DISC InfoSec blog

50 Ways to Protect Your Identity and Your Credit: Everything You Need to Know About Identity Theft, Credit Cards, Credit Repair, and Credit Reports

Primary Account Number (PAN) is a
“12-digit or 19-digit numeric code embossed on the face side of a bank card, and also encoded in the Magnetic Stripe. The primary account number is a composite number containing: the Major Industry Identifier of the card issuer; an individual account identifier, which includes part of the account number; and a Check Digit or code that verifies the authenticity of the embossed account number.”

There are three pieces of information that are included in a financial transaction. Which are PAN, primary identification number (PIN) and card’ expiration date. The PAN is 12 to 19 digit number embossed on the front of the card.
For a successful transaction PIN, PAN and card expiration date are transmitted along with other information from the merchant, the merchant will transmit the information to merchant bank, the merchant bank will transmit the information to service provider (processor), the processor will transmit to the card issuer entity to authorize the transaction.

Credit card authorization process:
1) Creditholder swipes card at merchant. A request is sent to merchants bank
2) Merchants bank “asks” processor to determine the cardholder bank
3) Processing network finds cardholders bank and request approval for purchase
4) Cardholders bank approves purchase and generates a approval code
5) Processor sends an approval code merchants bank
6) Merchants bank sends approval code to merchant
7) Purchase is complete and cardholder receives a receipt

“Every time you swipe your credit card and wait for the transaction to be approved, sensitive data including your name and account number are ferried from store to bank through computer networks, each step a potential opening for hackers.”

The PIN is protected from malicious activity by encryption from POS terminal to all the way to the cardholder bank; However PAN is currently transmitted unencrypted. Valid PAN in wrong hands increase the possibility of credit card fraud. So the industry has decided that PAN must be protected. Below are the requirements for PAN protection.

Requirements for PAN protection
1. The PAN protection mechanism must support multiple source methods, including manual entry, magnetic swipe, chip, and NFC.
2. The PAN protection mechanism is encryption using an X9 or ISO approved algorithm.
3. Financial transaction message format and protocol standards must be modified to handle encrypted PAN data.
4. Transaction processing systems must be able to access some of the PAN digits.
5. For different transactions, encryption of the same PAN with a given encryption key should not predictably produce the same encrypted value.
6. For transaction routing by an intermediary between a sender and a receiver, the PAN must be translated from the sender’s encryption key to the receiver’s encryption key.
7. PAN translation must reveal some of the PAN digits for the intermediary to process the transaction.
8. PAN encryption keys must be changed periodically using X9 or ISO approved key management methods.
9. PAN encryption keys must only be used for their intended purpose.
10. Different encryption keys must be used for protection of PAN storage and transmission.
11. PAN encryption keys and the associated key encryption key (KEK) must be protected using X9 or ISO approved tamper resistant security modules (TRSM).
12. The customer must be advised in writing of the importance of the PAN with guidelines on the proper use of the card and the PAN.

PAN encryption is a major step forward toward protecting the card holder data.

Related articles by Zemanta

• New standard for encrypting card data in the works; backers include Heartland (computerworld.com)
• Credit card authorization process weakness (deurainfosec.com)
• PIN Crackers Nab Holy Grail of Bank-Card Security (wired.com)

Fake a Credit Card

Technorati Tags: Bank card number, Credit card, credit card encryption, credit card fraud, credit card privacy, credit card secure, credit card security, credit card theft, credit card transaction, encryption, Financial services, Identity Theft, Magnetic stripe card, Personal identification number, Primary Account Number, secured card, TRSM

Usually security breach occurs due to lack of basic security controls or lack of effective control which is not relevant over the time. Security controls also disintegrate over the time due to lack of maintenance and monitoring.
According to Privacy Rights Clearinghouse survey, the top three breaches resulted from laptop theft, software or human error, and hackers. Most of these breaches could have been prevented by procedural, management and technical security controls. Most of the security breaches happen during the state of non-compliance. The most famous TJX security breach happens in 2007, at the time of the breach TJX complied with only 3 out of 12 PCI-DSS requirements.

