FTC Issues Final Breach Notification Rule for Electronic Health Information

http://www.ftc.gov/healthbreach/

FTC Issues Final Breach Notification Rule for Electronic Health Information

The Federal Trade Commission has issued a final rule requiring certain Web-based businesses to notify consumers when the security of their electronic health information is breached.

Congress directed the FTC to issue the rule as part of the American Recovery and Reinvestment Act of 2009. The rule applies to both vendors of personal health records – which provide online repositories that people can use to keep track of their health information – and entities that offer third-party applications for personal health records. These applications could include, for example, devices such as blood pressure cuffs or pedometers whose readings consumers can upload into their personal health records. Consumers may benefit by using these innovations, but only if they are confident that their health information is secure and confidential.

Many entities offering these types of services are not subject to the privacy and security requirements of the Health Insurance Portability and Accountability Act (HIPAA), which applies to health care service providers such as doctors’ offices, hospitals, and insurance companies. The Recovery Act requires the Department of Health and Human Services to conduct a study and report by February 2010, in consultation with the FTC, on potential privacy, security, and breach-notification requirements for vendors of personal health records and related entities that are not subject to HIPAA. In the meantime, the Act requires the Commission to issue a rule requiring these entities to notify consumers if the security of their health information is breached. The Commission announced a proposed rule in April 2009, collected public comments until June 1, and is issuing the Final Rule today.

The Final Rule requires vendors of personal health records and related entities to notify consumers following a breach involving unsecured information. In addition, if a service provider to one of these entities has a breach, it must notify the entity, which in turn must notify consumers. The Final Rule also specifies the timing, method, and content of notification, and in the case of certain breaches involving 500 or more people, requires notice to the media. Entities covered by the rule must notify the FTC, and they may use a standard form, which can be found along with additional information about the rule at www.ftc.gov/healthbreach.

The Commission vote approving the Final Rule was 4-0. The notice will be published in the Federal Register shortly, and is available now on the FTC’s Web site and as a link to this press release.

The Federal Trade Commission works for consumers to prevent fraudulent, deceptive, and unfair business practices and to provide information to help spot, stop, and avoid them. To file a complaint in English or Spanish, visit the FTC’s online Complaint Assistant or call 1-877-FTC-HELP (1-877-382-4357). The FTC enters complaints into Consumer Sentinel, a secure, online database available to more than 1,500 civil and criminal law enforcement agencies in the U.S. and abroad. The FTC’s Web site provides free information on a variety of consumer topics.

How Hackers Snatch Real-Time Security ID Numbers

How Hackers Snatch Real-Time Security ID Numbers

By SAUL HANSELL

The world’s savviest hackers are on to the “real-time Web” and using it to devilish effect. The real-time Web is the fire hose of information coming from services like Twitter. The latest generation of Trojans — nasty little programs that hacking gangs use to burrow onto your computer — sends a Twitter-like stream of updates about everything you do back to their controllers, many of whom, researchers say, are in Eastern Europe. Trojans used to just accumulate secret diaries of your Web surfing and periodically sent the results on to the hacker.

The security world first spotted these new attacks last year. I ran into it again while reporting an article in Thursday’s Times about a lawsuit meant to help track down the perpetrators of these attacks.

By going real time, hackers now can get around some of the roadblocks that companies have put in their way. Most significantly, they are now undeterred by systems that create temporary passwords, such as RSA’s SecurID system, which involves a small gadget that displays a six-digit number that changes every minute based on a complex formula.

If you computer is infected, the Trojan zaps your temporary password back to the waiting hacker who immediately uses it to log onto your account. Sometimes, the hacker logs on from his own computer, probably using tricks to hide its location. Other times, the Trojan allows the hacker to control your computer, opening a browser session that you can’t see.

“What everybody thought was a very secure identification method, these guys found a low-tech means to get around it,” said Joe Stewart, the director of malware research for SecureWorks, a software company. “They don’t break the encryption; they just log in at the same time you do.”

