InfoSec News

A comment on one of the articles earlier this week prompted me to dig around privacy legislation from various parts of the planet, only to realise what a mess it is and that I should probably just have mowed the lawn instead. It would have been easier on the brain. So, just to give you something to think about over the weekend, or to discuss at a BBQ: is an IP address personal data? If you are in a rush, the conclusion I came to was: it depends.

Just before we go on, I will start all of this by saying I am not a lawyer (IANAL), just a security guy trying to make sense of things and likely getting some of it wrong. So if you have a need to know for sure, I suggest you ask a lawyer.

Before we get to IP addresses we'll need to define what personal data is. This seems to be fairly consistent between countries. This is likely because most privacy legislation is based on the OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data, first adopted in 1980 after almost 10 years of discussion. Generally, the definition of personal data boils down to any information that can identify a particular individual. Some countries expand this by explicitly listing things such as race, religion, sex and other information that most of us would consider personal.

From an IP address perspective, do IP addresses fit that definition? This is where it starts getting very muddy. It appears that in some countries the answer is yes and in others it is no. To add a third option, some countries go with: only if it is combined with other items that identify a person.

When we started discussing this, Swa, one of the other handlers, pointed out this document: Study of case law on the circumstances in which IP addresses are considered personal data. It is a study of the various laws in the EU and how they relate to the EU directives regarding privacy (page 16 especially). The rest of the document is a good read, but the table on page 16 makes it very clear how confused privacy laws can be. The table shows, for example, that in Austria there is no doubt: IP addresses are personal data. In the Netherlands they are not. In Bulgaria they are when combined with other information. In Italy they most certainly are. As for the rest of the world? In the US the answer seems to be no, they aren't. In AU, the approach tends to be that when combined with other personal data they are. If you happen to know your local situation, add it to the comments.

When I read the study from Timelex, other questions popped into my head. So if IP addresses are personal data, can I have web logs? Can I use a third party to track visits? Probably not, at least not if I'm based in those countries that say IP addresses are personal data. Mind you, many countries do have exemptions for research and security related activities, so sharing log extracts, etc. is still OK (remember IANAL, so check if you need to be certain).

Other questions also popped up. Can I outsource to other countries? Maybe I can share the data with them, but can they give it back? Whose laws apply when I place stuff in the cloud? For example, the amendments to India's laws, according to informationweek.com, apply to data collected in India, but also to data provided by overseas companies. What if you are a multinational? Which privacy laws apply?

Plenty to think about, and I'm not suggesting that we should all become privacy experts or international privacy lawyers. What I am suggesting, however, is that you may need to point out that it needs to be thought about. After all, our job is to help protect the organisation from risk.
If you want more info, Wikipedia has some good links from their Privacy Law page. Some of the other resources around:

OECD Privacy Principles
OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data
AU - http://www.privacy.gov.au
EU - http://europa.eu/legislation_summaries/information_society/data_protection/l14012_en.htm
UK - http://www.ico.gov.uk/
HK - http://www.pcpd.org.hk
CA - http://www.priv.gc.ca/

If you have some resources, preferably from official bodies, that you think others should know about, add them to the comments or send them in.
Enjoy the weekend.
Mark H (c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
The people behind Megaupload might be working hard to get the site back up, but so are scammers.
Piston Cloud Computing co-founder Josh McKenty has laid out the same objective on several occasions, from speaking to attendees at the inaugural OpenStack design summit to addressing friends and colleagues at his company's launch party: "Let's finish where we started."
Microsoft has given details on a variety of ways in which the upcoming Windows 8 operating system does a better job than its predecessors at letting users manage their connections to Wi-Fi and mobile broadband networks.
Does the USA Patriot Act give the U.S. government too much access to data stored on the cloud servers of American providers regardless of where those servers are located? That's the concern among European IT leaders.
Avaya WinPDM Multiple Buffer Overflow Vulnerabilities
WhatsApp Multiple Security Bypass Vulnerabilities
Logsurfer 'prepare_exec()' Double Free Local Denial of Service Vulnerability
The Web site and office tools of online services company Zoho were knocked offline Friday by a power outage in its data center.
SSD-maker Micron Technology announced it has signed an agreement to purchase Virtensys, a maker of PCIe virtualization appliance.
Mozilla yesterday extolled the impact of its 12-hour participation in Wednesday's anti-SOPA strike, saying Firefox users and fans generated over a third-of-a-million emails to the U.S. Congress.
Cacti Unspecified SQL Injection and Cross Site Scripting Vulnerabilities
I had to check that my computer wasn't an old black-and-white television set showing blocky white text Thursday morning and that I wasn't clacking away on a 6502 computer over a 110-baud modem when I heard about Apple's announcements relating to iBooks 2, iBooks Author, and its new multimedia textbooks. That's because I've heard it all before.
The Anonymous hacking group recruited unwitting accomplices in Thursday's attacks against U.S. government sites, a security researcher said today.
Websites that load the top of their pages with ads, forcing visitors to scroll down to view content, will take a hit on their Google rankings.
[ MDVSA-2012:010 ] cacti
[ GLSA 201201-04 ] Logsurfer: Arbitrary code execution
Intel on Friday shuffled management as it enters a new fiscal year, appointing a new chief operating officer and new heads to run the PC and data-center groups.
AlienZ, who has hacked a few things this week and released a bit of data, has now gone and hacked a Palestine website and left a message stating "We are AlienZ. We are Israel's cyber army." This shows that more and more hackers are coming out every day and joining all sides to continue this cyber war; 2012 will end up being known for it.

@anon_4freedom aka SEPO today has hacked two stock market websites: very early today the Ghana Stock Exchange was hacked and a dump of data was leaked, and now the Botswana Stock Market has been hacked as well.