Small organizations sometimes don’t have enough resources to comply with all the requirements of regulations and standards like HIPAA and PCI. But that is not an excuse of not understanding the relevant regulations and standards requirements to your business and having a clear security strategy which explains how to achieve the compliance down the road. Also your security strategy will be an evidence of your due diligence to secure your critical assets. On the other hand big organizations have enough resources to implement security controls, but for whatever reason they often do not have clear strategy how to establish security controls.

Information security is not a onetime static process but an ongoing assessment of risks in your business, where you need to understand the your critical assets, classification of those assets based on CIA, sensitive data and its access, policies, standards, procedures , training, security reviews and continuous monitoring.

One of the most popular baseline for security controls is the international standard ISO 27002 – Code of Practice for Information Security management. ISO 27002 have 11 security clauses and 133 security controls are high level which provides a reasonable guidance for implementing an Information Security Management System (ISMS). Due to ISO 27002 broad scope, it’s relevant to every industry and size of business.

Organization should have a baseline of security controls before barging onto complying with PCI or HIPAA regulation. ISO assessment will help you to understand what controls are in place and assist you with security strategy and later will become a measuring stick for your ISMS.

Ongoing compliance is achieved by monitoring the relevant controls. Ongoing compliance will depend on the quality of your information security management system (ISMS). ISMS would include thorough monitoring, logging and reviewing controls to maintain and improve system security over time. You can develop an automated monitoring process to achieve consistent results and sustain compliance by continuously monitoring your system. ISMS (based on ISO 27001) certainly can be a great value to manage ongoing monitoring, maintenance and improvement cycle.

Related articles by Zemanta

• How ARRA and HITECH provisions affect HIPAA compliance (deurainfosec.com)
• Rise of cybercrime and management responsibility (deurainfosec.com)
• Web 2.0 and social media business risks (deurainfosec.com)
• Congressional data mining and security (deurainfosec.com)
• PCI compliance is essential and why you have to (deurainfosec.com)

ISO Assessment

Information Security Risk Management for ISO 27001

vsRisk - InfoSec Risk Assessment Tool

ISO 27k: Books & Tools

ISO Standards

Technorati Tags: Computer security, Health Insurance Portability and Accountability Act, Information Security, Information Security Management System, ISO/IEC 27001, pci dss, Privacy Rights Clearinghouse

According to SF chronicle article by Deborah Gage (June 17, 2009, c1) a troublesome online network for buying and selling access to infected computers has been discovered by security researchers. The name of the group is GoldenCashWorld which sell access to online infected computers such as web server, mail server, database server etc. Infected computers are utilized to send spam, SQL injections, XSS attacks, buffer overflow attacks and spread viruses and worms.

According to the article this underground network already have access to more than 100,000 websites and 40% of these compromised computers reside in the United States. This is a growing threat to individuals and business assets in United States which should be taken seriously by National Cyber security Divisions.
GoldenCashWorld is a global underground ring which requires an international law to crack this nut.

Online Secure Remote Backup solution
Online crime ring detected
Guide to Computer Forensics and Investigations

Cyber Crime Growing Global Threat

Technorati Tags: buffer overflow, cyber crime, GoldenCashWorld, NCD, online infected computer, San Francisco Chronicle, Spam, SQL injection, xss

Credit Repair Kit For Dummies (For Dummies (Business & Personal Finance))

Credit card authorization secquence:

1) Creditholder swipes card at merchant. A request is sent to merchants bank
2) Merchants bank “asks” processor to determine the cardholder bank
3) Processing network finds cardholders bank and request approval for purchase
4) Cardholders bank approves purchase and generates a approval code
5) Processor sends an approval code merchants bank
6) Merchants bank sends approval code to merchant
7) Purchase is complete and cardholder receives a receipt

“Every time you swipe your credit card and wait for the transaction to be approved, sensitive data including your name and account number are ferried from store to bank through computer networks, each step a potential opening for hackers.”