Mr. Stewart recently decoded a particularly nasty Trojan that uses a real-time technique called Clampi, which is used to attack people who have access to corporate bank accounts with large balances.

When people visit Web sites that have been taken over by the hackers, the software is surreptitiously downloaded onto their machines. Clampi has an unusual feature that can take advantage of a vulnerability in Windows and spread itself to all of the computers on a corporate network. Mr. Stewart found that each of those machines, in turn, was programmed to notice when their users visited any of 4,600 specified Web pages, including banks, brokerages and other sorts of sites.

Then Clampi starts sending a real-time stream of the user’s actions using a modified version of standard instant messaging software. The hackers log into the user’s bank account, quickly copying the one-time password if one is used. They start initiating wire transfers to accomplices (mules is the term of art) who send the funds on to the crooks. Sometimes they have even set up “mules” or fake employees who earn fat salaries by direct deposit.

One victim of Clampi was Slack Auto Parts in Gainesville, Ga., which lost $75,000 to the scam, according to a post in the Washington Post’s Security Fix blog.

Clampi appears to be operated by a single gang, Mr. Stewart said. He infers that the hackers speak Russian because that language is used in the computer code. Other similar Trojans, including ZeuS and Silentbanker, are being sold to many different groups of cybercrooks. (Here is an article from USA Today about the hacker behind ZeuS.)

Does this all mean that all those password gizmos are a waste of money? Not exactly. They still protect against less sophisticated forms of password phishing, not to mention people just looking over your shoulder as you log onto your computer. Moreover, if you can keep your computer clean of malware by avoiding suspicious e-mail attachments and Internet downloads, you are safer.

But there is nonetheless a race to find an even more secure way to keep the big bucks safe. One way is what is called two-channel authentication, using something other than the computer — most likely a cellphone — as part of the log-on procedure. That’s a good idea, but you know the hackers are already working out how they will attack those phones as well.

http://bits.blogs.nytimes.com/2009/08/20/how-hackers-snatch-real-time-security-id-numbers/

Radisson Hotel Data Breach

M4x: Incident happened between Nov2008 to May2009. That long ago and just reported now? What happened to Incident Monitoring, Transaction logging Audits?

Radisson Hotels Reporting Significant Data Breach

8/19/2009

• By David Morrison

The Radisson Hotel chain is the latest American retail company to announce it has suffered a significant breach of its computer systems resulting in the compromise of credit and debit card data.

In an open letter to guests on the hotel's Web site (http://www.radisson.com/openletter/openletter.html) Radisson said that the breach had occurred for a number of months, from November 2008 until May 2009, but said the investigation had not revealed how many card numbers might have been compromised. It also revealed that the data accessed may have included the name printed on a guest’s credit card or debit card, a credit or debit card number, and/or a card expiration date.

“This unauthorized access was in violation of both civil and criminal laws. Radisson has been coordinating with federal law enforcement to assist in the investigation of this incident,” wrote Fredrik Korallus, chief operating officer for the hotel and resort chain.

“While the number of potentially affected hotels involved in this incident is limited, the data accessed may have included guest information such as the name printed on a guest’s credit card or debit card, a credit or debit card number, and/or a card expiration date. We recommend that you review your account statements and credit reports closely.”

The announcement comes on the heels of news of the indictment of Albert Gonzalez, the man law enforcement alleges has been responsible for many computer security thefts and card data breaches since 2007.

http://www.cutimes.com/News/2009/8/Pages/Radisson-Hotels-Reporting-Significant-Data-Breach.aspx?PrintPreview

Most recent breaches posted by Privacy rights Clearinghouse

This AMEX incident is troubling and the fact that this is hard to detect and control, consumers are just sittnig ducks. Well I am unaware of the complete details but many types of incidents like this go unreported. Brace yourself again, AMEX cardholders. Check you recent purchases.

