The Messy Debate Over Liability and Cybersecurity

The other line of thinking, which leads to liability limitations, suggests exactly the opposite: that we don’t have enough information about what works for cybersecurity to be able to say with any authority what companies and software developers should be doing by way of defense. We still don’t know what the cybersecurity equivalents of seatbelts in cars or locks on doors are, these proponents say, and we don’t even really know what the most serious threats we face are or how much damage they do, because organizations are so secretive about security incidents, for fear of inviting bad publicity and lawsuits. Therefore, we should be focused on assuaging those fears, through liability and FOIA limitations, like those in the White House’s proposal, so we can learn more about threats and mitigation tactics.

Article source:


No Comments

Pilgrim pushes for data retention breach notices

Telcos have bad data security track record, Privacy Commissioner says.

Telcos and internet service providers should be forced to notify customers of data breaches as part of the Government’s proposed two-year metadata retention scheme, according to Privacy Commissioner Timothy Pilgrim.

Pilgrim has long advocated for laws that would force companies to notify customers as well as his office if personal information had been compromised in a data breach.

The Labor party has attempted on a number of occasions to pass legislation to enforce data breach notifications – most recently in the middle of last year – but the bills have been knocked back by the Coalition, which argued they needed more work on wording and definitions.

The two bills proposed by Labor would have amended the Privacy Act to include provisions governing a “serious data breach” and “notifying [of a] serious data breach”, outlining the circumstances in which an entity would have been subject to a serious data breach and how they must then act to address it.

The bills would also have given the Privacy Commissioner powers to seek penalties of up to $340,000 for individuals or $1.7 million for organisations that repeatedly or seriously offend.

In his submission to the parliamentary committee investigating the Government’s data retention bill, published late last week, Pilgrim argued that the bill must include requirements for providers to notify both himself and their customers in the event of a data breach.

“Telecommunications data retained under the scheme is likely to be a target for people with malicious or criminal intent,” he wrote.

“In the event of a security breach resulting in unauthorised access to or disclosure of telecommunications data, affected individuals would face increased risks of identity theft, fraud, harassment or embarrassment.”

Pilgrim said the telcos and service providers likely to be subject to the scheme were among the top 20 entities most complained about to the Office of the Australian Information Commissioner.

Whilst not providing specific names, Pilgrim pointed to Telstra’s 2011 leak of 734,000 customer details and a further leak of the details of 15,775 customers in 2013.

“Australian service providers have experienced significant issues in handling and keeping personal information secure.”

He also warned that providers may end up collecting more personal information on their customers than necessary and retaining it longer than needed, meaning telcos and ISPs could end up being forced to handle personal data in a manner inconsistent with their obligations under the Privacy Act.

Pilgrim’s submission to the parliamentary inquiry was one of around 130 to be published over the last week.

The majority of the submissions voiced strong dissent to the proposed legislation, which would see ISPs and telcos forced to retain a still-to-be-defined set of user metadata for two years.

Australia’s law enforcement agencies continued their push for the scheme, while dozens of privacy, human rights, consumer advocacy and industry groups denounced the proposal as going beyond what was necessary to fight crime.


Article source:,pilgrim-pushes-for-data-retention-breach-notices.aspx


No Comments

Banks Want Merchants to Chip In After a Data Breach


Article source:


No Comments

Congress to Hold Data Breach Legislative Hearing – First of its Kind

After a year of high-profile retail data hacks, and with the big EMV target date approaching, legislators on Capitol Hill have agreed to hold a legislative hearing on federal protocols for data breaches and reporting, according to sources at SC Magazine.

Spurred on by President Barack Obama, and with House and Senate Democrats working on draft legislation, the first hearing will convene on Jan. 27. While it is unclear what the proposed legislation will say specifically, sources close to Congress and industry leaders suggest that it will require breached organizations to notify customers within 30 days of a breach, and will clarify where liability lies in data breaches. The law would also initially include the criminalization of the illicit overseas trade in identities.

While 47 states already have laws on the books regarding data breaches and identity theft, proponents of a federal standard include the National Association of Federal Credit Unions (NAFCU), which sent a letter to Congress on Jan. 22 calling for a working group to form to tackle the issue. A national standard, according to the group, would clear up confusion as to where jurisdiction lies for data breaches that cross state lines, as well as clarify who pays the costs in at-fault cases.

While the move is proving popular with banks and credit unions, which generally have strong data breach prevention practices, some, like Ken Westin, senior security analyst with Tripwire, are concerned with the 30-day “shot clock” for reports. In comments he sent to, Westin questions how such a provision would be enforced. Does the 30-day countdown start once the breach is reported to law enforcement? If it does, it could encourage organizations to keep the information from law enforcement while they try to solve the issue on their own, effectively extending the 30-day window.

Article source:


No Comments

The Week Ahead: State of the Net, Data Breach Hearing & FCC Open Meeting


The State of the Net Conference, a House hearing regarding data breach legislation and the Federal Communications Commission’s January open meeting are on tap for this week.


The Federal Communications Commission hosts a “Small Business Emerging Technologies Conference and Tech Fair.”

A subcommittee of the House Energy and Commerce Committee holds a hearing titled “What are the Elements of Sound Data Breach Legislation?”

A subcommittee of the House Science, Space and Technology Committee holds a cybersecurity hearing.

The Internet Education Foundation hosts its annual State of the Net Conference.


The American Enterprise Institute’s Center for Internet, Communications and Technology Policy hosts an event on tech policy issues in 2015.

The Georgetown Center for Business and Public Policy hosts a panel discussion on media mergers and independent programmers.

A subcommittee of the House Science, Space and Technology Committee holds a hearing on supercomputing.

The Senate Homeland Security and Governmental Affairs Committee holds a hearing titled “Protecting America from Cyber Attacks: The Importance of Information Sharing.”


The Center for Democracy and Technology holds an event titled “Always On: The Digital Patient.”

The Federal Communications Commission holds its January open meeting.

George Mason University School of Law’s Center for the Protection of Intellectual Property co-hosts a discussion on patents and startups.


Article source:


No Comments

All players needed to combat data breaches

The new Congress will have its work cut out for it this year as the House and Senate establish legislative priorities and adjust to changing dynamics on various priorities for the American people. While significant legislative debates no doubt lie ahead, one especially timely issue presents a common problem that Democrats and Republicans should be able to work together to solve.

Last year, Americans seemed to be hit with data breaches one after the other. A December poll found that just under half of us have experienced some sort of breach. The theft of personal information from more than 80 million J.P. Morgan Chase account holders last summer, and the highly publicized attack on Sony, have brought this issue to light for many on Capitol Hill and in middle America.

Because hackers have targeted both retail stores and financial institutions, it is important for both sectors to work together effectively to provide greater security for the entire electronic payment sphere. When customers make electronic purchases in a store, they are doing so with a card issued by a bank or credit union. Both the store and the card issuer have a responsibility to put their customers’ security first.

Last year, 19 different business groups came together to establish the Merchant-Financial Cyber Partnership. Over the course of nearly 50 meetings, some 250 individual executives met to hear from outside experts and chart a way forward toward stronger data protection measures. Their recommendations, recently submitted to the new Congress, include updating the federal criminal code to better reflect the changing nature of the online underworld responsible for devastating cyber-attacks, along with increasing government research and introducing “safe harbor” liability protections for threat information shared in good faith.

These are basic principles that not only the business community, but elected leaders on both sides of the aisle and in both houses of Congress should be able to embrace. One group, however, has removed itself from the collaborative process: credit unions.

While a number of banking industry groups – including the American Bankers Association (ABA) and the Independent Community Bankers of America (ICBA) – are contributing members of the Merchant-Financial Cyber Partnership, credit unions have taken no part in the group’s activities. Instead, they seem to prefer poisoning the process by lobbing inaccurate and misleading statements that are in no way constructive to the process of bolstering payment security.

Credit unions continue to spread the false claim that retailers make no contribution to the costs incurred by data breaches. In a recent op-ed in The Hill, B. Dan Berger, CEO of the National Association of Federal Credit Unions, says this responsibility is thrust solely upon credit unions “often at great expense, without help or compensation from the breached entity.” He need look no further than the terms his card issuers have negotiated with major card companies for proof that this is not the case. Merchants do indeed contribute to breach cleanup costs by contractual agreement. A small financial institution that provides its customers with MasterCard cards will receive payment from merchants to help with replacing any compromised cards.

One step that could be taken almost immediately to usher in safer electronic payments is the widespread American introduction of “chip-and-PIN” payment cards, known the world over as a safer alternative to magnetic stripe cards. But credit unions insist on standing in the way of this innovation. They ignore the facts surrounding the greater protections “chip-and-PIN” cards provide their own customers, including the Federal Reserve’s statement that PINs can make payments up to 700 percent safer.

A unique opportunity exists to work with President Obama along with the new Congress to make real advances on the path to greater protections for Americans. And credit unions should either join in the collaborative effort or stop obstructing progress to serve their own agenda. The first thing they can do is to stop the misleading attacks and embrace 21st Century “chip-and-PIN” cards, which will protect their own customers from the same cyber-attacks they denounce.

Kennedy is president of the Retail Industry Leaders Association and Shay is president of the National Retail Federation.

Article source:


No Comments


Albany health system notifies more than 5000 patients of data breach

Albany, NY-based St. Peter’s Health Partners is notifying more than 5,000 patients at St. Peter’s Medical Associates P.C., one of the system’s physician groups, that a manager’s cell phone – which contained their personal information – was stolen.

How many victims? 5,117.

What type of personal information? Names, dates of birth, and days, times and locations of medical appointments, as well as general descriptions of the reasons for the appointments. Addresses and phone numbers were included for two patients.

What happened? A manager’s cell phone – which had access to corporate email systems and, thus, patient information – was stolen.

What was the response? Law enforcement was notified. Data was remotely wiped from the device, and it was disconnected from the corporate email system. Encryption controls on corporate-issued mobile devices are being reviewed. All impacted individuals have been notified.

Details: Officials learned of the breach on Nov. 24. The incident primarily involved data from August 2014 to November 2014. The cell phone was password protected, but not encrypted in accordance with St. Peter’s Health Partners’ customary security procedures. So far there have been no reports that patient information was improperly used.

Quote: “While at this time we believe the risk is low that the data on these individuals was accessed, we are committed to doing all we can to protect each and every one of them,” Donald Martin, CEO of St. Peter’s Health Partners, was quoted as saying.

Source: Albany Business Review, “St. Peter’s Health Partners reports potential data breach after cellphone theft,” Jan. 23, 2015.

Article source:


No Comments

Marriott Fixes Simple Bug in Web Service That Could Expose Customer Data

Customer payment information and other data was made vulnerable by a flaw in the Marriott Web service used by the Android app as well as the Web site, a security researcher found.

The vulnerability is the result of Marriott’s system failing to use any kind of authentication on requests, meaning that an attacker who knew a victim’s Marriott Rewards number could query the back end and retrieve sensitive information. That data could then be used to access some limited payment information and personal data of the victim on Marriott’s site. Researcher Randy Westergren discovered the vulnerability and reported it to Marriott’s security team, which fixed the issue within a day, he said.

“Marriott was fetching upcoming reservations with a completely unauthenticated request to their web service, meaning one could query the reservations of any rewards member by simply specifying the Membership ID (rewards number). It appeared concerning enough, but I wondered how serious the impact was to customers. With permission, exploring the upcoming reservations of a friend revealed what a valid response looked like,” Westergren wrote in a post describing the vulnerability. 

The response from Marriott’s server contained the name of the hotel for the upcoming reservation, the check-in date, the victim’s last name and other data.

“There’s a lot of sensitive information there. What’s worse is that in order to completely manage a reservation on Marriott’s website, one only needs the reservation number along with the last name of the customer. As seen above, both of these fields are returned in the response. Logging in to manage the reservation, one could cancel the entire reservation,” Westergren said.

On a separate screen on the Marriott site, an attacker could access the victim’s complete contact information, including physical address, email address and partial payment card data. Westergren said he had a difficult time getting in touch with the security team at Marriott, but once he did the team moved quickly to fix the problem.

“After over a month of trying Twitter and some LinkedIn contacts, I finally got in touch with someone in information security. I was extremely impressed with Marriott’s response; their team immediately took the report seriously and ended up resolving the vulnerability in about one day,” Westergren said.
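The flaw described above is a missing authentication and ownership check: the membership ID was the only input, so whoever supplied a valid ID got that member's reservations. The following is an added illustration written for this page, not Marriott's code; the membership IDs, session tokens and reservation records are constructed. It shows the vulnerable lookup pattern next to a hardened one that first resolves the caller from a session and then refuses any request for a record the caller does not own.

```python
"""Added example (not Marriott's code): an unauthenticated record lookup of
the kind the article describes, beside a hardened version that requires a
session and checks that the caller owns the record it asks for.
All IDs, tokens and reservations here are constructed sample data."""
import hmac

# Constructed back end: membership ID -> upcoming reservations.
RESERVATIONS = {
    "111111111": [{"hotel": "Example Downtown", "check_in": "2015-02-03",
                   "last_name": "Doe", "confirmation": "CONF-0001"}],
    "222222222": [{"hotel": "Example Airport", "check_in": "2015-02-10",
                   "last_name": "Roe", "confirmation": "CONF-0002"}],
}

# Constructed session store: bearer token -> membership ID it was issued to.
SESSIONS = {"tok-alice": "111111111", "tok-bob": "222222222"}


class Forbidden(Exception):
    """Raised when a request lacks a valid session or targets another member."""


def lookup_unauthenticated(member_id):
    """The vulnerable pattern: the membership ID is the only input, so the
    ID itself acts as the credential and any caller can read any member."""
    return RESERVATIONS.get(member_id, [])


def lookup_authenticated(token, member_id):
    """Hardened pattern: resolve the caller from a session token first, then
    refuse unless the requested member ID is the caller's own."""
    principal = SESSIONS.get(token)
    if principal is None:
        raise Forbidden("missing or invalid session")
    # Ownership check: authentication alone is not enough; the record must
    # belong to the authenticated principal (an authorization check).
    if not hmac.compare_digest(principal, member_id):
        raise Forbidden("member ID does not belong to the caller")
    return RESERVATIONS.get(member_id, [])


def is_forbidden(token, member_id):
    """Report whether the hardened lookup rejects a given request."""
    try:
        lookup_authenticated(token, member_id)
    except Forbidden:
        return True
    return False


if __name__ == "__main__":
    # Anyone can read Bob's reservation through the unauthenticated path...
    print(lookup_unauthenticated("222222222"))
    # ...but Alice's session cannot read it through the hardened path.
    print(is_forbidden("tok-alice", "222222222"))
```

The point of the hardened version is that the session identifies the caller and the comparison against `member_id` enforces ownership; a service that only checked for a valid session, but still served whatever ID the request named, would remain exposed to exactly the cross-member lookup the article describes.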

It’s been an interesting month for Marriott. Two weeks ago the company said in a short statement that it would stop blocking customers’ personal WiFi hotspots in some parts of its hotels. The company had angered customers and run afoul of regulators at the FCC by sometimes sending deauthentication packets to guests’ devices in order to prevent them from using their own WiFi hotspots rather than paying to use the hotel’s network.

“In some cases, sent de-authentication packets to the targeted access points, which would dissociate consumers’ devices from their own Wi-Fi hotspot access points and, thus, disrupt consumers’ current Wi-Fi transmissions and prevent future transmissions. At the same time that these employees engaged in these practices, Marriott charged conference exhibitors and other attendees anywhere from $250 to $1,000 per device to use the Gaylord Wi-Fi service in the conference facilities,” the FCC said in a statement.
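The behaviour the FCC describes, repeated deauthentication frames aimed at guests' own access points, leaves a distinctive pattern in a passive 802.11 capture: many deauth frames from one sender to one receiver in a short span. The following is an added example, not code from the FCC or Marriott, of a rate-based detector for that pattern. It parses the standard 24-byte management-frame header (frame control, three address fields) plus the deauth reason code, and counts deauths per sender/receiver pair per time window. The MAC addresses and the capture itself are constructed in memory for the test; nothing is transmitted.

```python
"""Added example (not from the FCC or Marriott): a rate-based detector for
802.11 deauthentication frames, the mechanism the statement describes.
It parses raw management-frame headers from a passive capture and flags
any sender that deauthenticates one station more than a threshold number
of times inside a short window. The frames below are constructed."""
import struct
from collections import Counter

# Frame control byte 0: protocol version 0, type 0 (management), subtype 12
# (deauthentication). Subtype occupies the top four bits, type bits 2-3.
DEAUTH_FC0 = 0xC0


def mac_str(raw6):
    return ":".join(f"{b:02x}" for b in raw6)


def parse_frame(raw):
    """Parse the 24-byte 802.11 MAC header; a deauth frame also carries a
    2-byte little-endian reason code as its body."""
    if len(raw) < 24:
        return None
    fc0 = raw[0]
    frame = {
        "type": (fc0 >> 2) & 0x3,
        "subtype": (fc0 >> 4) & 0xF,
        "dst": mac_str(raw[4:10]),     # address 1: receiver
        "src": mac_str(raw[10:16]),    # address 2: transmitter
        "bssid": mac_str(raw[16:22]),  # address 3: BSSID
        "reason": None,
    }
    if frame["type"] == 0 and frame["subtype"] == 12 and len(raw) >= 26:
        frame["reason"] = struct.unpack_from("<H", raw, 24)[0]
    return frame


def build_deauth(dst, src, bssid, reason):
    """Construct a deauthentication frame for the test capture (never sent)."""
    header = struct.pack("<BBH", DEAUTH_FC0, 0, 0)  # frame control, duration
    for addr in (dst, src, bssid):
        header += bytes.fromhex(addr.replace(":", ""))
    header += b"\x00\x00"  # sequence control
    return header + struct.pack("<H", reason)


def detect_deauth_floods(capture, window_s=10, threshold=5):
    """capture: iterable of (timestamp_seconds, raw_frame_bytes).
    Returns sorted (src, dst) pairs that sent more than `threshold` deauth
    frames inside any single window of `window_s` seconds."""
    counts = Counter()
    for ts, raw in capture:
        f = parse_frame(raw)
        if f is None or f["type"] != 0 or f["subtype"] != 12:
            continue
        bucket = int(ts // window_s)
        counts[(bucket, f["src"], f["dst"])] += 1
    flagged = {(src, dst) for (_, src, dst), n in counts.items() if n > threshold}
    return sorted(flagged)


# Constructed capture (locally administered MACs): a guest's hotspot and
# phone. One ordinary deauth when the phone leaves (reason 3, "station is
# leaving"), then a burst of deauths that claim to come from the hotspot
# (reason 7, "class 3 frame from nonassociated station") 100 s later.
HOTSPOT = "02:00:00:aa:bb:01"
PHONE = "02:00:00:aa:bb:02"
CAPTURE = [(0.0, build_deauth(HOTSPOT, PHONE, HOTSPOT, 3))]
CAPTURE += [(100.0 + i * 0.2, build_deauth(PHONE, HOTSPOT, HOTSPOT, 7))
            for i in range(12)]

if __name__ == "__main__":
    print(detect_deauth_floods(CAPTURE))
```

A single deauth per pair is normal traffic (stations do leave), which is why the detector keys on rate rather than on the frame type alone; fixed time buckets keep the code short, and a sliding window would catch bursts that straddle a bucket boundary at the cost of a little more state.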

Article source:

No Comments

Adobe Begins Auto-Update Patching of Second Flash Player Zero Day

Adobe on Saturday began patching a zero-day vulnerability in Flash Player, exploits for which have been included in the notorious Angler Exploit Kit. This is the second of two previously unreported critical flaws in the software that have been patched in the last five days.

Adobe last Thursday sent out an emergency patch for another zero-day under attack for a vulnerability that could be used to defeat memory protections on Windows machines.

The second vulnerability, CVE-2015-0311, was reported by French researcher Kafeine, known for his work studying exploit kits and malware used in cybercrime and targeted attacks. The flaw affects Adobe Flash versions and earlier on Windows and Mac OS X machines. Adobe said it is aware of active exploits via drive-by download attacks against Windows 8.1 and earlier machines running IE or Firefox.

“Successful exploitation could cause a crash and potentially allow an attacker to take control of the affected system,” Adobe said in an advisory.

On Saturday, Adobe released the patch for users who have enabled auto-update for Flash Player desktop runtime. Those users began getting the fix via version

“Adobe expects to have an update available for manual download during the week of January 26, and we are working with our distribution partners to make the update available in Google Chrome and Internet Explorer 10 and 11,” Adobe said.

As of this morning, a manual download is still not available from Adobe.

“As a matter of fact, Adobe still lists as the most recent version,” said Johannes Ullrich of the SANS Internet Storm Center. “You can download if you manually check for updates using Flash.”

The inclusion of CVE-2015-0311 in the Angler Exploit Kit is worrisome because it increases the odds that vulnerable machines will be attacked before a patch is available. Kafeine said only some instances of the exploit kit, however, contain the exploit.

Last Thursday, Kafeine said on Twitter that the group behind Angler had changed the code to exploit Firefox as well as fully patched IE 11 on Windows 8.1. The Flash zero-day exploit is being used to install a version of the Bedep malware, which is used in ad fraud campaigns.

Researchers at Cisco, meanwhile, said that security engineers should expect this trend of Flash zero days finding their way into exploit kits to continue.

“The group is incorporating these exploits into the Angler EK before the bugs are publicized,” researchers Nick Biasini, Earl Carter and Jaeson Schultz wrote in a report published on Friday. “Considering these 0-day exploits are being used alongside one of Angler’s preferred methods of distribution, malvertising, thus intensifying the potential for large-scale compromise.”

Cisco said its data shows the Angler exploit for Flash is targeting only IE and Firefox, and that Chrome is only being served other exploits. The researchers report a spike in Angler attacks starting Jan. 20.

“Although this spike showed an increase in Angler related attacks, these attacks represent a small minority of the overall attack traffic. Based on our telemetry data we have seen domains associated with a single registrar being primarily responsible for the exploits being delivered,” the Cisco report said. “The approach appears to be rapid domain registration and exploitation with quick rotation of domains. Despite the rapid use of domains the IP’s associated with the attacks have been limited to two primary addresses (46[.]105.251.7 94[.]23.247.180).”

The domains, Cisco said, are used for only 24 hours, and the attackers continue to register new domains daily.
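The pattern Cisco describes, domains rotated daily while delivery stays on two addresses, is exactly the case where an indicator match on the destination IP holds up longer than one on the hostname. The following is an added example, not Cisco's code, that refangs the two addresses quoted from the report, matches them against proxy log lines, and groups the hostnames seen per address. Only the two IPs come from the page; the log format, client addresses, hostnames and timestamps are constructed for the example.

```python
"""Added example (not Cisco's code): turn the defanged indicators quoted in
the report into an exact-match set and run it over proxy log lines. Only the
two IP addresses come from the report; the log format, client addresses and
domain names below are constructed for the example."""
import ipaddress
import re

# Indicators exactly as quoted in the report, in defanged form.
REPORTED_IPS = ["46[.]105.251.7", "94[.]23.247.180"]


def refang(indicator):
    """Undo the usual defanging so the value can be parsed and compared."""
    return (indicator.replace("[.]", ".")
                     .replace("hxxps://", "https://")
                     .replace("hxxp://", "http://"))


def build_ip_set(indicators):
    """Parse each refanged indicator into an address object for exact matching."""
    return {ipaddress.ip_address(refang(i)) for i in indicators}


# Constructed log format: timestamp client method url destination_ip status
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<url>\S+) "
    r"(?P<dst>\S+) (?P<status>\d{3})$")


def scan_proxy_log(lines, watch_ips):
    """Return (timestamp, client, url, dst) for every line whose destination
    address is on the watch list; malformed lines are skipped, not fatal."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if m is None:
            continue
        try:
            dst = ipaddress.ip_address(m.group("dst"))
        except ValueError:
            continue
        if dst in watch_ips:
            hits.append((m.group("ts"), m.group("client"), m.group("url"), str(dst)))
    return hits


def hosts_seen_per_ip(hits):
    """Group hostnames by destination address, which surfaces the
    rotating-domain / fixed-IP pattern the report describes."""
    by_ip = {}
    for _, _, url, dst in hits:
        host = re.sub(r"^https?://", "", url).split("/", 1)[0]
        by_ip.setdefault(dst, set()).add(host)
    return by_ip


# Constructed sample log: three visits to rotating hostnames on the reported
# addresses, one benign request, and one unparseable line.
SAMPLE_LOG = [
    "2015-01-20T09:12:01Z 10.0.0.15 GET http://ad-rotator-0120.example/land 46.105.251.7 200",
    "2015-01-20T09:12:03Z 10.0.0.15 GET http://cdn.example/lib.js 203.0.113.9 200",
    "2015-01-21T11:40:55Z 10.0.0.22 GET http://ad-rotator-0121.example/land 46.105.251.7 200",
    "2015-01-22T08:03:10Z 10.0.0.31 GET http://ad-rotator-0122.example/sw 94.23.247.180 200",
    "garbage line that does not parse",
]

if __name__ == "__main__":
    found = scan_proxy_log(SAMPLE_LOG, build_ip_set(REPORTED_IPS))
    for hit in found:
        print(hit)
    print(hosts_seen_per_ip(found))
```

Matching on the resolved destination address rather than the URL means a hostname first seen today still triggers if it lands on a known address; the per-address grouping is what an analyst would use to pull the day's new domains out of the hits for blocking or hunting.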

Article source:

No Comments