Archive for January, 2012
Google (NASDAQ:GOOG) Jan. 31 assured Congress that it is changing its privacy policies to make them easier to manage and improve the company’s existing Web services for its users.
“By folding more than 60 product-specific privacy policies into our main Google one, we’re explaining our privacy commitments to users of those products in 85 percent fewer words,” Pablo Chavez, director of public policy for Google, wrote in a letter to Congress.
These changes go into effect March 1. Pundits seized on this change to argue that Google is trampling user privacy rights to help it better compete with Facebook for advertising dollars.
Eight members of the U.S. House of Representatives expressed concerns about the changes and sought more information from Google in a letter, signed Jan. 26 by Reps. Henry A. Waxman, D-Calif.; Cliff Stearns, R-Fla.; Edward J. Markey, D-Mass.; Joe Barton, R-Texas; Diana DeGette, D-Colo.; Marsha Blackburn, R-Tenn.; G. K. Butterfield, D-N.C.; and Jackie Speier, D-Calif.
“We believe that consumers should have the ability to opt out of data collection when they are not comfortable with a company’s terms of service and that ability to exercise that choice should be simple and straightforward,” they wrote in the letter, addressed to Google CEO Larry Page.
The lawmakers had asked Google to respond by mid-February; Google responded in five days.
Chavez also stressed that users needn’t sign in with a Google account to access Google Search, Maps, and YouTube, and that users’ private information remains private.
Also, a user might have a Google account and choose to use Gmail, but not use Google+. Users may also keep their data separated by employing different accounts, such as keeping one for YouTube and one for Gmail.
Google began life in 1998 solely as a search engine, but gradually added Gmail, Google Maps, Google Apps, Blogger, Chrome, Android, YouTube, and Google+. Combined these services have several hundreds of millions of users.
Chavez also noted that Google’s ability to share information for one account across services also allows signed-in users to use Google+’s Circles sharing feature to send directions to people without leaving Google Maps. Under current privacy policies, this information-sharing would not be possible.
As of March 1, signed-in users will be treated as “single entities” across most Google services.
An independent regulator for securities firms has warned investors of a growing number of financially motivated attacks targeting email accounts.
Malicious attackers are compromising user email accounts and sending trading instructions, the Financial Industry Regulatory Authority said in an investor alert issued Jan. 27. Similar warnings have been issued by the FBI and the Financial Services Information Sharing and
The incidents highlight “some of the risks” associated with being able to transmit or withdraw funds via email, the notice said. After compromising an email account, the attackers obtain the information needed to request wire transfers to accounts overseas, FINRA said. The accounts are also used to send authorization letters to the brokerage firms approving the transfer of funds without the investors’
“FINRA has received an increasing number of reports of incidents of customer funds stolen as a result of instructions emailed to firms from customer email accounts that have been compromised,” according to the investor alert.
Some firms released the funds even though attempts to verify the instructions by phone had failed, FINRA said. In at least one case, the fraudsters sent an email stressing the urgency of the requested transfer, pressuring the brokerage firm into releasing the funds before the instructions had been verified, FINRA said.
Investors should monitor their email accounts for signs of compromise, such as reports of spam sent from the account, bounced email messages or unexplained password changes, according to the alert. Investors should also monitor their brokerage accounts for unauthorized transactions.
The FBI puts the total value of this kind of financial fraud at approximately $23 million; actual victim losses are approximately $6 million.
The FINRA warning was issued a day after the U.S. Securities and Exchange Commission charged a trader with hacking into user accounts and manipulating stock prices. Four brokerage firms were also charged in the case for being unregistered and still allowing the trader to make trades in the U.S. securities market, according to a complaint filed by the SEC in a federal court in San Francisco.
A trader in Latvia was charged with breaking into online brokerage accounts 159 times between 2009 and August 2010, the SEC said Jan. 26. Igors Nagaicevs allegedly manipulated prices for more than 100 securities listed on the New York Stock Exchange and NASDAQ by making unauthorized purchases and sales, making $874,896. His stock fraud scheme may have cost investors more than $2 million, according to the SEC.
Nagaicevs is accused of setting up accounts with eight unregistered brokerage firms, four of which are based in the United States, to trade in the U.S. securities market. He then hacked into online accounts at other broker-dealer companies and used their client investors’ cash funds to make unauthorized trades of stock and securities, the SEC said in a complaint filed in a federal court in San Francisco. The unregistered brokerage accounts made the trades under the company names, allowing Nagaicevs to trade anonymously.