Weak security enables credit card hacks

Credit Card Fraud Made Easy

Related articles by Zemanta

• Help me pay my credit card? (fundable.com)
• Why Do Lenders Want You To Use Your Debit Card Like A Credit Card? [Debit Cards] (consumerist.com)




Technorati Tags: Credit card, credit card privacy, credit card secure, credit card security, credit card theft, secured card, visa card

Hipaa Plain and Simple: A Compliance Guide for Healthcare Professionals

How ARRA and HITECH provisions will affect HIPAA compliance. We will highlight the changes to HIPAA due to these new provisions and discuss a possible solution, how to comply with these new HIPAA security and privacy requirements. American Recovery and Reinvestment Act of 2009 (ARRA) was signed into a law on February 17, 2009. The Health Information Technology for Economic and Clinical Health Act (HITECH) provisions of ARRA include important changes in Health Insurance Portability & Accountability Act (HIPAA).

• 2/17/210 applies to business associate – Covered Entity (CE) can apply the HIPAA provisions to Business Associates (BA) through business associate agreement. The HIPAA Administrative Simplification Security Rule “shall apply to a business associate of a covered entity in the same manner that such sections apply to the covered entity. With the change in the HITECH privacy provisions of ARRA, the business associate now has responsibility and liability directly for a breach. CE should revise their business associate contracts to reflect the changes before the deadline.

• Civil Action & Penalties – State Attorney General can prosecute neglect and individual can receive monetary compensation. HIPAA now have teeth with monetary, civil and criminal prosecution.

• Breach Notification – Notification to individual, HHS and media – Notification become more formal if the affected residents are more than 500. Use appropriate public media for cases involving more than 500 individuals. A breach requires notification, which is activated when there is an incident of “unsecured protected health information”.

• Accounting for disclosure – CE is accountable for its BA disclosure of Protected Health Information (PHI)

• Sale of Protected health Information – CE and BA cannot receive payment in exchange of PHI without an individual authorization. CE and BA are required to tell patients about disclosure of PHI for payment, treatment and administrative operation.

HIPAA compliance and how to manage your risks to healthcare assets:

HIPAA requires CE to have appropriate administrative, technical and physical safeguards to protect the privacy of health information. However HIPAA did not provide specific guidance as to what measure and controls will be appropriate.

ISO 27001 provides the basis to build an Information Security management System (ISMS), where organization can develop its own ISMS by applying controls from ISO 27002 code of practice. Only those controls apply which relate to its business objectives and the potential risks to the business. One document which is required to build ISMS is the Statement of Applicability (SoA) which explains why each of the 133 controls from ISO27002 is included in SoA and justification of the remaining controls which are not included. You can build ISMS suitable to your HIPAA needs, a healthcare organization could use its ISMS to ensure that HIPAA security standards required controls were selected from ISO 27002 and appropriately implemented. You need to certify ISMS (ISO 27001) to provide an ongoing assurance to HHS and healthcare business associates which can provide an edge in this downturn economy and more opportunities to enhance business worldwide.

Resources:
CMS audit checklist
NIST guide for implementing HIPAA
Security risk assessment tool

Technorati Tags: American Recovery and Reinvestment Act of 2009, arra, Health Insurance Portability and Accountability Act, hipaa, hipaa laws, hipaa privacy, hipaa security, hippa compliance, hitech, Protected Health Information

The core technology utilized in the cloud computing is virtualization. Some organization may not want to jump into cloud computing because of inherent risks can take a shot at virtualization in their data centers. Virtualization can be utilized to reduce hardware cost and utility cost. Organization that might have 100 servers can consolidate into 10, where each physical machine will support 10 virtual systems will not only reduce the size of data center, but also hardware cost, and huge utility bill savings.