Aug. 14, 2009	American Express (New York, NY)	Some American Express card members' accounts may have been compromised by an employee's recent theft of data. The former employee has been arrested and the company is investigating how the data was obtained. American Express declined to disclose any more details about the incident. The company has put additional fraud monitoring and protection controls on the accounts at issue.	Unknown
Aug. 14, 2009	Calhoun Area Career Center (Battle Creek, MI)	Personal information from 455 students at Calhoun Area Career Center during the 2005-2006 school year was available online for more than three years. The information included names, Social Security numbers, 2006 addresses and telephone numbers, birth dates and school information. There were about 1,000 students at the career center during that time, but an investigation by the Calhoun County Intermediate School district found that information for 455 students was available.	455
Aug. 15, 2009	Northern Kentucky University (Highland Heights, KY)	A Northern Kentucky University employee's laptop computer - which contained personal information about some current and former students -- was stolen from a restricted area. The personal information stored on the employee's computer included Social Security numbers of at least 200 current and former students.	200

Associated Content: Privacy and Monitoring in the USA

Privacy and Monitoring in the USA

The USA Patriot Act and Laws Regarding Privacy and Monitoring in the United States

By D W

http://www.associatedcontent.com/article/2042805/privacy_and_monitoring_in_the_usa.html?cat=17

Takeaways

USA Patriot Act

Privacy and Monitoring Laws

Ethics and Technology

The United States of America has been reducing privacy levels drastically as part of its anti-terrorism campaign. The USA has passed a law known as the USA Patriot Act, which allows criminal and intelligence investigations to go anywhere that Americans used to believe was private. This law allows investigators to break into homes and examine objects without consent, and even examine an individual's personal records. This law can overrule state and federal privacy laws, and is directly linked to the FBI. This is an example of the power of information shifting to the government, and this means that increased use of, and improved, investigation technology will contribute to increasing levels of power being attributed to the US government over it's citizens. If the government keeps this type of action up, then it will soon begin to develop a lot of dominance over it's citizens in the form of restricted information. If citizens wish to maintain any level of privacy, they will need to begin standing up for their own personal privacy rights before they let it's increasingly restrictive government from manipulating and controlling it's people. It is unlikely that many Americans want to see prying monitoring technology end up being installed in private locations just to feed information to it's hungry government, only then to not have access to any of the personal information themselves.

So why not let everyone have access to the receiving end of monitoring technology? It is possible to argue that if all the data that is gathered from this technology was made public and accessible to everyone, that it would be morally acceptable. Should anyone behave in a way that is not acceptable for everyone (at least of a certain age) to witness, even if it is in a private location? The answer to this is a definite no. If everyone had the ability to openly spy on each other, then it would turn into a society where those who had the most attention would be ostracized while those who are fortunate enough get ignored can begin to gain an advantage simply by not being noticed, and likely get off with rule-breaking and criminal activity.

This would lead then lead to lack of efficiency, lack of innovation, dis-utility, and even some inequality because those who are simply more commonly spied on, likely because they are beginning to get ahead, will lose an edge in our competitive society. If human and informational monitoring was reduced only to public areas, then it would be much more ethical because people could simply operate outside of the public eye if they so desired. Still, many of these same issues still exist, with the wealthier members of society being the only ones who can afford the necessary private property, and the poorer being the ones who need to use public services and are forced to conform more strongly to the legal system of the society.

However, many advantages also exist to public monitoring, especially in situations where the nature of the law (or desired restricted/encouraged behaviors) exists in and of itself because the location is public. Good examples are freeways and public intersections, where people simply must adhere to the rules in order for the service to function. Public monitoring in an area like this can only be deemed ethical because all it does is encourage more organized, beneficial behavior in a highly publicized location.

