Rina Steenkamp - Privacy and technology
[Getting accountability right with a privacy management program | Unscrubbed hard drives report | Hacker intelligence initiative, monthly trend report #9 | State and trends of the Russian digital crime market 2011 | ICC UK Cookie guide | Smart metering implementation programme - data access and privacy | Security in the age of mobility | Is everything we know about password-stealing wrong? | Opinion [...] on facial recognition in online and mobile services | Procure secure - a guide to monitoring of security levels in cloud contracts | Security, trust and assurance registry (STAR) | PICOS - Privacy and Identity Management for Community Services | Protecting consumer privacy in an era of rapid change | Symantec 2011 cost of data breach study, United States | Beyond cyber threats - Europe's first information risk maturity index | Study on data collection and storage in the EU | Protecting patient privacy - strategies for regulating electronic health records exchange]
A publication by three Canadian privacy commissioners.
From the document:
"The Office of the Privacy Commissioner of Canada (OPC), and the Offices of the Information and Privacy Commissioners (OIPCs) of Alberta and British Columbia have worked together to develop this document with the goal of providing consistent guidance on what it means to be an accountable organization. It is intended for organizations subject to our respective private-sector privacy legislation and outlines what we expect to see in a privacy management program. [...] This document outlines what we think are the best approaches for developing a sound privacy management program, for organizations of all sizes, in order to meet obligations under applicable privacy legislation. This document is not a “one-size-fits-all” solution, however. Each organization will need to determine, taking into consideration its size, how best to apply the guidance found here to develop a privacy management program."
Canadian privacy commissioners: Getting accountability right with a privacy management program (PDF)
HL: Guidance on establishing and maintaining a privacy management infrastructure
A report by the ICO.
From 'NCC findings':
"Negligible personal data was found on the memory sticks and mobile telephones. In the case of hard drives: 38% of the devices had been wiped of data; 14% were damaged/unreadable; 37% contained nonpersonal data; 11% contained personal data."
ICO: Unscrubbed hard drives report (PDF)
ICO: Deleting your data from computers, laptops and other devices
Security.nl: 11% of second-hand hard drives contain personal info
A report by Imperva.
From 1. Overview:
"Cyber-criminals are increasingly using automation to carry out their attacks on web applications. This phenomenon has several reasons:
- Automatic tools enable an attacker to attack more applications and exploit more vulnerabilities than any manual method possibly could.
- The automatic tools that are available online save the attacker the trouble of studying attack methods and coming up with exploits to applications' vulnerabilities. An attacker can just pick a set of automatic attack tools from the ones that are freely available online, install them, point them at lucrative targets, and reap the results.
- These tools use resources (like compromised servers that are employed as attack platforms) more efficiently.
- Automatic tools open new avenues for evading security defenses. For example, such a tool can periodically change the HTTP User Agent header that is usually sent in each request to an application and that may be used to identify and block malicious clients. As another example, sophisticated automatic tools can split the attack between several controlled hosts, thus evading being blacklisted."
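The two evasion tricks in the quoted passage, rotating the User-Agent header and spreading one attack over several controlled hosts, both defeat defences that key on a single header or a single blacklisted address, but both leave a footprint in ordinary access logs once requests are pivoted on the source address and on the request itself. The following Python is an added example and is not taken from the Imperva report: it parses constructed combined-format log lines, flags a source that sends requests under several different User-Agents, and flags an identical (templated) request path arriving from several distinct sources. The log lines, the URL paths and the thresholds are all assumptions made for the example.

```python
"""Spot automated web-attack clients in access logs.

Added example, not from the Imperva report. Two heuristics:
  * ua_rotators: one source IP sending under many User-Agent strings
    (the UA-rotation evasion described in the report);
  * distributed_payloads: the same request path seen from several
    source IPs (one attack split over several hosts to dodge blacklists).
"""
import re
from collections import defaultdict
from urllib.parse import unquote

# Constructed sample lines in Apache "combined" format; addresses are
# documentation ranges (RFC 5737) and the payloads are illustrative only.
SAMPLE_LOG = """\
203.0.113.10 - - [01/Apr/2012:10:00:01 +0000] "GET /index.php?id=1%27%20OR%201%3D1-- HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Windows NT 6.1)"
203.0.113.10 - - [01/Apr/2012:10:00:02 +0000] "GET /index.php?id=2%27%20OR%201%3D1-- HTTP/1.1" 200 512 "-" "Mozilla/4.0 (compatible; MSIE 8.0)"
203.0.113.10 - - [01/Apr/2012:10:00:03 +0000] "GET /index.php?id=3%27%20OR%201%3D1-- HTTP/1.1" 200 512 "-" "Opera/9.80"
203.0.113.10 - - [01/Apr/2012:10:00:04 +0000] "GET /index.php?id=4%27%20OR%201%3D1-- HTTP/1.1" 200 512 "-" "curl/7.21.0"
198.51.100.7 - - [01/Apr/2012:10:00:05 +0000] "GET /about.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0 (Macintosh)"
198.51.100.7 - - [01/Apr/2012:10:00:09 +0000] "GET /contact.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0 (Macintosh)"
192.0.2.21 - - [01/Apr/2012:10:01:00 +0000] "GET /login.php?user=admin%27-- HTTP/1.1" 200 300 "-" "Mozilla/5.0 (X11; Linux)"
192.0.2.22 - - [01/Apr/2012:10:01:01 +0000] "GET /login.php?user=admin%27-- HTTP/1.1" 200 300 "-" "Mozilla/5.0 (X11; Linux)"
192.0.2.23 - - [01/Apr/2012:10:01:02 +0000] "GET /login.php?user=admin%27-- HTTP/1.1" 200 300 "-" "Mozilla/5.0 (X11; Linux)"
"""

# ip ident user [timestamp] "METHOD path PROTO" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) \S+ "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)


def parse_log(text):
    """Return one dict per well-formed log line; malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            records.append(m.groupdict())
    return records


def ua_rotators(records, min_distinct=3):
    """Map source IP -> number of distinct User-Agents, for IPs at or above
    the threshold. A genuine browser keeps one UA; a rotating tool does not."""
    uas = defaultdict(set)
    for r in records:
        uas[r["ip"]].add(r["ua"])
    return {ip: len(s) for ip, s in uas.items() if len(s) >= min_distinct}


def normalize_path(path):
    """URL-decode the path and collapse numeric parameter values, so the
    same payload template groups together across ids or hosts."""
    return re.sub(r"=\d+", "=N", unquote(path))


def distributed_payloads(records, min_sources=3):
    """Map normalized request path -> sorted list of source IPs, for paths
    that arrive from at least `min_sources` distinct addresses."""
    sources = defaultdict(set)
    for r in records:
        sources[normalize_path(r["path"])].add(r["ip"])
    return {p: sorted(s) for p, s in sources.items() if len(s) >= min_sources}


def analyse(text):
    """Run both heuristics over raw log text and return the findings."""
    records = parse_log(text)
    return {
        "ua_rotators": ua_rotators(records),
        "distributed_payloads": distributed_payloads(records),
    }


if __name__ == "__main__":
    for kind, hits in analyse(SAMPLE_LOG).items():
        for key, value in hits.items():
            print(f"{kind}: {key} -> {value}")
```

Both thresholds are deliberately low for the nine constructed lines; on a real site they should be tuned against a baseline of normal traffic, and the second heuristic should additionally be keyed on a time window so that a popular legitimate URL is not reported merely because many people visit it.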
Imperva: Hacker intelligence initiative, monthly trend report #9 (PDF)
Imperva: Imperva report details automated web application attacks
Security.nl: Script kiddies cause chaos with automated tools
A report by Group-IB.
From the introduction:
"This report contains the results of the study of the state of the Russian cybercrime market in 2011. It examines the main risks associated with various types of hacker activities, analyzes the main trends in the development of the Russian cybercrime market, estimates the shares and the financial performance of the Russian segment of the global cybercrime market, and forecasts market trends for this year."
Group-IB: State and trends of the Russian digital crime market 2011 (PDF)
Security.nl: Russian cybercriminals steal 3.5 billion euros in 2011
A guide by the International Chamber of Commerce UK.
From the introduction:
"In line with recent changes in European legislation, UK law now requires website operators to ask for a website user's permission when placing certain kinds of cookie on their devices for the first time. Where consent is required, the law states that it should be 'informed consent'. This increases the onus on websites to ensure that visitors understand what cookies are and why website operators and others want to use them. This guide aims to help both website operators and website users come to terms with the new law by placing cookies into four categories, based on their function. [...] This guide is designed to help website operators to provide information to users in language they can understand and enable users to make an informed choice. Wide adoption of standard language will also, it is hoped, reduce the learning journey of users across websites."
International Chamber of Commerce UK: ICC UK Cookie guide (PDF)
Data Protector: The ICC clarifies the cookie conundrum
A consultation document by the [UK] Department of Energy and Climate Change.
From the executive summary:
"Consumers' interests must be protected in the smart metering world. Concerns about privacy have been raised in many countries rolling out smart meters, and it will be important to give consumers clarity and reassurance about the ways in which their energy consumption data can be accessed, by whom, for which purposes, and the choices that consumers have about this. In this consultation document, the Government is seeking views on a proposed framework for smart metering data access and privacy."
[UK] Department of Energy and Climate Change: Smart metering implementation programme - data access and privacy (PDF)
The Register: UK.gov - firms can't fondle your smart meter privates... unless you want them to
A TrendLabs quarterly security roundup by Trend Micro.
From the report:
"'Mobile technology' is just what the name implies — portable technology that isn’t limited to mobile phones. This also includes devices like laptops, tablets, and global positioning system (GPS) devices. As with any other kind of technology though, there are drawbacks to 'going mobile.' Mobile devices can expose users' and organizations' valuable data to unauthorized people if necessary precautions are not taken. [...] Trend Micro identified approximately 5,000 new malicious Android apps just this quarter."
Trend Micro: Security in the age of mobility (PDF)
TrendLabs Malware Blog: Q1 threats go mobile
TrendMicro: A look back at 2011 (PDF)
TrendMicro: 2011 - the year of data breaches
AG: Hackers switch to far more advanced attacks
A paper by Dinei Florencio and Cormac Herley.
Abstract:
"Federal Reserve Regulation E guarantees that US consumers are made whole when their bank passwords are stolen. The implications lead us to several interesting conclusions. First, emptying accounts is extremely hard: transferring money in a way that is irreversible can generally only be done in a way that cannot later be repudiated. Since password-enabled transfers can always be repudiated this explains the importance of mules, who accept bad transfers and initiate good ones. This suggests that it is the mule accounts rather than those of victims that are pillaged. We argue that passwords are not the bottle-neck, and are but one, and by no means the most important, ingredient in the cybercrime value chain. We show that, in spite of appearances, password-stealing is a bad business proposition."
Dinei Florencio and Cormac Herley: Is everything we know about password-stealing wrong? (PDF)
Microsoft Research: Is everything we know about password stealing wrong?
Security.nl: "Money mule is the real victim of online banking fraud"
An opinion by WP29.
From the introduction:
"Online services, many owned and operated by private organisations, have built up vast collections of images uploaded by the data subjects themselves. In some cases these images may also be unlawfully obtained by scraping other public sites such as search engine caches. Small mobile devices with high resolution cameras enable users to capture images and link in real-time to online services through always-on data connections. As a result users are able to share these images with others or perform identification, authentication/verification or categorisation to access additional information about the known or unknown person standing before them. Facial recognition in online and mobile services therefore requires specific attention from WP29 as the use of this technology presents such a range of data protection concerns."
WP29: Opinion [...] on facial recognition in online and mobile services (PDF)
Inside Privacy: Facial recognition opinion targets social networks, authentication services and games consoles
A guide by ENISA.
From the executive summary:
"This document is a practical guide aimed at the procurement and governance of cloud services. The main focus is on the public sector, but much of the guide is also applicable to private sector procurement. This guide provides advice on questions to ask about the monitoring of security (including service availability and continuity). The goal is to improve public sector customer understanding of the security of cloud services and the potential indicators and methods which can be used to provide appropriate transparency during service delivery."
ENISA: Procure secure - a guide to monitoring of security levels in cloud contracts (PDF)
ENISA: Procure secure - a guide to monitoring of security levels in cloud contracts
ENISA: Procure secure - ENISA's new guide for monitoring cloud computing contracts
An initiative by the Cloud Security Alliance.
From the main page:
"The Cloud Security Alliance (CSA) announces the launch of a new initiative to encourage transparency of security practices within cloud providers. The CSA Security, Trust & Assurance Registry (STAR) is a free, publicly accessible registry that documents the security controls provided by various cloud computing offerings, thereby helping users assess the security of cloud providers they currently use or are considering contracting with. CSA STAR is open to all cloud providers, and allows them to submit self assessment reports that document compliance to CSA published best practices."
Cloud Security Alliance: Security, trust and assurance registry (STAR)
DarkReading: Vetting the security of cloud service providers
A website by the PICOS consortium.
From the main page:
"Privacy and Identity Management for Community Services (PICOS) is an international research project, focused on mobile communities. [...] PICOS has the mission to investigate mobile communities and their services. Especially regarding aspects like privacy and identity management as well as technical and economical aspects."
PICOS consortium: PICOS - Privacy and Identity Management for Community Services
CORDIS: Feature stories - protecting privacy in the mobile internet age
A report by the FTC.
From the executive summary:
"With this Report, the Commission calls on companies to act now to implement best practices to protect consumers' private information. These best practices include making privacy the 'default setting' for commercial data practices and giving consumers greater control over the collection and use of their personal data through simplified choices and increased transparency. Implementing these best practices will enhance trust and stimulate commerce."
FTC: Protecting consumer privacy in an era of rapid change (PDF)
CNet Privacy Inc.: FTC stops short of calling for new 'do not track' law
EFF: FTC final privacy report draws a map to meaningful privacy protection in the online world
Epic.org: Federal Trade Commission calls for privacy legislation
FPF: FPF responds to FTC release of final privacy framework report
FPF: FPF senior fellow Peter Swire - FTC deserves praise for its de-identification "safe harbor"
FPF: Context and legitimate basis: US-EU approaches to data processing
HL: FTC releases final privacy report
HL: Details on FTC recommendation of legislation to address practices of information brokers
Inside Privacy: Federal Trade Commission releases privacy report
MediaPost: FTC supports right to opt out of data collection by ad networks
PrivacyLives: Federal Trade Commission report calls on companies to adopt best privacy practices
Tech@FTC: Tech highlights of the FTC privacy report
TLF: FTC issues groundhog report on privacy
TLF: Initial thoughts on FTC's final privacy report
Tweakers.net: US regulator wants stricter privacy legislation
Wired Threat Level: FTC tells net - Agree to stop invading privacy (or we'll say 'stop' again)
Benchmark research conducted by Ponemon Institute LLC.
From the executive summary:
"Negligent insiders and malicious attacks are the main causes of data breach. Thirty-nine percent of organizations say that negligence was the root cause of the data breaches. For the first time, malicious or criminal attacks account for more than a third of the total breaches reported in this study. Since 2007, they also have been the most costly breaches. Accordingly, organizations need to focus on processes, policies and technologies that address threats from the malicious insider or hacker."
Ponemon Institute LLC: Symantec 2011 cost of data breach study, United States (PDF)
Inside Privacy: 2011 data breach study reports lower costs, higher incidence of malicious attacks
A report by PwC.
From the foreword:
"To understand the levels of information risk within European mid-market businesses and their capability to mitigate against this, Iron Mountain commissioned PwC to study 600 mid-sized businesses across Europe. The results reveal a deeply concerning picture of complacency, ignorance and lack of management that should sound an alarm bell across the European community."
PwC: Beyond cyber threats - Europe's first information risk maturity index (PDF, hosted at ContinuityCentral.com)
Iron Mountain Nederland: 'European companies are too complacent about the sensitivity of their information'
Nu.nl: Companies do not secure data adequately
WebWereld: Dutch companies unaware of data breach risk
A report by ENISA.
From the executive summary:
"The overall objective of the Study on data collection and storage in the EU is to serve as a starting point for a pan-European view on the rules relating to the collection and storage of personal data in the European Union and on their implementation in Member States legislation. This is realised via the examination of the principle of minimal disclosure (which is also known as the data minimisation principle) and the duration of the storage of personal data (which is also known as conservation principle). Both these principles are examined as integral parts of the principle of proportionality, which is fundamental in the European privacy and data protection legal framework."
ENISA: Study on data collection and storage in the EU (PDF)
ENISA: Study on data collection and storage in the EU
ENISA: Privacy - a fundamental right - between economics and practice
A publication by the New York Civil Liberties Union.
From the introduction:
"The state [of New York] has endorsed a set of privacy and security policies and procedures for the implementation of health information exchange. But these policies have significant flaws that pose challenges to the integrity of electronic record-sharing in New York State. Most significantly, these policies do not allow for patient control over the inclusion of their health information in the network. In addition, the technological infrastructure used by the state’s HIEs represents an all-or-nothing approach: Once a patient consents to allowing a provider to gain access to his or her medical records, the provider sees everything that was ever entered into the network about that patient, regardless of whether the information is relevant to current treatment."
New York Civil Liberties Union: Protecting patient privacy - strategies for regulating electronic health records exchange (PDF)
PrivacyLives: NYCLU - Protecting patient privacy - strategies for regulating electronic health records exchange