Virtualization was being utilized to increase efficiency and cost saving, which is now turning into centralized management initiative for many organizations. In centralized management patches, viruses and spam filter and new policies can be pushed to end points from central management console. Policies can be utilized to impose lock out period, USB filtering and initiate backup routines, where policies can take effect immediately or next time when user check in with the server.

The way virtualization works is OS sits on an open source hypervisor which provides 100% hardware abstractions where drivers become irrelevant. With OS image backed up at management console, which allows virtualization technology a seamless failover and high availability for desktop and servers.

As I mentioned earlier, virtualization allows enforcing of policies on end points (desktops). As we know compliance drive security agenda. If these policies are granular enough which can be map to existing regulations and standards (SOX, PCI and HIPAA) then virtualization solution can be utilized to implement compliance controls to endpoints. It is quite alright if the mapping is not 100% that is where the compensating controls come into play. The compliance to these various regulations and standards is not a onetime process. As a matter of fact standard and regulation change over time due to different threats and requirements. True security requires nonstop assessment, remediation’s and policy changes as needed.

Related articles by Zemanta

• The Real Meaning of Cloud Security Revealed (devcentral.f5.com)
• White Paper: Creating HIPAA-Compliant Medical Data Applications with Amazon Web Services (aws.typepad.com)
• Virtual Reality (devcentral.f5.com)

Technorati Tags: Cloud computing, Data center, Health Insurance Portability and Accountability Act, hipaa, Hypervisor, Open source, PCI, Security, sox, Virtualization

During this down turn economy organized cyber crime is a booming underground business these days. Most of the security expert and FBI agree that cybercrimes are on the rise and pose a biggest threat to US vital infrastructure. Cybercriminals are thieves in cyberspace who will swipe the sensitive data and sell to other criminals in their community, who might turn around and ask for ransom to keep the data private or perhaps resell to the highest bidder again in the black market. The risk of getting caught is minimized by legal jurisdiction and neglected by huge monetary gains. Motivated by potential gains, cybercriminals are determined to exploit the vulnerabilities of the target rich environment. Another issue to this problem is that our personal and private information has potential to be exploited at various locations such as banks, credit card companies, credit debit card processor, credit report companies and merchants etc…

Level 1, 2 and 3 merchants usually follow security best practice, allocate enough resources and try to maintain PCI compliance. On the other hand level 4 merchant are usually not compliant and have security vulnerabilities which are easy picking for cybercriminals, which is a primary reason why more security breaches happens to level 4 merchants. PCI was apparently created to safeguard the credit card and debit card data. PCI DSS standard are managed by PCI Security Standard Council.

The most significant reason to comply with PCI is because you have to.

PCI DSS address the baseline security for payment card infrastructure and ROI is a total cost of ownership. PCI DSS cannot guarantee absolute security but making organization to adhere to due care security justify its cost and use. As far as liability goes the security breach will be very detrimental in the state of non compliance which will include fines, legal fee and possibly lose the credit card processing ability. To motivate themselves, merchants should also remember that their customer’s data is worth a lot of money to cyber criminals.

The trick is keeping the state of compliance – true security of credit card holder data requires nonstop assessment and remediation to ensure that likelihood and impact of the security breach is kept as low as possible. PCI compliance is not a project; it’s an ongoing process of assessment. PCI assessor utilized defined set of controls objectives to assess the state of compliance. PCI provides an option of doing internal assessment with an officer sign off.
Merchants should monitor and assess to keep compliance on ongoing basis. Implement defense in depth mechanism and apply security control at every layer (network, application, operating system, and data). The idea is to make their job hard enough so the attacker moves on to easier target.

Check my previous posts regarding PCI DSS.
pci-dss-misconceptions-and-facts
pci-dss-significance-and-contractual-agreement

Recommended books to implement PCI compliance process

Technorati Tags: Credit card, defense in depth, level 4 merchant, Merchant Services, pci dss, PCI Security Standard Council, roi, Security, Total cost of ownership

California was the first state in the nation to pass a data breach notification law in 2003, and it’s now planning to broaden the notification for companies doing business in the state. Notification will require specific information about the breach to the consumer and send notices to the state authorities at the same time.

