May 30 2011

California computer glitch releases violent criminals

Category: cyber security | DISC @ 12:33 pm

Gang members, sex and drug convicts, and more were accidentally released from California state prisons after computer software designed to reduce prison numbers encountered a glitch.
Around 450 dangerous inmates were let go unsupervised onto the streets of California, the state’s inspector general confirmed.

A software glitch led prison officials to accidentally release “high risk of violence” inmates from jails instead of the low-risk inmates who had been set for release to relieve the overcrowded prison system.

In addition, over 1000 inmates deemed high risk for drug and property offenses were also mistakenly released.

The information comes after the US Supreme Court upheld a lower court's decision and ordered California to alleviate prison overcrowding by releasing prisoners or building more prisons. The decision gives state prison officials only two years to cut the 143,335 prisoner count by around 33,000, either through reductions, new programs outside of prisons, or constructing new prisons within the state.
According to Renee Hansen, a spokesperson for the California inspector general, no attempts have been made to find or return the former inmates to prison or at least place them on supervised parole.

The computer error placed all of those who were released on ‘non-revocable parole’ which means they do not have to report to parole officers. It also means they are free to live their lives and can only be sent back to jail if they are caught committing a new crime.

The software was not designed to exercise discretion based on an inmate's history; it issues releases without considering the inmate's crimes or risk of re-offending. It uses a database of arrests that does not correlate information about convictions or the facts surrounding a case.


Tags: crime, Information Technology, Law, USA

Dec 03 2009

2010 Compliance Laws

Category: pci dss, Security Compliance | DISC @ 2:13 am

[Image: Information Security Wordle: PCI Data Security, by purpleslog via Flickr]
In 2010 two important compliance laws will be introduced which will affect the majority of North American organizations and many global organizations too.

45 US states followed California when it introduced “SB1386”, the Security Breach Information Act, which has specific and restrictive privacy breach reporting requirements.

  • From 1 January 2010, ALL businesses that collect or transmit payment card information will be legally obliged, by Nevada law, to comply with PCI DSS.

  • Every organization that collects, owns or licenses personal information about a resident of the Commonwealth shall be in full compliance with 201 CMR 17.00 (the Massachusetts Data Protection Law) on or before March 1, 2010.

  • As with the SB1386 law, California, Massachusetts & Texas are already looking at making PCI DSS law, and history tells us that when California moves, everyone else follows!

To help you comply with these impending laws, ITG has developed a range of solutions aimed at making the process as cost-effective and simple as possible:

The Nevada PCI DSS Law:

The PCI DSS requires you to:

  • apply a number of specific controls, or safeguards. These include documented policies and procedures, as well as a number of technical IT and network configurations;

  • provide staff with appropriate training; and

  • have quarterly scans performed.

  • PCI DSS v1.2 Documentation Compliance Toolkit

This PCI DSS v1.2 compliance toolkit is specifically designed to help payment card-accepting organizations quickly create all the documentation required to affirmatively answer the requirements of the PCI DSS as set out in the Self Assessment Questionnaire (v1.2).

201 CMR 17.00 – The Massachusetts Data Protection Law:

  • 201 CMR 17.00 & ISO 27001 Toolkit

The 201 CMR 17.00 & ISO 27001 Toolkit will save you months of work, help you avoid costly trial-and-error dead-ends, and ensure everything is covered to the current 201 CMR 17.00 / ISO 27001 standard.

This version of the ISMS Documentation Toolkit is ideal for those who own or license personal information about a resident of the Commonwealth.


Tags: 201 CMR 17.00, california, iso 27001, ISO/IEC 27001, Law, Massachusetts, Massachusetts Data Protection Law, Nevada, Nevada PCI DSS Law, Payment Card Industry Data Security Standard, PCI Express, privacy, sb 1386

May 18 2009

Security breach and notification

Category: Security Breach | DISC @ 1:05 am

[Image: California Flag, by victoriabernal via Flickr]

California was the first state in the nation to pass a data breach notification law, in 2003, and it is now planning to broaden the notification requirements for companies doing business in the state. Notifications will have to give the consumer specific information about the breach, with notices sent to the state authorities at the same time.

The notices which consumers currently receive are basically too little, too late: they might say only that your information may have been compromised, and they may be released several months after the incident.

California’s new legislation will force the organization to admit the extent of the compromise, so consumers can assess their own risks in a timely manner. Heartland, the credit card processor, has been sued by the banks to recover the breach notification cost. Should the credit card processing company which had a security breach be responsible for the cost of the notification?

Current notification does not tell you where and how your credit card information was compromised, so that at least you could stop shopping at that merchant. When consumers ask the credit card company's customer service representative specific questions about the breach, the representative will deny any knowledge of it and will say something along the lines of: when all the legal matters have been taken care of, the credit card company will send you a detailed letter about the breach.

Now, in the case of a processor security breach, the credit card company might issue notices to several hundred thousand people. Without specifics, such a notice might have a “crying wolf” effect and consumers might not take any action.

Last week a well-publicized security breach at UC Berkeley exposed the records of 160,000 people. The hackers had access to the vulnerable system for more than six months before they were discovered, which clearly shows a lack of monitoring controls and due care.

When a young college student affected by the breach receives a “may have been breached” notice, he or she will immediately worry about his or her credit and the possibility of identity theft. Now the question is why a student has to bear the burden of the negligence of the merchant or campus and their lack of reasonable security safeguards. After issuing a notice that private information “may have been compromised,” the responsibility for keeping an eye on your credit is transferred to you. The problem is that some fraudulent transactions might not be noticed for at least a year.


Tags: Computer security, Credit card, due care, Identity Theft, Law, privacy, sb 1386, University of California Berkeley

Dec 29 2008

Network Access Control and Security

Category: Access Control | DISC @ 4:24 am

[Image: Wireless Internet Access Global Map]

The purpose of network access control is to protect and safeguard the assets attached to a network from the threat of unauthorized users gaining access to the organization’s assets.

Network Access Control (NAC) authenticates users to make sure they are authorized to log in, and that they are following the login policies and procedures, before they are allowed to use organization assets. Some of the threats to assets are insider fraud, identity theft and botnet infestation, where the botnet can be used as a launching pad for attacks on other organizations.

Various laws and regulations have been introduced for various industries to protect organization data. An organization can be held liable if it does not practice due diligence or have adequate protection for its assets. Before putting a policy in place to protect these assets, it helps to know the specific threats to your environment. Today’s threats come from well-organized criminals who take advantage of unprotected assets, and most cyber crimes today are international crimes. Even though most countries have cyber crime laws today, the legal system varies from country to country, which slows cooperation between countries. Technology is changing fast, but the legal system is not changing fast enough to tackle new cyber crimes. We do not yet have comprehensive international laws covering cyber crime under which to prosecute these criminals; most cyber crimes are conducted from a country whose law enforcement agency either lacks the time and training to pursue these crimes vigorously or has no jurisdiction in the country where the crime is committed. Sometimes law enforcement agencies get help from Interpol to prosecute these individuals, but most of the time law enforcement agencies in various countries are helpless because the criminals are outside their jurisdiction. In some cases these criminals use state-of-the-art tools to cover their tracks.

Some considerations for tackling NAC: adapt the ISO 27002 domain 11, sub-category 11.4 (network access control) controls into a policy suitable to your organization.

1. Create a network access control policy: a policy on the use of network services
2. User authentication for internal and external connections
3. Enforce the access control policy
3a. Up-to-date signature files (anti-virus, anti-worm, anti-trojan, anti-adware)
3b. Up-to-date patches
3c. Equipment identification in the network
3d. Back up access control logs remotely and review them regularly
3e. Multihomed firewall installed to segregate networks
3f. Harden system configuration
3g. Network connection control
3h. Network routing control
4. Assess the posture of your network regularly to refine policies
5. Gartner MarketScope for Network Access Control, 2008
6. The Forrester Wave™: Network Access Control, Q3 2008
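As an added illustration (not code from the original post, nor from any NAC product named in it), the Python sketch below shows how steps 2, 3a, 3b, 3c and 3d above combine into a single posture decision: an endpoint that fails authentication, is not in an authorized group, or is not in the equipment inventory is blocked outright; a known, authenticated endpoint with stale signatures or patches is placed on a remediation network; everything else reaches the corporate network; and every decision is rendered as a log line that can be shipped off-box for review. The thresholds, MAC addresses, user names and groups are all constructed sample values, not anything from the post.

```python
from dataclasses import dataclass, field
from datetime import date
from typing import Dict, FrozenSet, List


# Constructed policy thresholds; a real NAC policy would set these itself.
@dataclass(frozen=True)
class Policy:
    max_signature_age_days: int = 3      # step 3a: signature files must be fresh
    max_patch_age_days: int = 30         # step 3b: patches must be recent
    allowed_groups: FrozenSet[str] = frozenset({"staff", "contractor"})  # step 2


@dataclass(frozen=True)
class Endpoint:
    mac: str
    user: str
    groups: FrozenSet[str]
    authenticated: bool       # result of the network login (step 2)
    signature_date: date      # date of the installed anti-malware signatures
    last_patch_date: date     # date the last patch set was applied


@dataclass
class Decision:
    vlan: str                              # "corp", "remediation" or "blocked"
    reasons: List[str] = field(default_factory=list)


# Constructed equipment inventory (step 3c): known MAC -> asset tag.
INVENTORY: Dict[str, str] = {
    "00:11:22:33:44:55": "laptop-0001",
    "00:11:22:33:44:56": "laptop-0002",
    "00:11:22:33:44:57": "laptop-0003",
}

# Fixed "today" (the post's date) so the sample is reproducible.
TODAY = date(2008, 12, 29)


def evaluate(ep: Endpoint, policy: Policy, inventory: Dict[str, str], today: date) -> Decision:
    """Map an endpoint's posture report to a network placement."""
    reasons: List[str] = []
    # Hard failures: unknown equipment or a failed/unauthorized login -> no access at all.
    if ep.mac not in inventory:
        reasons.append("equipment not in inventory")
    if not ep.authenticated:
        reasons.append("user authentication failed")
    elif not (ep.groups & policy.allowed_groups):
        reasons.append("user not in an authorized group")
    if reasons:
        return Decision("blocked", reasons)
    # Soft failures: a known, authenticated device that is out of date is isolated
    # on a remediation network where it can only reach update servers.
    if (today - ep.signature_date).days > policy.max_signature_age_days:
        reasons.append("anti-malware signatures out of date")
    if (today - ep.last_patch_date).days > policy.max_patch_age_days:
        reasons.append("patches out of date")
    if reasons:
        return Decision("remediation", reasons)
    return Decision("corp", ["posture checks passed"])


def log_line(ep: Endpoint, decision: Decision, today: date) -> str:
    """Step 3d: one line per decision, suitable for shipping to a remote log store."""
    return (f"{today.isoformat()} mac={ep.mac} user={ep.user} "
            f"vlan={decision.vlan} reasons={'; '.join(decision.reasons)}")


# Constructed sample endpoints covering the cases the policy distinguishes.
SAMPLES: Dict[str, Endpoint] = {
    "compliant": Endpoint("00:11:22:33:44:55", "alice", frozenset({"staff"}), True,
                          date(2008, 12, 28), date(2008, 12, 10)),
    "stale_av": Endpoint("00:11:22:33:44:56", "bob", frozenset({"contractor"}), True,
                         date(2008, 12, 20), date(2008, 12, 10)),
    "unknown_device": Endpoint("de:ad:be:ef:00:01", "carol", frozenset({"staff"}), True,
                               date(2008, 12, 28), date(2008, 12, 28)),
    "guest_user": Endpoint("00:11:22:33:44:57", "dave", frozenset({"guest"}), True,
                           date(2008, 12, 28), date(2008, 12, 28)),
}


def run_samples(policy: Policy = Policy()) -> Dict[str, Decision]:
    """Evaluate every sample endpoint against the given policy."""
    return {name: evaluate(ep, policy, INVENTORY, TODAY) for name, ep in SAMPLES.items()}


if __name__ == "__main__":
    for name, decision in run_samples().items():
        print(log_line(SAMPLES[name], decision, TODAY))
```

The ordering matters: identity and authentication failures are checked before posture, so an unknown or unauthenticated device never reaches even the remediation network, while a legitimate but out-of-date device is given a path to fix itself rather than being locked out. Loosening a threshold (for example `Policy(max_signature_age_days=10)`) changes only the soft-failure outcome, which is the kind of adjustment step 4 above asks you to revisit regularly.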

“In Forrester’s 73-criteria evaluation of network access control (NAC) vendors, we found that Microsoft, Cisco Systems, Bradford Networks, and Juniper Networks lead the pack because of their strong enforcement and policy. Microsoft’s NAP technology is a relative newcomer, but has become the de facto standard and pushes NAC into its near-ubiquitous Windows Server customer base.”

Nortel Secure Network Access and Microsoft NAP integration


Tags: Cisco Systems, Forrester, Gartner, iso 27002, Juniper Networks, jurisdiction, Law, Law enforcement agency, Microsoft, Microsoft Windows, NAC Policy, Network Access Control, Police, Security