The only downside is that they must access this public location in order to get from one private location to another, but with the monitoring it still becomes a more organized area that should eliminate free-riders, dangerous law-breakers, and unwanted public behavior in a place that everyone has to be. Some semi-public places (such as a hospital or school) may want to reduce monitoring and respect more privacy rights because of the reality that patients have little choice in the matter, as they require the public services to function, and have to spend much of their time at the public locations whether or not they are being monitored.

latimes.com/business/la-fi-cover-privacy16-2009aug16,0,5663794.story

Online, your private life is searchable

Photos, addresses, family ties, court documents, details from MySpace profiles -- the moment information is published online, it can be copied and re-posted, and often is.

By David Sarno

August 16, 2009

When Maya Rupert wrote an article frowning at several Southern states for officially celebrating Confederate History Month, Internet critics lined up to fire back.

But this time, they arrived with more than harsh words.

The 28-year-old Los Angeles attorney's detractors dug up a photo of her and posted it, along with details of political contributions she'd made, in an online discussion of the article she wrote for the L.A. Watts Times. They called their finds evidence of her bias on the emotionally charged subject.

"It really surprised me when I found out that people could see how much I donated to Obama," Rupert said, referring to the $400 she gave to the candidate last year, the record of which is available through several online watchdog sites.

After that, Rupert said, "they pulled a picture off my firm's website and said, 'Of course she's black.' "

Until recently, personal information has been scattered across cyberspace, to be found or not depending on the luck and sophistication of the searcher. But a new crop of "snooper" sites is making it easier than ever for anyone with Internet access to assemble the information into a digital portrait.

"It's amazing what you can Google," one of the people who criticized Rupert wrote in an online forum.

Rupert has since learned that the photo and campaign contributions were just a small part of her online "footprint" -- an expansive dossier that she did not realize was available to anyone searching her name.

On Snitch.name, users can enter a name -- their own or someone else's -- and watch as the site culls information from dozens of search engines, social networks and directories.

Rupert entered her name into Snitch last week, and within a minute she was presented with photos of herself, details of her California Bar membership and the names and addresses of her sister and parents.

"I'm a fan of open records and a fan of a lot of information being public," she said. "But there's public," and then there's the unfettered Web where "at the touch of a button, I can find out private information about you and use that for other purposes."

"It's really creepy," she said.

Latest Data Breach as Reported by the Privacy Rights Clearinghouse

Aug. 13, 2009

National Guard Bureau (Arlington, VA)

An Army contractor had a laptop stolen containing personal information on 131,000 soldiers. on the stolen laptop contained personal information on soldiers enrolled in the Army National Guard Bonus and Incentives Program. The data includes names, Social Security numbers, incentive payment amounts and payment dates.

131,000

http://www.securityfocus.com/news/11556

Two convicted in U.K. for refusal to decrypt data
Chris Williams, The Register 2009-08-12

Two people have been successfully prosecuted for refusing to provide U.K. authorities with their encryption keys, resulting in landmark convictions that may have carried jail sentences of up to five years.

The British government said today it does not know their fate.

The power to force people to unscramble their data was granted to authorities in October 2007. Between 1 April, 2008 and 31 March this year the first two convictions were obtained.

The disclosure was made by Sir Christopher Rose, the government's Chief Surveillance Commissioner, in his recent annual report.

The former High Court judge did not provide details of the crimes being investigated in the case of either individual — neither of whom were necessarily suspects — nor of the sentences they received.

The Crown Prosecution Service said it was unable to track down information on the legal milestones without the defendants' names.

Failure to comply with a section 49 notice carries a sentence of up to two years jail plus fines. Failure to comply during a national security investigation carries up to five years jail.

Sir Christopher reported that all of the 15 section 49 notices served over the year - including the two that resulted in convictions - were in "counter terrorism, child indecency and domestic extremism" cases.

The Register has established that the woman served with the first section 49 notice, as part of an animal rights extremism investigation, was not one of those convicted for failing to comply. She was later convicted and jailed on blackmail charges.

