Enhancement Act of 2009 (HR 4061), this piece of legislation was introduced by Rep. Daniel Lipinski (D-IL) last year and was passed by the House Science and Technology Committee.

If passed, HR 4061 would reauthorize several cybersecurity grant programs at the National Science Foundation (NSF). The NSF would get up to $396 million over the next four years to fund research and development programs that are focused on cybersecurity. The bill also sets aside another $94 million in scholarships over the same period for students who pursue cybersecurity studies, so long as they commit to the public sector after graduating. In addition, about another $120 million would be available to the NSF for funding activities related to improving cybersecurity, including constructing research facilities and offering training programs in colleges and universities. Read the full Computerworld article here.

What do you all think about this legislation? A critical piece is the funding of scholarships for students who want to study cybersecurity. We need to tap into our nation’s young bright minds to help develop key innovations for dealing with cybersecurity issues that plague our country.

“No, But Thanks:” Healthcare Providers Want “Red Flag” Exception

Last week, leaders of the American Medical Association, American Osteopathic Association, American Dental Association and American Veterinary Medical Association (AVMA) sent a letter to Federal Trade Commission (FTC) Chairman Jon Leibowitz asking that healthcare professionals be excluded from a “red flags” rule intended to combat identity theft.

According to this article from CMIO, the organizations contend that the FTC’s interpretation of the regulation imposes an unfunded mandate on healthcare professionals for detecting and responding to identity theft. In the letter, they asked the FTC to make it clear that the rule will not apply to their members, given the result of recent litigation brought by the American Bar Association against the FTC, in which the U.S. District Court for the District of Columbia ruled that lawyers should be excluded from the requirements imposed by the “red flags” rule.

What do you all think about this? George Hulme, the healthcare blogger for InformationWeek, had this to say: Step up and protect your customers from identity theft.

We believe that George has a valid point. Healthcare providers deal with sensitive customer information that can easily be compromised. Even though the Red Flags rule’s requirements may be cumbersome to meet, what is the alternative? Having patients accept the responsibility when they become victims of identity theft? Wouldn’t it be better to have steps in place to ensure that this data is protected? We welcome all thoughts and feedback!

Monday Morning News Kick Off: NY Announces ‘Data Privacy Day;’ Haitians Concerned About ID Theft and More

Welcome to the Monday Morning News Kick Off post on the ITAC blog. We hope everyone had a restful weekend and has recharged the batteries. This week we have an assortment of stories, including the state of NY creating its first “Data Privacy Day,” a CSIS study about our critical infrastructure being vulnerable, and a story about identity theft being a concern in Haiti. Scroll down to read all the actionable news you need to kick off your work week. And, as always, please share your thoughts, comments and feedback.

New York Announces Data Privacy Day To Protect Residents From Identity Theft
Governor David A. Paterson and several New York State agencies are today joining with government officials from across the United States and 27 European countries, privacy professionals, academics, legal scholars, representatives of international businesses, and others to promote understanding of privacy best practices and rights through the observance of National Data Privacy Day. As part of the commemoration, Governor Paterson issued a proclamation declaring January 28, 2010 Data Privacy Day in New York State. Governor Paterson noted that the New York State Consumer Protection Board (CPB), the State’s Chief Information Officer/Office for Technology (CIO/OFT) and the State Office of Cyber Security and Critical Infrastructure Coordination (CSCIC) are all working to protect residents from identity theft and to address consumer and business concerns regarding data privacy and security issues. Read the full Gov Monitor article here.

Can We Stop the Global Cyber Arms Race?
In a speech this month on “Internet freedom,” Secretary of State Hillary Clinton decried the cyberattacks that threaten U.S. economic and national security interests. “Countries or individuals that engage in cyber attacks should face consequences and international condemnation,” she warned, alluding to the China-Google kerfuffle. We should “create norms of behavior among states and encourage respect for the global networked commons.” Perhaps so. But the problem with Clinton’s call for accountability and norms on the global network — a call frequently heard in policy discussions about cybersecurity — is the enormous array of cyberattacks originating from the United States. Until we acknowledge these attacks and signal how we might control them, we cannot make progress on preventing cyberattacks emanating from other countries. Read the full Washington Post Op-Ed here.