There were weak spots in the last quarter of 2011 for sector bellwethers Google, IBM, Intel and Microsoft, but corporate demand for technology appeared to remain resilient going into what is expected to be a year of slower growth for global IT spending.
A judge on Friday shot down Oracle's offer to put its Java patent-infringement claims against Google over the Android mobile OS on hold, in exchange for a speedier trial on its copyright claims.
The OpenSSL Project has released new versions of the popular OpenSSL library in order to address a denial-of-service (DoS) vulnerability that was introduced by a critical patch issued on Jan. 6.
DC4420 - London DEFCON - 24 January 2012
InfoSec Southwest 2012 Open Registration
[Suspected Spam] Barracuda Spam/Virus WAF 600 - Multiple Web Vulnerabilities
Webcalendar 1.2.4 'location' XSS
appRain CMF <= 0.1.5 (uploadify.php) Unrestricted File Upload Vulnerability
Re: pwgen: non-uniform distribution of passwords

Information Assurance CLAS Consultant
... sector clients providing CLAS security architecture advice as well as guidance on security issues associated with, inter alia, Encryption, Remote System Access, Firewalls, Access Control and Internet products in line with current HMG Infosec policy. ...

Sen. Patrick Leahy, the lead sponsor of the controversial Protect IP Act, today criticized the "knee-jerk' reaction of fellow senators to this week's protests against the bill. He vowed to press on with it.
Megaupload users are crying foul after their personal files, not necessarily copyright-infringing material, stored with the file-sharing service were seized on Thursday along with a trove of illegally distributed copyrighted works.
Yesterday saw many major Web sites going into blackout to protest SOPA and PIPA ... but, to their shame, a few of the biggest opted out
U.S. Senate Majority Leader Harry Reid has postponed a vote on the controversial Protect IP Act, scheduled for Tuesday, as a growing number of senators voice opposition to the copyright enforcement bill.
Researchers showcased unpatched security flaws in software used to control critical industrial systems by oil, gas, water and electrical distribution plants at the 2012 SCADA Security Scientific Symposium (S4) on Thursday.
The rules governing e-discovery apply to social media and trump both a social media website's privacy guidelines and an individual user's privacy preferences.
The district court in Mannheim, Germany has decided that Apple did not infringe on a patent asserted by Samsung Electronics against the iPhone and iPad, as the legal battle between the two companies continues unabated.

The cyber crimewave (Evening Standard)

Those defending the UK's cyberspace rely on this camaraderie, as pay is low: the competition by GCHQ was for a position with an annual salary of £25000 - about half as much as an Infosec expert could earn at a private company, and much lower than on ...
Holiday sales of new tablets and e-readers have catapulted e-book borrowing at many of the nation's libraries, raising the question of how libraries can keep up with demand -- especially when some publishers still balk at e-book lending.
Nokia plans to launch a Windows Phone 7 handset for the Chinese market in the first half of this year, positioning itself to be among the first companies to officially bring Microsoft's mobile OS to the country, a Nokia spokesman said Friday.
Windows' contribution last quarter to Microsoft's revenue hit its lowest point since Vista's swan song more than two years earlier, according to figures released by the company Thursday.
X.Org XServer ScreenSaver Lock Bypass Vulnerability

Posted by InfoSec News on Jan 20


By Jeffrey Roman
Bank Info Security
January 19, 2012

Recently discovered viruses, consisting of Trojans and other malware, at
City College of San Francisco have stolen personal banking information
and other data from perhaps tens of thousands of students, faculty and
administrators, says John Rizzo, president of the board of trustees.

The college first noticed the infection in late...

Posted by InfoSec News on Jan 20


By Kim Zetter
Threat Level
January 19, 2012

MIAMI, Florida -- A group of researchers has discovered serious security
holes in six top industrial control systems used in critical
infrastructure and manufacturing facilities and, thanks to exploit
modules they released on Thursday, have also made it easy for hackers to
attack the systems before they’re patched or taken...

Posted by InfoSec News on Jan 20


By Brid-Aine Parnell
The Register
19th January 2012

A computer programmer has been charged with stealing source code worth
$9.5m from the Federal Reserve Bank of New York, according to the FBI
and prosecutors.

Bo Zhang, a 32-year-old from Queens in New York, was cuffed on suspicion
of swiping the Government-wide Accounting and Reporting (GWA) software,

Posted by InfoSec News on Jan 20


By Fahmida Y. Rashid

Based on SE Linux, SE Android—developed by the U.S. National Security
Agency—is a security-enhanced version of Google's mobile platform with
stricter access-control policies.

The National Security Agency has publicly released SE Android, a secure
version of Google's mobile...

Posted by InfoSec News on Jan 20


By Nancy Gohring
IDG News Service
January 19, 2012

The hacker group Anonymous is claiming responsibility for attacks that
have taken down websites run by Universal Music, the U.S. Department of
Justice and the Recording Industry Association of America in retaliation
for the government's removal of the Megaupload websites....

Posted by InfoSec News on Jan 20


By Ericka Chickowski
Contributing Editor
Dark Reading
Jan 18, 2012

Oracle's Tuesday release of its Critical Patch Update (CPU) garnered a
continuation of criticism from the database security community, with
researchers pointing to a mounting list of unfixed vulnerabilities that
date back to 2009,...

Posted by InfoSec News on Jan 20


By Sophie Curtis
19 January 2012

SQL injection attacks have been around for more than ten years, and
security professionals are more than capable of protecting against them;
yet 97 percent of data breaches worldwide are still due to an SQL
injection somewhere along the line, according to Neira Jones, head of
payment security...