Of the 15 individuals served, 11 did not comply with the notices. Of the 11, seven were charged and two convicted. Sir Christopher did not report whether prosecutions failed or are pending against the five charged but not convicted in the period covered by his report.

To obtain a section 49 notice, police forces must first apply to the National Technical Assistance Centre (NTAC). Although its web presence suggests NTAC is part of the Home Office's Office of Security and Counter Terrorism, it is in fact located at the government's secretive Cheltenham code breaking centre, GCHQ.

GCHQ didn't immediately respond to a request for further information on the convictions. The Home Office said NTAC does not know the outcomes of the notices it approves.

NTAC approved a total of 26 applications for a section 49 notice during the period covered by the Chief Surveillance Commissioner's report, which does not say if any applications were refused. The judicial permission necessary to serve the notices was then sought in 17 cases. Judges did not refuse permission in any case.

One police force obtained and served a section 49 notice without NTAC approval while acting on "incorrect information from the Police National Legal Database", according to Sir Christopher. The action was dropped before it reached court.

Locational Privacy

Another neat paper from EFF on locational privacy:

http://www.eff.org/wp/locational-privacy

On Locational Privacy, and How to Avoid Losing it Forever
By Andrew J. Blumberg and Peter Eckersley, August 2009


Over the next decade, systems which create and store digital records of people's movements through public space will be woven inextricably into the fabric of everyday life. We are already starting to see such systems now, and there will be many more in the near future.

Here are some examples you might already have used or read about:

* Monthly transit swipe-cards
* Electronic tolling devices (FastTrak, EZpass, congestion pricing)
* Cellphones
* Services telling you when your friends are nearby
* Searches on your PDA for services and businesses near your current location
* Free Wi-Fi with ads for businesses near the network access point you're using
* Electronic swipe cards for doors
* Parking meters you can call to add money to, and which send you a text message when your time is running out
* These systems are marvelously innovative, and they promise benefits ranging from increased convenience to transformative new kinds of social interaction.

Unfortunately, these systems pose a dramatic threat to locational privacy.

What is "locational privacy"?
Locational privacy (also known as "location privacy") is the ability of an individual to move in public space with the expectation that under normal circumstances their location will not be systematically and secretly recorded for later use. The systems discusssed above have the potential to strip away locational privacy from individuals, making it possible for others to ask (and answer) the following sorts of questions by consulting the location databases:

* Did you go to an anti-war rally on Tuesday?
* A small meeting to plan the rally the week before?
* At the house of one "Bob Jackson"?
* Did you walk into an abortion clinic?
* Did you see an AIDS counselor?
* Have you been checking into a motel at lunchtimes?
* Why was your secretary with you?
* Did you skip lunch to pitch a new invention to a VC? Which one?
* Were you the person who anonymously tipped off safety regulators about the rusty machines?
* Did you and your VP for sales meet with ACME Ltd on Monday?
* Which church do you attend? Which mosque? Which gay bars?
* Who is my ex-girlfriend going to dinner with?

Of course, when you leave your home you sacrifice some privacy. Someone might see you enter the clinic on Market Street, or notice that you and your secretary left the Hilton Gardens Inn together. Furthermore, in the world of ten years ago, all of this information could be obtained by people who didn't like you or didn't trust you.

Continue reading at:

