Wednesday, October 28, 2009

Controlling the risks of Cloud Computing with contracts? How else do you document what's important?

http://www.pogowasright.org/?p=4811

LA Council Insists On Security Breach Penalty As It Oks Move To Google’s ‘Cloud’

October 27, 2009 by Dissent Filed under Breaches, Featured Headlines, Govt, Internet

The Los Angeles City Council voted today to move the city’s 30,000 email users to a system provided by Google, but only after a provision that the city be compensated if there is security breach in the data held on Google’s servers.

Consumer Watchdog had said that the security provisions for the Google “cloud computing” system for email and other applications remained untested and opposed the $7.25 million contract. However, the nonpartisan consumer group had argued that if the contract were approved, it should contain a provision requiring “liquidated damages” or a payment in the event of a security breach. Council voted to add the penalty provision 9-3.

“Los Angeles residents cannot be sure the city’s confidential or sensitive data will be secure,” said John M. Simpson, consumer advocate with Consumer Watchdog, “but at least they know there will be a penalty if security is compromised. It’s essential that this project be closely watched to ensure that Google keeps its promises. Google’s latest mantra, ‘Trust us, security matters’ is not a real guarantee of anything.” [As they say in California, “Well, DUH!” Bob]

Key to the plan for LA’s system is Google’s “Government Cloud,” an Internet-based system that is intended to serve Federal, State and Local governments. While the “Government Cloud” has been announced, it has not been completed. Google has said it plans to seek Federal Information Security Management Act (FISMA) certification for it, but it is unclear if, or when, such certification might happen.

“The right way to have done this is to have insisted that Google demonstrate the Government Cloud and its security and privacy measures before committing to use it,” said Simpson. “Would any of the Council members buy a car without test driving it? They’ve just voted to adopt a system that hasn’t even been built.” [Not uncommon. Bob]

The $7.25 million contract is actually with Computer Sciences Corp., which will manage the switchover to Google’s system. The Terms of Service agreement with Google is merely an appendix to the main contract, which may make it more difficult to hold Google responsible for any shortcomings in the system, Consumer Watchdog said.

Source: Consumer Watchdog



Another indication that this breach was huge. Eventually, the details will leak out.

http://www.databreaches.net/?p=8027

(Follow-up) Credit cards re-issued in Finland after data breach in Spain

October 28, 2009 by admin Filed under Breach Incidents, Financial Sector, Hack, ID Theft, Non-U.S.

A credit card security breach has been uncovered in Spain that may involve up to tens of thousands of Finnish bank and credit cards.

So far it is not known exactly how many Visa or Master Card accounts have been compromised because of the information breach. Where in Spain the hacking took place is also unclear.

In Finland, the news was first reported on Tuesday by the Finnish Broadcasting Company’s (YLE) main evening news bulletin.

According to Henry Kylänlahti, a Vice President at Luottokunta, a full-service card payment company that provides banks with card payment solutions, it is likely that the target of the hacking has been a Spanish firm in charge of card payment arrangements.

The large volume of the cards for which the information has ended up in the wrong hands indicates that the criminals have managed to gain access to payment processing data.

Read more on Helsingin Sanomat.



Should we emulate Canada?

http://www.pogowasright.org/?p=4807

Tough identity theft law passed

October 27, 2009 by Dissent Filed under Breaches, Legislation, Non-U.S.

The federal government has passed tough new legislation to give police and courts added powers to fight identity theft.

“This legislation … will better address identity theft and provide police with the tools they need to help stop these crimes before they are committed,” Justice Minister Rob Nicholson said in a statement released Tuesday in Ottawa.

Bill S-4 creates three new Criminal Code offences related to identity theft, including:

  • Obtaining and possessing identity information with the intent to use the information deceptively, dishonestly or fraudulently in the commission of a crime.

  • Trafficking in identity information, an offence that targets those who transfer or sell information to another person with knowledge of, or recklessness as to, the possible criminal use of the information.

  • Unlawfully possessing or trafficking in government-issued identity documents that contain the information of another person.

Read more on CBC News.



My Business Continuity students agree.

http://www.thetechherald.com/article.php/200944/4689/SMBs-lack-cybersecurity-practices-training-is-something-that-hardly-exists

SMBs lack cybersecurity practices - training is something that hardly exists

by Steve Ragan - Oct 27 2009, 20:15

A study released on Tuesday from the National Cyber Security Alliance (NCSA) and Symantec says that small businesses are simply unprepared when it comes to security policy and actions.

… Of those who took part, 65-percent said they store customer data, 43-percent reported storing financial data, 33-percent keep credit card data, and 20-percent store sensitive company information.

With those figures, it was a mystery when the majority of SMB owners said that the Internet was a critical business service, but they are doing little to actually protect all the stored information accessible to the Web.

… Only 28-percent of U.S. small businesses have formal Internet security policies and just 35-percent provide any training to employees about Internet safety and security. Yet at the same time, 86-percent of these firms said there isn’t anyone focused solely on IT security. Of the SMBs who said they offer security training, 63-percent actually offer less than five hours a year.

… The full survey is here.



