STE WILLIAMS

Campaign launched to teach consumers about ad-stalking

An organisation representing US marketing bodies has launched a new advertising campaign to raise consumer awareness of online behavioural advertising (OBA).

The Digital Advertising Alliance (DAA) campaign, called ‘Your AdChoices’, consists of banner advertising designed to drive users towards “educational videos” and controls over how adverts are personalised to them, it said.

The DAA, which comprises four marketing bodies including the Internet Advertising Bureau (IAB) and Direct Marketing Association, said the initiative would help inform internet users about the way OBA works, but a privacy group told Out-Law.com that the campaign would not address privacy concerns over how consumer data was collected and used.

In 2010, the DAA published a self-regulatory code on OBA requiring advertisers and website operators signed up to the scheme to provide internet users with certain information about the personalisation of ad content.

One of the rules of the code requires OBA companies to post an interactive icon that indicates that ads have been served through personalised targeting. The icon links through to a website that contains information on how data collected from individuals is used to serve personalised ads. The website also enables users to manage controls over what data individual operators can collect about them.

Publishers and advertising networks use cookies to track user behaviour on websites in order to target adverts to individuals based on that behaviour. By tracking a user’s activity, companies build up a picture of that person’s interests so that they can serve advertising for goods and services they think the person will respond to.

“With widespread industry adoption of the DAA’s self-regulatory principles, the DAA remains committed to informing consumers about interest-based advertising, online data collection and use, and the simple way they can exercise control over their web viewing data,” Peter Kosmala, managing director of the DAA, said in a statement. “This highly creative public education campaign is an important step in that ongoing process.”

“The initial stage of this multi-phase online campaign includes banner advertising that directs consumers to the DAA’s Icon and links to a new information website, www.youradchoices.com, which features three educational videos and a user-friendly consumer choice mechanism,” the DAA statement said.

The interactive icon features on 900 billion “ad impressions” every month, and more than 400 companies, including American Express, Microsoft and Disney, are signed up to observe the OBA code, the DAA said. Earlier this month, the IAB said that companies signed up to the OBA framework should display the interactive icon alongside almost every ad that is served.

Last year IAB Europe issued guidelines on what website operators signed up to the voluntary OBA framework should do to comply with the rules. Posting an interactive icon, complete with accompanying explanatory language, is just one of the rules set out in the code.

Website operators must also give users access to an easy method for turning off cookie tracking on their own site, and must make it known to users that they collect data on them for behavioural advertising, the regulations stipulate. Websites adhering to the regulations also have to publish details of how they collect and use data, including whether personal or sensitive personal data is involved. Details of which advertisers or groups of advertisers they make the data available to also have to be published.

The code has been criticised by EU privacy watchdog the Article 29 Working Party, which has said the methods used for displaying information to users and allowing them to opt out of behavioural tracking are insufficient on their own to confer user consent to being tracked, as required by EU law.

Nick Pickles, director of privacy and civil liberties group Big Brother Watch, told Out-Law.com that although the DAA’s consumer education drive was a “positive step”, it was still “far from clear” whether self-regulation could deliver privacy for internet users.

“Internet users need to be confident that if the law is not being adhered to, there is a proper regulator who can take up their complaint and deliver an effective remedy. For UK web users, it is far from the case that they have such a regulator to protect their interests. Consumers still remain largely in the dark about just how much information is being collected about them online for advertising purposes, not just in browsing habits but also social networking and email scanning,” Pickles said.

Under the EU’s Privacy and Electronic Communications Directive storing and accessing information on users’ computers is only lawful “on condition that the subscriber or user concerned has given his or her consent, having been provided with clear and comprehensive information … about the purposes of the processing”.

An exception exists where the cookie is “strictly necessary” for the provision of a service “explicitly requested” by the user – so cookies can take a user from a product page to a checkout without the need for consent, for example.