The notices which consumers currently receive are basically too little too late, meaning they might say that your information may have been compromised and these notices may be released several months after the incident.

California’s new legislation will force the organization to admit the extent of the compromise, so consumers can assess their own risks in a timely manner. Heartland, the credit card processor, has been sued by the banks to recover the breach notification cost. Should the credit card processing company which had a security breach be responsible for the cost of the notification?

Current notification does not inform you where and how your credit card information was compromised so that at least you can stop shopping from that merchant. When consumers ask specific questions regarding the breach to the credit card company customer service representative, they will deny any knowledge of the breach and will say something along the lines of, when all the legal information has been taken care the credit card company will send you a detailed letter about the breach.
Now in case of a processor security breach, the credit card company might issue notices to several hundred thousand people. Without specifics, that particular notice might have “crying wolf” effect and consumers might not take any action.

Last week a well publicized security breach at UC Berkeley exposed the records of 160,000 people. The hackers had access to the vulnerable system for more than six months before they were discovered, which clearly shows lack of monitoring control and due care.
When a young college student affected by the breach receives a “may have been breached” notice he or she immediately will worry about his/her credit and possibility of identity theft. Now the question is why a student has to bear the burden of the negligence by the merchant or campus and lack of reasonable security safeguards. After issuing such notice that the private information “may have been compromised,” the responsibility of keeping an eye on your credit is transferred to you. The problem is some fraudulent transactions might not be noticed for at least a year.

Technorati Tags: Computer security, Credit card, due care, Identity Theft, Law, privacy, sb 1386, University of California Berkeley

According to SF Chronicle article by Deborah Gage (May 8, 2009, c2) consumer reports magazine’s annual “State of the Net” survey finds that cybercrimes has held steady since 2004, with one out of five consumers becoming victims in last two years at a cost to economy of $8 billion. Consumer report can be found on at www.consumerreports.org

Uncertain economic time brings new threats and scams and most of the security experts agree that there’s a possibility of increase in cybercrime for this year. Survey also found that around 1.7 million people were victims of identity theft and 1.2 million had replaced their computers because of infected software.

First why all the signs are showing uptick in cybercrimes and second what are we going to do about it.

Management should start considering security as total cost of ownership instead of wasting time on what is ROI of information security. If there is a security breach, somebody in the management should be held accountable not an IT or security personnel. Management will keep demonstrating lax attitude toward data protection and security in general unless there are serious consequences like spending time in jail for lack of security controls (basic due diligence) and not taking appropriate actions for the risks that posed a significant threat to the organization.

PCI, HIPAA and SOX compliance are a good start in a right direction for management to take information security into consideration, but these compliance initiatives don’t address the security of a whole organization. They address security risks of a business unit in an organization. If management is really serious about security then ISO 27002 code of practice is one of the option which should be considered to address the security of the whole organization and ultimately organization should achieve ISO 27001 certification which will build a comprehensive information security management system to manage ongoing risks.

ISO Assessment

Information Security Risk Management for ISO 27001

vsRisk - InfoSec Risk Assessment Tool

ISO 27k: Books & Tools

ISO Standards

Related articles by Zemanta

• The 2009 U.S. Stimulus Bill and Future of Global Healthcare Privacy (blogs.sun.com)
• Tenzing Joins Elite Rank of ISO 27001 Certified Service Providers (newswire.ca)

Technorati Tags: Information Security, International Organization for Standardization, isms, iso 27001, iso 27002, Operating system, Policy, Security

M1 - We are relatively small company so we don’t have to worry about PCI compliance
F1 – The PCI DSS must be met by all organizations that transmit, process or store payment card data