Now do you believe there is a relationship between “social networks” and ubiquitous surveillance? (Note the name) “I've got friends and I need to know where they are at all times!” Clever app

http://news.cnet.com/8301-19882_3-10384727-250.html?part=rss&subj=news&tag=2547-1_3-0-20

Stalqer mobile social app finds friends in new ways

by Rafe Needleman October 27, 2009 9:00 PM PDT

The developers of the iPhone app GasBag, which helps iPhone users find the cheapest gas for their cars, are working on a new mobile friend locator service, Stalqer. This clever and aptly named service has two technologies that are unique, as far as I know, to help it get around two of the big problems found in other friend locators like Foursquare, Loopt, and Google's Latitude.


(Related) Also for my forensic students...

http://www.pogowasright.org/?p=4809

US-CERT warns about free BlackBerry spyware app

October 27, 2009 by Dissent Filed under Surveillance

Elinor Mills reports:

The U.S. Computer Emergency Readiness Team warned BlackBerry users on Tuesday about a new program called PhoneSnoop that allows someone to remotely eavesdrop on phone conversations.

The PhoneSnoop application must be installed on the phone by someone who has physical access to it or by tricking the user into downloading it, the CERT advisory said.

The author of the app, Sheran Gunasekera, director of security for Hermis Consulting in Jakarta, Indonesia, says it wasn’t written to do any actual harm, but rather to warn of the dangers that still exist with the BlackBerry.

The application can be used by anyone to spy on any BlackBerry user’s phone. However, Gunasekera says it is not hidden on the device after it’s installed, so users should be able to easily see it.

Read more on Cnet.

[From the article:

To aid BlackBerry users who asked him how they could protect themselves from being snooped on, he said he released on Tuesday another free tool called "Kisses" that will detect and display hidden programs on the device.

[Available here: Click here to download PhoneSnoop]



Cyber War: No need to attract attention to the Op, just have the technology ignore you!

http://tech.slashdot.org/story/09/10/28/1211228/Trojan-Kill-Switches-In-Military-Technology?from=rss

Trojan Kill Switches In Military Technology

Posted by Soulskill on Wednesday October 28, @08:46AM from the rockets-falling-out-of-the-sky dept.

Nrbelex writes

"The New York Times reports in this week's Science section that hardware and software trojan kill switches in military devices are an increasing concern, and may have already been used. 'A 2007 Israeli Air Force attack on a suspected, partly-constructed Syrian nuclear reactor led to speculation about why the Syrian air defense system did not respond to the Israeli aircraft. Accounts of the event initially indicated that sophisticated jamming technology was used to blind the radars. Last December, however, a report in an American technical publication, IEEE Spectrum, cited a European industry source in raising the possibility that the Israelis might have used a built-in kill switch to shut down the radars. Separately, an American semiconductor industry executive said in an interview that he had direct knowledge of the operation and that the technology for disabling the radars was supplied by Americans to the Israeli electronic intelligence agency, Unit 8200.'"



Eventually, we'll figure this out.

http://www.maclife.com/article/news/net_neutrality_and_you

Net Neutrality: Follow the Money

Posted 10/27/2009 at 3:47:14pm | by Michelle Delio

… There are good arguments to be made on both sides of the Net Neutrality argument, but those who are currently shaping the conversation have apparently decided not to simply present their business case to the general public. Thankfully no one has yet figured out a way to tie Net Neutrality to Protecting The Children, but tried and true concepts like “Freedom” and “Government Interference” and “Greedy Big Business” plus “Jobs” and “Innovation” are being flung about with great abandon.


(Related) For some years I have advocated a city owned corporation to do the infrastructure which can then be leased to competing providers. Strangely, they hate that idea too.

http://arstechnica.com/tech-policy/news/2009/10/want-50mbps-internet-in-your-town-threaten-to-roll-out-your-own.ars

Want 50Mbps Internet in your town? Threaten to roll out your own

ISPs may not act for years on local complaints about slow Internet—but when a town rolls out its own solution, it's amazing how fast the incumbents can deploy fiber, cut prices, and run to the legislature.

By Nate Anderson | Last updated October 27, 2009 9:40 PM CT



Because it's very important to ensure your automatic target recognition software is not easily hacked.

http://linux.slashdot.org/story/09/10/27/2115243/New-DoD-Memo-On-Open-Source-Software?from=rss

New DoD Memo On Open Source Software

Posted by kdawson on Tuesday October 27, @06:55PM from the rules-of-engagement dept.

dwheeler writes

"The US Department of Defense has just released a new official memo on open source software: 'Clarifying Guidance Regarding Open Source Software (OSS).' (The memo should be up shortly on this DoD site.) This memo is important for anyone who works with the DoD, including contractors, on software and systems that include software; it may influence many other organizations as well. The DoD had released a memo back in 2003, but 'misconceptions and misinterpretations... have hampered effective DoD use and development of OSS.' The new memo tries to counter those misconceptions and misinterpretations, and is very positive about OSS. In particular, it lists a number of potential advantages of OSS, and recommends that in certain cases the DoD release software as OSS."

[Available at: http://www.dwheeler.com/misc/DoD-OSS-memo-2009.pdf
