Security News Curated from across the world
Norris also says only 10% of spam originates in New Zealand and the bill is aimed at reinforcing international law.
Internet New Zealand’s Executive Director Pete Macaulay says with around 80% of emails being spam, it is important to free up the internet. But he says the bill puts an unfair emphasis on Internet Service Providers for enforcement.
http://tvnz.co.nz/view/page/411419/600773
A similar bill was pitched in March but was defeated by the timetable for the general election.
The Labour MP for Glasgow South called for amendments to the Computer Misuse Act of 1990 in his Ten Minute Rule Bill a type of Private Member’s Bill that rarely becomes law, but serves to raise Parliamentary awareness of a need for legal reform. Tom Harris’s Computer Misuse Act 1990 (Amendment) Bill picks up on the key recommendations of an inquiry into the original Act by the All Party Parliamentary Internet Group, known as APIG, published in June 2004.
Like Mr Wyatt’s recent proposal, Mr Harris’s Bill amends section three of the Computer Misuse Act in order to explicitly criminalise all means of interference with a computer system, in particular creating a specific offence for denial of service (DoS) attacks. The Bill also increases the tariff for hacking offences (dealt with in section one of the Act) from six months to two years, and from five to ten years for further related offences.
“We welcome this Bill particularly as it reflects the work of the All Party Group over the last two years and especially my own Ten Minute Rule Bill from earlier this year. We hope that the Government adopts the measures proposed in the Bill as a matter of urgency, reflecting the significant threat that cybercrime poses to the UK.”
In his speech to the House of Commons, Harris highlighted the inconsistency between the severe financial consequences of hacking attacks that can cause losses of millions of pounds and the sentences currently possible to punish such attacks. He gave some examples of DoS attacks, including one that had been launched by one of his own constituents, a gun enthusiast, who bombarded a gun control website with so many emails that its server crashed. “This is an issue that up until now hasn’t been taken seriously enough. So much of the UK economy depends on the internet, and so many services are vulnerable if we allow these attackers to go unpunished. It’s time we faced up to this new threat.”
Wyatt’s bill ran out of Parliamentary time. It would otherwise have been read a second time. Nobody opposed Mr Harris’s bill and it is scheduled for a second reading on 2nd December 2005.
http://www.theregister.co.uk/2005/07/15/mp_pitches_denial_of_service_law_to_parliament/
Joe Barton, R-Texas, and John Dingell, D-Mich., the chairman and ranking minority member of the House Committee on Energy and Commerce, respectively, floated a draft bill requiring businesses engaged in interstate commerce to encrypt sensitive personal data.
The IT industry, however, has become increasingly vocal on the need for Congress to act. “The public has been crying out for help, and businesses have not responded,” said Mike Gibbons, vice president of Federal Security Services for Unisys Corp., based in Philadelphia. “I say the sky has already fallen; it’s just a matter of when a piece is going to hit you.”
Definitions are a thorny issue in identity-theft legislation. Many details will likely be left to regulators, who will have to show nuanced technological understanding. For example, a blanket mandate to encrypt sensitive data is not practical, but mandated encryption for data traveling over the Internet or backed up on tapes might make sense, industry experts say.
The Barton-Dingell draft bill would require companies holding sensitive data to hire an information security officer, and the bill sets up a national breach notification requirement, pre-empting state laws.
If a breach could result in identity theft, the compromised company must provide a free credit report and a one-year subscription to a credit-monitoring service to potential victims.
“I intend to support tough legislation mandating enhanced security practices and swift and strong punishment for those who violate the law and harm consumers,” Dingell said.
The latest proposal in the Senate focuses more on penalties than on technology mandates. It sets fines for failing to provide adequate security and strengthens criminal penalties for hackers and identity thieves, as well as anyone attempting to cover up a security breach. Companies that have personal data on more than 10,000 Americans would need to have privacy and security programs and screen third-party data processors.
The Barton-Dingell proposal will be aired at a hearing that the House Subcommittee on Commerce, Trade and Consumer Protection plans to hold in the near future.
http://www.eweek.com/article2/0,1759,1835281,00.asp?kc=EWRSS03119TX1K0000594
That’s remarkable but not as extreme as the second requirement: The Web master or mailing list operator might have to “cover the cost” of 12 monthly credit reports of each person whose e-mail addresses was lost or purloined.
For a popular site with 10,000 registered users, that would be a princely sum.
Independent Web site owners should not be bankrupted by making them cough up that kind of cash: The penalty is unrelated to any harm.
Other sections of the proposed law, called the Personal Data Privacy and Security Act, are highly rigid. For example, anyone running an ad-supported Web site or mailing list with 10,000 or more registered users must “implement a comprehensive personal data privacy and security program,” create a “risk assessment” to “identify reasonably foreseeable” vulnerabilities, “assess the likelihood” of security breaches, “assess the sufficiency” of policies to protect against them, publish the “terms of such program,” do “regular testing of key controls” to test security, select only superior “service providers” after doing “due diligence,” and regularly “monitor, evaluate and adjust” security policies.
Specter and Leahy probably intended to target large businesses that employ teams of corporate lawyers and would view this as just more government paperwork. “We don’t want to place any undue limitations on mailing lists, Web sites, and so on,” Schmaler said.
http://news.com.com/The+coming+Web+security+woes/2010-1071_3-5772012.html
Signing up for the registry is free, and parents soon will be able to add their children’s instant message IDs, mobile phone numbers, fax numbers and pager numbers.
E-mail senders must comply with the new law by Aug. 1.
Violators face up to three years in jail or fines up to $30,000 if convicted of breaking the law, and could face civil penalties of up to $5,000 per message sent.
Some Internet safety experts have said anti-spam laws have been difficult to enforce and others worry the lists will give hackers a way to get access to a large database of children.
Public Service Commission Chairman Peter Lark said safeguards, including encryption of e-mail addresses and other information, will keep the Michigan registry secure.
Utah is getting ready to set up a similar registry for children there.
http://newsobserver.com/24hour/technology/story/2530584p-10910230c.html