M2 – PCI DSS is either a regulation or a standard
F2 – It‘s a neither a standard nor a regulation. It is a contractual agreement between card associations, the merchant banks and merchants

M3 – We neither understand PCI and nor have in house expertise to address compliance
F3 – PCI document clarify most of the questions in business terms but get help to interpret technical questions. Due care imply to understand your requirements to comply and protect your data

M4 – PCI has no ROI and simply too much for a small business
F4 – PCI address a baseline security for payment card infrastructure and its ROI is a total cost of ownership

M5 – Why bother when some companies get breached even though they were compliant
F5 – PCI DSS compliance is not a onetime process it is an ongoing process to maintain it

M6 – PCI compliance cannot be that hard, all we have to do is fill out the questionnaires
F6 - Yes, on the questionnaires has to be validated through scan. Vulnerabilities need to be resolved before submitting the report to merchant bank

M7 – My application and POS equipment are PCI compliant
F7 – PCI DSS compliance apply to an organization neither to an application nor an equipment

M8 – PCI compliance addresses the security of the whole organization
F8 – PCI DSS does not addresses the CIA for the whole organization but only card holder data security

M9 – Data breach will not affect the business revenue
F9 – Become level 1 (cost of monitoring), lose card acquiring ability, forensic charges and fines

M10 – We don’t need to scan PCI assets
F10 – Quarterly scanning is mandatory for all merchants (Level 1-4)

M11 – Merchants can use any application to transmit, process and store PCI data
F11 – Not really, beginning 2010, merchants can only use payment applications validated under the payment application data security standard (PA-DSS)

M12 – We have compensating control in place so we are covered
F12 – You still have to prove how well compensating control covers the PCI requirement. Compensating controls are harder to do and cost more money in the long run















Documentation Compliance Toolkit

PCI Compliance

Practical guide to implementation (Soft Cover)

Practical guide to implementation (Download)




Technorati Tags: Company, Financial services, Merchant Services, Payment card industry, pci dss, Security

This week I was in attendance with thousands of people from all over the globe at RSA conference in Moscone Center San Francisco. The conference offers variety of training tracks and this year included two new tracks physical security & governance and risk & compliance. Since Novell CNE was one of my first professional certification, I was glad to see Novell making some headway’s in information security arena, especially Deloitte was promoting Novell identity management solution in the conference.

The cloud computing is the buzz word for this year conference. As far as virtual environment boundaries are concerned , it’s hard to say where it start and where it ends which complicate the matters and complexity of the cloud will introduce new threats and risks. With that in mind cyber security appears to be worse than last year. Attendance might be bit low this year due to budget cut but the conference floor was packed with vendors and enthusiastic audiences.

Most of the security expert understand that companies are cutting budgets and might be decreasing their investment in security. Having a proactive security strategy and spending the security dollars wisely is the key to success of a business in this downturn economy. One thing to understand about information security, there is no ROI (return on investment) in security. ROI is a total cost of ownership.

Another concern in the conference is that the threats and fraud goes up during downturn economy. Companies should have comprehensive policies to tackle insider threats regarding disgruntled employees who might be at verge of getting laid off to prevent them from stealing intellectual property.

There is an outstanding line of keynote speakers like Melissa Hathaway, federal acting senior director of cyberspace. She advised the current (Obama) administration. She will be discussing issues like how much federal government should be involved in protecting critical assets like power grids. The conference like RSA helps security professionals to sharpen their skills and work in collaborative manners to successfully defend their organizations from attackers.

Related articles by Zemanta

• Call for concerted cyber-crime fight (news.bbc.co.uk)
• RSA Conference launches its own bailout plan (stillsecureafteralltheseyears.com)
• RSA 2009 Conference Session on Cloud Computing Security (blogs.adobe.com)

RSA Conference 2009 Highlights

Technorati Tags: Cloud computing, Consultants, Information Security, Melissa Hathaway, Moscone Center, Obama, RSA Conference, San Francisco, Security

The worm targeted a social network Twitter with four attacks and created havoc for couple of days. This worm happens to self replicated itself when clicked on but didn’t steal 6 million users personal information.
According to SF chronicle article by Michael Liedtke (Apr. 14 2009, c2) Twitter deleted 10,000 tweets after a worm makes a squirm.