The Directive takes its definition of ‘consent’ from EU data protection laws, which state that consent must be “freely given, specific and informed”. The new laws were implemented into UK law in May. The amended Privacy and Electronic Communications Regulations state that website owners must obtain “informed consent” to tracking users through cookies. The UK’s Information Commissioner’s Office has the power to impose penalties of up to £500,000 on websites that breach the new regulations.

In June 2011, the EU Commissioner Neelie Kroes gave EU companies a year to standardise the way internet users could opt out of being tracked. She said the companies could learn from the advertising sector’s self-regulatory rules.

However, the European Data Protection Supervisor criticised Kroes’ recommendation of the OBA code and said the self-regulatory rules “failed to implement the new consent requirement”.

The IAB has insisted that its OBA code was not designed to be compliant with the EU Directive, but that it could be used alongside other methods in order to obtain consent.

Randall Rothenberg, IAB president and chief executive, told Out-Law.com that the DAA’s advertising campaign will help users gain control over the things they see online.

“The power of digital is in its ability to give people exactly what they want when they want and where they want it,” Rothenberg said.

“Now, alongside the DAA, the entire interactive industry has come together to strengthen our commitment to consumers – first, by self-regulating to assure their privacy rights and expectations are served; second by providing resources to allow them to understand and manage the use of their personal data; and third, to guide them toward the advertising, news, information, and entertainment that is most relevant to their interests,” he said.

Copyright © 2012, OUT-LAW.com

OUT-LAW.COM is part of international law firm Pinsent Masons.

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/01/24/ad_campaign_launched_to_educate_consumers_about_online_behavioural_dvertising/

Councils tout £1.2bn for IT whizkid to grab their backend

A one-billion-pound contract is up for grabs as three London councils hunt for IT hotshots to streamline their back-office systems – handling everything from criminal record checks and financial accounts to the payroll and psychometric testing.

Westminster Council is spearheading the search for an IT provider that will service its needs and those of Kensington & Chelsea and Hammersmith & Fulham councils. A further 17 local authorities, including Islington, Camden and Hackney, have signed up to use the procurement process.

The job, which could be worth up to £1.2bn, was advertised last week in the Official Journal of the European Union, and Westminster expects to have chosen a provider by the end of 2012.

The councils are seeking to make big spending cuts by outsourcing a slew of their backend admin services. Under the new contract the external provider would perform everything from Criminal Record Bureau checks to HR and sorting out staff wages. Simple tasks, such as help desks and document scanning, would be outsourced too.

The work will be advertised in four separate lots: HR and finance; e-sourcing; property asset data management; and business intelligence. The framework will last for four years and the contract, once procured, will last for five years with an option for a three-year extension. Back in June, Westminster CIO David Wilde explained that the separate lots would not necessarily all go to the same provider.

The business intelligence lot involves storing, crunching and manipulating council data. E-sourcing seems to involve the management of council websites and online help services.

Currently London councils use a patchwork of services – both in-house and external – to maintain their IT and admin work: under the new move, codenamed Programme Athena, the bevy of 20 councils hope to save money by rationalising their services and creating a London-wide ICT framework. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/01/24/council_contract/

US Senator’s Twitter account back after hack

The office of US Senator Chuck Grassley has confirmed that his Twitter account was taken over and used to launch anti-SOPA messages on Monday, US time.

According to Reuters, at least eight messages were sent by someone claiming to be part of Anonymous while the Senator was flying from Iowa to Washington.

In this video, the attacker apparently shows nearly ten minutes of tweeting-as-@ChuckGrassley:

The main message was “Dear Iowans, vote against ACTA, SOPA, and PIPA, because this man, Chuck Grassley, wants YOUR internet censored and all of that BS” – noted in many headlines as offering better grammar than the Senator typically uses.

Senator Grassley has since regained control over his account and had the password changed. Although he was among the sponsors of SOPA’s Senate counterpart, the Protect IP Act (PIPA), he withdrew his support last week. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/01/23/senator_grassley_twitter_crack/

Sourcefire jumps into anti-malware market

Sourcefire, the security biz behind the commercial versions of the open-source Snort intrusion-detection software, is bowling itself at enterprises and touting tech designed to quickly detect and block malware outbreaks.