“Nagaicevs engaged in a brazen and systematic securities fraud, repeatedly raiding brokerage accounts and causing massive damages to innocent investors and their brokerage firms,” said Marc J. Fagel, director of the SEC’s San Francisco regional office.
Nagaicevs allegedly generated profits of $14,000 in 32 minutes by driving up the stock price of a NYSE-listed company using the hacked accounts, and then buying and selling securities at those artificial prices through the anonymous brokerage accounts. The broker-dealer companies were forced to reimburse the investors who had been hacked.
Four firms—Alchemy Ventures, KM Capital Management, Zanshin Enterprises and Mercury Capital—face charges for giving Nagaicevs access to the markets despite not being registered. Associates at Mercury and Zanshin have agreed to settle for $35,000 each in fines. If these firms had been registered brokerage firms, they would have been required to implement safeguards, which would have flagged Nagaicevs’ malicious activity.
Stop SOPA, PIPA Madness: Ways to Sensibly Protect Copyrights
I have written three books, and I still get royalty checks from my publishers. I open the envelope typically every six months to find money that rewards me for my original work. It’s like someone is printing money and sending it to me. Although my royalty checks are printed from a rather small printing press, there is great satisfaction in creating intellectual property and through that skill receiving compensation.
But what if one of my books suddenly appeared on some rogue Website? “Hey, wait a minute, you can’t do that! You’ve stolen my property!” Or, what if some group in, say, China republished my book and made it available for much less than my book?
These are some of the issues behind the House of Representatives’ Stop Online Piracy Act (SOPA) and the U.S. Senate’s version of the same issues, called the Protect Intellectual Property Act (PIPA).
Those opposing these bills in Congress are not suggesting that we support piracy or steal intellectual property. Rather, they believe that, as written, these bills—while protecting intellectual property and preventing piracy—could end up becoming one big censorship engine with far-reaching negative implications for society.
Remember the discussion about “Death Panels” during the debate about Obama Care? These bills would set up processes whereby review panels (government agencies or even private review boards) would judge which Websites are “illegal” and shut them down, or which factories to close because they are generating pirated CDs, DVDs or
The problem with this solution is that it’s not far from censorship: Some with power can wage war on those they don’t like and use “invasion of intellectual property or privacy” as a means to control others. How about if only “certain allowable results” were allowed in Google’s or Microsoft’s search engine? Who’s to decide?
So, what’s the solution to the problem? How do you establish laws or systems that protect intellectual property while at the same time not allowing censorship to wage war on some but not others? How do you protect artists who create great songs, producers and directors who create great movies, programmers and developers who create great Websites, and authors (and their publishers) who create great books?
The problem is more difficult to solve than it first appears. Here’s an example. Let’s say I go to Barnes & Noble and buy “Killing Lincoln” by Bill O’Reilly and Martin Dugard. (It’s a fascinating read, by the way.) But I know a Civil War history buff, so I give it to him to read. Innocent enough. We’ve all done that.
Or, let’s say I buy a CD of a popular artist like Adele. I then rip it into iTunes and sync it with my iPhone and iPad. No problem. Then, my friend says he loves Adele, so I give him the CD. I don’t need it any longer, so what’s the harm in giving it to a friend? In each of these cases, the fact is that the actions have actually pirated someone’s intellectual property. But society doesn’t generally get upset when someone does this on a small scale and doesn’t do it for financial
We generally allow everyone who buys a book, CD or DVD to have some personal distribution rights to share it with a few friends. That’s because there isn’t intent to mass produce and distribute the work or make money through the process. For example, Apple gives everyone the right to share a purchased song or album on five computers.
Just like “the cloud” of 2009 and 2010, this year’s red-hot buzz term bandied about by executives who may or may not have a clue what it means is “big data.” But just as 2011 saw the world wrap its head around the cloud, the time is coming when technology around big data will gain traction, understanding, and deployments. And when it does, infosec professionals need to be ready for the security and compliance complications that it could introduce.
So what exactly is big data? In a nutshell, it’s a dataset that’s too big to be crunched by traditional database tools. Whether it is from scientific or environmental sensors spewing out a cascade of data, financial systems producing a mounting cavalcade of information, or Web and social media apps that create a snowballing mass of records, big data is typically classed as such if it exhibits three essential dimensions. They’re what Gartner’s Doug Laney, then of META Group, back in 2001 called the 3Vs of data management: volume, variety, and velocity.
The first one’s obvious: clearly something wouldn’t be called big data if there wasn’t a heck of a lot of it. But big data is also a swarm of unstructured data that must be fast to store, fast to recover, and, most importantly, fast to analyze.