“The worm was intended to promote a Twitter knock off, StalkDaily.com. It displayed unwanted messages on infected Twitter accounts, urging people to visit the website.”

With all the resources of a big company Twitter was unable to quarantine the worm and the only way to get rid of the worm was to delete 10,000 Twitter messages, known tweets. The social network growth is widening the threats and making an inviting target for hackers and scam artist with a treasure trove of personal information. People personal and in some cases private information is up for grab unless we enact policy protections against these scam artists to pursue legal action.

How to clean Twitter worm “StalkDaily” aka “Mikeyy”

Technorati Tags: facebook, San Francisco Chronicle, Social network, Twitter

Privacy is a fundamental human right and in US a constitutional right. Advancement in technology are breaking every barrier to our privacy; at this rate individuals will be stripped of their privacy unless we enact policy protections. In this situation we need to define reasonable privacy for a society in general while keeping threats and public safety as a separate issue. Social networks are becoming a repository of sensitive information and usually privacy is anonymize by striping names and addresses. Fake profiles have been created on social network to be anonymous and a user may create multiple profiles with contradictory or fake information.

Arvind Narayanan and Dr. Vitaly Shmatikov from Univ. of Texas at Austin established an algorithm which reversed the anonymous data back into names and addresses.

The algorithm looks at the relationships between all the members of social networks an individual has established. More heavily an anonymous individual is involved in the social media, easier it gets for the algorithm to determine the identity of anonymous individual.

One third of those who are both on Flickr & Twitter can be identified from the completely anonymous Twitter graph, which deduces that anonymity is not enough to keep privacy on social network. The idea of “de-anonym zing” social networks extends beyond Twitter and Flickr. It is equally applicable in other social networks where confidential and medical data can be exposed such as medical records in healthcare.

“If an unethical company were able to de-anonymize the graph using publicly available data, it could engage in abusive marketing aimed at specific individuals. Phishing and spamming also gain from social-network de-anonymization. Using detailed information about the victim gleaned from his or her de-anonymized social-network profile, a phisher or a spammer will be able to craft a highly individualized, believable message”

Now is it reasonable to say that social network wears no clothes?

Personally identifiable information
California Senate Bill 1386 defines “personal information” as follows:
• Social security number.
• Driver’s license number or California Identification Card number.
• Account number, credit or debit card number, in combination with any required security code, access code, or password that would permit access to an individual’s financial account.

Names, addresses, email addresses and telephone numbers do not fall under the scope of SB 1386.

HIPAA Privacy defines “Individually identifiable health information” as follows
1. That identifies the individual; or
2. With respect to which there is a reasonable basis to believe the information can be used to identify the individual.
The term “reasonable basis” leaves the defining line open to interpretation by case law.

Arvind Narayanan and Dr. Vitaly Shmatikov paper.

Social network privacy video

Technorati Tags: Anonymity, Flickr, Personally identifiable information, privacy, Security, Social network, Twitter, Vitaly Shmatikov

Cloud computing provide common business applications online that run from web browser and is comprised of virtual servers located over the internet. Main concern for security and privacy of user is who has access to their data at various cloud computing locations and what will happen if their data is exposed to an unauthorized user. Perhaps the bigger question is; can end user trust the service provider with their confidential and private data.

“Customers must demand transparency, avoiding vendors that refuse to provide detailed information on security programs. Ask questions related to the qualifications of policy makers, architects, coders and operators; risk-control processes and technical mechanisms; and the level of testing that’s been done to verify that service and control processes are functioning as intended, and that vendors can identify unanticipated vulnerabilities.”

