Security roundup: Privacy ground war; malware taunts; Massachusetts data loss stink; is SIEM dead?

What happens to your personal data if a company goes bankrupt? Just one hot-button security issue for week ending Sept. 23

Personal privacy or the growing lack thereof was one of the hot security buttons this week.

First we had the privacy stink that erupted over Borders bankruptcy dealings.

Borders bookstore collected a ton of consumer information -- such as personal data including records of particular book and video sales -- during its normal course of business. Such personal information Borders promised never to share without consumer consent. But now that the company is being sold off as part of its bankruptcy filing, all privacy promises are off.

IN THE NEWS: 8 surprising hunks of space gear that returned to Earth

Reuters wrote this week that Barnes & Noble, which paid almost $14 million for Borders' intellectual assets including customer information at auction last week, said it should not have to comply with certain customer privacy standards recommended by a third-party ombudsman. In court papers, Barnes & Noble said that its own privacy standards are sufficient to protect the privacy of customers whose information it won during the auction.

At the heart of Barnes & Noble's disagreement is the court appointed Consumer Privacy Ombudsman Michael St. Patrick Baxter of the Washington, D.C., law firm Covington & Burling's requirement that any use of Borders consumer information would require consent.

From Reuters: "Barnes & Noble rejected the consent requirement as 'completely unrealistic.' The retailer proposed narrowing the recommendations to allow it to use its own privacy policy to govern the customers, which it said provides as much protection as Borders' policy, if not more."

The Federal Trade Commission has weighed in on the matter, saying in a letter to St. Patrick Baxter's office that recommended that any transfer of personal information in connection with a bankruptcy sale take place only with consent of Border's customers or with significant restrictions on the transfer and use of the information.

The argument will be played out outside court in all likelihood.

Meanwhile, Network World's Scott Bradner writes that in November 2009 the European Parliament approved a directive on Internet privacy that, among other things, required user opt-in before websites could install cookies on the user's computer.

In theory, any U.S. company running a website that may be used by any citizen of any European Union country would have to follow the rules or risk being brought up on charges by an EU country.

Over the past two years many European Union member states have passed legislation implementing the directive, but the specific requirement for cookie opt-in has remained confusing. The Justice Department of the European Commission has been trying to figure out just what might constitute opt-in in the context of the directive. The primary group working on the issue has been the Article 29 Working Party.

That group's members recently met with European advertisers who would like to use more of an opt-out approach by maintaining that users who agree to visit a website are, by their action, opting in to the website's practices. The Working Party seems to disagree and wants instead a clear opt-in process.

This could be more than a little disruptive if implemented: Imagine a pop-up window asking if it is OK to store a cookie for each of the sites that wanted to put a cookie on your machine when you went to one website. For example, nine different companies store cookies on your computer when you connect to The New York Times homepage, the same number as do for the Network World homepage.

The U.S. has mostly met the requirements of the EU privacy rules by implementing the Safe Harbor framework. U.S. companies can self-certify that they meet the EU rules when dealing with EU customers (but do not need to provide similar protections for U.S. customers). Some 3,000 companies have self-certified, but many have not kept up-to-date on the certification. The frameworks will need to be updated when the cookie rules have been finalized. In any case, the Safe Harbor is a good way to cover your butt if you are doing business in Europe or with European customers.

One thing that the Safe Harbor makes clear is that the U.S. does not have any meaningful privacy protection laws when it comes to the data that Internet companies collect about all of us. The Federal Trade Commission has been looking into the issue and has asked for responses to a bunch of questions in this field.

Speaking of the FTC, the agency this week said it will hold a workshop that examines how burgeoning use of facial recognition technology impacts privacy and security.

From the FTC: "Facial recognition technology has been adopted in a variety of new contexts, ranging from online social networks to digital signs and mobile apps. Its increased use has raised a variety of privacy concerns. The FTC workshop will gather consumer protection organizations, academics, business and industry representatives, privacy professionals, and others to examine the use of facial recognition technology and related privacy and security concerns."

The workshop will take place in Washington, D.C., on Dec. 8 is free and open to the public.