“While many analysts were talking about, many clients were lamenting, and many vendors were seizing the opportunity of these fast-growing data stores, I also realized that something else was going on,” Laney wrote recently in a retrospective on that first report. “Sea changes in the speed at which data was flowing mainly due to electronic commerce, along with the increasing breadth of data sources, structures and formats due to the post Y2K-ERP application boom were as or more challenging to data management teams than was the increasing quantity of data.”
When Laney first wrote about the 3Vs 11 years ago, he was mostly addressing the data management challenges that had contributed to the evolution of data warehousing. These types of data stores gain their value mainly through analysis, which is why data warehousing and business intelligence had gone hand in hand for years before “big data” became common parlance.
Read the rest of this article on Dark Reading.
Social media archiving and screening specialist Actiance enables financial advisors to post preapproved content on their pages and profiles.
After helping financial services firms prevent financial advisors from posting anything they shouldn’t to social media, compliance and archiving specialist Actiance is now pivoting to help them post more.
Financial services must work around compliance hazards to participate in social media, since anything their representatives publish that could be considered financial advice must be monitored and archived. Actiance, which has a history of working with these firms to manage other electronic communications such as instant messaging and unified communications, entered the social software market with Socialite, a tool that screens posts and manages LinkedIn profiles.
A new product, Socialite Engage, turns the approval process around, allowing a firm’s marketing department to provide a library of preapproved posts advisors can post to one or more social profiles.
“In probably the last six to eight months, the focus has shifted,” said Sarah Carter, vice president of marketing at Actiance. “Compliance is the easy side of things. Getting people to adopt social media is the challenge.”
“Within three weeks of enabling our advisors, more than 1,200 of them were using social media. Actiance helps us understand what content is the most relevant and allows our advisors to further build their social media presence,” Mike White, marketing director at Raymond James, said in a statement.
Raymond James, which has been using the product since October, also provided a background interview on how the process works. Financial advisors do have the freedom to write their own posts, but Socialite routes those posts to the compliance department for review prior to publication. Because the posts distributed from the content library have been preapproved, an advisor can immediately publish any of those to Facebook, Twitter, or LinkedIn. Advisors can’t modify the preapproved posts, but they can add comments, in which case their comments go through the Socialite compliance review process prior to publication, like any other post.
Besides ensuring compliance, this content distribution allows advisors to post more frequently than if they had to write the content themselves.
This distribution model mirrors that of Hearsay, which also has some financial services customers such as Farmers Insurance. Hearsay provides a general solution for national or global companies to execute a social media strategy through their local representatives.
Although Hearsay has stepped up its targeting of financial services companies, Carter said Actiance has the advantage of deeper industry experience. “The underlying principle behind all of the Actiance platform is compliance,” she said.
Good news for Megaupload users: Your data just got a two-week reprieve from being deleted.
On Friday, U.S. Attorney Neil MacBride had written to Megaupload’s lawyers, informing them that federal investigators had finished reviewing Megaupload data, and that it could be deleted from servers as soon as one week later. “It is our understanding that the hosting companies may begin deleting the contents of the servers beginning as early as February 2, 2012,” wrote MacBride.
In the United States, Megaupload leases servers from two hosting providers: Carpathia Hosting and Cogent Communications. Since the Justice Department froze Megaupload’s assets, however, the file-sharing site could no longer pay its leasing bills.
But Ira Rothken, Megaupload’s U.S. attorney, said the two hosting providers have since agreed that they won’t delete the Megaupload data they’re storing, for at least two more weeks. “The hosting companies have been gracious enough to provide additional time so we can work out some kind of arrangement with the government,” Rothken said, according to news reports. The negotiations are meant to free up funds to pay the hosting providers to recover some data, which he said may also aid Megaupload’s defense.
The data reprieve means that Megaupload users who used the cyberlocker service to store files may one day regain access to them. The servers have remained offline since being taken down earlier this month by the FBI, after a Justice Department indictment–unsealed in federal court–accused seven Megaupload executives of racketeering, money laundering, and copyright violations, and of using their file-sharing site to amass $175 million in “criminal proceeds.”
That takedown quickly sparked a reaction from some other file-sharing sites. For starters, 4shared, FileJungle, FilePost, Fileserve, UploadStation, VideoBB, and VideoZer began deleting accounts, disabling sharing, or canceling affiliate programs that rewarded people for uploading popular content. Similarly, FileSonic–which has seen a billion page views per month–disabled sharing and canceled its affiliate program. But other file-sharing sites, such as MediaFire and RapidShare, have said they have nothing to fear over their cyberlocker business practices.