http://www.eff.org/wp/locational-privacy

Two convicted in U.K. for refusal to decrypt data

http://www.securityfocus.com/news/11556 Two convicted in U.K. for refusal to decrypt data Chris Williams, The Register 2009-08-12 Two people have been successfully prosecuted for refusing to provide U.K. authorities with their encryption keys, resulting in landmark convictions that may have carried jail sentences of up to five years. The British government said today it does not know their fate. The power to force people to unscramble their data was granted to authorities in October 2007. Between 1 April, 2008 and 31 March this year the first two convictions were obtained. The disclosure was made by Sir Christopher Rose, the government's Chief Surveillance Commissioner, in his recent annual report. The former High Court judge did not provide details of the crimes being investigated in the case of either individual — neither of whom were necessarily suspects — nor of the sentences they received. The Crown Prosecution Service said it was unable to track down information on the legal milestones without the defendants' names. Failure to comply with a section 49 notice carries a sentence of up to two years jail plus fines. Failure to comply during a national security investigation carries up to five years jail. Sir Christopher reported that all of the 15 section 49 notices served over the year - including the two that resulted in convictions - were in "counter terrorism, child indecency and domestic extremism" cases. The Register has established that the woman served with the first section 49 notice, as part of an animal rights extremism investigation, was not one of those convicted for failing to comply. She was later convicted and jailed on blackmail charges. Of the 15 individuals served, 11 did not comply with the notices. Of the 11, seven were charged and two convicted. Sir Christopher did not report whether prosecutions failed or are pending against the five charged but not convicted in the period covered by his report. To obtain a section 49 notice, police forces must first apply to the National Technical Assistance Centre (NTAC). Although its web presence suggests NTAC is part of the Home Office's Office of Security and Counter Terrorism, it is in fact located at the government's secretive Cheltenham code breaking centre, GCHQ. GCHQ didn't immediately respond to a request for further information on the convictions. The Home Office said NTAC does not know the outcomes of the notices it approves. NTAC approved a total of 26 applications for a section 49 notice during the period covered by the Chief Surveillance Commissioner's report, which does not say if any applications were refused. The judicial permission necessary to serve the notices was then sought in 17 cases. Judges did not refuse permission in any case. One police force obtained and served a section 49 notice without NTAC approval while acting on "incorrect information from the Police National Legal Database", according to Sir Christopher. The action was dropped before it reached court.

Privacy Statement
Copyright 2006, SecurityFocus

Some intersting data breaches from PrivacyRights.Org

http://www.privacyrights.org/ar/ChronDataBreaches.htm

Aug. 11, 2009
University of California, Berkeley(Berkeley, CA)
Campus officials discovered during a computer security check that a hacker had gained access to the journalism school's primary Web server. The server contained much of the same material visible on the public face of the Web site. However, the server also contained a database with Social Security numbers and/or dates of birth belonging to 493 individuals who applied for admission to the journalism school between September 2007 and May 2009.
493 # OF RECORDS COMPROMISED


Aug. 19, 2009
Bank of America Corp./Citigroup Inc.(Charlotte/Massachusetts)
Charlotte-based BofA (NYSE:BAC) and Citigroup (NYSE:C) each recently issued replacement cards to consumers, telling them that their account numbers may have been compromised. Account information from certain Bank of America debit cards may have been compromised at an undisclosed third-party location. Citigroup told credit-card customers in Massachusetts “your account number may have been illegally obtained as a result of a merchant database compromise and could be at risk for unauthorized use."
Unknown # OF RECORDS COMPROMISED


Aug. 3, 2009
National Finance Center(Washington DC)
An employee with the National Finance Center mistakenly sent an Excel spreadsheet containing the employees' personal information to a co-worker via e-mail in an unencrypted form. The names and Social Security numbers of at least 27,000 Commerce Department employees were exposed.
27,000# OF RECORDS COMPROMISED


July 31, 2009
Jackson Memorial Hospital(Miami, FL)
A Miami man was charged with buying confidential patient records from a Jackson Memorial Hospital employee over the past two years, and selling them to a lawyer suspected of soliciting the patients to file personal-injury claims.
Unknown


July 24, 2009
Network Solutions(Herndon, VA)
Hackers have broken into Web servers owned by domain registrar and hosting provider Network Solutions, planting rogue code that resulted in the compromise of more than 573,000 debit and credit card accounts over the past three months. Network Solutions discovered that attackers had hacked into Web servers the company uses to provide e-commerce services - a package that includes everything from Web hosting to payment processing -- to at least 4,343 customers, mostly mom-and-pop online stores. The malicious code left behind by the attackers allowed them to intercept personal and financial information for customers who purchased from those stores.
573,000# OF RECORDS COMPROMISED


