The Week’s Links: May 5 - May 9, 2008

May 9th, 2008 by Stacy Shelley

A weekly feature highlighting news stories, reports and editorials of interest to IT and security managers. Also see stories featuring SecureWorks staff or research, press releases, and research.

ISC: Industrial Control Systems Vulnerability

Dark Reading: Hackers in the House

SC Magazine: “Byzantine” botnet uses military, education servers for spam

Search Security: Media file malware outbreak plagues file-sharing services

USA Today: Identity thieves prey on patients’ medical records

The Week’s Links: April 28 - May 2, 2008

May 5th, 2008 by Stacy Shelley

Dark Reading: Supermarket ATM/Card Reader Rigged With Illicit Scanner

Security Focus: German intel agency blasted for cyber espionage

Wired.com: Hackers Assault Epilepsy Patients via Computer

SC Magazine: Hacker denies using tool to break into Dish Network Security

CIO.com: Colorado Penny Stock Spammer Gets Jail Time

The Week’s Links: April 21 - April 25, 2008

April 25th, 2008 by Stacy Shelley

Washington Post: Obama Site Visitors Redirected to Clinton Campaign

Securosis: It’s About The Fraud, Not The Breaches

Carnegie Mellon: Automatic Patch-Based Exploit Generation

Wall Street Journal: Security is No Match for Chocolate and Good Looking Women

Dark Reading: Companies May Be Held Liable for Deals With Terrorists, ID Thieves

The Week’s Links: April 14 - April 18, 2008

April 18th, 2008 by Yushau Sodiq

Computer World: Payment industry receives first version of application security standard

SC Magazine: One-third of breach victims walk away from company, survey

eWeek: PayPal Plans to Ban Unsafe Browsers

Rational Security: The Four Horsemen of the Virtualization Security Apocalypse

Computer World: Chinese hackers poised for anti-CNN attack over the weekend

Yahoo News: Report: NYC Freedom Tower plans found in trash

Ars Technica: Verizon cell customers last to know when their data pinched

The Week’s Links: April 7 - April 11, 2008

April 11th, 2008 by Stacy Shelley

SearchSecurity: Next version of PCI DSS due in September

PC World: Internet Fraud Dupes Men More Often Than Women

InformationWeek: The Cybercrime Economy

BusinessWeek: The New E-spionage Threat

Wired - Threat Level Blog: Security Expert Gives Intruders a Taste of Their Own Medicine

The Week’s Links: March 31 - April 4, 2008

April 4th, 2008 by Stacy Shelley

Internet Crime Complaint Center (IC3): Reported Dollar Loss From Internet Crime Reaches All Time High

eWeek: Web 2.0 Security Hangover

PC World: Sites’ Personal Questions May Pose Security Risk

IT Security News: The Top 10 Security Events of 2008

Tech News World: Botnet Survivor: Outwit, Outplay, Outlast Bot Herders at Their Own Game

The Week’s Links: March 24 - March 28, 2008

March 28th, 2008 by Stacy Shelley

BBC: China’s battle to police the web

IRS: IRS Warns of New E-Mail and Telephone Scams Using the IRS Name; Advance Payment Scams Starting

Popsci: Computer Viruses: Now, Pre-Installed!

eWeek: Security Research on Tap With New Track at RSA Conference

SC Magazine: FTC plans anti-phishing roundtable

PCI coverage roundup

March 24th, 2008 by Matt Anthony

A major data breach was announced this week, with the Hannaford Brothers grocery chain disclosing a large loss of protected credit card information. Details are sketchy and in some cases conflicting, but the discussion online has raised some interesting questions about PCI. Rich Mogull, former Gartner security analyst and blogger at securosis.com, takes a look at what might have happened and asks whether PCI is worthless. Both discussions are worth checking out: the first as an exploration of the actual breach and whether PCI helped, the second as a more in-depth look at whether PCI is improving things or just consuming resources. Avivah Litan and John Pescatore at Gartner have also weighed in with implications for enterprises.

I also talked to Ted Keniston, one of our Professional Services compliance gurus and a PCI Qualified Security Assessor (QSA). He recommended a few recent blog postings and sites to check out when keeping up with the regs:

PCI Blog - Compliance Demystified, as the leading reference site.

These three postings at PCI DSS News and Information cover these ten PCI myths:

10. PCI only applies to my e-commerce transactions.
9. Non-profits like charities are exempt from PCI.
8. Outsourcing my card processing makes me PCI compliant.
7. I use a PABP application/service provider, so I’m PCI compliant.
6. A card association would never fine a college or university!
5. PCI compliance is an IT project.
4. PCI is inflexible with unreasonable technical, security, and business requirements.
3. PCI requires me to hire a QSA.
2. The card industry requires me to keep cardholder data.
1. I’ve completed my Self-Assessment Questionnaire, so I’m compliant.

The Week’s Links: March 17 - March 21, 2008

March 21st, 2008 by Stacy Shelley

USA Today: Botnet scams are exploding

Bank Info Security: Anti-Money Laundering Update: Did The System Work in the Spitzer Case? (requires registration)

SC Magazine: Experts try to make sense of Hannaford data breach

NetworkWorld: International cyber-cop unit girds for uphill battles

Ars Technica: Ongoing IFrame attack proving difficult to kill

ValueClick & the FTC: Have You Checked Your Privacy Policy Lately?

March 20th, 2008 by Jeff Rosenberg, Vice President and General Counsel

The Federal Trade Commission settled its lawsuit with ValueClick and in doing so, smacked ValueClick upside the proverbial head by imposing some heavy fines for spamming activities. Of particular interest is the part of the final settlement agreement that makes it clear that ValueClick violated its own privacy policy in a number of ways.

ValueClick’s privacy policy promised encryption of client data and the implementation of reasonable security measures. From reading the settlement agreement together with the original complaint, it appears that ValueClick was found to have failed on both counts: it did not encrypt the data, and it did not provide what was deemed “reasonable security,” specifically because it failed to fix vulnerabilities that allowed SQL injection attacks.

ValueClick’s failure on the security issues seems fairly straightforward, but the encryption issue merits a little more discussion. Encryption is a specific security precaution that may or may not have made sense in light of the company’s risk profile. In fact, ValueClick may have protected the data in another way that was perfectly adequate from a security perspective. But even if the company properly concluded that encryption was not necessary to protect client data, no one went back to change the privacy policy.

Let’s be honest, website privacy policies are often crafted by webmasters, and frequently they are “borrowing” language from another website to generate the content. However, the FTC has repeatedly stated that the commission views these policy statements as binding contracts or commitments by the recipient of data to its website visitors. The ValueClick case is not the first, nor will it be the last, such enforcement action that the FTC brings in this area. (For a listing of the other cases and settlements, go to http://www.ftc.gov/privacy/privacyinitiatives/promises_enf.html)

The ValueClick settlement is a reminder that privacy policies need to be coordinated with the company’s information security program. If you don’t coordinate them, you run the risk of promising clients or visitors security assurances that may or may not be part of the security program you have actually implemented. This inconsistency creates the potential for claims that your company is misrepresenting its handling of personal information, even if you have a solid information security program in place.