Given that variation in reaction, what legal lessons might be drawn from the Megaupload takedown? So far, that’s not entirely clear. While the company’s founder, Kim Dotcom, remains in prison in New Zealand at the request of the FBI, he’s denied all of the charges leveled against Megaupload, and said he plans to mount a vigorous defense.
Furthermore, the Justice Department has faced criticism over the takedown for not distinguishing between material stored on Megaupload’s servers that may have infringed U.S. copyright laws, and non-copyrighted material that was legitimately stored there by users, some of whom had purchased a premium subscription from Megaupload. Lawyers in other countries have also accused the Justice Department and FBI of overstepping their authority by taking Megaupload offline not just in the United States, but worldwide.
In addition, the indictment itself has been criticized for being founded on a criminal complaint. Past cases involving alleged copyright infringement–for example, involving YouTube–weren’t treated as criminal matters, but rather civil ones, said Jeff Ifrah, an attorney who co-chairs the American Bar Association’s criminal justice section and committee on white collar crime, speaking recently by phone.
The bigger lesson, Ifrah said, may be simply that the Obama administration is attempting to satisfy demands from music and movie trade associations that it do something about piracy. “We have an administration that’s very captive to that industry,” he said. “It wouldn’t surprise me if they were the ones propelling the Eastern District action in this case. That’s the only reason you get a prosecutor who wants to ignore the fine line between civil and criminal in this case.”
The survey of 500 IT professionals who had experienced a data breach at their organization also found that 60% of respondents said the customer data that was lost or stolen was not encrypted.
“Something that was eye-opening was the fact that quite a few of the breaches could have been prevented”, said Ozzie Fonseca, senior director at Experian Data Breach Resolution. He told Infosecurity that data encryption could have gone a long way in preventing many of the breaches. “In this day and age, I find it difficult to understand why a company would have sensitive information that was not encrypted”, he added.
Examples of the types of data that companies lost included email (70%), credit card or bank payment information (45%), and Social Security numbers (33%).
The cause of the breach was the result of a negligent insider for 34% of respondents, outsourcing of data to a third party for 19% of respondents, and a malicious insider for 16%. Where a negligent insider was the cause of a breach, “a simple training program could have prevented it”, Fonseca said.
The majority of respondents (66%) said that the experience of investigating the causes of a breach will help them in determining the root causes of future incidents.
Following the data breach, 61% of respondents said their organizations increased their security budget and 28% hired additional IT security staff.
“What we are seeing is that things that should have been done as a matter of course…became the focus only after the breach happened”, Fonseca observed.
When it came to reducing the negative consequences of the data breach, retaining outside legal counsel (56%) and carefully assessing the harm to victims (50%) ranked as the highest priorities.
At the same time, 73% of respondents said their organization did not offer identity protection products or services such as credit monitoring and other identity theft protection measures, including fraud resolution, scans, and alerts, to victims.
“Although companies felt responsible for the event and wanted to do the right thing by educating employees and increasing IT budgets, more than 70% of the companies neglected to also consider the victims well-being by providing some type of protection product”, Fonseca said.
HARTFORD, CT – Protecting personal information has never been more important for consumers and businesses and there are simple things that can be done to help keep it safe, said Attorney General George Jepsen, who offered “top 10” tips for data security.
“Smart communications technology has made it simple for anyone to access information. But easy access also raises the threat of identity theft and other security problems when personally identifiable information falls into the wrong hands,” Attorney General Jepsen said.
In recognition of National Data Privacy Day, Jepsen reminded consumers who provide personally identifiable information and businesses that collect it about problems that may result if information is not protected from improper disclosure.
Top 10 Tips for Consumers:
1. Stop and think before posting any information online. Using Facebook or Twitter to let the world know you are “on vacation” may also be an open-door invitation to criminals.
2. Pay attention when enabling location services on your phone or other mobile device.
When enabled, your location can be determined in posts to sites like Facebook and embedded in digital photographs.
3. Monitor and strengthen your security settings on social media.
It can help with early detection of any account breaches or unauthorized access. For example, on Facebook, controls can be changed under Settings → Security to require login approvals from devices you haven’t previously authorized, to notify you when your account is being accessed, and to check or end active sessions of your Facebook account (helpful if you forgot to log out in a public place, etc.).
5. Avoid using public computers to access personal or private information. The connection may not be secured and information may be tracked or logged.
6. Never provide sensitive information, such as your Social Security Number, unless there is a legitimate purpose, such as for employment or health care reasons. Always ask what the information is being used for.
