President Obama’s cybersecurity plan – Part 2 Data Breach Notification Act

Following up on yesterday’s post outlining the proposed changes to RICO and the Computer Fraud and Abuse Act, today I will dissect the White House’s proposal for the National Data Breach Notification Act.

Currently 47 states have data breach notification laws with varying rules and requirements. This makes it very difficult for national and multinational organizations to understand when they must report lost or stolen data and how they must report it. The idea of a national law in the US has been debated for a couple of years now, and this proposal seems to strike a nice balance.

First, the definition of Personally Identifiable Information, or PII:

  1. Full name plus any two of the following

    1. Address and phone number
    2. Mother’s maiden name
    3. Month, day, and year of birth

  2. Social Security Number (SSN), driver’s license number, passport number, alien registration number, or other government issued identification number

  3. Biometric data such as fingerprints, retinal scans, etc.

  4. Unique account numbers, financial account numbers, credit card numbers, debit card numbers, electronic IDs, user names or routing codes

  5. Any combination of the following
    1. First and last name or first initial and last name
    2. See item four above
    3. Security codes, access codes, passwords or source codes used to derive the aforementioned

The new rules would apply to any business possessing the PII of 10,000 or more individuals in a 12-month period. They would supersede any existing state laws, creating one unified national standard.

Organizations discovering lost or stolen PII would have 60 days to notify affected customers unless law enforcement or national security concerns intervene. If there are extenuating circumstances, organizations can provide proof to the Federal Trade Commission (FTC) that they require up to an additional 30 days.

The proposal includes a “safe harbor” provision when measures are in place to protect data (encryption). Organizations must still report the data loss to the FTC within 45 days, including a professional risk assessment, logs of access to the data and a complete list of users who had access to the protected data.

If the data is determined to have been properly protected and the evidence is submitted on time, individual notifications would be unnecessary. Financial institutions that only lose account numbers are also exempt if other protective measures are in place to prevent fraud.

After a data loss incident, organizations would be required to notify individuals by letter, phone or email.

Notices would include what information was compromised and a toll-free number to contact the company responsible to obtain more information. If a third party lost the data, the notice must include the name of the original collector (direct business relationship) of the PII.

States may pass laws requiring notifications to include information about identity theft/fraud prevention.

When more than 5,000 victims are involved, organizations would be required to do the following:

  • Place advertisements in mass media ensuring potential victims are aware of the risk they are being exposed to.

  • Notify all consumer credit reporting agencies of the victims within 60 days of discovery.

Businesses would be required to notify the Department of Homeland Security for law enforcement purposes when any of the following are true:

  • The breach contains, or is believed to contain, PII on 5,000 or more individuals.

  • The breach involves a database or network of databases that contain PII on 500,000 or more individuals.

  • The breach involves a database owned by the United States government.

  • The breach involves PII of employees or contractors of the United States government involved in law enforcement or national security.

Notice to DHS must occur 72 hours before individual notices are served, or 10 days after discovery of the incident, whichever comes first.

The proposed rules would be enforced by the FTC after consultation with the US Attorney General to ensure there is no interference with ongoing criminal investigations. State Attorneys General would also be able to enforce the rules within their jurisdiction after notifying the FTC.

Penalties for non-compliance would be $1000 per person affected per day, for a maximum of $1 million. There would not be a maximum penalty if it is determined the non-compliance was willful or intentional.

Organizations that are required to comply with HIPAA or HITECH data protection laws are exempt from this legislation.

It appears the Obama Administration and Howard Schmidt, the President’s Cyber-Security Coordinator, have taken careful notes from the different laws passed by individual states. This proposal is a great start to making data security a priority and contains provisions to make adjustments after implementation.

Why not download the “The State of Data Security” report we published today? It covers the most prominent data loss incidents and details the actions you can take to prevent you from being the next company to have to notify your customers.

Malware on your Mac? Don’t expect AppleCare to help you remove it

ZDNet writer Ed Bott has today published a fascinating conversation with an AppleCare support rep on the subject of Mac malware.

For reasons which will become obvious when you read the interview, the Apple support rep has chosen to remain anonymous. Chances are that if he hadn’t kept his identity secret he would have been thrown out of the company pretty quickly.

According to Bott’s source at Apple, AppleCare’s call volume is “4-5 times higher than normal” and the overwhelming majority of calls come from Apple customers who have been hit by the current spate of fake anti-virus attacks on the Mac OS X platform.

Mac Security fake anti-virus

The Mac Defender fake anti-virus attack, and its variously named variants, are becoming common problems it seems:

It started with one call a day two weeks ago, now it’s every other call. It’s getting worse. And quick.

Perhaps most astonishingly, the interview reveals that Apple’s official policy is that representatives are “not supposed to help customers remove malware from their computer.”

The reason for the rule, they say, is that even though Mac Defender is easy to remove, we can't set the expectation to customers that we will be able to remove all malware in the future. That's what antivirus is for.

Although the support rep admits that he often ignores corporate policy and helps customers remove infections, he acknowledges that this could get him into trouble if it comes to the attention of higher management.

But I can sympathise with the support rep, as it’s hard to justify refusing to help a user with an infected Mac when the malware is using scare tactics and unsavoury pop-up windows to hoodwink them into handing over their credit card details for a “fix”.

As the AppleCare support rep describes:

Well, I’m sure you’re aware of what Mac Defender pops up on your screen if you don’t buy it. Last call I got before the weekend was a mother screaming at her kids to get out of the room because she didn’t want them seeing the images. So, panicking, yes, I’d say that would be the situation usually. I had a teacher call about Mac Defender last week.

Typical website displayed to users who refuse to pay after the fake anti-virus attack

You can read the full interview on the ZDNet website.

Here’s a video where we caught one of the fake anti-virus attacks in action:

Sophos detects the latest Mac malware as OSX/FakeAV-DOE, and as we continue to encounter more waves of this attack we will enhance our protection.

If you’re not a Sophos customer, but have a Mac at home, you can still protect your Mac right now. Download our free Mac anti-virus. It’s automatically updated to protect against the latest threats.


Spam and Phishing Landscape: May 2011

The unexpected raid and resulting death of Osama Bin Laden shocked the world. As always, spammers were quick to jump on this headline and send a variety of spam messages leveraging the event. The “Fallout from the Death of Osama Bin Laden” section includes samples of some of the spam monitored in different languages.

The effect of the Rustock shutdown from the previous month continued this month. After falling 27.43 percent in March, the average daily spam volume fell another 5.35 percent in April. Compared to a year ago, it is down 65.42 percent. Overall, spam made up 74.81 percent of all messages in April, compared with 74.68 percent in March. Going back a year, the percentage of spam was 89.22 in April 2010.

To find out more, click here to download the May 2011 State of Spam & Phishing Report, which highlights the following trends:

  • Fallout from the Death of Osama Bin Laden

  • Spammer Wishes You Happy Mother’s Day

  • Let the Games Begin!

  • Free Coins for Online FIFA Players

  • April 2011: Spam Subject Line Analysis

Best email practices are:

Do Not

  • Open unknown email attachments. These attachments could infect your computer.

  • Reply to spam. Typically the sender’s email address is forged, and replying may only result in more spam.

  • Fill out forms in messages that ask for personal or financial information or passwords. A reputable company is unlikely to ask for your personal details through email. When in doubt, contact the company in question through an independent, trusted mechanism, such as a verified telephone number, or a known Internet address that you type into a new browser window (do not click or cut and paste from a link in the message).

  • Buy products or services from spam messages.

  • Open spam messages.

  • Forward any virus warnings that you receive through email. These are often hoaxes.

Mac App Store exposes users to security risks, claims researcher

If you are using the Apple Mac App Store you might be putting your computer’s security at risk.

That’s the finding of security researcher Joshua Long who has warned that the App Store has not published the latest versions of various applications, despite the fact they can include critical security updates.

Here’s part of Long’s warning:

Third-party Web browser maker Opera has released version 11.11 of its software, which fixes a "critical" security issue.

Mac users who have downloaded Opera through the App Store may find themselves using a copy of Opera that is now two versions old, 11.01, which was released back in March and is vulnerable to the security bug patched in 11.11.

Users who rely on the App Store to tell them whether their software is up-to-date may not be aware of the security risks and may continue to use an unsafe version of the Opera browser.

Opera on the Mac App Store

Long says that he contacted Apple and Opera about the issue. Opera replied saying that they were waiting on Apple to approve the next version of Opera for Mac (Apple’s approval is necessary before anything gets posted in the Mac App Store).

Put in simple terms, Apple seems to be falling short of the promise it makes in its promotion of the App Store that it “keeps track of your apps and tells you when an update is available” and that “you’ll always have the latest version of every app you own.”

And it appears that Opera is not the only application in the Mac App Store that is out-of-date and might be vulnerable to security flaws. Long points out that Amazon’s Kindle app in the App Store, for instance, hasn’t been updated since January.

So, the key question is, how quickly is Apple going to approve the latest Opera update, and other software which might have been updated to secure against critical security vulnerabilities, for the App Store?

Because if Apple can’t push software containing critical security patches to the App Store in a timely fashion, users might be wiser to get their software via a more conventional route – such as (in the case of Opera) a direct download from the vendor’s own website.
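The practical lesson of the Opera case is not to trust the App Store’s “up to date” indicator alone but to compare what is actually installed against the version the vendor publishes. The following is an added example written for this post, not code from Apple, Opera or Joshua Long; the Info.plist sample is constructed to mirror an App Store copy of Opera 11.01, and the vendor version table is assumed to be maintained by hand.

```python
import os
import plistlib
import re

# Constructed sample Info.plist, modelled on what an App Store copy of
# Opera 11.01 would carry (only the two keys the check needs are included).
SAMPLE_INFO_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
    <key>CFBundleName</key>
    <string>Opera</string>
    <key>CFBundleShortVersionString</key>
    <string>11.01</string>
</dict>
</plist>
"""

# Vendor-published current versions. The Opera entry is the 11.11 release
# named in the post; in practice this table is maintained by the admin.
VENDOR_LATEST = {"Opera": "11.11"}


def parse_version(text):
    """Turn '11.01' into (11, 1) so comparison is numeric, not lexical.
    A plain string comparison would rank '11.9' above '11.10'."""
    return tuple(int(part) for part in re.findall(r"\d+", text))


def bundle_version(plist_bytes):
    """Read the app name and marketing version out of an Info.plist."""
    info = plistlib.loads(plist_bytes)
    return info["CFBundleName"], info["CFBundleShortVersionString"]


def check_bundle(plist_bytes, vendor_latest=VENDOR_LATEST):
    """Return (name, installed, latest, is_outdated) for one bundle.
    latest is None when the vendor table has no entry for the app."""
    name, installed = bundle_version(plist_bytes)
    latest = vendor_latest.get(name)
    if latest is None:
        return name, installed, None, False
    return name, installed, latest, parse_version(installed) < parse_version(latest)


def check_installed_app(app_path, vendor_latest=VENDOR_LATEST):
    """Run the same check on a real bundle, e.g. '/Applications/Opera.app'."""
    with open(os.path.join(app_path, "Contents", "Info.plist"), "rb") as fh:
        return check_bundle(fh.read(), vendor_latest)
```

Pointing `check_installed_app` at each bundle under /Applications gives an inventory of App Store copies lagging behind the vendor’s release, independent of whether the store has approved the update yet.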