Posts Tagged ‘data’
Mydoom.m: search engines suffer along with users
Kaspersky Lab, a leading information security software developer, has detected Mydoom.m, a new version of I-Worm.Mydoom. This malicious program spreads via the Internet as an attachment to infected messages. However, this latest addition to the Mydoom family uses a unique propagation technique which caused several well known search engines – Google, Yahoo!, Lycos and AltaVista – to malfunction.

Mydoom.m is activated when a user opens an attachment to an infected message. The worm installs itself on the system and then propagates by scanning files on the victim machine. It sends a copy of itself to every email address it finds. It then sends search requests to Google, Yahoo!, Lycos and AltaVista, analyses the results it receives and sends itself to email addresses contained in those results. The large number of requests generated by machines infected with Mydoom.m led to disruptions in the service provided by these search engines.

Mydoom.m didn't only cause search engines to malfunction; its main malicious payload is a backdoor. Once the worm has penetrated the victim machine, it opens a port to receive remote commands. Virus writers will then have full control over the infected machine, and will be able to delete or modify
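The flood of search-engine requests described above is visible from the network side long before a search engine falls over. The following is an added example, not code from the original post or from Kaspersky: it reads constructed proxy log lines (hypothetical format: `timestamp src_ip host path`, assumed to be in chronological order) and flags any client that issues more than a threshold number of search queries to the listed engines within a sliding one-minute window. The engine list, query parameter names, window and threshold are all assumptions chosen for illustration.

```python
"""Flag hosts that hammer search engines the way Mydoom.m did.

Added example, not part of the original post. Log format, engine list,
window and threshold are assumptions for illustration.
"""
from collections import defaultdict, deque
from datetime import datetime
from urllib.parse import parse_qs, urlsplit

SEARCH_ENGINES = {
    "www.google.com", "search.yahoo.com", "search.lycos.com", "www.altavista.com",
}
QUERY_PARAMS = ("q", "p", "query")   # parameter names that carry a search term
WINDOW_SECONDS = 60
THRESHOLD = 20                        # queries per window before a host is flagged


def parse_line(line):
    """Hypothetical proxy line: '2004-07-26T10:00:00 10.0.0.5 www.google.com /search?q=x'."""
    ts, src, host, path = line.split(maxsplit=3)
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S"), src, host, path


def is_search_query(host, path):
    """True only for requests to a listed engine that actually carry a search term."""
    if host not in SEARCH_ENGINES:
        return False
    params = parse_qs(urlsplit(path).query)
    return any(name in params for name in QUERY_PARAMS)


def flag_query_floods(lines, window=WINDOW_SECONDS, threshold=THRESHOLD):
    """Return {src_ip: peak queries seen in any `window`-second span} for hosts
    whose peak exceeds `threshold`. Lines must be in chronological order."""
    recent = defaultdict(deque)   # per-host timestamps inside the current window
    peak = defaultdict(int)
    for line in lines:
        ts, src, host, path = parse_line(line)
        if not is_search_query(host, path):
            continue
        q = recent[src]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window:
            q.popleft()
        peak[src] = max(peak[src], len(q))
    return {src: n for src, n in peak.items() if n > threshold}


def constructed_log():
    """Constructed sample: 10.0.0.5 behaves like an infected host, querying one
    harvested domain after another; 10.0.0.9 is an ordinary user."""
    engines = sorted(SEARCH_ENGINES)
    lines = [
        "2004-07-26T10:00:%02d 10.0.0.5 %s /search?q=example%d.com" % (i * 2, engines[i % 4], i)
        for i in range(25)
    ]
    lines += [
        "2004-07-26T10:00:05 10.0.0.9 www.google.com /search?q=lunch+menu",
        "2004-07-26T10:03:10 10.0.0.9 search.yahoo.com /search?p=weather",
        "2004-07-26T10:09:00 10.0.0.9 www.google.com /images/logo.png",
    ]
    return sorted(lines)   # ISO timestamps sort chronologically


if __name__ == "__main__":
    for src, n in flag_query_floods(constructed_log()).items():
        print("%s: %d search queries in %ds" % (src, n, WINDOW_SECONDS))
```

The sliding window is what matters here: a total count per day would be swamped by legitimate browsing, while a burst of dozens of distinct-domain queries inside a minute from one workstation is the signature of a harvester, not a person.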
Go here to read the rest:
Mydoom.m: search engines suffer along with users
EU – data breaches to be reported within 24 hours
In an escalation of the trend toward requiring companies to be forthright with their users after a breach, a proposed European Union bill intended to overhaul a 17-year-old law is making progress. This week the EU will outline the overhaul of the existing rules, aiming to speed notification of the affected parties after a breach.
According to Justice Commissioner Viviane Reding, “Companies that suffer a data leak must inform the data protection authorities and the individuals concerned, and they must do so without undue delay,” and she hopes breach notifications will occur within 24 hours. The new bill is also expected to bring increased sanctions for reporting delays, though exact details remain to be sorted out over the next week.
The U.S. has a patchwork of notification laws that vary state by state, with some states, such as Massachusetts, taking a very strong stance. Expect other states to beef up their reporting requirements in the near future in response to pressure from consumers and lawmakers alike.
In the meantime, it’s a good exercise to plan for data breach drills at your organization. Internally it will help highlight potential weak links in the security chain long before potentially being trotted out to the press and customers as an uncomfortable spectacle. If you set aside a certain evening to run a drill every 6 months or so you’ll be far more prepared than your competition, and will have a much higher chance of staying out of the headlines altogether for data breaches. Setting aside a couple nights a year for your staff will cost far less than the cheapest data breach recovery, so it’s money well spent. It will also help both your organization and its customers sleep more soundly at night, knowing the steps you are taking to protect both groups.
View post:
EU – data breaches to be reported within 24 hours
What’s Your Medical Data Worth? More Than You Think
Two weeks ago, I discussed the difficulties of obtaining relevant data regarding medical identity theft.
I started my research in this field after I read some old stories on the Internet:
- Lind Weaver refused to pay hospital bills she received for the amputation of her right foot. It was in 2006, but the story still makes the headlines in 2011.
- Joe Ryan got a bill from a Denver, Colorado, hospital for a surgery. It was in 2004, but everybody talks about it today.
- The Virginia Prescription Monitoring Program welcome page was replaced in April 2009, with a US$10 million ransom demand.
- The Indian police arrested, in November 2009, the director of a business process outsourcing company for his involvement in stealing medical history data of a UK-based entity.
New Year’s resolutions for your new tablet
Okay, you got the wrapping paper off the new tablet hotness, fired it up and now cannot put it down. But what should you be doing in the New Year to properly feed, protect, and care for your newly found addiction? Well here are some of the basics – things that are easy to do now and may prevent a lot of pain later.
#1: Install the latest updates: As my colleague Aryeh Goretsky pointed out on a recent podcast, due to the supply chain behind the scenes, your “new” tablet was manufactured months ago and has taken a long rambling journey to reach the place where it was purchased. This means you’ll probably need to install patches and updates, even if it’s brand new to you. Be sure to patch using the native update utility for the device, but also pay attention to software like Java and Flash, which provide their own update path, outside of the regular operating system updates. Java has been the target of recent exploits because it tends to be placed on the back burner update-wise, and those exploits have bitten many users.
#2: Protect it from loss: Tablets are mobile by definition, so keep in mind it’s very easy for thieves to swipe them at a moment’s notice if they’re left sitting in the top of a bag or on a table at a coffee shop while you pick up your latte. Tablets are likely to be a popular target for turning into quick cash through resale on the Internet or other channels. At the same time they can hold lots of personal data that you’d rather not share with others. So you might want to look into the various tracking options using the 3G and/or GPS features found on many tablets, enabling a remote locking and/or “phone home” setup that lets you freeze a thief out of the device and possibly help locate it so you can get it back.
#3: Automate your backups: The last thing you want after spending a half year collecting e-books, addresses, documents and music, is to have to start over. Many tablet offerings have a cloud-based backup that can be scheduled so you don’t have to think of it, it just happens. This is a convenient way to go – if you trust the cloud as a place to store your personal data. For those who want something more private, there are apps for automating backups over your home network to a hard drive you can see, touch, and securely store. You may even be able to back up your data to a Micro SDHC card in the tablet (be sure to remove and store it in a safe location when done with your backup, though). Backups are like eating veggies, we all know we should do more, but it may not be the most exciting thing to think about. Just find something that works for you. It doesn’t have to be perfect, but if it safely protects your data without you thinking about it much, you’ll be very, very thankful later if something bad happens.
#4: Think before you install: With the bewildering number of apps available for modern tablets, the tendency to flood your tablet with apps can be seductive. Don’t give in. We all remember the first computer we owned, where we installed everything, clicked on everything, and then had to re-format and start over a few months later as things slowed to a crawl. Less is more on your tablets. Also, keep in mind your tablet has much of the full operating system power and sophistication of the average computer a few years ago. That means scammers are eyeing the tablets for all sorts of nasty schemes. The more apps you have, the more potential for holes that allow intruders access. Just be careful. Also, install from the official app source for your tablet and resist the urge to install from third-party websites that tend to be patrolled less rigorously for rogue applications.
#5: Social Networking: If you use your tablet for social networking or email it won't be long before the device contains a lot of valuable credentials. To prevent someone abusing those credentials, some networks, such as Facebook, provide a system for notifying you if someone tries to access your account from an unrecognized device. It makes sense to enable this type of feature and in Facebook you do so via your Account Settings, choosing Security, then clicking on Login Approvals. Check where it says: “Require me to enter a security code each time an unrecognized computer or device tries to access my account.” Also enable Login Notifications. Now you will get the chance to register each of your computers or mobile devices with Facebook the first time you connect from them. You register them using a code that Facebook sends via SMS to your cell phone. You can deregister devices whenever you like and check on which devices are logged into Facebook at any time.
#6: Security software: As noted above in #4, there is a small but growing amount of malicious software for tablets. Some tablet vendors screen software for malicious behavior before allowing it into their stores, while others allow you to install software directly. Even for the former, it is always possible that a malicious app will slip through the screening process. Many antimalware vendors, including ESET, now offer versions of their security software which run on tablet operating systems like Google Android.
Follow these steps and you’ll have far less to worry about in the future as you invest time and effort putting content on your tablet device. Adopting sensible practices right away will give you peace-of-mind using your tablet now, and help you stay safe online for a long time to come.

See the original post here:
New Year’s resolutions for your new tablet
Chaos Congress Peers Into Mobile Security, Protocols
I heard a number of interesting mobile-related talks at the 28th Chaos Communications Congress (28c3) this week. Not every talk at the Congress was about newly discovered bugs or zero-day exploits; sometimes we got the building blocks necessary to better understand systems and increase security. I enjoyed key presentations on reverse-engineering USB 3G data sticks and the internals of 2G and 3G mobile data protocols.
Reverse-engineering a Qualcomm baseband
In his talk on reverse-engineering a popular 3G USB data stick, Guillaume Delugré acknowledged researcher Ralf-Philipp Weinmann’s work from last year.
The USB stick runs a proprietary OS named REX. Delugré reverse-engineered a diagnostic mode used by Qualcomm engineers. Although some work has been done on documenting and using the diagnostics interface (the ModemManager project), he developed more detailed specifications.
Cellular protocol stacks for Internet
Harald Welte, a lead developer of the Openmoko project and a Linux kernel developer, gave a good breakdown of various mobile data protocols. Cellular voice communication on GSM has gotten a lot of coverage over the years, but outside of the mobile industry there has been little to no information on how the data protocols function.
The talk covered the layout of a number of the mobile data protocols, including the latest 3G protocols.
Perhaps in the next year we will see more development in the exploitation and security of mobile devices.

See the rest here:
Chaos Congress Peers Into Mobile Security, Protocols
What would a credit card breach cost your company?
We’ve noted recently that many companies store credit card information in an unencrypted form, sometimes several years' worth. So what happens if your systems get hacked before you get around to securing that credit card data? Sure, there’s the embarrassment of telling your customers their data has been exposed–a legal requirement in more than 40 states–but what about the hit to the bottom line, the cost in dollars and cents (or euros or pounds, etc.)?
Small businesses increasingly conduct payment card transactions online, a trend that will grow in the coming year. Also, many small businesses don’t have access to trained staff which might have more sophistication regarding securing a payment system, a fact that hasn’t escaped the scammers’ attention. Attacks on larger organizations are much more likely to be met with sophisticated defenses, but small and medium sized organizations simply may not have the budget for a dedicated security specialist, or specialized security equipment to guard against a breach.
But if they can’t afford the dedicated staff or specialized equipment, they can hardly afford the expense of a breach either. So if it happened to your company, what would it cost? Tracy Reed, of Copilotco, was asked to tell a company just that. Although some of Reed's data points are in 2009 dollars, inflation isn’t your friend. Whatever the 2011 numbers are, this dataset is a sobering picture of just how much a breach might cost.
“According to Gartner the average loss to the customer is $939 per credit card,” says Reed, “So if your company has transacted roughly 65,000 cards, half of which would theoretically still be current and valid at the time of a breach, the reimbursement costs of the fraudulent charges to the cards alone would be $15,258,750.” Reed adds, “The card companies further charge to replace compromised credit cards.” Costs to a merchant can be as much as $50 per card. The banks themselves have a card replacement cost that ranges from $2 to $5 per card. Reed put the merchant cost in this scenario at $812,500.
After the notifications, charge-offs, and card replacement comes a security audit. About this Reed says, “The card companies will require a forensic audit of the systems to determine how the compromise happened. According to Security Metrics, the cost of a forensic audit starts at $50,000.” Rounding out the audit costs, he continues, “After an intrusion a company is then classified as a Level 1 merchant and is subject to the strongest security and audit procedures. This means an annual on-site audit which will typically cost $100,000.”
And then there are the fines. Tracy says, “Major payment brands can impose fines as a result of the data exposure. Fines can be as high as $500,000. Non-compliance is a major determining point whether fines will be imposed.”
All told, that’s a bill of $16,471,250. Let’s say he’s only half right; your expenses would “only” be the cost of a nicely equipped mid-size business jet and all the entertainment for your staff after you fly them to Cancun in style. You could probably pay for the ride home too, along with all the umbrella drinks for the week.
We haven’t yet spoken about the brand damage. A while back I read that Sony’s data breach costs topped $171 million and were still rising. Let’s just say it would cost your company dearly. Now, what would it cost you to protect your systems? A few extra developer hours? Maybe some System Administrator time? That suddenly seems very cheap, and your customers would agree. That sort of thing would make everyone happier, and a lot less stressed in the new year, though you still may have to spring for staff bonuses to get everyone to Cancun. But you can make them pay for the drinks.
Follow this link:
What would a credit card breach cost your company?
Facebook credit score?
We recently noted that the data broker industry, in conjunction with social media outlets will become increasingly relied upon as a kind of shadow credit score for judging candidates’ qualifications. Now we see a startup that uses your Facebook profile directly to determine a “credit score” used for microloans.
We hear horror stories of lost employment (or simply not being selected) because of content on social media sites. Now Lenddo, a Hong Kong based startup, is betting money on it.
To determine a prospective applicant’s suitability for a loan, the applicant must submit logins to three services, starting with Facebook and continuing with others such as Twitter, Gmail, Yahoo and Windows Live.
Then Lenddo generates a score based on information gathered, which is then used to determine if you get the loan. What determines the score? Part of that is the “secret sauce”, so details are a bit sketchy, but CEO Jeff Stewart says it is heavily weighted by the information they can gather about the friends you have listed on the qualifying sites. On their website it says, “Lenddo enables you to score your social graph and compare it to your peers. The Lenddo score is a living, breathing score that YOU have control over; you have the ability to increase your score and open yourself up to new opportunities, such as a personal loan, personalized discounts, or other financial products.”
“Social graph” is an interesting term. This is the kind of shadow social media capital we opined would start accruing, and will become more accurate and telling as the data silos about you become more robust over time. Data mining efforts like this will start to move more and more to the mainstream as more of a standard measurement, and more businesses may bet on the data.
This trend also increases the importance of both website security, and your own personal data security management to avoid getting scammed and costing you personally in multiple ways.
They say you’re known by the company you keep. Now that may mean more than you bargained for. If you haven’t locked down your social media profiles, the holiday season downtime might be a good time to take a look. After all, the solidity (and selectivity) of your e-profile will increasingly have a direct effect on how you live, maybe even one day when you try to get a loan. Before you go out and add the Forbes 400 to your friend list, note that this venture is only serving the Philippines market currently. But quantifying social media capital and using it for financial determinations seems like a strong bet for the future. This might be just the tip of the iceberg.
Read more:
Facebook credit score?
Kaspersky Mobile Security Lite Now Available for Free on Android Market
Your smartphone is as likely to be lost or stolen as your wallet, bank cards or house keys – and that means the data on your phone could fall into the wrong hands
Excerpt from:
Kaspersky Mobile Security Lite Now Available for Free on Android Market
Delivery Failure Revisited: Win32/TrojanDownloader.Agent.QXN returns
The Trojan downloader malware Win32/TrojanDownloader.Agent.QXN that showed up in my email about 10 days ago made a return visit today, posing as a pair of emails from the United States Postal Service. The first time the malware showed up it was dressed up as a package delivery receipt from Canada Post. But this time the presentation was fairly unimaginative, as you can see here.
The message is in plain text from an email address that does not resemble a USPS address. The text is not full of typos but it lacks logic and it is, at least to my ears, strangely worded (can you recall any USPS documents that employ the phrase “the recipient's address is erroneous?”).
Furthermore, the malware delivery mechanism here is fairly primitive. There is a zip file attached to the email and this contains an executable that the intended victim must therefore extract and run to get infected.
The faked Canada Post delivery mechanism was a plausible URL that triggered a file download. The Trojan itself was presented as a somewhat obscure file type with the extension .PIF, not the more obvious .EXE extension used in this case. The .PIF extension offers the added benefit of being easily confused with .PDF by novice users.
Of course, even an unsophisticated malware delivery system still means that some recipients of this email will execute the Trojan code and open up a back door on their systems, one that may lead to all their data and a whole lot more. Fortunately, this particular piece of malware is widely recognized by antimalware programs. In fact, it is unlikely to make it as far as your in-basket if you are using Gmail or a major ISP. Nevertheless, the fact that this showed up twice in one day in my in-basket serves as a reminder to be vigilant at this time of the year, a time when package delivery is on the minds of many.
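The two delivery mechanisms described above (an executable inside a zip attachment, and a bare .PIF file that novices mistake for a .PDF) are exactly what a mail-gateway attachment check should catch. The following is an added example, not code from the original post or from any vendor: it inspects an attachment by name and by content, looks inside zip archives, and flags executable extensions, decoy double extensions such as `receipt.pdf.exe`, PE (`MZ`) headers behind innocuous names, and zip entries it cannot scan because they are encrypted. The extension lists and the three sample attachments are constructed for illustration.

```python
"""Flag mail attachments that carry executables, including inside zips.

Added example, not part of the original post. The extension lists and the
sample attachments are constructed for illustration.
"""
import io
import zipfile

EXECUTABLE_EXTENSIONS = {".exe", ".pif", ".scr", ".com", ".bat", ".cmd", ".vbs", ".js"}
DECOY_EXTENSIONS = {".pdf", ".doc", ".txt", ".jpg"}   # the "real" type in a double extension
PE_MAGIC = b"MZ"                                        # first two bytes of a Windows executable


def risky_name(filename):
    """Return why a file name is suspicious, or None.

    Catches plain executable types (.exe, .pif, .scr ...) and decoy double
    extensions such as 'receipt.pdf.exe'. Path components are ignored so a
    zip entry like 'docs/receipt.pdf.exe' is judged on its base name.
    """
    base = filename.lower().replace("\\", "/").rsplit("/", 1)[-1]
    parts = base.split(".")
    if len(parts) < 2:
        return None
    ext = "." + parts[-1]
    if ext not in EXECUTABLE_EXTENSIONS:
        return None
    if len(parts) >= 3 and "." + parts[-2] in DECOY_EXTENSIONS:
        return "double extension (%s%s)" % ("." + parts[-2], ext)
    return "executable (%s)" % ext


def inspect_attachment(filename, data):
    """Return a list of findings for one attachment; an empty list means nothing flagged."""
    findings = []
    reason = risky_name(filename)
    if reason:
        findings.append("%s: %s" % (filename, reason))
    elif data[:2] == PE_MAGIC:
        # Executable content hiding behind a harmless-looking name.
        findings.append("%s: PE header but non-executable name" % filename)
    if zipfile.is_zipfile(io.BytesIO(data)):
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                if info.is_dir():
                    continue
                inner = risky_name(info.filename)
                if inner:
                    findings.append("%s -> %s: %s" % (filename, info.filename, inner))
                if info.flag_bits & 0x1:
                    # Encrypted entry: content cannot be scanned, which is itself a finding.
                    findings.append("%s -> %s: encrypted entry" % (filename, info.filename))
                    continue
                with zf.open(info) as fh:
                    head = fh.read(2)
                if head == PE_MAGIC and not inner:
                    findings.append("%s -> %s: PE header but non-executable name"
                                    % (filename, info.filename))
    return findings


def constructed_samples():
    """Three in-memory attachments: a zip wrapping an .exe (the USPS lure), a bare
    .PIF (the Canada Post lure), and a genuine-looking PDF that should pass."""
    fake_pe = PE_MAGIC + b"\x90" * 62
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("USPS_Delivery_Notice.exe", fake_pe)
    return {
        "USPS_Delivery_Notice.zip": buf.getvalue(),
        "CanadaPost_Receipt.pif": fake_pe,
        "invoice.pdf": b"%PDF-1.4\n%constructed sample\n",
    }


def scan_samples():
    """Run the check over the constructed attachments and return findings per name."""
    return {name: inspect_attachment(name, data) for name, data in constructed_samples().items()}


if __name__ == "__main__":
    for name, found in scan_samples().items():
        print(name, "->", found or "clean")
```

Checking the `MZ` header as well as the name matters because the name is the attacker's choice; checking names inside the archive matters because, as the post notes, the zip is only a wrapper the victim is expected to unpack and run.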
Facebook/app data privacy – sharing gone wild
So you browse your favorite restaurant review site and settle on a great Mediterranean restaurant, and “magically” a variety of preferences get fed back to your Facebook profile, to be shared, re-shared and re-shared, ricocheting around the internet to form purportedly value-added experiences elsewhere you visit. That’s great news if you want your preferences bounced around, giving websites and apps information that could possibly provide a more personalized experience wherever you visit. It’s also bad news if you are trying to contain the maddeningly automatic sprawl of Personally Identifiable Information (PII) and preferences, all at the speed of light.
There is a macro trend flooding the interwebs that almost EXPECTS users’ information to be fed and cross-fed elsewhere online. When I signed up on pinterest.com, it expected (and indeed required) me to provide Facebook or Twitter logins, so the ooze of my information back and forth begins, in order to give me customized output based on it.
This “frictionless sharing” can make it devilishly difficult to control personal privacy sprawl. I have a friend who – a few years back – determined to keep his own identity completely off of the internet. This included no pictures, signing up for mandatory online services using aliases, etc. It was simpler then. Moving forward, my friend will have quite a time as more and more online services move to login schemes where users have to provide things like passwords along with – you guessed it – Facebook/Twitter logins (a federated login, not a true second factor), which are then linked to everything else.
Aside from the obvious parallel of my friend feeling like he’s being forced to sign up for the Matrix, mostly to volunteer to be invaded by curiously personal floods of advertising, should he have a right to keep his own private life pretty much to himself?
Advertisers, on the other hand, are creatively looking for ways to get in front of more targeted eyeballs than just wide-net venues like traditional TV. One of those ways is invading the app world and embedding revenue models into things people are already doing, and monetizing the data. Your data. Well, sort of; really more like a snapshot of someone just like you, aggregated and sold as a pile of targeted data. My friend would argue that doesn’t seem very anonymous in the traditional sense. And he wouldn’t be alone.
For those who value their own privacy, it’s a tough road ahead. Someone remarked that we are seeing the end of the age of privacy, but at what price? Those who have had experiences with personal information spreading wildly out across the internet to those they don’t know, ala racy tropical vacation pictures involving margaritas and double-dares, know the pain incurred and subsequent reputation damage that can happen firsthand. But what can you do once your data is out there besides change your identity, and possibly lay off the margaritas? Good question, and one that lots of folks will wrestle with as the app sprawl goes wild, taking your information with it, and then trying to get it back.
My colleague Stephen Cobb points out an article showing how a single breached Facebook account became a potential leverage point for scams aimed at the myriad friends that account owner had. This highlights that your security/privacy is only as strong as its weakest link, which might be a close friend who’s not particularly interested in either privacy or security – until they get burned, and then you do too.
See more here:
Facebook/app data privacy – sharing gone wild