Critical Infrastructure Vulnerable To Attack
Executives at corporate operators of critical infrastructure — power, water, oil, telecom, finance, and transportation companies — say that their networks face relentless attacks from cybercriminals and foreign governments, a situation that amounts to an undeclared cyberwar. Last week, McAfee, a security vendor, published a cyber security report authored by the Center for Strategic and International Studies (CSIS), a public policy research group. Read the full InformationWeek article here.

Many Haitians Concerned About Identity Theft
Victims of Haiti’s earthquake are dealing with yet another painful reality as they struggle to get back on their feet. Many have no identification to prove who they are and they’re afraid they could become victims of identity theft. There are tiny signs that life is slowly returning to normal in Haiti. However, there are even bigger signs of just how slow that recovery is. Read more here.

Internal Data Breaches a Rarity, Study Finds
Internal data breaches might keep CSOs awake at night, but they appear to be a rare event, a university analysis of reported UK compromises has found. In the UK Security Breach Investigations Report the University of Bedfordshire crunched data on incidents reported to forensics firm 7Safe, finding that the overwhelming majority came from external sources. Of the 62 breaches 7Safe was called in to investigate across a range of sectors, 80 percent were found to be external in origin, 18 percent came from business partners, leaving only 2 percent to be blamed on insiders. Read the full ComputerWorld article here.

Friday’s Food for Thought: Hackers and Hollywood

Did you know that there is a list of the top 20 movies that involve hackers and cyber crime? Well, it turns out that Hollywood has been cranking out hacker-related movies since 1974, when The Conversation came out – which takes on the theme of surveillance and the violation of people’s privacy (although there are no computers in the movie).

From that point on Hollywood has been developing such popular films as Tron, War Games and Real Genius — all the way up to more recent films like Die Hard 4. Of course, how could we all forget Sandra Bullock who plays a software engineer who loses her identity to digital thieves in the 1995 film The Net?

So, the reality is that all of these films are a bit dated and clichéd about cyber crime. We wonder if we will see more films that involve the truth behind cyber security: a hero fighting an unseen organized crime group, or hackers from a rogue nation? Either way, Hollywood always has an interesting — if somewhat out-of-touch with reality — take on things. But who are we to judge? Perhaps Hollywood is helping raise more awareness around this issue? We welcome all thoughts, comments and feedback!

PODCAST: Mike Spinney, Senior Policy Analyst, Ponemon Institute, Discusses “Fourth Annual U.S. Cost of Data Breach Study”

We are excited to announce that we have secured an exclusive podcast with Mike Spinney, Senior Policy Analyst, Ponemon Institute. Mr. Spinney discussed with us in detail the results of the Ponemon “Fourth Annual US Cost of Data Breach Study,” which shows that the cost of a data breach increased last year to $204 per compromised customer record. In addition, Mr. Spinney highlights how critical it is for companies and organizations to have a data breach readiness program in place.

The announcement of this study has garnered a tremendous amount of media coverage from Investor’s Business Daily, CNET, eWeek, InformationWeek, ZDNet, PC World, and many more. Listen to our podcast with Ponemon Institute below.

Data Breaches Are Expensive: BCBS of Tennessee Spends $7 Million in Wake of Breach

It goes without saying that recovering from a data breach can be a costly endeavor. In fact, the Ponemon Institute just issued its Fourth Annual “US Cost of Data Breach Study,” which shows that the cost of a data breach increased last year to $204 per compromised customer record. The average total cost of a data breach rose from $6.65 million in 2008 to $6.75 million in 2009.

Speaking of a heavy tab to pay, BlueCross BlueShield of Tennessee just announced that it has spent more than $7 million to respond to a security breach that might have compromised members’ personal and health data. In October 2009, 57 hard drives were stolen from a company training facility. The hard drives contained audio and video files with identifying information for up to 500,000 members.

What cost so much for BCBS? The company had to hire more than 700 contract and BlueCross employees to help determine what data the hard drives contained. The insurer said it might need to spend significantly more money to evaluate the missing data and provide additional identity protection services. Read more from iHealthBeat here.

2010 Cyber Security Watch: Companies Unprepared for Cyber Crime

Deloitte, in collaboration with CSO Magazine, the U.S. Secret Service, and the CERT Coordination Center at Carnegie Mellon, issued the results of the 2010 CyberSecurity Watch Survey. And, the results were sobering: many organizations are focused on stopping random hackers and blocking pornography when they should be concerned with bigger threats from professional cybercriminals. The survey was conducted last year with 523 IT and security managers, top-level executives, and law enforcement personnel, and it found that hackers were rated the biggest threat, followed by insiders and foreign entities.