Three categories of cloud computing technologies:

Infrastructure as a Service (IaaS)

Platform as a Service (PaaS)

Software as a Service (SaaS)

Cloud computing is offering lots of new services which increase the exposure and add new risk factors. Of course it depends on applications vulnerabilities which end up exposing data and cloud computing service provider transparent policies spelling out responsibilities which will increase end user trust. Cloud computing will eventually be used by criminals to gain their objectives. The transparent policies will help to sort out legal compliance issues and to decide if the responsibility of security breach lies on end user or service provider shoulders.

Complexities of cloud computing will introduce new risks and complexity is the enemy of security. The organizations and end users should be mindful of this security principle before introducing this new variable into their risk equation. As a consumer you need to watch out and research your potential risks before buying this service and consider getting a comprehensive security assessment from a neutral third party before committing to a cloud vendor.

Possible risks involved in cloud computing
Complete data segregation
Complete mediation
Separation of duties
Regulatory compliance (SOX, HIPAA, NIST, PCI)
User Access
Physical Location of data
Availability of data
Recovery of data
Investigative & forensic support
Viability and longevity of the provider
Economy of mechanism

Related articles by Zemanta

• Cloud Computing Security Framework May Nudge The Enterprises Towards Clouds (cloudave.com)
• Security in the clouds - or clouds in security? (theregister.co.uk)
• Your privacy: cloud computing report & tips; privacy notices & ICO consultation (consumingexperience.com)

Cloud computing security panel

Technorati Tags: Cloud computing, cloudcomputing, compliance, Computer security, iaas, IBM, Information Privacy, Infrastructure as a service, paas, Platform as a service, Policy, privacy, saas, Security, security assessment, Security Breach, Services

Worm like conficker is a digital time bomb which is hard coded to trigger on April 1 (April fool’s day). Antivirus companies are doing their best to minimize the impact of conficker worm. Conficker first variant was introduced few months back and have already caused significant amount of damage to businesses. Conficker is using MD6 hash algorithm, first known case where this new algorithm has been used. Across the globe, there are about 15 million computer infected with conficker worm.

“In computer, a worm is a self replicating virus that does not alter files but resides in active memory and duplicates itself”

This happens to be third variant of conficker in the wild which is named “conficker c” which pose a significant threat to businesses and security expert are still trying to figure out the potential impact of this worm. In new variant, the worm has tendency to morph into something else which makes it harder for antivirus software to detect it. What is known about this worm so far is that at a predefined time on April 1st the infected machine will execute the worm which will be later be exploited by the worm originator. The originator or controller of the worm will control the infected machines and it’s anybody’s guess right now what commands will be given to these zombies. It can be to steal private and personal information, spam, DDoS, or simply wipe the infected machine hard drive. Also bad guys don’t have to give the commands to zombie machines on April 1st, it can be any time after April 1st.

Possible countermeasures:
• Keep up-to-date patches (Microsoft Ms08-067 security update)
• Keep antivirus signature files up-to-date (latest DAT)
• Disable Auto run
• Try different antivirus software to verify and take advantage of McAfee free online scan services
• Free Sophos Conficker clean-up tool
• Make sure your machine is not infected with “conficker c” then you don’t have to worry about April 1st

Microsoft is offering a $250,000 reward for information that leads to the arrest and conviction of the conficker worm’s makers.

AntiVirus	AntiSpyware	AntiSpam	AntiAdware
AntiWorms	AntiTrojans	AntiBot	AntiPhishing

Related articles by Zemanta

• April Fool’s Day computer worm (madhavgopalkrish.wordpress.com)
• Conficker Windows virus infects 15 million PCs (telegraph.co.uk)
• Conficker C Worm to Activate on April Fool’s Day (blippitt.com)
• Microsoft: Bounty on Conficker worm creator (crunchgear.com)

Technorati Tags: Antivirus software, April Fools Day, conficker, Malicious Software, McAfee, Microsoft, Security, Viruses