A bit of analysis of the TJX settlement.
http://infoseccompliance.com/2009/07/02/tjx-settles-with-state-attorneys-general-for-975-million/
TJX Settles with State Attorneys General for $9.75 Million
Posted on July 2nd, 2009 by David Navetta
The TJX breach saga came a little closer to an end (excluding of course the still-pending case being pursued by a couple of issuing banks) with the announcement of a settlement with 41 State attorneys general that brought actions under their State’s respective consumer fraud and deceptive practices laws (a copy of the settlement document can be found: HERE). This is a summary of the TJX settlement.
… In addition to monetary payments, the settlement also requires TJX to “implement and maintain a comprehensive Information Security Program reasonably designed to protect the security, confidentiality and integrity of Personal Information.” The general description of the mandated program essentially matches the information security program required pursuant to TJX’s consent order with the FTC.
However, this settlement goes beyond the general requirements of the FTC’s consent order and mandates specific information security controls and actions, including:
* Replacement of all WEP based wireless systems with WPA wireless systems (or equivalent)
* No storage of sensitive authentication information related to payment cards (e.g. magnetic stripe track data, PIN numbers/PIN Blocks, and CVC2/CVV2/CID numbers)
* Segmentation of TJX networks storing, processing or transmitting Personal Information (including Cardholder Information) from the rest of TJX’s network
* “Security password management” for the portions of the TJX computer system that store, process or transmit Personal Information
* Implementation of a security patching protocol for the portions of the TJX computer system that store, process or transmit Personal Information
* Use of Virtual Private Networks/encryption for transmitting Personal Information
… As a condition of the settlement, TJX essentially has to advocate for improvements in the security of the payment card system. In particular, TJX must contact Visa and Mastercard and its acquiring bank and volunteer to participate in pilot programs for testing new security-related payment card technology (such as chip-and-PIN technology). TJX also must take steps to encourage the payment card industry to achieve “end-to-end” encryption of cardholder data (all the way through the bank authorization process). TJX must take such steps within 180 days and must submit a report to the Attorneys General indicating TJX’s progress.
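The second control in the list above (no storage of track data, PIN blocks or card verification values) is the one that is easiest to verify with tooling, and it is the kind of check an acquirer or QSA would expect to see run against logs, dumps and backups. The script below is an added example, not part of the settlement or of the original post: it scans constructed point-of-sale log records for Track 1 and Track 2 magnetic stripe formats, labelled CVV/CVC fields and labelled PIN blocks, confirms candidate PANs with a Luhn check to suppress random digit runs, and reports only masked values so the scanner's own output does not become another copy of the data. The record layout, the field names `cvv2` and `pin_block`, and all sample values are assumptions made for the example.

```python
import re
from dataclasses import dataclass
from typing import List

# Constructed sample POS log records for this example, not real data. The PANs are the
# industry's published test card numbers; the track, CVV and PIN-block values are made up.
SAMPLE_RECORDS = [
    "2009-06-01 POS-07 sale ok pan_last4=1111 amount=42.10",
    "2009-06-01 POS-07 raw=%B4111111111111111^DOE/JOHN^25121011000000000000?",
    "2009-06-01 POS-12 raw=;5555555555554444=25121011234567890?",
    "2009-06-02 POS-03 cvv2=123 amount=9.99",
    "2009-06-02 POS-03 pin_block=1A2B3C4D5E6F7081",
    "2009-06-02 POS-09 auth approved ref=77213",
]

# Track 1 layout: %B<PAN>^<NAME>^<YYMM><service code><discretionary data>?
TRACK1 = re.compile(r"%B(\d{13,19})\^[^^]{2,26}\^\d{4}\d{3}[^?]*\?")
# Track 2 layout: ;<PAN>=<YYMM><service code><discretionary data>?
TRACK2 = re.compile(r";(\d{13,19})=\d{4}\d{3}\d*\?")
# Verification values and PIN blocks stored as labelled fields (field names are assumed).
CVV = re.compile(r"\b(cvv2?|cvc2?|cid)\s*[=:]\s*\d{3,4}\b", re.IGNORECASE)
PINBLOCK = re.compile(r"\bpin_?block\s*[=:]\s*[0-9A-Fa-f]{16}\b", re.IGNORECASE)


def luhn_ok(pan: str) -> bool:
    """Luhn check on a candidate PAN; cuts false positives from arbitrary digit runs."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep only the last four digits so the report itself does not store the PAN."""
    return "*" * (len(pan) - 4) + pan[-4:]


@dataclass
class Finding:
    line_no: int
    kind: str     # track1, track2, cvv or pin_block
    detail: str   # masked PAN or field name, never the sensitive value itself


def scan_record(line_no: int, line: str) -> List[Finding]:
    findings: List[Finding] = []
    for pattern, kind in ((TRACK1, "track1"), (TRACK2, "track2")):
        for m in pattern.finditer(line):
            if luhn_ok(m.group(1)):
                findings.append(Finding(line_no, kind, mask_pan(m.group(1))))
    for m in CVV.finditer(line):
        findings.append(Finding(line_no, "cvv", m.group(1).lower()))
    if PINBLOCK.search(line):
        findings.append(Finding(line_no, "pin_block", "16-hex-digit block"))
    return findings


def scan(records) -> List[Finding]:
    """Scan a sequence of records and return every sensitive-authentication-data finding."""
    findings: List[Finding] = []
    for line_no, line in enumerate(records, start=1):
        findings.extend(scan_record(line_no, line))
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_RECORDS):
        print(f"line {f.line_no}: {f.kind} ({f.detail})")
```

A real deployment would point `scan()` at log files, database exports and backup images rather than an inline list, and would treat a single track-data hit as a reportable finding: under the card brands' rules the data is not permitted to be stored after authorization at all, so the remediation is to stop the write and purge, not to encrypt what was found.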
Stephen Rynerson sent me this article. (Looks like he reads the Physics blogs in his spare time.) This could be “the next big thing!” allowing true secure communications, until the little green hackers from Alpha Centauri arrive.
http://www.eurekalert.org/pub_releases/2009-07/iop-rut062909.php
Researchers unite to distribute quantum keys
Researchers from across Europe have united to build the largest quantum key distribution network ever built. The efforts of 41 research and industrial organisations were realised as secure, quantum encrypted information was sent over an eight node, mesh network.
… One of the first practical applications to emerge from advances in the sometimes baffling study of quantum mechanics, quantum cryptography has become a soon-to-be reached benchmark in secure communications.
… The researchers write, "In our paper we have put forward, for the first time, a systematic design that allows unrestricted scalability and interoperability of QKD technologies."
(Related) Why we might need unbreakable cryptography?
http://www.pogowasright.org/?p=1194
Cybersecurity plan to involve NSA, Telecoms
July 3, 2009 by Dissent Filed under Featured Headlines, Govt, Internet, Surveillance, U.S.
Since The Washington Post first broke the news that the Obama administration is moving ahead with Einstein, a Bush-era plan to use National Security Agency assistance in screening government computer traffic on private-sector networks, the drum beat from privacy advocates has been growing.
Today, Siobhan Gorman of The Wall Street Journal reports that the latest complete version of the system won’t be fully installed for 18 months, and even when it is, the system won’t protect networks from attack but will only trigger an alarm after one has happened:
A more capable version has sparked privacy alarms, which could delay its rollout. Since the National Security Agency acknowledged eavesdropping on phone and Internet traffic without warrants in 2005, security programs have been dogged by privacy concerns. In the case of Einstein, AT&T Corp., which would test the system, has sought written approval from the Justice Department before it would agree to participate, people familiar with the matter say.
A side bar describes the three phases of Einstein:
* Einstein 1: Monitors Internet traffic flowing in and out of federal civilian networks. Detects abnormalities that might be cyber attacks. [or the spike in traffic when Michael Jackson died Bob] Is unable to block attacks.
* Einstein 2: In addition to looking for abnormalities, detects viruses and other indicators of attacks based on signatures of known incidents, and alerts analysts immediately. Also can’t block attacks.
* Einstein 3: Under development. Based on technology developed for a National Security Agency program called Tutelage, it detects and deflects security breaches. Its filtering technology can read the content of email and other communications.
The Associated Press notes that the planned deployment of the new Einstein 3 program was noted in the administration’s recently released cyber security review.
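The three phases in the sidebar map onto three different detection decisions: a volume anomaly that nobody has characterised yet, a match against a known-bad signature, and the choice of whether a given hit is specific enough to act on inline. The script below is an added example, not from the article and not Einstein's or Tutelage's own logic, that runs each of those steps over constructed hourly flow summaries. The flow records, the signature strings, the addresses (documentation ranges) and the spike threshold factor are all assumptions made for the example.

```python
import statistics
from collections import Counter
from typing import Dict, List, Tuple

# Constructed flow summaries for this example: (hour, source, destination, bytes, payload sample).
# Not real traffic; the addresses are documentation ranges and the signature strings are made up.
FLOWS = [
    (0, "203.0.113.5",   "10.0.0.10", 1200,  "GET /index.html"),
    (0, "198.51.100.7",  "10.0.0.10", 900,   "GET /about.html"),
    (1, "203.0.113.5",   "10.0.0.10", 1100,  "GET /news.html"),
    (1, "198.51.100.9",  "10.0.0.12", 1000,  "POST /login"),
    (2, "203.0.113.5",   "10.0.0.10", 1300,  "GET /index.html"),
    (2, "198.51.100.7",  "10.0.0.10", 800,   "GET /contact.html"),
    (3, "192.0.2.44",    "10.0.0.10", 60000, "GET /index.html"),   # volume spike begins
    (3, "192.0.2.44",    "10.0.0.10", 58000, "GET /index.html"),
    (3, "192.0.2.45",    "10.0.0.11", 55000, "GET /index.html"),
    (4, "203.0.113.5",   "10.0.0.10", 1200,  "GET /index.html"),
    (4, "198.51.100.21", "10.0.0.12", 700,   "POST /upload EXAMPLE-SIG-7f3a"),  # known-bad content
]

# Signature list in the style of phase 2 (constructed names and strings, not a real feed).
SIGNATURES: Dict[str, str] = {
    "EXAMPLE-SIG-7f3a": "example-dropper",
    "EXAMPLE-SIG-0c11": "example-scanner",
}


def bytes_per_hour(flows) -> Dict[int, int]:
    totals: Counter = Counter()
    for hour, _src, _dst, nbytes, _payload in flows:
        totals[hour] += nbytes
    return dict(totals)


def anomalous_hours(flows, factor: float = 5.0, min_baseline: int = 2) -> List[int]:
    """Phase-1 style: flag an hour whose inbound byte total exceeds `factor` times the
    median of the preceding unflagged hours. Flagged hours stay out of the baseline so
    one spike does not raise the bar for the next."""
    totals = bytes_per_hour(flows)
    baseline: List[int] = []
    flagged: List[int] = []
    for hour in sorted(totals):
        if len(baseline) >= min_baseline and totals[hour] > factor * statistics.median(baseline):
            flagged.append(hour)
        else:
            baseline.append(totals[hour])
    return flagged


def signature_hits(flows) -> List[Tuple[int, str, str]]:
    """Phase-2 style: match payload samples against known-bad strings.
    Returns (flow index, source address, signature name)."""
    hits: List[Tuple[int, str, str]] = []
    for idx, (_hour, src, _dst, _nbytes, payload) in enumerate(flows):
        for needle, name in SIGNATURES.items():
            if needle in payload:
                hits.append((idx, src, name))
    return hits


def verdicts(flows) -> Dict[str, List[str]]:
    """Phase-3 style decision: a signature match is specific enough to block inline,
    while a volume anomaly only raises an alert for an analyst, since it may be
    legitimate load."""
    out: Dict[str, List[str]] = {"alert": [], "block": []}
    for hour in anomalous_hours(flows):
        out["alert"].append(f"hour {hour}: inbound volume anomaly")
    for _idx, src, name in signature_hits(flows):
        out["block"].append(f"{src}: {name}")
    return out


if __name__ == "__main__":
    for level, items in verdicts(FLOWS).items():
        for item in items:
            print(f"{level.upper():5} {item}")
```

The split in `verdicts()` is the point the sidebar makes: the first two phases only alert, and blocking becomes defensible only once the detection is as specific as a content signature, which is also exactly why the third phase raises the privacy questions the article describes.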
Win friends and influence people. Do they think no one notices?
Microsoft Changing Users' Default Search Engine
Posted by timothy on Thursday July 02, @07:34PM from the now-what-did-we-say-about-playground-behavior? Dept. windows microsoft security
BabyDuckHat writes
"Cnet's Dennis O'Reilly caught 'Windows Search Helper' trying to change his default Firefox search from Google to Bing. This isn't the first time the software company has been caught quietly changing users' preferences to benefit its own products."
(Related?)
http://blogs.computerworld.com/london_stock_exchange_to_abandon_failed_windows_platform
July 1, 2009 - 1:20 P.M.
London Stock Exchange to abandon failed Windows platform
Anyone who was ever fool enough to believe that Microsoft software was good enough to be used for a mission-critical operation had their face slapped this September when the LSE (London Stock Exchange)'s Windows-based TradElect system brought the market to a standstill for almost an entire day. While the LSE denied that the collapse was TradElect's fault, they also refused to explain what the problem really was. Sources at the LSE tell me to this day that the problem was with TradElect.
Since then, the CEO that brought TradElect to the LSE, Clara Furse, has left without saying why she was leaving. Sources in the City--London's equivalent of New York City's Wall Street--tell me that TradElect's failure was the final straw for her tenure. The new CEO, Xavier Rolet, is reported to have immediately decided to put an end to TradElect.
The problem with using laws that almost apply?
http://news.cnet.com/8301-13577_3-10278483-36.html?part=rss&subj=news&tag=2547-1_3-0-5
Report: Guilty verdict overturned in MySpace suicide case
by Caroline McCarthy July 2, 2009 2:26 PM PDT
Lori Drew, the woman convicted of using a hoax MySpace profile to harass a teenage girl to the point of suicide, was acquitted by a Los Angeles judge on Thursday, Wired reported.
Judge George Wu overturned Drew's guilty verdict, which was issued in November, saying that if Drew had been convicted of a felony in the case, she would already have been sentenced. But because she was convicted of three misdemeanors--a significantly lighter offense than prosecutors originally sought--the constitutionality of the guilty verdict was less clear.
Interesting business model for a Venture Capital firm.
http://www.killerstartups.com/Web20/startupwiz-biz-a-laboratory-for-new-entrepreneurs
StartupWiz.biz - A Laboratory For New Entrepreneurs
StartupWiz introduces a new program of its own which prepares entrepreneurs and business owners to achieve a much greater level and probability of success. The program's series of 14 sequential modules goes well beyond the traditional MBA courses and startup 'boot-camps' available. It takes the student from "Am I really prepared to be an entrepreneur?" to "I'm ready to pitch my compelling business case to sophisticated investors or bankers". Each module includes a downloadable offline training presentation and keyed workbook for the topic, followed by a fast-paced interactive "WebShop" online to explore and test their ideas. Students learn at their own pace and from the comfort of their homes, enabling family members and friends to participate in the entrepreneurial process with them. They can even postpone their next module until they've done more ground work, and then pick up where they left off.
The program begins with students exploring their underlying motivations and expectations of the startup process and their desired outcome. Next they examine the entire set of success criteria for doing business in today's tough economy. Students then build a comprehensive and compelling business model. Under the guidance of seasoned entrepreneurs students are continuously challenged to think critically about their plans and assumptions throughout the process. Those who complete the program get the opportunity to present their tested plan online to qualified investors world-wide. Students come away with a test presentation, executive summary, a 'PlayBook' covering their whole business case, and a much stronger confidence in the viability of their business model and their ability to execute it.
"You wouldn't start laying bricks or putting up framing for a custom home before you architected it, so why build your business before you design it?" said Rudi Wiedemann, founder and CEO of StartupWiz. "Thinking at a strategic level about your new business model before you bet your job and savings on it is the smart move. Unfortunately, this is difficult work and few entrepreneurs have the patience to do it. But the savings in time, money, grief and reputation can be enormous."
Investors looking for a source of better quality fundable deals will appreciate business models and management teams that have been 'shaken out' more thoroughly before approaching them for money. Experienced business executives have a new avenue to participate in hot new startups. Professional service providers can contribute to startups and potentially gain new clients. Business educators have a new place to send those graduates ready to take the entrepreneurial plunge.
Registration to StartupWiz is free and provides members valuable resources including PodCasts, downloads, links, templates and other tools which are constantly being updated and expanded.
For Da Vinci Code fans? Something to add to the search tool folder
http://www.makeuseof.com/dir/symbols-look-up-symbols/
Symbols: Look Up Symbol Meanings
If you come across a symbol or sign and don’t know what it means, head straight to Symbols.com. It is a web resource where you can easily look up symbols and read their meanings. The site currently lists around 2500 western (modern and ancient) symbols organized in 54 categories.
There are four ways you can search for symbols:
* Simple keyword search.
* Use the graphic index tool that searches symbols based on symmetry, shape and crossing lines.
* Use the word index to find a symbol with a certain meaning.
* Check out a random sign.
Is this the “e-version” of sports fans chatting at a bar?
http://howto.wired.com/wiki/Follow_The_Tour_De_France_Online
Follow The Tour De France Online
From Wired How-To Wiki
The 2009 edition of the Tour de France -- the premier event on the pro cycling calendar and the oldest of the three grand tours -- kicks off Saturday, July 4 with a short time trial in Monaco.
… Here are our tips for getting your Tour fix online.