
Privacy and data protection

ID fraud up, but low-tech methods still prevalent

Identity fraud rose 22 percent in 2008 from the year before, reaching the highest level since 2004, according to a report released on Monday by Javelin Research.

Of nearly 4,800 U.S. adults who were surveyed over the telephone, 482 said they had been victims of identity fraud, the report found.

"Almost 10 million Americans learned they were victims of identity fraud in 2008, up from 8.1 million victims in 2007," the report overview said. "More consumers are becoming victimized by this serious crime, reversing a previous trend in which identity fraud had been gradually …

Kaspersky hires expert to analyze Web site hack

Updated 3:10 p.m. PST with comment from BitDefender.

Moscow-based security firm Kaspersky has hired a security expert to investigate the weekend breach of its U.S. site, the company said Monday.

Meanwhile, the hacker site claiming credit for the breach said on Monday that it had carried out the same compromise on the Portuguese Web site of antivirus provider BitDefender.

In a statement, BitDefender said an unnamed partner site was compromised and that the company was investigating the incident to help the partner prevent it from happening again. "This was an unfortunate event and while we sympathize with …

Kaiser: Worker data breached, identity fraud reported

Kaiser Permanente is notifying its 29,500 Northern California employees that their data may have been exposed in a breach, the company said on Friday. It is unknown exactly how many workers have been affected, but a handful of workers have reported identity fraud as a result of the breach, Kaiser said.

The Oakland, Calif.-based company is offering one year of free credit monitoring for anyone who is affected, according to a statement from Kaiser.

One person, who is not a Kaiser employee, was arrested after law enforcement authorities seized a computer file with Kaiser human resources-type data in …

Beware the bogus economic-stimulus e-mail

Online scammers, always quick to exploit the latest news event, are sending out e-mails that promise economic-stimulus package payments but instead steal sensitive data, the US-CERT warned on Friday.

The e-mails are disguised to look like official Internal Revenue Service communications. They offer a link to a Web site that asks for personal information or include a form that needs to be filled out and returned, the security organization said in an alert.

People who receive the fraudulent e-mail messages are encouraged to send the e-mail message and the Web site URL to the IRS at phishing@irs.gov.

CERT …

Microsoft's TMG adds antimalware, SSL inspection

Microsoft made its Forefront Threat Management Gateway (TMG) beta 2 version available on Friday, adding antimalware and Secure Sockets Layer inspection but also offering an edge protection service to its latest operating-system platform.

TMG beta 2 is designed to provide a safe Web surfing environment for employees, said Bill Jensen, senior product manager for TMG, which used to be called ISA Server.

Microsoft has added built-in antimalware that detects and blocks infected files from entering the network and a network inspection service, or intrusion prevention, that blocks viruses and other malicious code based on their signature and their behavior, he …

U.K. Lords: Too much spying on Brit citizens

New powers are needed to combat a culture of "pervasive" surveillance that has seen the U.K. become the most spied-upon country in the world, the Lords said Friday.

The U.K. is now watched by about 4 million CCTV cameras, and details of 7 percent of the population are held in the National DNA Database (NDNAD)--more than any other country, according to the chairman of the House of Lords Constitution Committee, Lord Goodlad.

At the same time national databases designed to hold personal information on nearly every U.K. citizen are being set up across Whitehall, …

Data breach incidents are increasing, study shows

My official title may be "analyst," but market research is the part of my job that appeals to the geek in me. Good thing I work at ESG, where we do market research around information assurance all the time.

Given an IT security landscape highlighted by regulatory compliance, publicly-disclosed data breaches, and increasingly sophisticated threats, we often ask survey respondents whether their organization suffered a data breach in the last 12 months. ESG has probably asked this very question in several research projects over the past few years. In the past, about 30 percent of large organizations (i.…

Report: Justice Department sends hoax e-mail to test workers

A U.S. Department of Justice e-mail that phished for sensitive information from federal workers was a hoax that the agency sent out to test its own security awareness, according to a report.

The e-mail, sent two weeks ago to Justice Department employees, directed recipients to a Web site that prompted them to supply account information related to the federal retirement savings program, the Associated Press reported.

"We have learned that the messages are part of a hoax invented and distributed by DOJ to test employee security awareness," Ted Shelkey, assistant director for information systems security, wrote in …

Spam: You just can't win

This was originally posted at ZDNet's Between the Lines.

For anyone even slightly optimistic about thwarting the never-ending crush of spam I have two words: don't bother.

At the Information Security Best Practices conference at Wharton School of the University of Pennsylvania, I've learned the following from the first panel.

Comcast's Gerard Lewis, senior counsel and chief privacy officer, noted that the Can-Spam act of 2003 "hasn't done anything to curb spam," but is "a well intentioned law." Indeed, almost all e-mail is classified as spam.

Lewis should know since Comcast …

TCG spec to be foundation of storage encryption

Update at 7 a.m. PST January 30: Clarification made in the final paragraph.

Every day it seems like there is a new and significant data breach in the news. In fact, organizations like ChoicePoint, TJX, the Department of Veterans Affairs, or Heartland Payment Systems have become poster children for the sorry state of information assurance.

Recognizing the risks to sensitive data, many companies have implemented full-disk encryption software from companies like PGP, PointSec, SafeBoot, and Utimaco. Still, this means purchasing, deploying, and managing add-on software on lots of PCs--a cumbersome operational task. For a number of years, I've …