July 22, 2009
A Honolulu hospital(Honolulu, HI )
In June 2009, a Hawaii woman was sentenced to a year in prison for illegally accessing another woman's medical records and posting on MySpace that she had HIV. The State of Hawaii brought charges under a state law that criminalizes unauthorized access to a compute as a class B felony. The defendant was employed by a hospital and had access to patient medical records.
Unknown


July 10, 2009
Northern California dumpsters(dumpsters from Bay Area to Central Valley in Calif.)
A criminal complaint filed against 30-year-old suspect claims that he made more than 1,000 fake ID cards that he used to rip off people, stores and banks. He also allegedly admitted to stealing the identities of more than 500 people all across Northern California, ranging from the Bay Area to the Central Valley. Federal agents say the man said it was easy to find new victims: All he needed to do was visit a local bank and search their dumpsters. Using the sensitive materials he found in the trash, He was able to use a computer to mock up fake identification cards and blank checks, according to authorities. He also allegedly confessed to stealing between one to two million dollars in cash and merchandise.
1,500# OF RECORDS COMPROMISED


July 8, 2009
AT&T(Chicago, IL)
A temporary employee for AT&T was arrested today on charges she stole personal information on 2,100 co-workers and then pocketed more than $70,000 by taking out short-term payday loans in the names of 130 of them.
2,100# OF RECORDS COMPROMISED


May 18, 2009
Anderson Kia Car Dealership(Boulder, CO)
Police have chained up 10 recycling bins outside Boulder’s now-defunct Anderson Kia car dealership after learning that the bins were stuffed with personal information from the dealership’s former customers. Green recycling bins were piled full with folders, each headed with an individual’s name. All of the folders contained Social Security numbers, driver’s license information, photos, phone numbers and financial information for Kia customers.
Unknown# OF RECORDS COMPROMISED

Chronology of Data Breaches / Data-Loss Database

Since January 2005, privacyrights.org has compiled a list of data breach incidents - most of these are caused by internal hacks, external attacks, lost laptops and physical security missteps. To date, almost 250Million accounts have been affected and this is only those known. Those "unknowns" can be more than 250M!

See the complete list here:
http://www.privacyrights.org/ar/ChronDataBreaches.htm

This is another good source of data breaches:
http://datalossdb.org/

10 Rules for Hacker-Proof Passwords

A database of about 1400 encrypted passwords can be decrypted by a hacker utilizing his cracking tool and a regular off-the-shelf Pentium 4 PC in under 15 minutes (using dictionary attack) and about less than 8hrs (using brute-force attack).

Here is a guide from Privacyright.org:
http://www.privacyrights.org/ar/alertstrongpasswords.htm

My advice:

1. Use at least 12 characters (I highly recommend 15). Combine alphabets, numbers and special characters.

2. Change them every 180 days (I highly recommend 90 days)

3. Use your own algorithm. So, when you need to change it you don't have to remember a bunch of passwords. For example: Password1 is !L0v3mybeatles0!1! Password2 is !L0v3mybugs0!2!

4. Don't share your passwords

5. Don't use any words in your passwords that may depict your name, your family, your car, your school or anything that describes or relates to you

6. If you have too many passwords, use a password manager. There are many out there but I only trust one - PasswordSafe. Google it. Lifehacker suggests 5 alternatives:

http://lifehacker.com/5042616/five-best-password-managers

7. No names, no common words, no birthdays, no SSN, no address, no famous quotations.

8. When the system won't permit you to use more than 8 characters and special characters, be creative and please, email the webmaster (politely) to improve their password requirements.