Use of face recognition technology is growing fast. One of its biggest pushes could come in the form of Microsoft's Windows 8. Network World recently wrote that the software giant is building facial recognition technology into Windows 8, offering a more secure way to access your computer. And this month the U.K.'s largest airport, Heathrow, will install facial recognition scanners for international and domestic passengers to prevent illegal immigration in the country.

What else was hot in security this week? Read on:

Open this malware or I'll sue you

The latest social engineering trick to get victims to open malicious email attachments accuses them of being spammers and threatens to sue them if they don't stop. It's all in an attempt to get targets to open up the .zip attachment by telling them it contains evidence of their spamming. Actually it's an .exe file that infects the machine but displays like a document, according to the Websense Security Labs Blog.

The attachment installs a downloader Trojan that copies itself to the system path so it executes when the system boots up. It connects to remote servers to download specific exploit files. The blog says the current attacks could contain other variants of the Trojan as attachments. The new attack cropped up Monday in WebSense's ThreatSeeker network that gathers data about malicious email campaigns. The emails are dressed up to look like they come from real businesses that is upset because the recipient has been spamming them. "The emails even formally claims that legal action will be taken because of the spam you have sent," says the blog.

The blog includes an image containing the text of one such email: "Hello. Your email is sending spam messages! If you don't stop sending spam, we will be impelled to sue you! We've attached a scanned copy of the document assembled by our security service to this letter. Please carefully read through the document and stop sending spam messages. This is the final warning

1 in 3 in Massachusetts had personal data compromised

Personal information on about a third of Massachusetts residents has been compromised, according to the state's attorney general, citing statistics gleaned from the tough data breach reporting law there. About 2.1 million of the state's roughly 6.6 million residents had some form of personal data put at risk in 1,166 reported theft incidents, says Attorney General Martha Coakley, according to a report in the Boston Globe. She was citing numbers gathered from the start of 2010 through this August.

She says she is reviewing the stats to see whether the law, which imposes heavy fines for noncompliance by entities entrusted with this data, is cutting back on breaches that lead to compromises.

The AG says a combination of hacking, errors by employees and a growing body of personal data that is stored electronically by businesses will put that data at more risk over time. "This is going to be an increasing target," she says. The largest breach in the time period Coakley is reviewing involved information on about 800,000 people that was lost by a vendor hired to destroy it. Even information on 210,000 residents entrusted to a state agency was put at risk.

The types of data covered by the law include credit card and bank account numbers, Social Security numbers and medical records. Massachusetts' reporting law is considered one of the toughest in the nation. The state is also the home of TJX, whose loss of millions of credit card numbers was notable for its scale and is still one of the largest ever.

Bigger isn't better when it comes to social engineering attacks

When it comes to social engineering attacks, larger companies attract more of them, and when they are victimized it costs more per incident, according to a survey sponsored by Check Point. The result comes from "The Risk of Social Engineering on Information Security," a poll conducted by Dimensional Research, which surveyed 853 IT professionals from the U.S., U.K., Canada, Australia, New Zealand and Germany.

Of the entire group 322 say they were victims of social engineering attacks and they tracked how often they occurred. The companies with 5,000 or more employees were hit the most, with 48% saying they suffered 25 or more attacks. When size was not taken into consideration, just 32% reported 25 or more attacks.

SIEM: Dead or alive?

Is SIEM dead? That depends on who is taking its pulse. The press release this past week from eIQnetworks reads a bit like an obituary for Security Information and Event Management. According to a recent survey the company conducted with senior security professionals at Global 5000 and federal organizations, SIEM has joined signature-based technologies on the ash heap of IT history.

"The SIEM approach of relying entirely on logs and other event-based information to effectively address modern enterprise threats is now dead," said John Linkous, eIQ vice-president and chief security and compliance officer.

Instead, Linkous said, an eIQ product called SecureVue delivers "a true unified situational awareness platform that delivers comprehensive security intelligence and provides the real-time information that defenders need to identify, prioritize and respond to modern security threats."

Follow Michael Cooney on Twitter: nwwlayer8


Copyright © 2011 IDG Communications, Inc.

The 10 most powerful companies in enterprise networking 2022