Category: Regulations

The letter came ten days after a federal appeals court in the Central District of California ruled that border agents could search laptops without reasonable suspicion of illegal activity. “In a free country, the government cannot have unlimited power to read, seize, store and use all information on any electronic device carried by any traveler entering or leaving the nation,” the signatories stated in the letter.

The level of surveillance by the United States government has become an increasing worry to civil-rights advocates as well as professional, minority and religious groups that believe their members could be targeted.

As part of its “War on Terror,” the Bush Administration has instituted a program to eavesdrop on Internet and phone communications, an initiative that violates the Foreign Intelligence Surveillance Act (FISA) and has become the focus of a battle in Congress to craft a new law to govern such wiretapping.

The Electronic Frontier Foundation, a digital-rights group and one of the sponsors of the letter, has requested information on the conditions that would trigger a digital search by border agents. “We don’t really know what the Department of Homeland Security’s procedures and practices are here,” said Marcia Hofman, a staff attorney with the EFF.

The case at the heart of the debate concerns whether evidence from the July 2005 search of a laptop owned by then-43-year-old Michael Arnold can be used by prosecutors. Returning from a three-week trip from the Philippines, Arnold was stopped by customs agents in Los Angeles International Airport and asked to show that his laptop was functioning, according to court filings. Perusing through the files in those folders, the agents found pictures of two nude women and decided to conduct a more thorough investigation, which turned up suspected child pornography.

The Association of Corporate Travel Executives, one of the letter’s signers, recommended that workers not use their personal laptops for international travel and limit the amount of proprietary and personal data stored on any notebook computer taken across borders. “In a time of heightened international security, it will take a brave Congress to rule that parties may not be subject to suspicionless searches,” Susan Gurley, the executive director of ACTE, said in a statement.

Following the ruling, there is nothing preventing authorities from a more comprehensive search program, said Fred Schneider, a privacy and security expert and professor of computer science at Cornell University. “It won’t be long before customs agents can efficiently perform a thorough search on every machine,” Jennifer Granick, civil liberties director at the EFF, said in a discussion of the impact of the ruling.

Encrypting the hard drive, having a separate account on the PC owned by the worker’s company, or traveling with a clean laptop and using an encrypted VPN to access data are all possibilities, Granick said.

http://www.securityfocus.com/news/11516?ref=rss

The Supreme Court of the state of New Jersey said that information about a person’s use of the internet was so private that police there cannot order ISPs to release surfing details of suspects with a municipal court subpoena. They must receive a grand jury subpoena, it said.

“The court holds that citizens have a reasonable expectation of privacy in the subscriber information they provide to internet service providers,” said the court’s ruling. “Law enforcement officials can obtain subscriber information by serving a grand jury subpoena on an Internet service provider without notice to the subscriber.”

Many are unaware that a numerical IP address can be captured by the websites they visit. After Reid’s ISP, Comcast, handed over details of her account, including the IP address from which she accessed the internet, she was found guilty of computer theft in connection with the hacking incident. Reid overturned that decision on appeal and at the Supreme Court of New Jersey stage, arguing that the evidence should be suppressed.

The court said that although Reid was successful in having the municipal warrant-obtained evidence suppressed, the police were not barred from approaching Comcast again and obtaining the records using an appropriate warrant.

http://www.theregister.co.uk/2008/04/24/us_rules_ip_addresses_private/

Requirement 11.3 addresses penetration testing, which includes network and application layer testing, as well as controls and processes around the networks and applications. Proper use of automated source code analyzer (scanning) tools.

The second option for Requirement 6.6 is a Web Application Firewall (WAF) which is a security policy enforcement point positioned between a web application and a client end point.

The Information Supplement provides recommended capabilities of a select WAF, additional recommended capabilities for certain environments, additional considerations for organizations implementing a WAF and additional sources of information on Web application security.

http://www.net-security.org/secworld.php?id=6053

Companies that are approved as PA-QSAs will be recognized in a Council maintained and published list and can begin conducting PA-DSS assessments in accordance with the PA-DSS Security Audit Procedures.

All companies that were previously recognized as PA-QSAs under Visa PABP will need to enroll and re-validate as a Council PA-QSA.

http://www.net-security.org/secworld.php?id=6025

The council noted that Visa created the standard to help software vendors and others develop secure payment applications that do not store prohibited data, such as full magnetic stripe, CVV2 and PIN data, and support compliance with the PCI DSS.

PCI data security standards: Don’t blame PCI DSS for TJX troubles, IT pros say: Data breaches at TJX and elsewhere have some questioning the effectiveness of PCI DSS, but others say the real problem is how companies approach the guidelines. Banks neglect responsibility for data breaches, some say: TJX has become the poster child for bad data behavior, but some believe the bank and credit card companies aren’t accepting enough responsibility for the data breach epidemic.

The addition of PA-DSS comes as merchants fight for more control over the data they store and as attackers target Web applications with growing zeal.

Last month the National Retail Federation (NRF) sent a letter to the Payment Card Industry (PCI) Security Standards Council asking for changes in how the credit card industry requires merchants to store credit card data.

NRF Chief Information Officer David Hogan wrote that retailers should not have to store credit card numbers because doing so increases the risk that hackers will try to steal the information.

http://searchsecurity.techtarget.com/originalContent/0,289142,sid14_gci1281251,00.html

For many companies, especially large ones using older payment applications, Visa’s mandate could mean “tens of millions of dollars” in upgrades to new technologies over the next few years, said Jim Huguelet, an independent consultant in Bolingbrook, Ill. The mandates will also “by proxy” force vendors of payment applications to finally start implementing security features that have been recommended by Visa and others for some time now, he said.

“This is a really major step forward for the industry in asking payment application vendors to step up and support more directly the compliance efforts of their customers,” Huguelet said. “Now it has become clear that payment vendors have to make their software support security standards” or risk being cast aside by their customers, he said.

Visa’s mandates have been expected for some time and are designed to address long-standing security weaknesses in the applications merchants use to conduct payment card transactions. The biggest concern has been the fact that many payment applications now in use are designed to store data such as the full magnetic-stripe information from the back of cards, card-verification code numbers and PIN data. Storing that data has made payment systems an attractive target for hackers and has long been considered a fundamental security weakness. It is a practice that has been explicitly banned under PCI.

http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9044159&source=NLT_AM&nlid=1