In the old days, when "auditing passwords" :) these are the common passwords we've uncovered

god, jesus, godislove, bart, simpsons, loveisgod, honey, sweetheart, ****** (masked bec it's too obscene), name, password, secret, cia, fbi, nsa, hacker. :), :(, cool and many others

m4x

Annual Cost of Breach Report from Ponemon Institute

Ponemon is Gartner to Security and Colgate to Toothpaste :) You can get a copy of the reports here:

http://securityandprivacyblog.blogspot.com/

Among the study’s key findings:

• Total costs continue to increase: The total average costs of a data breach grew to $202 per record compromised, an increase of 2.5 percent since 2007 ($197 per record) and 11 percent compared to 2006 ($182 per record). Breaches are costly events for an organization; the average total cost per reporting company was more than $6.6 million per breach (up from $6.3 million in 2007 and $4.7 million in 2006) and ranged from $613,000 to almost $32 million.

• Cost of lost business continues to carry the highest impact: The cost of lost business continued to be the most costly effect of a breach averaging $4.59 million or $139 per record compromised. Lost business now accounts for 69 percent of data breach costs, up from 65 percent in 2007, compared to 54 percent in the 2006 study.

• Third-party data breaches increase, and cost more: Breaches by third-party organizations such as outsourcers, contractors, consultants, and business partners were reported by 44 percent of respondents, up from 40 percent in 2007, up from 29 percent in 2006 and 21 percent in 2005. Per-victim cost for third-party flubs is $52 higher (e.g., $231 vs. $179) than if the breach is internally caused.

• “First timers” cost more, repeat breaches continue: Data breaches experienced by “first timers” are more expensive than those experienced by organizations that have had previous data breaches. Per-victim cost for a first time data breach is $243 vs. $192 for experienced companies. More than 84% of all cases in this year’s study involved organizations that had more than one major data breach.

• Training and awareness programs lead companies’ efforts to prevent future breaches, according to 53% of respondents. Forty-nine percent are creating additional manual procedures and controls. Of the technology options, 44% of companies have expanded their use of encryption technologies, followed by identity and access management solutions to prevent future data breaches.

Privacy Resources

Most updated (and free) privacy resources are coming from unlikely sources such as:

Morrison & Foerster

http://www.mofo.com/about/overview/index.html

Perkins and Cole

http://www.perkinscoie.com/news/newspubs.aspx

AICPA

http://infotech.aicpa.org/Resources/Privacy/Federal+State+and+Other+Professional+Regulations/State+Privacy+Regulations/

First Steps on Security and Privacy

I've been doing Security since 2000 and technologies since my highschool days (1986 - yes, I'm old!) but Privacy is something new to me. Started work on Privacy during my HIPAA compliance and audit days back at my former employer and that was in 2005. Now, as an almost full-time Privacy guy, I've been very involed with Privacy-related Frameworks, Best Practices, Methodologies, Laws and Regulations.

As a first step for people diving into the Privacy career path, look at GAPP (by AICPA). It's the best model available if you're planning to setup your company's Privacy Program. Every company, whether small, medium or large, should have a Privacy Program to protect your company's information but more importantly, employee and customer data.

Another option is to look into various open-source resources such as NIST (they have a good document on protecting PII - that is personally identifiable information), GAO, ISACA, ISSA, HHS, ITCI and many others.

In Security, there is not a lot of mystery - many sites and organizations offer a wealth of information. Some of the notables are NIST, CIS, ISO, ISC2, ISACA, ISSA, ISF, Big 4 Firms, SecurityFocus, SecurityNewsPortal, CCCure.Org, PCI, HHS (HIPAA) and probably thousands more!

m4x

Welcome to my Blog!

I have been planning to setup this blog for the longest time and really had never the time to create one. I have one for my travels and one for my family but never had one for my profession. Probably because of google and gmail. With this search engine and almost unlimited email inbox, one can have every info you need.

Well, this blog will be for security, privacy and technology. Traffic will be modest because I have a full-time job! But I will try to post some informative job for fellow technology professionals and also, to document my day2day stuff around the industry.

m4x