Archive for the ‘IT News’ Category

Ten Top Real ID Complaints

Thursday, April 19th, 2007

I’ve taken a couple of opportunities to express my concerns with the Real ID Law.

Wilson Dizard III shared this list in a recent edition of Government Computer News that I felt was worth sharing with you.

Ten Top Real ID Complaints

The Real ID law has met with a fusillade of criticism from state and federal lawmakers, privacy advocates, state executive branch officials and commentators. Opponents have cited dozens of potential technical problems, including:

10. Only one of the five national systems that state motor vehicle departments will need to implement the Real ID law is currently ready, according to the National Governors Association. DHS itself concedes that some federal “reference databases” aren’t yet complete.

9. Real ID calls for states to use a single array of security features for driver’s license cards, which could force states to abandon existing card issuance systems.

8. The federal government lacks a uniform naming convention that would facilitate states’ electronic verification between files.

7. The door remains open for creation of a de facto national identity database.

6. The draft Real ID rule doesn’t include a redress process, which likely will become a technical as well as a policy issue, because thousands of people now have driver’s licenses with faulty data.

5. The draft doesn’t require that data on the license’s machine-readable zone (MRZ) be encrypted. DHS has said that distributing encryption keys, or a single, common key to the 16,000 state and local law enforcement agencies that will need access to the MRZ data would pose an unacceptable challenge. The department said it would favor MRZ encryption if the practical problems could be solved and raised the possibility that the MRZ shouldn’t include the bearer’s address.

4. Some critics charge that Real ID magnifies privacy risks, partly by shirking the requirement that federally sponsored systems meet the standards of the Federal Information Security Management Act. The draft rule states that it doesn’t create a national database because it leaves the interstate data exchange decisions to the DMVs. That statement prompted Jim Harper, director of information policy studies for the Cato Institute, to posit that DHS was saying, “My car didn’t hit you—the bumper did.”

3. DHS has failed to require that the MRZ omit the race identifier field.

2. Real ID fails to take advantage of identity verification processes the federal government already carries out when it issues passports, military IDs, Transportation Worker Identification Cards and some federal employee credentials. The National Conference of State Legislatures has asked why, if individuals holding such documents can already board an airliner, they should be checked again to get a driver’s license.

1. Technical challenges, such as the apparently inadvertent omission of several categories of legal residents eligible for the credentials and the high cost to states of complying with the law, have spurred a vigorous rejection campaign in state capitals. Idaho and Maine already have enacted laws rejecting the Real ID requirements, and similar legislation is pending in dozens of additional states.

I’d like to hear your comments, pro or con, on this law.

Keep Watch for “Storm Trojan”

Friday, April 13th, 2007

According to headlines on ComputerWorld yesterday, the largest spam attack in the past year is well underway.

“Arriving with subject headings touting Worm Alert!, Worm Detected, Spyware Detected!, Virus Activity Detected!, the spam carries a ZIP file attachment posing as a patch necessary to ward off the bogus attack. The ZIP file, which is password protected — the password is included in the message to further dupe recipients — actually contains a variant of the “Storm Trojan” worm, which installs a rootkit to cloak itself, disables security software, steals confidential information from the PC and adds it to a bot army of compromised computers,” according to the article by Gregg Keizer.

Postini has already counted nearly 5 million copies of the spam in the last 24 hours, and calculated that the run currently accounts for 87% of all malware being spread through e-mail. Spam rates have jumped as well; Postini said 79% of all e-mail is now spam, according to Adam Swidler, senior manager of solutions marketing at Postini, who was quoted in the article.

This attack is certainly a good reminder that systems need to have anti-virus and anti-spam software installed and operating, but, perhaps even more than that, it’s a great reminder to use common sense and not open emails or attachments unless you know their source.

More On the Real ID Act

Wednesday, April 4th, 2007

It’s always gratifying to post your thoughts in a blog and then see them validated somewhere else.

A few weeks back, I shared my thoughts on why the Real ID Act was a really bad idea. In a recent edition of GCN, columnist William Jackson offered similar opinions to mine.

In his commentary, Jackson makes these important points:

  1. The Real ID Act is an unfunded mandate
  2. While the deadline for implementation is May 2008, Homeland Security has yet to release compliance regulations for the Act
  3. The Real ID Act requires interconnected databases of personal information on each of the 245 million people receiving cards, with absolutely no safeguards on the data or how it can be used
  4. The Real ID Act was passed without debate – it was slipped into a spending bill that provided relief funding for troops and tsunami relief

While 25 states are either urging Congress to repeal or reform the law, only Maine has actually passed a resolution refusing to comply.

I agree with Jackson – the issue is not what can be done to delay or reshape the act, as some in both the House and Senate are attempting to do, but whether a national ID is advisable at all.

We all must understand – this is legislation that has passed. Without action, it will be implemented in just over a year.

No one should let that happen…

How IT Can Minimize Gift Card Fraud

Tuesday, April 3rd, 2007

Frank Hayes, senior news columnist at Computerworld, is one of those writers who make you want to read a magazine from the back to the front. Hayes’ column, Frankly Speaking, appears at the very back of each edition and is almost always a “must read.”

Last week, Hayes’ column, 8 Million Reasons, really struck a chord with me. Sometimes we spend so much time trying to blame somebody for problems that we fail to make the effort to identify ways to solve them.

One of the revelations coming from the TJX breach was the arrest of a Florida gang who had used some of the stolen cardholder information to obtain at least $8 million in Wal-Mart gift cards. Hayes identifies two key areas where IT could have thwarted or at least minimized the gift card scam.

  1. After credit cards are reported stolen and have been deactivated, retailers should use the list of stolen card numbers to automatically search their own recent transactions for suspicious activity – such as sales of gift cards. If they find gift cards that were purchased with stolen cardholder information, they can deactivate those gift cards and recover some of the money.
  2. Even if fraudulently purchased gift cards have already been used, those transactions could be flagged so that if the merchandise is brought back for a refund, the return is spotted at that point. Again, merchandise is recovered and there is no further cash loss from providing a refund.
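The two steps above amount to a reconciliation job over the retailer's own transaction log. The following is an added worked example (it is not code from Hayes' column, Wal-Mart or TJX): it cross-references a list of card tokens reported stolen against recent gift card purchases, computes the balance still recoverable by deactivating those gift cards, and then flags refunds whose original sale was paid for with a tainted gift card. All card tokens, transaction ids and amounts are constructed sample data, and the record layout is an assumption chosen for the example.

```python
"""Added example: gift card reconciliation against a stolen-card list.
Not Hayes', Wal-Mart's or TJX's code; data below is constructed."""
from dataclasses import dataclass

# The job works on card tokens (e.g. a tokenized PAN) rather than raw
# card numbers, so it never needs cardholder data in the clear.
# These tokens are constructed placeholders.
STOLEN_CARD_TOKENS = {"tok-A1", "tok-B2"}


@dataclass(frozen=True)
class Txn:
    txn_id: str
    kind: str                 # "gift_card_purchase", "sale" or "refund"
    card_token: str = ""      # payment card used to buy a gift card
    gift_card: str = ""       # gift card issued (purchase) or tendered (sale)
    original_sale: str = ""   # for refunds: the sale being returned
    amount: float = 0.0


# Constructed sample of a retailer's recent transaction log.
RECENT_TXNS = [
    Txn("t1", "gift_card_purchase", card_token="tok-A1", gift_card="gc-100", amount=500.0),
    Txn("t2", "gift_card_purchase", card_token="tok-Z9", gift_card="gc-101", amount=50.0),
    Txn("t3", "gift_card_purchase", card_token="tok-B2", gift_card="gc-102", amount=400.0),
    Txn("t4", "sale", gift_card="gc-100", amount=480.0),    # goods bought with gc-100
    Txn("t5", "sale", gift_card="gc-101", amount=45.0),     # legitimate gift card use
    Txn("t6", "refund", original_sale="t4", amount=480.0),  # return of the t4 goods
    Txn("t7", "refund", original_sale="t5", amount=45.0),   # legitimate return
]


def gift_cards_bought_with_stolen_cards(txns, stolen_tokens):
    """Step 1: gift cards whose purchase was paid with a card later
    reported stolen. These are the cards to deactivate."""
    return {t.gift_card for t in txns
            if t.kind == "gift_card_purchase" and t.card_token in stolen_tokens}


def recoverable_balance(txns, tainted_gift_cards):
    """Money still on the tainted cards, i.e. what deactivation recovers.
    Cards already spent down (gc-100 here) yield little; step 2 covers them."""
    balance = {gc: 0.0 for gc in tainted_gift_cards}
    for t in txns:
        if t.kind == "gift_card_purchase" and t.gift_card in balance:
            balance[t.gift_card] += t.amount
        elif t.kind == "sale" and t.gift_card in balance:
            balance[t.gift_card] -= t.amount
    return sum(max(v, 0.0) for v in balance.values())


def refunds_to_hold(txns, tainted_gift_cards):
    """Step 2: refunds whose original sale was tendered with a tainted
    gift card. Holding them stops the fraud from being cashed out as a return."""
    tainted_sales = {t.txn_id for t in txns
                     if t.kind == "sale" and t.gift_card in tainted_gift_cards}
    return sorted(t.txn_id for t in txns
                  if t.kind == "refund" and t.original_sale in tainted_sales)


def reconcile(txns, stolen_tokens):
    """Run both steps; meant to be scheduled each time a stolen-card list arrives."""
    cards = gift_cards_bought_with_stolen_cards(txns, stolen_tokens)
    return {
        "deactivate": sorted(cards),
        "recoverable": recoverable_balance(txns, cards),
        "hold_refunds": refunds_to_hold(txns, cards),
    }


if __name__ == "__main__":
    print(reconcile(RECENT_TXNS, STOLEN_CARD_TOKENS))
```

In the sample, gc-100 was bought with a stolen card and mostly spent before the stolen-card list arrived, so deactivating it recovers only the small remainder; the refund of that merchandise (t6) is what step 2 catches. gc-102 is unspent and its full value is recovered by deactivation, while gc-101, t5 and t7 are untouched.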

Hayes points out that IT has the ability to make this all possible automatically and continuously. The data is there, but the software and database performance isn’t.

It’s easy to point fingers in a case like TJX. The hard part is to do something about it. Taking steps to blunt the gift card scam is one really positive way to reduce the value of stolen cardholder data.

TJX’s SEC Filing Raises New Questions

Friday, March 30th, 2007

TJX’s 10-K filing to the Securities and Exchange Commission was made public Wednesday and has made for a whole new set of news stories, blog postings, and speculation.

The report seems to indicate that the TJX Companies, Inc. were employing encryption technology on their cardholder transactions and did delete confidential data on some sort of a regular basis. That’s the good news.

The bad news is the intruders apparently were able to capture the card information of 46 million users by installing software on the systems at TJX’s Framingham headquarters that copied the information prior to it being encrypted. TJX also admitted that it appears the intruders had a copy of their encryption key, apparently as a back-up in case the software failed to work or the data was encrypted prior to the point where the software captured it.

Needless to say, the new questions will swirl around how rogue software was allowed to remain in their systems for so long without detection, as well as how the key was obtained.

The information in the 10-K only reveals TJX’s perspective of what happened. It will be interesting to see what is revealed as the SEC begins to dig into this further.

Have these latest revelations changed your perspective on the TJX breach at all? I’d be curious to hear whether these new details are swaying opinions, one way or the other.

Congress’ Double-minded View of Data Security

Friday, March 23rd, 2007

I wrote a few weeks ago about the incredible abuses of data perpetrated by the Governor of Arkansas and the Chicago Elections Board. So, I just had to shake my head when I read Jim Rapoza’s column in eWeek.

Rapoza calls out the schizophrenia that appears to be affecting Congress with the introduction of the Personal Data Privacy and Security Act of 2007, which is designed to provide prompt notification to victims when data breaches occur and to make companies accountable for the lack of security that may have led to the breach (think a national version of California SB 1386).

The flip side of this is Rep. Lamar Smith’s Safety Law. Its intent is to stop adults who exploit young people over the Internet. However, the law, if passed, would require ISPs and possibly every Web site to store all the data of Internet users just in case it’s needed in a future court case. There would potentially be no maximum time limit for this data to be retained. There’s even a possibility that this law could allow this data to be used for civil legal actions. Can you imagine the potential ramifications of that? Employers scouring employee Internet use. Divorce cases with Internet activity disclosed.

Ironically, this same Rep. Smith was also the sponsor of the Telephone Records and Privacy Protection Act of 2006, which protects phone records and makes pretexting illegal.

A reasonable balance needs to be found between individual privacy and the need to retain certain data necessary to identify illegal activity. But is Congress, with all of the various special interest groups pandering to them, the right people to find this balance?
