Wednesday, January 28, 2015

42 pieces of personal data that are collected about you

News - Are you also curious which privacy-sensitive data gets slurped up by the All-Seeing Eye of the law enforcement agencies when you carefree board your flight to sunny Marbella this summer? We have put them in a list.
The European Commission wants to know 42 personal details about you when you book a plane for a flight within our continent. That data is then stored for five years in a central database and is enriched with new data every time you order a ticket again. Why is that? Well, terrorism and such. Not that it has ever been proven that the mass collection and storage of data on all citizens has achieved anything in the fight against terrorism, but every measure sounds so good as decisive governance.
But which data is stored, then? We list all 42 items here, with thanks to The Guardian:
  1. Your passport number
  2. Which country issued your passport
  3. When your passport expires
  4. Your given names
  5. Your surname
  6. Your gender
  7. Your date of birth
  8. Your nationality
  9. A so-called passenger name record locator code (code for PNR storage)
  10. Date of ticket reservation
  11. The dates on which your booked flight(s) depart
  12. Your full name
  13. Other names electronically linked to your name
  14. Your address
  15. All forms of payment information
  16. The address used when ordering/paying
  17. Telephone numbers/contact information provided
  18. All travel plans for this specific PNR
  19. Frequent flyer information
  20. Travel agency
  21. Travel agent
  22. Sharing code for PNR information
  23. Travel status of the passenger
  24. PNR information to be split
  25. E-mail address
  26. Information from the ticketing system
  27. General remarks
  28. Ticket number
  29. Seat number
  30. Date on which the ticket was issued
  31. Your no-show history
  32. The details on your baggage tag
  33. Your go-show history
  34. Other service-related information
  35. Special requests, such as meal preferences
  36. Information about where this information comes from
  37. All historical changes to this PNR data
  38. Number of travellers in this specific PNR record
  39. Seat information
  40. One-way travel information
  41. All API system information
  42. The software used to create the ticket

Much of this data has a very high "aha, that's recognisable" factor. In addition there is a certain amount of technical data intended for users of the PNR system. PNR stands for Passenger Name Records, a system that has been used by airlines for years. The list also contains the abbreviation API, which stands for Advance Passenger Information and is used mainly by the Americans to know in advance who is flying in.
Some specific items are less clear: what is meant by general remarks (27), for example. Your go-show history appears to be the number of times you actually turned up at the gate.
The plan to store this data and share it between member states is being considered by the European Parliament this year. Despite fierce opposition from privacy advocates, there appears to be a majority in parliament for this mass data storage.

Monday, January 26, 2015

Basel Committee updates risk data, reporting adoption

The Basel Committee on Banking Supervision today issued a second progress report on banks’ adoption of the Committee’s Principles for effective risk data aggregation and risk reporting.
Published in 2013, the Principles aim to strengthen risk data aggregation and risk reporting at banks to improve their risk management practices and decision-making processes. Firms designated as global systemically important banks (G-SIBs) are required to implement the Principles in full by 2016.
The report published today reviews banks’ progress in 2014 and updates a 2013 stocktaking self-assessment survey completed by G-SIBs, other large banks and supervisors. It outlines the measures G-SIBs have taken to improve their overall preparedness to comply with the Principles, as well as the challenges they face. G-SIBs are increasingly aware of the importance of this topic and have moved towards implementing the Principles. However, of the 31 participating banks, 14 reported that they will be unable to fully comply with the Principles by the 2016 deadline, compared with 10 G-SIBs in 2013.
The Principles apply initially to all systemically important banks and the Committee will continue to monitor G-SIBs’ progress towards meeting the 2016 deadline. In addition, the Committee recommends that national supervisors apply the Principles to institutions identified as domestic systemically important banks three years after their designation as such. The Basel Committee says it believes that the Principles can be applied to a wider range of banks in a way that reflects their size, nature and complexity.

Tuesday, January 13, 2015

N.J. Law Requires Insurers to Encrypt

New Requirement Goes Beyond HIPAA

By , January 12, 2015.
A New Jersey law that will go into effect in July requires health insurers in the state to encrypt personal information that they store in their computers - a stronger requirement than what's included in HIPAA.
The new law, signed by N.J. governor Chris Christie last week, was triggered by a number of health data breaches in the state, including the 2013 Horizon Blue Cross Blue Shield of New Jersey breach affecting 840,000 individuals. That breach involved the theft of two unencrypted laptops.

The new law states: "Health insurance carriers shall not compile or maintain computerized records that include personal information, unless that information is secured by encryption or by any other method or technology rendering the information unreadable, undecipherable, or otherwise unusable by an unauthorized person."

The law applies to "end user computer systems" and computerized records transmitted across public networks. It notes that end-user computer systems include, for example, desktop computers, laptop computers, tablets or other mobile devices, or removable media.
Personal information covered by the encryption mandate includes an individual's first name or first initial and last name linked with any one or more of the following data elements: Social Security number; driver's license number or State identification card number; address; and identifiable health information.

Different than HIPAA

"The New Jersey law differs from HIPAA in that it mandates implementing encryption, whereas HIPAA mandates addressing encryption," privacy attorney Adam Greene of law firm Davis Wright Tremaine says.
The Department of Health and Human Services offers this explanation of the HIPAA encryption requirement on its website: "The encryption implementation specification is addressable, and must therefore be implemented if, after a risk assessment, the entity has determined that the specification is a reasonable and appropriate safeguard in its risk management of the confidentiality, integrity and availability of electronic PHI.
"If the entity decides that the addressable implementation specification is not reasonable and appropriate, it must document that determination and implement an equivalent alternative measure, presuming that the alternative is reasonable and appropriate. If the standard can otherwise be met, the covered entity may choose to not implement the implementation specification or any equivalent alternative measure and document the rationale for this decision."
Greene points out that because the new state law is tougher than HIPAA, "A New Jersey health plan could determine that some of its protected health information does not require encryption under HIPAA, but they will nevertheless be required to encrypt the information under the New Jersey law."
Follow Marianne Kolbasuk McGee on Twitter: @HealthInfoSec

Monday, January 12, 2015

Hackers try to Blackmail Swiss Bank After Stealing Data: Report

The Banque Cantonale de Geneve said the theft had affected several thousand of its estimated 240,000 clients but that there had been "no financial damage."
The hackers, calling themselves Rex Mundi, were threatening to publish some 30,000 emails of the affected clients if the bank did not hand over 10,000 euros ($11,800) by Friday, the Le Temps daily reported.
The threat was reportedly made on Twitter.
The cantonal bank, which focuses on small and medium-sized businesses and on portfolio investments, refused to comment on the blackmail report when contacted by AFP.
BCGE said the authorities have launched an investigation into the hacking.
The stolen data included names, addresses, telephone numbers and account numbers.
The bank said it had beefed up Internet security and blocked access to online forms. 

Amazon Releases New Encryption Options for RDS

The goal: Make encryption simpler for AWS customers


Amazon Web Services has added new encryption options for customers of its Relational Database Service. Here are the details.
Encryption isn't always easy to deal with in the cloud (or in any other way, actually), but Amazon Web Services (AWS) is hoping to make encryption simpler for its customers. The company unveiled new encryption options for its Relational Database Service (RDS), enabling additional encryption options for a variety of database services for its customers.
As noted by Jeff Barr, chief evangelist for Amazon Web Services, in a blog post, Amazon is aiming to make it easier for customers to encrypt data at rest on AWS RDS database instances running MySQL, PostgreSQL and Oracle Database.
Prior to the most recent announcement, Amazon offered encryption on RDS for Oracle Database and RDS for SQL Server, but now the company is offering encryption for an expanded list of database offerings, including RDS for MySQL, RDS for PostgreSQL and Oracle Database. All of the new encryption offerings provide customer-managed keys for encryption using AWS Key Management Service.
"For all of the database engines and key management options listed above, encryption (AES-256) and decryption are applied automatically and transparently to RDS storage and to database snapshots. You don’t need to make any changes to your code or to your operating model in order to benefit from this important data protection feature," Barr wrote.
This follows on November's launch of the AWS Key Management Service, which was designed to provide customers and partners with centralized control over their encryption keys. With the new options, both MySQL and PostgreSQL now have the option of customer-managed keys using Amazon KMS.
As for the new Oracle Database option, Amazon is tying it into its CloudHSM compliance-focused service, which provides customers with the ability to meet compliance requirements.
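As an added example (not from the article, Amazon's blog post or any AWS tooling), here is a small audit over the JSON shape that `aws rds describe-db-instances` returns. It uses the real response fields `Engine`, `StorageEncrypted` and `KmsKeyId`, but the instance records, the account id and the key ARNs are constructed sample data, and the approved-key set is an assumption standing in for whatever keys an organisation actually manages in KMS.

```python
"""Audit RDS instances for KMS-backed encryption at rest.

Added example, not the article's or AWS's own code. Field names follow the
real describe-db-instances response; the records below are constructed.
"""
import json

# Engine identifiers (as RDS reports them) for the engines the article says
# now support encryption at rest with customer-managed KMS keys.
ENCRYPTABLE_ENGINES = {"mysql", "postgres", "oracle-ee", "oracle-se", "oracle-se1"}

# Constructed sample of `aws rds describe-db-instances` output (not real data).
SAMPLE_DESCRIBE_OUTPUT = json.dumps({
    "DBInstances": [
        {"DBInstanceIdentifier": "orders-mysql", "Engine": "mysql",
         "StorageEncrypted": True,
         "KmsKeyId": "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-1"},
        {"DBInstanceIdentifier": "legacy-pg", "Engine": "postgres",
         "StorageEncrypted": False},
        {"DBInstanceIdentifier": "erp-oracle", "Engine": "oracle-ee",
         "StorageEncrypted": True,
         "KmsKeyId": "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-2"},
        {"DBInstanceIdentifier": "reports-mssql", "Engine": "sqlserver-se",
         "StorageEncrypted": False},
    ]
})


def audit_rds_encryption(describe_json, approved_keys):
    """Classify every instance in a describe-db-instances response.

    approved_keys: set of KMS key ARNs the organisation manages and has
    approved for RDS (assumed input). Returns {identifier: status} where
    status is one of:
      "encrypted"       - encrypted at rest with an approved key
      "unapproved-key"  - encrypted, but with a key outside approved_keys
      "unencrypted"     - engine supports encryption but it is switched off
      "not-in-scope"    - engine outside the set this audit covers
    """
    findings = {}
    for inst in json.loads(describe_json)["DBInstances"]:
        ident = inst["DBInstanceIdentifier"]
        if inst["Engine"] not in ENCRYPTABLE_ENGINES:
            findings[ident] = "not-in-scope"
        elif not inst.get("StorageEncrypted", False):
            # Encryption is chosen when the instance is created and cannot be
            # switched on in place, so this finding means a migration
            # (snapshot, encrypted copy, restore), not a settings change.
            findings[ident] = "unencrypted"
        elif inst.get("KmsKeyId") in approved_keys:
            findings[ident] = "encrypted"
        else:
            findings[ident] = "unapproved-key"
    return findings


def noncompliant(findings):
    """Identifiers that need action, sorted for stable reporting."""
    return sorted(k for k, v in findings.items()
                  if v in ("unencrypted", "unapproved-key"))


if __name__ == "__main__":
    approved = {"arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-1"}
    result = audit_rds_encryption(SAMPLE_DESCRIBE_OUTPUT, approved)
    for ident, status in sorted(result.items()):
        print(f"{ident:15} {status}")
    print("needs action:", noncompliant(result))
```

Because snapshots of an encrypted instance inherit its key, the same key check applies when reviewing `describe-db-snapshots` output.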

Tuesday, January 6, 2015

The World's Biggest Data Breaches, In One Incredible Infographic

In late November, hackers targeted Sony Pictures Entertainment in an unprecedented cyber attack. This led to the exposure of thousands of sensitive emails from Sony executives and threats to release more if the release of the film "The Interview" wasn't canceled.
While this breach was indeed historically devastating, it's not the first successful cyber attack on a big corporate powerhouse.
The folks over at Information Is Beautiful have put together an amazing infographic with the biggest data breaches in recent history. You can see when the attack happened, who it happened to, and how large the impact was.
The infographic, titled "World's Biggest Data Breaches", is available in an interactive version on the Information Is Beautiful site.

Read more: http://uk.businessinsider.com/data-breaches-infographic-2014-12?r=US#ixzz3O3XXhGzt

Monday, January 5, 2015

Morgan Stanley Fires Employee for Stealing Client Data

NEW YORK - US investment bank Morgan Stanley on Monday said it had fired an employee for stealing the personal data of hundreds of thousands of wealth management customers.
Some account information for about 900 of the clients, including account numbers and names, was briefly posted on the Internet and, once detected, was "promptly removed," the bank said in a statement.
No passwords or social security numbers were stolen, the company said, adding: "There is no evidence of any economic loss to any client."
Morgan Stanley did not identify the alleged thief by name but said the person worked in its wealth management business, without providing further details.
The employee stole data on about 10 percent of its wealth management customers, or about 350,000 people, it said.
The New York-based global financial services firm, which has offices in more than 43 countries, said it had informed law enforcement and regulatory authorities and was working with authorities to investigate the incident.
Shares in Morgan Stanley dived 3.4 percent to $37.39 amid a broad US stock market rout.

Secure your email not just your email account

Will Ackerly, co-founder and CTO, Virtru
The risks of having your email hacked are high, but the reaction of most has been muted. Email security is a problem that continues to pop up in the news every two weeks and something needs to change.
Email is a perfect target for hackers. If you want to find out everything about someone all you need is their email account. Once you're in, search for terms like password and hope that they've either sent or received an email with a plain text password. Email is a great place to get more passwords and private data.
Most people send passwords in email when they shouldn't, and most people use the same password everywhere. This makes life so easy for criminals, and it also means that you can bank on the regularity of these news stories. Recently news broke that "20 percent of internet users have been hacked by a Russian gang", and that 5 million Gmail usernames and passwords were leaked on a Bitcoin forum. The risk is very real.

Two-factor authentication: Close but no cigar
After all of these scandals and hacks the common wisdom is to write news stories and blog posts encouraging everyone to turn on two-factor authentication (2FA). Everyone should turn on 2FA for everything immediately; this is true. Our systems leverage the identity services of webmail providers such as Yahoo!, Outlook.com, and GMail, so turning on 2FA will provide more security and make it nearly impossible for someone to hack your email account by guessing a password.
Turning on 2FA will secure your account from hackers, but it really doesn't make your email any more protected than it is now. Yes, it will be difficult for a hacker to break into your account: they would have to steal your password and steal your smartphone. Your account may not be compromised, but the emails you send to others are still very much at risk.

Email security: Lowest common denominator
When you send an email with sensitive information that email is only as safe as your recipient's inbox. You can secure your account as much as you want to, but if you send that sensitive, secret business plan to a friend, you are trusting that they also run 2FA. The network effect of email, the fact that your recipient can forward that attachment to others just increases the risk.

2FA isn't for everyone
Given that email security is related not just to your own email account's security but your recipient's you should be encouraging the people to whom you send email to turn on 2FA.
After you turn on 2FA for yourself you should set aside the entire day to call up everyone in your address book and ask them to also turn on 2FA. Then ask all of these same people to call up the people they might forward your emails to and have them turn on 2FA. If you really want your information to be secure you're going to have to make sure that everyone between you and Kevin Bacon has 2FA turned on.
Are you going to do this? Probably not. If you did this, maybe 10 percent of the people you communicate with would think of turning on 2FA.  The reality of 2FA is that normal people don't turn it on. They should, but even though companies like Facebook and Google have made it very easy it is still a hassle and many people still believe that “they have nothing to hide.” It isn't until people get hacked that they realize how important it is.
Assume that no one turns on two-factor even after reading all these blog posts about email hacks.  What do you do?
Secure your email not just your email account
Email is plaintext. It can be encrypted when it is sent over a network and it can be encrypted on a server, but the way email was designed relies on a server reading plaintext headers to obtain a list of email addresses, a subject, and a body. Attachments are encoded but not encrypted, and when a recipient gets an email nothing checks whether that person has permission to read it.
This is the real insecurity of email not the fact that email accounts might have weak authentication.  Don't get me wrong, that's a bad thing, but it isn't the fundamental problem that needs to be solved in email.  What needs securing isn't your account it is the data in your account.
This is the real solution to securing email: an envelope that gives email senders control over the messages they send.  It means that you no longer have to fall prey to the network effect of insecure email accounts.  You can limit your audience and exert some control over the data you share with others.

Sunday, January 4, 2015

Data breaches multiply: 'Be aware'

Coping with bigger, more frequent cyberattacks

Posted: Sunday, January 4, 2015 12:00 am | Updated: 2:12 am, Sun Jan 4, 2015.
IT professionals are well aware of the massive breach at Sony Pictures that derailed the release of “The Interview” and leaked scripts, movies, financial information, emails and the personal information of tens of thousands of employees. Fred Menge, founder of Tulsa-based information security and digital forensics company Magnir, said he’s not surprised the hack got such widespread attention.

Saturday, January 3, 2015

The new data security law: Just plain bull

The new data security law, if not plain bull, is certainly a fight amongst bulls.
Who is in the ring?
The Federal government versus the state government. The banking groups versus the retailers.
And let’s not forget the ring master—the bully—the master of ceremonies in this circus.
Do you believe that the new data security law will protect your data?
These are desperate times for data security. Desperate people are vulnerable.
You should appreciate President Obama’s effort. His executive order for data security makes us feel good.
And, it is good to have gotten his attention. I especially like the sound of ‘executive.’
Just don’t succumb to the bull.


Bullies don’t obey law.
Historically.
So why would the new data security law be the exception?
But then again, he is not trying to convert the bully. The hackers. Those damn thieves.
He is trying to contain the bulls
Will he succeed?
It’s showtime!
On November 12, 2014, financial industry groups told congressional leaders that robust oversight will help U.S. retailers protect consumers from cyberattacks–Bloomberg BNA
The financial industry group further contends that:
“It is only when coupled with the development of strong internal data protection standards and robust oversight that the retail community will find itself in a better position to protect consumers and their confidential personal financial information from criminal abuse,” wrote the American Bankers Association, the Consumer Bankers Association, The Clearing House, the Credit Union National Association, the Financial Services Roundtable, the Independent Community Bankers of America and the National Association of Federal Credit Unions.
So the financial services industry has clearly identified the speck of dust in the retailer's eye.
Do you smell the self-righteousness?
But the retailers argue that financial institutions should be required to provide the 'same detailed notice to their customers as is required of other businesses under law.'
And that, despite a major data security breach recently reported by JPMorgan Chase & Co., a detailed notice has not been given to customers.
And by the way,
It is not only JPMorgan Chase’s data that has been breached.  Several other banks  have suffered similar breaches.
Apparently, the financial industry thinks that they should be exempt.
Exempt from providing you and me with a detailed notice when our personal information has been pilfered on their watch.
A case of  the special child syndrome?
According to them, the Gramm-Leach Bliley Act (GLB Act), is all the data security law they need.
It’s on!
While the bulls continue to lock horns over minutiae, the bully is licking his chops. His teeth dripping with the blood from our carcass–our data.
My data and yours.
So will the president’s new data security law succeed?
It has potential.
So it could succeed.
If,
And,
Only if,
The bulls fight the bully instead of each other.

Friday, January 2, 2015

A guide to cloud compliance on SoftLayer

Cloud security, compliance and the certificates that help support cloud communication have all come a long way. When it comes to compliance and regulatory-driven organizations, it is important to understand how technologies like cloud and virtualization are now able to create a more robust environment.
To ensure that data is secure in data centers and cloud, providers must adhere to certain compliance standards and regulations. These standards ensure trust that data and security practices are meeting expectations in the data center.
There are a multitude of industry and federal regulations that could potentially impact a cloud service provider.
The SoftLayer compliance department works with independent auditors and third-party organizations to meet the industry’s most stringent guidelines to provide you reports and information for your own compliance needs. SoftLayer uses the NIST SP 800-53 catalog of security and privacy controls originally defined for the US federal government. SoftLayer certifications, attestations and compliance capabilities include the following:
Service Organization Controls 2 (SOC2) – SoftLayer provides a comprehensive SOC2 Type II report for all of its data centers, evaluating controls and their effectiveness. Each control is tested through independent examination of processes including validation of system components, logs and records. The SOC 2 Examination and Compliance Report is regulated by the American Institute of Certified Public Accountants (AICPA) Trust Services. The Trust Services Principles are used to define adequate control systems and establish industry standards for services providers such as SoftLayer to protect their customers’ data and information.
Safe Harbor – SoftLayer has certification indicating that they provide privacy protection as defined by the US Department Of Commerce’s Safe Harbor directive. Safe Harbor is a framework to bridge the differences between the EU-US and Swiss-US approaches to privacy. It provides a streamlined means for US organizations to comply with EU data privacy directives and Swiss data protection laws. Certifying to the Safe Harbor will assure that EU organizations know that your company provides adequate privacy protection, as defined by the directive.
Cloud Security Alliance–STAR Registrant – The Cloud Security Alliance is a non-profit organization that works to promote the use of best practices for providing security assurance in cloud computing. The Cloud Security Alliance maintains the Security, Trust, and Assurance Registry (STAR), a freely accessible registry that documents the security controls provided by various cloud computing services.
Payment Card Industry (PCI) Compliance – PCI compliance and network security are of primary concern for credit card data processing in business. To ensure consistent standards, the PCI Security Standards Council incorporated best practices to protect cardholder data and recommends validation by a third-party Qualified Security Assessor (QSA). SoftLayer helps customers' internal security controls to meet PCI compliance by assisting with third-party auditor security guidelines and providing proof of physical and environmental controls that maintain strict information security policies.
HIPAA Compliance – The US Health Insurance Portability and Accountability Act requires specific security controls for businesses that store or process protected health information online. The SoftLayer cloud platform meets all of the necessary requirements for HIPAA on the data center/service provider side.
SoftLayer Cloud Infrastructure Compliance Capabilities
SoftLayer provides a security-rich environment for deploying and running customer workloads. This is achieved through a combination of:
• Certified physical and logical security of the SoftLayer data centers
• Architecture and operational responsibilities in the SoftLayer offerings
• Additional security capabilities delivered by IBM Business Partners
Please write your comments below or connect with me on Twitter @santureddy1982.

About Santhosh Reddy

Santhosh Reddy is a Competitive Analyst in the Market Development and Insights (MD&I) Organization in IBM, based out of Bangalore, India. He leads the cloud competitive intelligence and strategy team. He has over 10 years of experience in consulting, business and market intelligence. His current focus is on conducting deep technical-level competitive analysis of various cloud (IaaS, PaaS, storage etc.) offerings. He also works on various competitive deal benchmarking and pricing studies.