This report further reinforces that there is a larger, more sinister issue brewing when it comes to cyber security: hackers and rogue nations wreaking havoc on our cyber security infrastructure. And, the NY Times came out with a front-page story today about how top Pentagon leaders gathered to simulate how they would respond to a sophisticated cyberattack aimed at paralyzing the nation’s power grids, its communications systems or its financial networks. According to the article, the results were dispiriting. The enemy had all the advantages: stealth, anonymity and unpredictability. No one could pinpoint the country from which the attack came, so there was no effective way to deter further damage by threatening retaliation.

So, the takeaway from all of this news is that attackers from nation-states and organized crime syndicates use more sophisticated techniques that can do more economic damage and go undiscovered. We face some very daunting cyber security challenges, and the main point that keeps resonating is that we are NOT prepared and do not have the tools to deal with it. We welcome all thoughts and feedback on this!

Monday Morning News Kick Off: Bernanke ID Thief Gets 17 Years; Data Breaches From Malicious Attacks Doubled Last Year and More

Welcome to the Monday Morning News Kick Off post from the ITAC blog. As always, we have tried to compile the latest news regarding ID theft, cyber security and data breaches — a virtual repository for the most actionable news. This week’s post includes some news regarding the ID thief who stole Ben Bernanke’s wife’s identity, as well as an update on a report about data breaches resulting from malicious attacks. As always, please share your thoughts, feedback and ideas with us!

Leader of ID Theft Ring That Ensnared Bernanke Gets 17 Years
A ringleader of a $1.5 million identity-theft ring that left Federal Reserve Chairman Ben Bernanke as one of its victims has been sentenced to 17 years in prison and ordered to pay back $1.4 million. Leonardo Zanders paid pickpockets and professional office employees to steal identifying information that he and others used to steal cash from bank accounts, authorities said. One of those pickpockets grabbed a pocketbook from Bernanke’s wife at a D.C. Starbucks. He then used her driver’s license and checkbook to cash $900 in checks from their bank account. Read the full Washington Examiner article here.

Survey: Data Breaches From Malicious Attacks Doubled Last Year
Data breaches at U.S. companies attributed to malicious attacks and botnets doubled from 2008 to 2009 and cost substantially more than breaches caused by human negligence or system glitches, according to a new Ponemon survey to be released on Monday. The incidence of malicious attacks rose from 12 percent in 2008 to 24 percent last year, according to the 2009 Annual Study: U.S. Cost of a Data Breach survey conducted by the Ponemon Institute and sponsored by PGP Corp. The cost per compromised record involving a criminal act averaged $215, about 40 percent higher than breaches from negligence and 30 percent higher than those from glitches, the survey found. Read the full CNET article here.

Heartland Moves to Encrypted Payment System

Responding to its widely reported and massive data breach that took place a year ago, Heartland Payment Systems will be moving to an end-to-end encryption system for payment transactions, according to Chairman and CEO Robert Carr. “End-to-end encryption is a good way to mitigate the risk of having the kind of compromise that we and hundreds of other companies have had,” Carr said in an interview. The company, which handles more than 4 billion transactions annually for more than 250,000 merchants, will be using a Thales nShield Connect hardware security module along with Voltage Security’s SecureData encryption software as the basis of this capability. Read the full PC World article here.

Social Networking Site Breach Exposes Most Popularly Used Passwords
An analysis of more than 32 million exposed passwords revealed “123456” as the most commonly used security code when logging into online accounts. Rockyou.com, a social networking services and customized widget company, suffered a data breach in December 2009. The breach included millions of people’s email addresses and passwords for Rockyou.com (and in many cases passwords and login details for associated social networking sites). The hacker responsible for the attack subsequently posted the full list of passwords on the internet. Read the full Independent Media article here.

Informing Victims of Identity Theft
Until recently, information assurance (IA) personnel and attorneys specializing in this area of the law have had to search for the appropriate governing laws for each jurisdiction. In this column, I review a valuable resource for locating the laws that apply to disclosure of personally identifiable information (PII) in each state in the United States and internationally. The first victim-notification law in the U.S. that required organizations to notify data subjects when PII records were compromised was State Bill (SB) 1386, the California Database Breach Act that came into force in 2003 and which was under review in 2009. Read the full Network World article here.

Happy Monday!
