Tuesday, December 1, 2009

Cookies Under the Amended ePrivacy Directive

From http://www.mofo.com/news/updates/bulletins/16191.html

Cookies Under the Amended ePrivacy Directive
November 2009
by Karin Retzer, Anthony Nagle

After years of debate, the Council of the European Union has finally agreed on various amendments to the ePrivacy Directive (the Directive on privacy and electronic communications 2002/58/EC – “ePrivacy Directive”),[1] which include new requirements for websites that use cookies or similar tracking technologies.

These requirements have significant implications for communication and Internet service providers and the online advertising industry in general. The presidents of both the European Parliament and the European Council are due to sign the drafts into law on November 25. The 27 EU Member States will then have to implement the new requirements within 18 months of the publication date of the amendments in the EU’s official journal, which is to be expected in the weeks ahead.

The introduction of the cookies and spyware requirements had gone almost unnoticed during the negotiations over the amendments because the requirements have been introduced as part of a wider EU telecommunications package. This includes an ongoing, high-profile debate about the introduction of U.S.-style breach notification requirements and the so-called “three-strikes law,” which would enable local regulators to cut off individuals’ Internet use if they repeatedly download illegal content. While the breach notification regime was adopted, the three-strike law was eventually rejected. These debates overshadowed the amendments agreed upon relating to cookies and other similar technologies, which were added at the last minute, meaning that online businesses only recently became aware of the amendments.

What Is the Existing Framework?

Under the existing ePrivacy Directive, it is acceptable to use cookies for legitimate purposes if the users are provided:

“with clear and precise information” about the purposes of such use, “so as to ensure that users are made aware of information being placed on the terminal equipment they are using.”

Due to the way some EU Member States such as the UK interpreted the original cookie provision when implementing the ePrivacy Directive into local law, the business community tended to take this language to mean that it was acceptable to give users the right to refuse the placement of a cookie “after” the delivery of the cookie. Under this interpretation, it was acceptable to provide the necessary information in the privacy policy on the website, and users were directed to sites which described how they could disable or reject cookies. Other Member States, such as Germany, did not adopt specific laws on the issue, but rather relied on general data protection rules.

And the New Rules?

The amendments signal a European-level shift towards prior notice and “consent.”

The amended Article 5(3) refers more specifically to consent. The original Article 5(3) read:

“Member States shall ensure that the use of electronic communications networks to store information or to gain access to information stored in the terminal equipment of a subscriber or user is only allowed on condition that the subscriber or user concerned is provided with clear and comprehensive information in accordance with Directive 95/46/EC, inter alia about the purposes of the processing, and is offered the right to refuse such processing by the data controller. This shall not prevent any technical storage or access for the sole purpose of carrying out or facilitating the transmission of a communication over an electronic communications network, or as strictly necessary in order to provide an information society service explicitly requested by the subscriber or user.”

As amended, it reads:

“Member States shall ensure that the storing of information, or the gaining of access to information already stored, in the terminal equipment of a subscriber or user is only allowed on condition that the subscriber or user concerned has given his or her consent, having been provided with clear and comprehensive information, in accordance with Directive 95/46/EC, inter alia about the purposes of the processing. This shall not prevent any technical storage or access for the sole purpose of carrying out the transmission of a communication over an electronic communications network, or as strictly necessary in order for the provider of an information society service explicitly requested by the subscriber or user to provide the service.”

A new recital 66 is intended to add clarity to the notice and consent obligations:

“Third parties may wish to store information on the equipment of a user, or gain access to information already stored, for a number of purposes, ranging from the legitimate (such as certain types of cookies) to those involving unwarranted intrusion into the private sphere (such as spyware or viruses). It is therefore of paramount importance that users be provided with clear and comprehensive information when engaging in any activity which could result in such storage or gaining of access. The methods of providing information and offering the right to refuse should be as user-friendly as possible. Exceptions to the obligation to provide information and offer the right to refuse should be limited to those situations where the technical storage or access is strictly necessary for the legitimate purpose of enabling the use of a specific service explicitly requested by the subscriber or user. Where it is technically possible and effective, in accordance with the relevant provisions of Directive 95/46/EC, the user’s consent to processing may be expressed by using the appropriate settings of a browser or other application. The enforcement of these requirements should be made more effective by way of enhanced powers granted to the relevant national authorities.”

In Member States that previously have not specifically required advance notice and consent for cookies, the practical impact of this change may be that the Member States interpret this new language to require pop-up messages (or some type of “landing” page) to ask users for their consent to use cookies before the website places a cookie on the user’s computer.

The following types of cookies appear to be exempt from the requirements:

  • session cookies; and
  • other cookies “strictly necessary” for a specific service explicitly requested by the subscriber or user.

For example, an online store receiving a specific purchase request from a user might be able to use cookies without having to obtain consent under the exception provisions (i.e. “a specific service explicitly requested by the subscriber or user” is excluded from the advance consent requirement).

What Type of Notice?

Recital 25 of the prior ePrivacy Directive requires that notice be provided in a format “as user-friendly as possible.” In the past, many operators have complied with this obligation by providing notice in privacy policies and online terms of service. The amendments repeat these requirements, but it is unclear whether or not the prior practices will be sufficient. This will be resolved based on how the amendments are transposed into Member State law, and it may be that at least some Member States adopt an “enhanced notice” mechanism, such as that advocated by the United States Federal Trade Commission:

“a clear, concise, consumer-friendly, and prominent statement that . . . data about consumers’ activities online is being collected at the site for use in providing advertising about products and services tailored to individual consumers’ interests.”[2]

In the United States, this may ultimately take the form of an icon on publishers’ pages (where the information is collected) or in or around the advertisements themselves, leading to a landing page with more information and a choice mechanism. This framework is likely to be incorporated into a new self-regulatory program launching in the first quarter of 2010.[3]

And What Consent?

The amendments do not clarify the type of consent that will be required. Under recital 66 it may still be possible to obtain user consent through the user’s browser settings. Recital 66 expressly states that where “technically possible and effective,” the default browser setting or other applications are a means to provide consent. The Article 29 Working Party and the European Data Protection Supervisor had initially objected to this change, arguing that the reference to browser settings was not technology-neutral and that it would erode the definition of “informed” consent, as most users are not aware of the implications of a browser setting. However, this argument was rejected by the Council of the European Union, and thus it is evident that the use of browser settings as a means to achieve consent is consistent with the amendments. There is also a strong argument that the language on browser settings in recital 66 indicates that opt-out or implicit consent is sufficient, because a default browser setting cannot be viewed as explicit or opt-in consent for a specific website. Rather, the default setting will constitute implicit or opt-out consent.

Moreover, the language in the amendments relating to cookies is not the same as the language used where opt-in consent was specifically intended, as for commercial communications. For example, in the section relating to “spam” the obligation is to obtain “prior explicit” consent, i.e. opt-in consent. That language is not used in the cookies section. Thus there is a good argument that the consent need not be opt-in. In the end, it will be for each Member State to transpose these obligations and to determine the type of consent allowed. Notwithstanding these arguments, we anticipate that at least some Member States will make a strong push to incorporate an opt-in standard under the amendments.

Who and What Is Covered?

Strictly speaking, the ePrivacy Directive only applies to the processing of personal data in connection with the provision of publicly available electronic communication services in public communications networks within the EU, including public communications networks which support data collection and identification devices. The proposal to expand its scope to cover website operators and corporate networks or closed user groups was rejected (recital 55). There may be an argument that only telecommunication and Internet service providers are covered. That said, the cookies amendments target users, and we anticipate that most Member States will implement the rules to cover websites broadly.

As for the types of technologies covered, the provisions aim at cookies – small text files which are sent by a website to a user’s web browser and collect information about the user’s web use (which is later collected by the website). The new rules appear to apply to other applications as well, such as web beacons, ad tags, JavaScript code, or other technologies that are integral to the functioning of the Internet or used for advertising, provided they are used to store or access information on a user’s computer or other device.

What Is Next?

Due to the relatively short implementation period of 18 months, Member States must now begin interpreting and implementing the amended ePrivacy Directive by enacting local laws in each EU Member State. Legislators in Member States are expected to run a consultation process prior to amending the local laws. This will give local industry and businesses the opportunity to lobby and present any issues and concerns about the new requirements. Industry will likely emphasize the threat to the workings of the Internet if all such features are made subject to onerous opt-in requirements. Given the unclear language of the Directive, there is certainly room for local variation.

In any event, the amendments may well mean that existing requirements are enforced more actively.

The amended ePrivacy Directive provides for a new Article 15a:

“Member States shall lay down the rules on penalties, including criminal sanctions where appropriate, applicable to infringements of the national provisions adopted pursuant to this Directive and shall take all measures necessary to ensure that they are implemented. The penalties provided for must be effective, proportionate and dissuasive and may be applied to cover the period of any breach, even where the breach has subsequently been rectified.”

Therefore, the real impact of the new cookie requirements may be in the area of enforcement rather than any new substantive requirements. Under the original ePrivacy Directive, Member States did not go to any great lengths to enforce the cookie laws. Whether the amendments under the revised ePrivacy Directive will bring greater enforcement is not clear at this stage, but the EU regulators have been provided with increased enforcement powers, and there are now greater penalties.


Footnotes

[1] Available in English here.

[2] See FTC Staff Report: Self-Regulatory Principles For Online Behavioral Advertising (February 12, 2009), available at http://www.ftc.gov/os/2009/02/P085400behavadreport.pdf.

[3] See Self-Regulatory Principles for Online Behavioral Advertising (American Association of Advertising Agencies, Association of National Advertisers, Council of Better Business Bureaus, Direct Marketing Association, and Interactive Advertising Bureau) (July 2, 2009), available at http://www.the-dma.org/government/ven-principles%2007-01-09%20FINAL.pdf.

Federal Trade Commission's Red Flags Rule Takes Effect November 1, 2009

From http://www.mofo.com/news/updates/bulletins/16108.html


Privacy and Data Security Update, October 30, 2009

It’s time to set your clocks back and implement a Red Flags program. The Federal Trade Commission’s (FTC) Red Flags Rule takes effect on this Sunday, November 1. As of this writing, the FTC has not announced that it will further delay its enforcement of the Rule.

The Red Flags Rule requires many businesses and organizations to implement a written Identity Theft Prevention Program designed to detect the warning signs – or “red flags” – of identity theft in their daily operations, take steps to prevent identity fraud, and mitigate its damages.

The FTC has broadly interpreted the definition of “creditor” to apply the Rule to all businesses or organizations that regularly defer payment for goods or services. Many industries have protested this broad application of the Rule and have sought additional guidance from the FTC. In response, the FTC has repeatedly delayed implementation of the Red Flags Rule since its initial effective date in November 2008.

Unless the FTC elects to further delay the effective date of the Red Flags Rule, all covered businesses and organizations should have a written Identity Theft Prevention Program in place by November 1.

Federal Court Bars Application of Rule to Lawyers

In August 2009, the American Bar Association (ABA) filed suit to block the Rule’s application to the legal profession. Yesterday, October 29, 2009, the U.S. District Court for the District of Columbia granted the ABA's motion for summary judgment, thereby barring the FTC’s application of the rule to lawyers. Judge Walton ruled that the FTC’s application of the Red Flags Rule to attorneys exceeded its statutory authority, and he appeared to question the FTC’s broad application of the Rule to anyone who provides services and later bills customers in arrears.

A written opinion will be issued within 30 days, which should clarify whether the ruling will extend beyond the legal profession. (In the interests of full disclosure, Morrison & Foerster Partner Andrew Smith chairs the ABA task force overseeing the Red Flags litigation.)

Additionally, legislation that would bar the Rule’s application to certain small businesses and others at low risk for identity theft has passed the House of Representatives. We understand that Senate Banking Committee staff is working on companion legislation, but no bill has yet been introduced.

We will continue tracking challenges to the enforcement of the Red Flags Rule and keep clients abreast of key developments. Please feel free to contact us if you have questions regarding the application of the Red Flags Rule to your business or organization.

Monday, October 19, 2009

BlueCross BlueShield and Virginia DepEd Breaches

Oct. 6, 2009 – BlueCross BlueShield Assn. (Chicago, IL)
A file containing identifying information for every physician in the country contracted with a Blues-affiliated insurance plan was on a laptop computer stolen from a BlueCross BlueShield Assn. employee. The file included the name, address, tax identification number and national provider identifier number for about 850,000 doctors. Some 16% to 22% of those physicians listed -- as many as 187,000 -- used their Social Security numbers as a tax ID or NPI number.
Records affected: 187,000

Oct. 15, 2009 – Virginia Department of Education (Richmond, VA)
(877) 347-5224
A flash drive containing the personal information of more than 103,000 former adult education students in Virginia was misplaced. The information included names, Social Security numbers and employment and demographic information. The flash drive contained information on all students who finished an adult education course in Virginia from April 2007 through June 2009 or who passed a high school equivalency test between January 2001 and June 2009.
Records affected: 103,000

Tuesday, October 13, 2009

6 Ways We Gave Up Our Privacy

October 12, 2009

Editor's note: Tomorrow, we continue this report with a podcast featuring Chicago-based business consultant Mark Cummuta, who specializes in compliance, security and CIO challenges.

Privacy has long been seen as a basic, sacred right. But in the Web 2.0 world, where the average user is addicted to Google apps, GPS devices, their BlackBerry or iPhone, and such social networking sites as Facebook and Twitter, that right is slowly and willingly being chipped away. In fact, some security experts believe it's gone already.

Adding to this sobering reality is that public and private entities have a growing array of tools to track our movements, habits and choices. RFID tags are on more of the items we take for granted. Those discount cards you use at the grocery store offer companies an excellent snapshot of the choices you make. And in the post 9-11 world, the government has greatly expanded its power to spy on you with such laws as The Patriot Act.

"Your credit card company and your loyalty card program memberships track your purchases, travels, expenditure levels, and blend that into offers that meet your lifestyle profile," said John Zurawski, vice president of Authentify Inc. "Firms sell GPS devices specifically to be hidden in vehicles permitting anyone to track your movements. The RFID Tollway passes states offer to speed you through their toll roads know where you've been and how fast you drove."

Based on an informal survey of privacy and security experts, here are six examples of how we've willingly allowed our privacy to be taken away, and how we might be able to get some of it back.

1. Google
Google apps such as Gmail and Google calendar allow individuals and organizations to bring order to the hectic process of scheduling and communicating. But when you input company agenda items into the applications along with other proprietary information and potentially embarrassing things like an upcoming doctor's appointment, you're giving up privacy to Google, said Chicago-based business consultant Mark Cummuta, who specializes in compliance, security and CIO challenges.

"When Google first started, it said it would only use that information internally, to get a sense of the things you like and talk about," he said. "All that information used to be gathered in a way where you explicitly gave permission, through things like surveys. But Google can easily poke around without seeking permission, and they don't explain to you how they know what they know."

2. Social networking
It's getting increasingly harder NOT to find someone on LinkedIn, Facebook, Twitter or all of the above. Then there's Myspace and a lot of lesser-known social networking sites. If you use these programs -- and you probably do -- chances are pretty good that you give up a lot of your privacy every day, willingly and even happily. Security experts have spent a lot of time ringing the alarm bell over this lately, because bad people can easily take the personal tidbits you post and use it against you, for everything from marketing to blackmail.

"Privacy is evaporating because Facebook, Myspace, Twitter and blogs are raising a generation of kids and adults who have no concept of privacy or the ability to truly understand that nothing digital is ever forgotten or destroyed," said Raj Goel, owner of security compliance consultancy Brainlink International Inc. "Ten years from now, kids will be Googling their mommy's spring break pictures and their daddy's Facebook profile, if they don't do so already."

3. RFID tags and loyalty cards
In this fast-paced world, people use special transponders to blow through highway toll stations without stopping and pay for gas without having to swipe a credit card. Then there are those cards you present at the grocery store for discounts. All have technology that can be used to track your movements and habits, right down to the time of day you typically go through a toll plaza each morning on the drive to work.

"Let's add RFID chips, the Real ID Act and the PASS Act to the list as well. How about chips in passports? We're lulled into a false sense of security and people aren't realizing that they are simply giving those rights to privacy away," said Julie Davis Friend, president of Gemstone Partners, a firm that advises organizations on issues surrounding identity theft and new legal requirements.

4. The Patriot Act
Given all the debate about the evils of The Patriot Act and how it gave the government a ridiculous amount of power to spy on people, we often forget that citizens were perfectly comfortable giving away privacy in the immediate aftermath of 9-11, when people were consumed with the desire to stop the next terrorist attack from happening. [See also: Eight Years After 9-11: Better Security or Just Luck?] Many a security expert will argue that the law did indeed improve our safety and prevent more attacks. In other words, enacting it was the right thing to do. But it's also universally accepted that civil liberties were eroded under the law.

Notes Zurawski: "The Patriot Act granted broad powers to law enforcement to enter your home with 'probable cause' and no warrant."

5. GPS
GPS navigation used to be a luxury item. Now most of us use the technology. It's relatively inexpensive to buy a GPS device that's bolted to the dashboard. Higher-end cars come with built-in GPS. And there are plenty of free navigation apps available for the BlackBerry and iPhone. The flip side to fewer people getting lost is that the providers of those systems can track your whereabouts without breaking a sweat.

6. The Kindle
Here's one you may not have seen coming. The increasingly popular Kindle allows us to tear through books on the go. But the device also "keeps track of what you read, how quickly you read it, what you may have read over several times, and can delete content you've paid for without your knowledge should it become 'necessary,'" Zurawski said.

Getting back some privacy
The good news in all of this is that there are steps people can take to protect more of their privacy. Educating younger folks on what they are giving away is a good place to start, those polled said. Businesses should steer clear of something like Gmail if they have sensitive data to send someone. And consumers can demand that government agencies crack down on the privacy-stealing practices of private-sector companies.

"The FTC could take on Facebook, Myspace and other sites that target kids the same way they expanded HIPAA's scope and brought online health care databases under their purview," Goel said. "When my government grows up, I want them to be the FTC -- the only national agency that's done anything meaningful about consumer privacy and security in the past decade."

Thursday, October 8, 2009

53 arrested in international cybercrime case

Story By Mary Manning
http://www.lasvegassun.com/news/2009/oct/07/3-las-vegans-arrested-international-cybercrime-cas/

Indictment:
http://media.lasvegassun.com/media/pdfs/blogs/documents/2009/10/07/indictment1007.pdf

Three Las Vegas residents were among 100 people indicted in what the FBI is calling the largest group ever arrested in a cybercrime case.

In the multinational investigation in the United States and Egypt, authorities uncovered a sophisticated "phishing" operation that collected personal information that was used to defraud American banks.

Authorities, including Metro Police and the FBI in Las Vegas, were arresting 53 people named in the 51-count indictment returned last week by a federal grand jury in Los Angeles, the FBI said. Arrests today occurred in Nevada, Southern California and North Carolina.

The three Las Vegas residents arrested were identified as 21-year-old Shontovia Debose, 20-year-old Tramond Davis and 21-year-old Raymond Valentino Mancillas III.

The three were arrested without incident, said Joseph Dickey, a spokesman for the Las Vegas office of the FBI. Davis and Mancillas were arrested at their homes and Debose was taken into custody at the parole and probation office west of downtown Las Vegas, he said.

In addition, authorities in Egypt have charged 47 people linked to the phishing scheme.

Operation "Phish Phry" marks the first joint cyber investigation between Egyptian law enforcement and United States officials, the FBI said.

Phish Phry also marks the largest cybercrime investigation in the United States, with 53 people charged here, the FBI said.

Operation Phish Phry began in 2007 when FBI agents, working with United States financial institutions, took steps to identify and disrupt sophisticated criminal enterprises that targeted financial businesses in the United States. Investigations here and in Egypt led authorities to cooperate in the investigations.

Phishing involves a technique that sends e-mail messages that appear to be official correspondence from banks or credit card vendors. In illegal phishing schemes, bank customers are directed to fake Web sites appearing to be linked to financial institutions. There, customers are directed to enter their account numbers, passwords and other personal identification information. The customers do not realize that the sites are not those of legitimate financial institutions, the FBI said.

Those involved in the scheme based in Egypt collected bank account information, then members of the conspiracy hacked into accounts at Bank of America and Wells Fargo.

The United States ring was allegedly operated by Kenneth Joseph Lucas, Nichole Michelle Merzi and Jonathan Preston Clark, all of California, the FBI said.

The Las Vegas members of the ring set up bank accounts where the funds stolen from compromised accounts could be deposited.

Those arrested in Las Vegas will have their initial appearance in U.S. District Court in Las Vegas on Wednesday afternoon.

People who get e-mail that looks like it is from a bank or other financial institution but turns out to be fake can file a complaint online, the FBI said. The Internet Crime Complaint Center is at www.ic3.gov.


Book Insidious

Taken from http://www.mementosecurity.com/insidious/#

Insidious – How Trusted Employees Steal Millions
and Why It’s So Hard for Banks to Stop Them

By BC Krishna and Shirley Inscoe

A compelling exploration of a complex problem
Insidious is no ordinary business book. It takes an unconventional and occasionally irreverent look at a problem most companies don’t want to even talk about—employees who steal. With more than three decades of fraud experience between them, authors Shirley Inscoe and BC Krishna bring you a uniquely informed and objective perspective on the perennial, deeply damaging, and growing problem of employee fraud.

Historically, embarrassed silence greets any discussion of employee fraud. But industry work groups and visionary banks are starting to speak up—motivated by escalating losses, high-visibility fraud events, and a marked rise in employee fraud. Insidious takes this discussion to a new level by providing one of the most provocative and wide-ranging explorations of employee fraud to date.

Why now?

The time is right for Insidious. Economic uncertainty has created a perfect storm that allows employee fraud to thrive like never before. Many financial services organizations are in transition—struggling or merging. More employees are in desperate financial straits. Morale is low. In short, the three sides of the notorious Fraud Triangle —opportunity, motivation, and justification—are stronger than ever. And even entry-level employees have unparalleled access to the data and systems they need to commit fraud—often in just a few keystrokes. No wonder employee fraud is on the rise.

Sophisticated fraud schemes fuel higher losses

Employee fraud is no longer the domain of the disgruntled loner. Highly skilled and often ruthless collusive gangs are recruiting bank employees to participate, willingly or not, in elaborate high-loss fraud schemes. Employee fraud often enables cross-channel fraud schemes that tap deep into the core systems of banks and credit unions—creating losses that are often not even attributed to employee fraud.

Voices from the frontlines of fraud
Insidious goes behind the scenes at banks and talks to the analysts and investigators who know firsthand why employee fraud is so hard to stop—and who share their stories from the frontlines of fraud. It highlights dozens of real-world fraud schemes that generate stomach-dropping losses, send customers fleeing, and damage reputations for years.

To bring you new insights on fraud, Inscoe and Krishna talk to dozens of sources, well-known as well as unconventional. You’ll hear reputational damage experts, executives at banks of all sizes, industry pundits, theoretical mathematicians, the Bureau of Engraving, and many others. You’ll find out just how easy committing fraud is by doing it yourself. And Insidious concludes with an interview with a former bank vice president on the eve of reporting to Federal prison for stealing—providing a rare first-person account of why good employees (often even top performers) go bad.

Insidious takes a Socratic approach
In a dozen chapters, Insidious asks the hard questions:

  • Why do employees steal?
  • Why do they get away with fraud?
  • Why is employee fraud particularly damaging to banks?
  • What capabilities do analysts and investigators need to fight fraud?
  • What can banks do to start addressing the problem?
  • How can banks know they’re making progress?

Beware of consultants bearing silver bullets
For answers, Insidious looks beyond the usual prescriptive solutions. There are no Ten Steps You Need to Take to Wipe Out Employee Fraud. And it doesn’t presume to provide a failsafe, one-size-fits-all solution to employee fraud. Instead, it explores the overall approaches and strategic moves that can help banks and credit unions create an organizational environment that discourages fraud—and that identifies fraud earlier and more often when it does happen.

Ultimately, employee fraud is an inherently human problem that generates painful damage—financial, reputational, and more. And everyone suffers when an employee goes bad, from banks and credit unions, to honest colleagues who resist the temptation to steal, to the fraudsters themselves.

The time to stop employee fraud is now
Insidious is a must-read for financial services executives, investigators, analysts, and other fraud fighters. This unusual, powerful book will leave you inspired, informed, and uniquely empowered to boost the effectiveness of your own efforts to fight employee fraud.

Though Insidious focuses on employee fraud at banks and credit unions, its findings and insights resonate with brokerages, retail organizations, pharmaceutical groups, and other organizations susceptible to employee fraud.

Hotmail, Gmail passwords exposed; Most common password?

123456 is the most common password!

http://www.wired.com/threatlevel/2009/10/10000-passwords/#comments

A researcher who examined 10,000 Hotmail, MSN and Live.com passwords that were recently exposed online has published an analysis of the list and found that “123456” was the most commonly used password, appearing 64 times.

Forty-two percent of the passwords used lowercase letters from “a to z”; only 6 percent mixed alpha-numeric and other characters.

Many of the top 20 passwords used were Spanish names, such as Alejandra and Alberto, suggesting that the victims were in Spanish-speaking communities. Nearly 2,000 of the passwords were only six characters long. The longest password was 30 characters — lafaroleratropezoooooooooooooo.

The 10,000 passwords and user names, believed to be booty from a phishing attack, were posted over the weekend to the clipboard site PasteBin. The site owner has since removed the list, but Bogdan Calin of Acunetix grabbed the passwords before it disappeared.

The list included only online account addresses that began with “A” or “B,” suggesting that the list was only part of a larger cache of credentials. On Tuesday, the BBC reported that it had viewed a second list of more than 20,000 account credentials that included Gmail, Yahoo and AOL accounts, and that Google had uncovered a third list containing an unknown number of accounts.

Some of the accounts on the list of 20,000 names the BBC saw appeared to be old, unused or fake, though many were genuine. The list also included Comcast and Earthlink accounts.

Both Google and Microsoft, which own Gmail and Hotmail, MSN and Live.com respectively, have taken measures to block use of the exposed accounts until the legitimate users can reset their passwords.
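The statistics quoted above (most common value, character-class mix, length distribution) are the first things a responder pulls from a leaked credential list, whether to gauge exposure or to decide whether a password policy would have helped. The script below is an added example and not the researcher's own tool; the list it analyses is a constructed sample, not the leaked data, and the `COMMON` blocklist and the 8-character minimum in `policy_survivors` are assumed policy settings. Feed `analyse()` one password per line from a real dump to get the same breakdown.

```python
"""Triage of a leaked password list: top values, character classes, lengths.

Added example, not the researcher's script. SAMPLE is a constructed list
standing in for the 10,000-entry dump; the analysis functions take any
iterable of password strings.
"""
import re
from collections import Counter

# Constructed sample; deliberately skewed like the leaked list (repeats,
# Spanish first names, a very long outlier).
SAMPLE = """123456
123456
alejandra
alberto
123456
password
Pa55w0rd!
qwerty
alberto
1234567890
lafaroleratropezoooooooooooooo
""".split()

# Assumed blocklist a sane policy would enforce; not from the article.
COMMON = {"123456", "password", "qwerty"}

# Ordered: the first matching class wins, so "with symbols" only catches
# strings that are neither pure letters nor pure alphanumerics.
CLASSES = [
    ("lowercase only", re.compile(r"^[a-z]+$")),
    ("letters only (mixed case)", re.compile(r"^[A-Za-z]+$")),
    ("digits only", re.compile(r"^[0-9]+$")),
    ("alphanumeric mixed", re.compile(r"^(?=.*[A-Za-z])(?=.*[0-9])[A-Za-z0-9]+$")),
    ("with symbols", re.compile(r"[^A-Za-z0-9]")),
]


def classify(pw: str) -> str:
    """Return the character-class label for one password."""
    for name, rx in CLASSES:
        if rx.search(pw):
            return name
    return "other"


def analyse(passwords) -> dict:
    """Compute the figures the article reports for a list of passwords."""
    pws = list(passwords)
    total = len(pws)
    classes = Counter(classify(p) for p in pws)
    lengths = Counter(len(p) for p in pws)
    return {
        "total": total,
        "top": Counter(pws).most_common(5),
        "class_pct": {k: round(100 * v / total, 1) for k, v in classes.items()},
        "length_hist": dict(sorted(lengths.items())),
        "longest": max(pws, key=len),
        # share of passwords of six characters or fewer
        "short_pct": round(100 * sum(v for n, v in lengths.items() if n <= 6) / total, 1),
    }


def policy_survivors(passwords, common, min_len: int = 8) -> int:
    """How many entries an assumed policy (min length, blocklist) would have
    allowed. The gap to len(passwords) is what the policy would have caught."""
    return sum(1 for p in passwords if len(p) >= min_len and p not in common)


if __name__ == "__main__":
    report = analyse(SAMPLE)
    for key, value in report.items():
        print(f"{key:12} {value}")
    print("would pass policy:", policy_survivors(SAMPLE, COMMON), "of", report["total"])
```

On the constructed sample the script reports "123456" as the top value, a majority of lowercase-only strings and about a third of entries at six characters or fewer, the same shape as the leaked list; the policy check is the actionable part, since it shows how many of the exposed credentials a minimum length plus a short blocklist would have rejected at enrollment.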

Wednesday, October 7, 2009

FTC Takes Additional Safe Harbor-Related Enforcement Actions


On October 6, 2009, the Federal Trade Commission (“FTC”) announced proposed settlement agreements with six companies over charges that they falsely claimed membership in the U.S. Department of Commerce Safe Harbor program. In six separate complaints, the FTC alleged that ExpatEdge Partners LLC, Onyx Graphics, Inc., Directors Desk LLC, Collectify LLC, and Progressive Gaitways LLC deceived consumers by representing that they maintained current certifications to the Safe Harbor program when such certifications had previously lapsed. The terms of the proposed settlement agreements prohibit the companies from misrepresenting their membership in any privacy, security or other compliance program. The six enforcement actions are significant as they mark a considerable uptick in the FTC’s enforcement related to the Safe Harbor program. The FTC recently brought its first enforcement action relevant to the program, which is detailed in our post titled “FTC's First Safe Harbor Enforcement Action.”

The European Union Data Protection Directive requires EU Member States to implement legislation that prohibits the transfer of personal data outside the EU unless the EU has made a determination that the laws of the recipient jurisdiction are substantially equivalent to those of the EU, and thus provide “adequate” protection for personal data. Because the EU has determined that the laws of the United States do not meet its adequacy standard, the U.S. Department of Commerce and the EU developed the Safe Harbor Framework, which went into effect in November 2000. The Safe Harbor Program allows participating U.S. companies under the jurisdiction of the FTC or the U.S. Department of Transportation to transfer personal data lawfully from the EU. To join the Safe Harbor, a company must self-certify to the U.S. Department of Commerce that it complies with seven principles that have been deemed to meet the EU’s adequacy standard. To maintain its certification to the Safe Harbor program, a company must re-certify on an annual basis that it continues to comply with the seven principles. The Department of Commerce maintains a list of all currently-certified companies.

The proposed FTC settlement agreements highlight that companies certified to the Safe Harbor program should verify that their certifications remain current. If companies wish to cease Safe Harbor membership, their representations, including those in website notices and marketing materials, should be promptly updated to avoid deceptive representations to consumers. In all cases, the defendant companies had let their memberships lapse; exhibits to the FTC's complaints included pages from their websites, in which the companies continued to purport Safe Harbor membership.

© Hunton & Williams LLP 2009

http://www.huntonprivacyblog.com/2009/10/articles/enforcement-1/ftc-takes-additional-safe-harborrelated-enforcement-actions/


Monday, October 5, 2009

Another possible data breach of Veterans data

The issue involves a defective hard drive the agency (the National Archives and Records Administration, which operates eVetRecs) sent back to its vendor for repair and recycling without first destroying the data. The hard drive helped power eVetRecs, the system veterans use to request copies of their health records and discharge papers. When the drive failed last year, the agency returned the drive to GMRI, the contractor that sold it to them, for repair. GMRI determined it couldn’t be fixed, and ultimately passed it to another firm to be recycled. The drive was part of a RAID array of six drives containing an Oracle database that held detailed records on 76 million veterans, including millions of Social Security numbers dating to 1972, when the military began using individuals’ Social Security numbers as their service numbers. A drive that has failed for the host is frequently still readable in a recovery lab, and a single member of a striped array still carries fragments of the whole data set, so a failed drive should leave the building only after it has been wiped, degaussed or physically destroyed, which is a condition the RMA contract has to allow for.

Tuesday, September 29, 2009

FISMA Guide from Tripwire

http://edge.networkworld.com/whitepapers/nww/pdf/Tripwire_FISMA_Prescriptive_Guide.pdf

Smart Grid CyberSecurity Strategy and Requirements

Nice read from NIST

PCI DSS Update Could Include Virtualization Security

PCI Virtualization Special Interest Group (SIG) is drafting guidelines and a mapping tool for applying PCI to virtualized systems

By Kelly Jackson Higgins, DarkReading
Sept. 25, 2009
URL: http://www.darkreading.com/story/showArticle.jhtml?articleID=220200260

The PCI Data Security Standard (PCI DSS) is due for an update next year, and the upcoming version of the standard could define securing cardholder data in virtualization environments.

The PCI Virtualization Special Interest Group (SIG), made up of auditors, vendors, merchants, banks, and Qualified Security Assessor (QSA) firms, this week met to hash out a proposal for how to include virtualization technology in PCI. The group is working on proposed changes to the DSS, as well as guidelines for how to map virtualization to the existing PCI spec.

"Because DSS does not even mention virtualization, there have been a lot of questions about how it applies, whether it can be used for PCI, and what areas are not in-scope," says Kurt Roemer, chief security strategist for Citrix and a member of the PCI DSS board of advisers. "We're addressing these questions."

The group is putting the final touches on a white paper and mapping "tool" document that explains where virtualization applies within each requirement of the DSS. "We're not out to replace or change PCI," Roemer says. Instead, the group is providing "an information supplement and additional guidance" for making virtualization environments PCI-compliant.

Roemer says the group is gathering additional input for proposed changes to the DSS. It will deliver the information to the PCI Standards Council, which meets in January to begin the process of building version 1.3 of the standard, due in October 2010. At this point, all of the proposals are basically a supplement to PCI, and it's up to the council to decide whether the spec itself is updated to include virtualization.

This is the latest effort in expanding PCI to incorporate emerging technologies. The PCI Security Standards Council (PCI SSC) recently unveiled best practices for retailers to defend themselves against the growing number of credit- and debit-card skimming scams, and in July a council working group created a set of recommendations for wireless deployment for PCI.

Mark Weiner, managing partner of virtualization vendor Reliant Security and a lead author of the PCI virtualization white paper, says companies and auditors have had to make their "own assumptions" in the absence of official PCI guidelines for virtualization. "That illustrates the need for this work," he says.

The hot topics are virtualization of point-of-sale (POS) systems and electronic commerce, Weiner says. "This is becoming hotter as retailers try to use virtualization for the cost benefit," he says. Ecommerce has raised issues, such as segmentation and the role of the hypervisor with cardholder data.

Among some of the technical issues are segmentation of the network, encryption, and how the presence or absence of virtualization will affect PCI compliance, says Richard Rees, security solutions director for SunGard Availability Services and a contributor to the PCI virtualization working group. "Answering questions -- such as, are all virtual machines on the same hypervisor as cardholder data VMs in scope, does virtualization violate the 'one primary function per server' tenet, and do virtual switches and virtual security appliances truly segment virtual environments on the same hypervisor -- are all things we are looking to the PCI Council, technical working group, and virtualization SIG to help answer," Rees says. "At this point, that's open to the interpretation of each QSA."

And physical security with cloud computing is another tricky area that's under discussion. PCI DSS has specific requirements and audits for physical security. "If you're outsourcing part of your environment with cloud computing and don't understand their physical security, or can't get access to local controls, you're still obligated to protect [the cardholder data]," Rees says.

Tuesday, September 15, 2009

Heartland on Defense at Senate Hearing

The ranking member of the Senate Homeland Security and Governmental Affairs Committee told the chief executive of Heartland Payment Systems that she was "astonished" a breach of the company's information system lasted for nearly 1½ years without being detected.

At a panel hearing Monday on protecting industry against growing cyber threats, Sen. Susan Collins, R.-Maine, asked Heartland CEO Robert Carr to explain how this delay happened. Carr responded that a breach is usually detected when the processing payer is notified of fraudulent use of cards, and that didn't occur until the end of 2008.

"Isn't there software in the systems to detect such a breach?" Collins asked.

"There is, and the cyber criminals are very good at masking themselves," Carr replied. "To be able to scan systems to determine what the malware is, you have to understand something about the attack vector, and you need to know something about the malware to find it. All of us in the industry go through annual assessments, but the bad guys are working together to get around all those assessments."

Carr told the panel Heartland is taking two major steps to prevent this type of breach from recurring. Working through the Financial Services Information Sharing and Analysis Center, Heartland and other payment processors established Payments Processing Information Sharing, a forum for sharing information about fraud, threats, vulnerabilities and risk mitigation practices.


Continue reading at:

http://www.govinfosecurity.com/articles.php?art_id=1774

France to vote on new piracy bill

The French National Assembly will vote on Tuesday to decide whether to allow the authorities to cut illegal downloaders off from the web.

The hard-line policy has drawn worldwide attention as nations around the globe grapple with the issue of piracy.

An earlier version of the bill was ruled unconstitutional and a compromise version has been hammered out.

The legislation is backed by President Nicolas Sarkozy.

The proposed legislation operates under a "three strikes" system. A new state agency would first send illegal file-sharers a warning e-mail, then a letter and finally cut off their connection if they were caught a third time.

While it is backed by the film and record industries, consumer groups have warned that innocent people may get punished.

The European Parliament is currently considering whether cutting off internet access is a breach of human rights.

In the UK, Business Secretary Lord Mandelson has been widely credited with seeking a tougher line on UK piracy laws.

The British government is proposing a tougher stance which could include cutting repeat offenders off from the net.

http://news.bbc.co.uk/2/hi/technology/8256362.stm

Wednesday, August 26, 2009

FTC Issues Final Breach Notification Rule for Electronic Health Information

http://www.ftc.gov/healthbreach/

The Federal Trade Commission has issued a final rule requiring certain Web-based businesses to notify consumers when the security of their electronic health information is breached.
Congress directed the FTC to issue the rule as part of the American Recovery and Reinvestment Act of 2009. The rule applies to both vendors of personal health records – which provide online repositories that people can use to keep track of their health information – and entities that offer third-party applications for personal health records. These applications could include, for example, devices such as blood pressure cuffs or pedometers whose readings consumers can upload into their personal health records. Consumers may benefit by using these innovations, but only if they are confident that their health information is secure and confidential.
Many entities offering these types of services are not subject to the privacy and security requirements of the Health Insurance Portability and Accountability Act (HIPAA), which applies to health care service providers such as doctors’ offices, hospitals, and insurance companies. The Recovery Act requires the Department of Health and Human Services to conduct a study and report by February 2010, in consultation with the FTC, on potential privacy, security, and breach-notification requirements for vendors of personal health records and related entities that are not subject to HIPAA. In the meantime, the Act requires the Commission to issue a rule requiring these entities to notify consumers if the security of their health information is breached. The Commission announced a proposed rule in April 2009, collected public comments until June 1, and is issuing the Final Rule today.
The Final Rule requires vendors of personal health records and related entities to notify consumers following a breach involving unsecured information. In addition, if a service provider to one of these entities has a breach, it must notify the entity, which in turn must notify consumers. The Final Rule also specifies the timing, method, and content of notification, and in the case of certain breaches involving 500 or more people, requires notice to the media. Entities covered by the rule must notify the FTC, and they may use a standard form, which can be found along with additional information about the rule at www.ftc.gov/healthbreach.
The Commission vote approving the Final Rule was 4-0. The notice will be published in the Federal Register shortly, and is available now on the FTC’s Web site and as a link to this press release.

Monday, August 24, 2009

How Hackers Snatch Real-Time Security ID Numbers


The world’s savviest hackers are on to the “real-time Web” and using it to devilish effect. The real-time Web is the fire hose of information coming from services like Twitter. The latest generation of Trojans — nasty little programs that hacking gangs use to burrow onto your computer — sends a Twitter-like stream of updates about everything you do back to their controllers, many of whom, researchers say, are in Eastern Europe. Trojans used to just accumulate secret diaries of your Web surfing and periodically send the results on to the hacker.

The security world first spotted these new attacks last year. I ran into them again while reporting an article in Thursday’s Times about a lawsuit meant to help track down the perpetrators of these attacks.

By going real time, hackers now can get around some of the roadblocks that companies have put in their way. Most significantly, they are now undeterred by systems that create temporary passwords, such as RSA’s SecurID system, which involves a small gadget that displays a six-digit number that changes every minute based on a complex formula.

If your computer is infected, the Trojan zaps your temporary password back to the waiting hacker, who immediately uses it to log onto your account. Sometimes the hacker logs on from his own computer, probably using tricks to hide its location. Other times the Trojan allows the hacker to control your computer, opening a browser session that you can’t see.

“What everybody thought was a very secure identification method, these guys found a low-tech means to get around it,” said Joe Stewart, the director of malware research for SecureWorks, a software company. “They don’t break the encryption; they just log in at the same time you do.”

Mr. Stewart recently decoded a particularly nasty Trojan called Clampi that uses this real-time technique; it is used to attack people who have access to corporate bank accounts with large balances.

When people visit Web sites that have been taken over by the hackers, the software is surreptitiously downloaded onto their machines. Clampi has an unusual feature that can take advantage of a vulnerability in Windows and spread itself to all of the computers on a corporate network. Mr. Stewart found that each of those machines, in turn, was programmed to notice when their users visited any of 4,600 specified Web pages, including banks, brokerages and other sorts of sites.

Then Clampi starts sending a real-time stream of the user’s actions using a modified version of standard instant messaging software. The hackers log into the user’s bank account, quickly copying the one-time password if one is used. They start initiating wire transfers to accomplices (mules is the term of art) who send the funds on to the crooks. Sometimes they have even set up “mules” or fake employees who earn fat salaries by direct deposit.

One victim of Clampi was Slack Auto Parts in Gainesville, Ga., which lost $75,000 to the scam, according to a post in the Washington Post’s Security Fix blog.

Clampi appears to be operated by a single gang, Mr. Stewart said. He infers that the hackers speak Russian because that language is used in the computer code. Other similar Trojans, including ZeuS and Silentbanker, are being sold to many different groups of cybercrooks. (Here is an article from USA Today about the hacker behind ZeuS.)

Does this all mean that all those password gizmos are a waste of money? Not exactly. They still protect against less sophisticated forms of password phishing, not to mention people just looking over your shoulder as you log onto your computer. Moreover, if you can keep your computer clean of malware by avoiding suspicious e-mail attachments and Internet downloads, you are safer.

But there is nonetheless a race to find an even more secure way to keep the big bucks safe. One way is what is called two-channel authentication, using something other than the computer — most likely a cellphone — as part of the log-on procedure. That’s a good idea, but you know the hackers are already working out how they will attack those phones as well.
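Mr. Stewart's point that "they just log in at the same time you do" can be shown in a few dozen lines, and so can why the two-channel idea only helps if the second channel confirms the transaction rather than just another number. The code below is an added example, not from the Times article, SecureWorks or RSA: it implements HOTP (RFC 4226) and TOTP (RFC 6238) with the Python standard library, models a Clampi-style attacker who receives the victim's code over the Trojan's stream and submits it inside the same time step, and then adds a transaction-bound code that goes beyond the article. The seed, timestamps, 30-second step and payment details are constructed for the demonstration; `OtpServer`, `relay_attack` and the transaction functions are this example's own names, not any vendor's API.

```python
"""Why a time-based one-time password does not stop a real-time relay.

Added example; not code from the article, from SecureWorks or from RSA.
HOTP/TOTP are implemented per RFC 4226 / RFC 6238 with the standard
library. Seed, timestamps and payment details are constructed.
"""
import hashlib
import hmac
import struct

SECRET = b"constructed-seed-not-a-real-token"   # constructed shared secret
STEP = 30     # seconds per code (RFC 6238 default; SecurID tokens use 60)
DIGITS = 6


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """HOTP: dynamically truncated HMAC-SHA1 over the 8-byte counter."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def totp(secret: bytes, now: int, step: int = STEP) -> str:
    """TOTP: HOTP with the counter taken from the clock."""
    return hotp(secret, now // step)


class OtpServer:
    """Verifier with two policy knobs: tolerated clock skew (in steps) and
    whether a code that was accepted once may be accepted again."""

    def __init__(self, secret: bytes, window: int = 1, single_use: bool = False):
        self.secret = secret
        self.window = window
        self.single_use = single_use
        self.used = set()   # (counter, code) pairs already accepted

    def verify(self, code: str, now: int) -> bool:
        counter = now // STEP
        for c in range(counter - self.window, counter + self.window + 1):
            if hmac.compare_digest(hotp(self.secret, c), code):
                if self.single_use and (c, code) in self.used:
                    return False
                self.used.add((c, code))
                return True
        return False


def relay_attack(server: OtpServer, victim_first: bool, t0: int = 1_250_000_000):
    """The Clampi scenario. The Trojan streams the code the victim typed and
    the attacker submits it a few seconds later, inside the same step.
    With victim_first=False the man-in-the-browser holds the victim's
    request back so the attacker's session uses the code first.
    Returns (victim_accepted, attacker_accepted)."""
    code = totp(SECRET, t0)
    if victim_first:
        victim = server.verify(code, t0)
        attacker = server.verify(code, t0 + 5)
    else:
        attacker = server.verify(code, t0 + 1)
        victim = server.verify(code, t0 + 5)
    return victim, attacker


def _txn_key(secret: bytes, amount: str, dest: str) -> bytes:
    """Per-transaction key derived from the seed and the payment details."""
    return hmac.new(secret, f"{amount}|{dest}".encode(), hashlib.sha256).digest()


def transaction_code(secret: bytes, now: int, amount: str, dest: str) -> str:
    """Transaction-bound code (beyond the article): it commits to amount and
    destination, so a relayed code cannot authorise a different wire."""
    return hotp(_txn_key(secret, amount, dest), now // STEP)


def verify_transaction(secret: bytes, code: str, now: int, amount: str,
                       dest: str, window: int = 1) -> bool:
    key = _txn_key(secret, amount, dest)
    counter = now // STEP
    return any(hmac.compare_digest(hotp(key, c), code)
               for c in range(counter - window, counter + window + 1))


if __name__ == "__main__":
    print("plain TOTP:          ", relay_attack(OtpServer(SECRET), True))
    print("single-use:          ", relay_attack(OtpServer(SECRET, single_use=True), True))
    print("single-use, MitB:    ", relay_attack(OtpServer(SECRET, single_use=True), False))
```

Run stand-alone it prints three (victim, attacker) pairs. With plain TOTP both log in: the code is valid for the whole step, and the attacker is inside it. Enforcing single use blocks the attacker only when the victim's login landed first; when the Trojan holds the victim's request and plays the code first, the attacker gets in and the victim sees a failed login, which is exactly the "low-tech" win Mr. Stewart describes. The transaction-bound variant is what the second channel has to carry to be worth the money: a code tied to "$75,000 to account X" is useless for a wire to a mule, whereas a phone that merely displays a fresh six-digit number can be relayed like the token.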