7. Never give out any personal information, such as Social Security or credit card number, in response to an unsolicited e-mail or telephone call. If the e-mail or call claims to be from a company you do business with, call them first to confirm the contact is legitimate. If not, do not provide information or click on links within the suspect e-mail.
8. Encrypt your wireless router. Also, following the manufacturer’s instructions, change the password and turn off the feature that openly broadcasts your network’s SSID.
9. Encrypt any private or secret information sent through e-mail.
10. Protect your information and identity off-line: Review your credit reports and report all inaccuracies (you are entitled to one free report from each of the three major credit rating bureaus annually at annualcreditreport.com); shred personal letters and bills before discarding; and review credit card and bank statements for any fraudulent charges.
Top 10 Tips for Business:
1. Encrypt sensitive information on your network and servers, as well as in any communication that is sent electronically.
2. Install security updates, patches and anti-virus programs on your computers and firewalls on your networks to prevent outsiders from hacking your system or exploiting known vulnerabilities.
3. Educate your employees about data security, data breach prevention and the data breach response plan. Make sure everyone with access, not just information technology staff, knows how to keep information safe and to respond to data security incidents.
4. Restrict sensitive information to a “need to know” basis.
5. Collect and keep data only when absolutely necessary to the work you are performing and dispose of it properly. Old data is dangerous.
6. Develop and implement a social media policy. Instruct employees about its use and potential risks in the workplace.
7. Have a data breach response plan in place and update it regularly. Waiting until you need it will be too late.
8. If you can’t protect it, don’t collect it. Connecticut law requires sensitive customer information and personally identifiable information to be protected from improper disclosure and made unreadable prior to disposal.
9. Conduct periodic, detailed security assessments to identify and resolve vulnerabilities and account for newly developed threats.
10. Have a formalized password protection policy that is enforced, regularly reviewed and updated.
Anyone who believes they may be a victim of identity theft or a data privacy breach, or who needs answers about data privacy protection, is encouraged to contact the Office of the Attorney General Consumer Protection department at 860-808-5400.
More information about National Data Privacy Day is available at www.staysafeonline.org. If you would like to share information about Data Privacy Day through Twitter, use the hashtag or, you can “like” the Data Privacy Day Facebook page at http://www.facebook.com/DataPrivacyNCSA.
ATLANTA, January 31, 2012 — /PRNewswire/ —
Businesses often view data threats from mobile devices like smartphones and tablets in terms of malware, phishing, and spyware, but improper decommissioning can pose an even bigger security risk, according to Blancco, the global leader in data erasure and computer reuse solutions. Analysts estimate that more than 100 million mobile phones are now recycled each year, yet surveys show that from 20 to 90 percent reach the secondhand market with sensitive data. While many corporate security policies address removal of data from servers and laptops before reassignment, resale or donation, mobile devices are often overlooked, despite similar repercussions as larger equipment in terms of regulatory fines and damages to corporate reputation.
Blancco Mobile Edition data erasure software offers businesses, as well as the third-party information technology asset disposal (ITAD) specialists who support them, an extra level of assurance that all data has been wiped from mobile devices. The software’s effectiveness in sanitizing data was recently certified by the internationally recognized testing agency TÜV SÜD, complementing its adherence to DoD data erasure standards. The certification comes at a time when many businesses are developing or assessing their mobile device policy.
“IT asset and security managers now recognize that simply destroying a smartphone’s SIM card and performing a factory reset doesn’t always fully erase internal and external memory,” said Markku Willgren, President of Blancco’s US operations. “Blancco Mobile Edition, as certified by TÜV SÜD, removes data from mobile devices while creating a detailed erasure report as proof. A growing number of security- and compliance-minded companies – including a major international chemical company with more than 50,000 employees – have embraced the certified Blancco Mobile Edition as a security best practice.”
With Blancco Mobile Edition, a single operator is capable of erasing more than 300 smartphones per day, with automatically-generated erasure reports providing details such as serial number, IMEI code, operator information and storage capacity – all important details for resale and reuse purposes. Blancco Mobile Edition is TÜV SÜD certified for Android, Blackberry, Symbian and Windows Mobile platforms, with certification expected for Apple iOS in Q1 2012.
Blancco is the proven data erasure solution for millions of users around the globe. As the global leader in data erasure and computer reuse solutions, Blancco offers the most certified data erasure solutions within the industry. The company serves users across a wide range of industries, including banking, finance, government and defense. The company’s products are highly valued by IT asset disposal professionals around the world. Blancco operates from an extensive network of international offices and partners across Europe, North America, Middle East, Asia and Australasia. More information is available at http://www.blancco.com.
Markku Willgren, President, US Operations
SOURCE Blancco Oy Ltd.