Author Archive

Germany Calling for End to “Safe Harbor” for US Companies Protecting Customer Data

Tuesday, August 24th, 2010

Germany’s Schleswig-Holstein Data Protection and Privacy Commissioner Thilo Weichert has issued a call to end the so-called data handling “Safe Harbor” for US companies doing business with European customers. In 2000, the European Commission agreed to recognize the US Department of Commerce “Safe Harbor” principles, essentially allowing US companies to self-certify that they exercise good practices to protect information about their European customers.

Safe harbor compliance entails:
1. Notice: An organization must inform individuals about the data processing and about possibilities to file inquiries or complaints;
2. Choice: An organization must provide a general opportunity for individuals to choose to object (opt out) and must ask for consent (opt in) for processing of sensitive data;
3. Onward Transfer: Disclosure of information is only permitted if the recipient adheres to the notice and choice principle;
4. Security: Protection of data from loss, misuse and unauthorized access, disclosure, alteration and destruction;
5. Data Integrity: Observance of purpose limitation of data;
6. Access: Right to access personal information held by an organization about the individual concerned;
7. Enforcement: Mechanisms for assuring effective compliance and data subjects’ rights.

Weichert’s statement is based on research by privacy researcher Chris Connolly showing that of 2,170 US companies that claim to be Safe Harbor compliant, many were in fact not. 940 of the 2,170 US companies do not provide information on how to enforce individuals’ rights. Strangely, 388 of these companies were not even registered with the Department of Commerce!

Malware Suspected in Crash of Spanair Flight, Killing 154 People

Tuesday, August 24th, 2010

Reports are circulating that an investigation of the computer systems on the wreckage of Spanair flight 5022 has revealed that the systems were infected by malware. The flight crashed while taking off from Madrid, Spain, killing 154 people.

If true, it could be one of the first incidents in which computer malware resulted in the death of innocent people.

If They Can’t Spy on Their Citizens’ Email, These Countries Will Ban Blackberry

Monday, August 9th, 2010

The United Arab Emirates, Saudi Arabia, Indonesia, and India are now planning to ban Blackberrys in their countries. The Blackberry service uses encrypted connections between devices and the email and web browsing service, which are operated from North America. The above countries have a policy of monitoring the email, messaging and browsing of their citizens, and even of foreign visitors to those countries.

It seems that RIM, the maker of Blackberry, is looking to add security back-doors so that governments in these countries can spy on Blackberry users in those areas.

Online banking account takeover fraud may be bigger than we think

Friday, August 6th, 2010

Charles Jester at security firm ESET has written a great article looking at how banks report online electronic crime.

We know from public reports and various lawsuits that cyber criminals have been targeting users of online commercial banking sites, breaking into their accounts, and transferring hundreds of thousands and sometimes millions of dollars.

But how are banks reporting these losses?

Banks in the USA must file a Suspicious Activity Report (SAR) with the US Treasury Department’s Financial Crimes Enforcement Network (FinCEN).

Interestingly, Jester has been tracking the number of these reports. Since 2003, there has been a very large increase in SARs. However, these are all filed as “Other”, and there is no detail available as to what these SARs are reporting on. Jester suggests that this steep climb in SARs corresponds to the rise of phishing and malware that compromises online banking accounts. Here is the graph from his article.

By looking at public reports by the FBI and journalists like Brian Krebs (http://krebsonsecurity.com/), I estimate that online commercial bank account losses will reach $1 Billion in 2010 in the USA.

I did some quick calculations from NACHA fraud data around ACH transactions, and I compute that all fraud on the ACH networks in the USA looks to be about $6 Billion in 2009. NACHA downplays this by saying that fraudulent ACH transactions were only 0.02 percent of all the ACH transactions. But when you consider that approximately $30 Trillion was sent via ACH transfer in 2009, the fraudulent transactions would be 3.75 million transactions and add up to about $6 Billion. How much of this is related to online crime?

Cyber-Fraudster Swallows Flash Drive. Judge Orders Surgery To Extract It!

Friday, August 6th, 2010

Cyber-fraudster Florin Necula, accused of electronically stealing credit and debit card numbers from ATM machines, swallowed a USB flash drive that contained evidence of his crimes.

Apparently the flash drive got stuck in his intestinal tract. Federal agents obtained a search warrant, and had a surgeon remove the device from Necula’s body. Wow. I didn’t realize you could get a search warrant to search your intestine!

Latest Zeus Banking Trojan Steals Digital Certificates and Browser Cookies

Friday, August 6th, 2010

The latest version of the Zeus banking trojan steals not only usernames and passwords from infected computers, but it also appears to steal digital certificates and cookies from browsers. Cookies and certificates are often used by websites to authenticate a user, in addition to username and password. By stealing these credentials from a user’s computer, criminals can potentially access a variety of online sites and accounts of the victim.

One benefit to using a hardware PKI token is that the signing keys are stored on the device, and cannot be exported or stolen. This means that stealing a certificate from a browser is not effective, as you also need the private RSA key to be able to use the client-side certificate to log into a website.
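
An added illustration, not code from the original post, of why a certificate copied out of a browser store does not log anyone in: a minimal challenge-response login in Go, with the hardware token modeled as a struct that exposes only a signing operation (no export), the web site verifying against the public key from the certificate, and a thief who holds only the certificate. The type and function names and the nonce values are constructed assumptions.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
)

// HardwareToken models a PKI token: the private key is generated inside the
// device and no method exports it; only signatures ever leave. (Constructed model.)
type HardwareToken struct{ priv *rsa.PrivateKey }

func NewHardwareToken() (*HardwareToken, error) {
	k, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	return &HardwareToken{priv: k}, nil
}

// PublicKey is the part carried in the client certificate, i.e. what sits in
// the browser's certificate store and is all a file-stealing trojan can copy.
func (t *HardwareToken) PublicKey() *rsa.PublicKey { return &t.priv.PublicKey }

// SignChallenge is the token's only operation: sign a server-chosen nonce.
func (t *HardwareToken) SignChallenge(nonce []byte) ([]byte, error) {
	h := sha256.Sum256(nonce)
	return rsa.SignPKCS1v15(rand.Reader, t.priv, crypto.SHA256, h[:])
}

// ServerVerify is the web site's side: the certificate's public key must
// validate a signature over the fresh nonce issued for this login attempt.
func ServerVerify(pub *rsa.PublicKey, nonce, sig []byte) bool {
	h := sha256.Sum256(nonce)
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, h[:], sig) == nil
}

// AttackWithStolenCert: the thief holds only the certificate (public key), so
// the best it can do is sign the nonce with a key of its own. Returns whether
// the server accepted the login; it should not.
func AttackWithStolenCert(stolenPub *rsa.PublicKey, nonce []byte) bool {
	own, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return false
	}
	h := sha256.Sum256(nonce)
	sig, _ := rsa.SignPKCS1v15(rand.Reader, own, crypto.SHA256, h[:])
	return ServerVerify(stolenPub, nonce, sig)
}
```

A captured signature is equally useless on its own, because the server issues a new nonce for every login, so a replayed signature fails verification.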
