NEWS/RESEARCH FOCUS

customers remains a priority for TJX. Beyond the many millions of dollars we have spent to add significant security to our computer system, we are installing security measures which exceed those of many other retailers and current industry requirements.”

The settlement must be accepted by the banks that issued 90% of the fraud claims after the breach in order to go ahead. In return, the banks agree not to sue TJX. The company has also settled with the Federal Trade Commission, promising to put in place strong security policies and to undergo an independent audit every two years for 20 years.

Data brokers Reed Elsevier and Seisint have also settled with the FTC for allegedly allowing customers to use easy-to-guess passwords. “By now, the message should be clear: companies that collect sensitive consumer information have a responsibility to keep it secure,” said FTC chairman Deborah Platt Majoras. “These cases bring to 20 the number of complaints in which the FTC has charged companies with security deficiencies in protecting sensitive consumer information. Information security is a priority for the FTC, as it should be for every business in America.”

Website: www.tjx.com and www.ftc.gov
Controversy surrounds Phorm

The possibility of ISPs allowing tailored advertisement generation via the controversial Phorm program in the UK is facing criticism.
A Cambridge academic has published a detailed brief of Phorm operation, which he says is illegal. Richard Clayton believes Phorm carries out illegal interception as defined by the Regulation of Investigatory Powers Act. Phorm collects addresses and content of websites visited and then slots a user into advertising categories. The user then gets to see customised advertisements rather than random ones.
BT confirmed that it was planning a trial of the technology involving 10 000 broadband users. The Information Commissioner’s Office (ICO) says users have to opt in to use Phorm in line with European data protection rules. Phorm intended that users would only have to opt out.

An ICO spokesman said in a statement: “The ICO has received a number of queries concerning the recent announcement by Phorm that three major UK Internet Service Providers have agreed to allow them to use technology, developed by Phorm, to present adverts to their customers based on the nature of the websites they visit. Understandably, this has provoked considerable public concern. We have had detailed discussions with Phorm. They assure us that their system does not allow the retention of individual profiles of sites visited and adverts presented, and that they hold no personally identifiable information on Web users.”

Website: www.phorm.com
Digging deeper for evidence

Researchers have found a way of making more auditable data available for forensics.

Paper: Run-time label propagation for forensic audit data
Authors: Florian Buchholz, Eugene H. Spafford
Published: Computers & Security 26 (2007)

Florian Buchholz, of James Madison University, and Eugene Spafford, of Purdue University, have proposed a way of gathering more audit data than the usual method. In the paper Run-time label propagation for forensic audit data they present a method of propagating arbitrary meta-information bound to principals on a system. The academics discuss implementing the idea on the FreeBSD operating system and present a proof-of-concept implementation.

“If the need arises to investigate an incident as part of a forensic investigation or incident response, the information available to an investigator is often minimal as not everything is recorded on a permanent basis,” said the paper. “Most of the effort to date in the digital forensics community has been in the retrieval and analysis of existing information from computing systems. Little has been done to increase the quantity and quality of the forensic information on computing systems.”

The authors present a methodology allowing a system to bind arbitrary information, in the form of a label, to its principals. The labels are propagated to other principals and objects on the system according to the information flow between subjects. The research focuses on capturing two types of information that current operating systems cannot supply: user influence and location information. “When examining processes and objects on the system we now can make statements as to whether or not they were influenced by external factors such as different users of remote locations,” said the paper. The authors say the limitations of the approach may include privacy, label accumulation, multi-threading and multi-processors, and label retention.

Computer Fraud & Security, May 2008, p. 4
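The following is an added illustration of the principle described above, written for this page; it is not the authors' FreeBSD proof-of-concept and does not reproduce their label format or kernel hooks. It models principals (processes) and objects (files) as entities carrying a set of labels, binds user-influence and location labels at login, and propagates labels along information flow (fork, read, write), recording each step in an audit trail an investigator could query. The session names, file paths and the remote address 198.51.100.7 are constructed sample values.

```python
"""Toy simulation of run-time label propagation for forensic audit data.

Added example (not the paper's implementation). Labels are (kind, value)
tuples such as ("user", "bob") for user influence or ("location",
"198.51.100.7") for the origin of a remote session. Labels only ever grow,
which also makes the label-accumulation limitation visible.
"""
from dataclasses import dataclass, field


@dataclass
class Entity:
    """A principal (process) or object (file) with its attached labels."""
    name: str
    labels: set = field(default_factory=set)


class LabelTracker:
    """Binds labels to principals and propagates them along information flow."""

    def __init__(self):
        self.entities = {}
        # Each record: (event, source, destination, labels newly attached).
        self.audit_log = []

    def entity(self, name):
        return self.entities.setdefault(name, Entity(name))

    def _flow(self, src, dst, event):
        """Copy every label src carries onto dst; labels are never removed."""
        src, dst = self.entity(src), self.entity(dst)
        new = src.labels - dst.labels
        dst.labels |= new
        self.audit_log.append((event, src.name, dst.name, sorted(new)))

    def login(self, proc, user, location):
        """Bind user and location labels to a session's first process."""
        p = self.entity(proc)
        p.labels |= {("user", user), ("location", location)}
        self.audit_log.append(("login", user, proc, sorted(p.labels)))

    def fork(self, parent, child):
        self._flow(parent, child, "fork")        # child inherits parent's labels

    def read(self, proc, obj):
        self._flow(obj, proc, "read")            # object -> process

    def write(self, proc, obj):
        self._flow(proc, obj, "write")           # process -> object

    def influenced_by(self, name, label):
        """Forensic query: did this user/location ever influence the entity?"""
        return label in self.entity(name).labels

    def labels_of(self, name):
        return sorted(self.entity(name).labels)

    def provenance(self, name):
        """Audit records that delivered labels to the entity, in order."""
        return [r for r in self.audit_log if r[2] == name and r[3]]


def demo():
    """Constructed scenario: a remote user's data reaches a local config file."""
    t = LabelTracker()
    t.login("sh[alice]", "alice", "console")          # local console session
    t.login("sshd[bob]", "bob", "198.51.100.7")       # remote ssh session
    t.fork("sshd[bob]", "sh[bob]")
    t.write("sh[bob]", "/tmp/notes.txt")              # bob's labels reach the file
    t.fork("sh[alice]", "editor[alice]")
    t.read("editor[alice]", "/tmp/notes.txt")         # bob's labels reach alice's editor
    t.write("editor[alice]", "/etc/app.conf")         # ... and then the config file
    t.login("cron[root]", "root", "local")
    t.write("cron[root]", "/var/log/cron")            # untouched by bob's flow
    return t


if __name__ == "__main__":
    t = demo()
    for name in ("/etc/app.conf", "/var/log/cron"):
        print(name, t.labels_of(name))
    for record in t.provenance("/etc/app.conf"):
        print(record)
```

The `influenced_by` query answers the question the paper poses ("was this object influenced by another user or a remote location?"), and `provenance` gives the chain an investigator would follow back; the size of `labels_of("/etc/app.conf")` shows why label accumulation is listed as a limitation.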