FireAMP offers a malware discovery and analysis tool that offers visibility of threats and outbreak control. The technology offers a means to limit the damage from virus infections, which Sourcefire argues are more or less inevitable, especially in the face of ever more sophisticated and numerous threats.

Oliver Friedrichs, senior vice president of Sourcefire’s Cloud Technology Group, told El Reg that “threats are getting by existing defences”. Sourcefire has positioned FireAMP to cover for the shortcomings of endpoint protection technology, rather than offering a replacement, at least with the first iteration of the technology.

“We’re not necessarily interested in replacing anti-virus or building better mousetraps,” explained Friedrichs, an ex-staffer at both Symantec and McAfee. “FireAMP could replace anti-virus, but it’s not going to replace it immediately, especially because firms have invested in conventional security software. We’re offering FireAMP as a way to shore up defences.”

“We don’t pretend our tool can detect 100 per cent of malware – nothing can,” he added.

FireAMP uses data analytics to analyse and block malware. Security analysts can write their own signatures for digital nasties in much the same way that they create Snort attack signatures, albeit in a slightly different context. Sourcefire claims the cloud-based approach the technology uses is capable of identifying and scoring threats missed by other security layers.

Whitelisting

The technology can be used to block particular strains of malware without running system scans. It can equally be used to whitelist benign apps, an approach that helps to reduce the possibility of false positives.

Deploying the technology involves installing a “flight-recorder”-like client agent on PCs, which allows firms to quickly figure out which process introduced malware into their environment and how malicious files subsequently spread on their network. This agent communicates with a cloud-based analysis engine and is designed to co-exist with any anti-virus or security software running on computers (so it is unlike running two anti-virus clients on the same PC, a set-up that always ends in tears).

Sourcefire’s technology allows the “patient zero” of outbreaks that get missed to be identified after the fact, Friedrichs explained, adding that this saves time on computer forensics. File trajectory technology bundled within FireAMP shows how malware spread across a firm, he said. Once problems are identified, remedial actions can be carried out from the FireAMP console.

FireAMP, which is based on technology Sourcefire acquired from Immunet last year, comes only a month after it released a next-generation application-aware firewall, twin moves designed to allow it to sell kit outside its traditional IDS niche.

FireAMP is being positioned against gateway technology designed to thwart botnets from the likes of FireEye or Damballa, as well as malware analysis and forensics tools from HBGary and Guidance Software. All these technologies aim to cover for the security shortcomings of anti-malware suites in one way or another. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/01/23/sourcefire_anti_malware/

Bletchley Park flogs Alan Turing first day covers

Computing pioneer and Enigma codebreaker Alan Turing is to be commemorated next month in a series of limited edition first day covers for stamps designed to celebrate the centenary of his birth and help raise some more funds for the renovation of Bletchley Park.

The covers, essentially snazzy envelopes specifically designed to carry a new set of stamps on their first day of issue, will be released on 23 February in four different designs.

Restricted to 500 copies each, the covers are going for £9.99 each and can be previewed here.

The first is a design created by Rebecca Peacock of Firecatcher Design which features a portrait of Turing himself. The other three are paintings by artist Steve Williams depicting the buildings which Turing and his fellow codebreakers lived in during the Second World War.

All four covers will also feature a first-class stamp depicting the Turing Bombe – the machine built to decipher the German Enigma code – as well as a first day of issue postmark illustrating one of the bombe’s 36 rotor wheels.

The stamp-related tribute is all part of the centenary year of mathematical genius Turing, who has been credited with pioneering the development of everything from artificial intelligence to the modern computer.

More importantly, his work with colleagues at Bletchley unpicking Enigma and other German and Japanese codes is believed to have shortened the war by as many as two years.

Turing was also famously persecuted by the British government, and even forced to undergo chemical castration after being convicted of homosexuality in 1952. He committed suicide two years later, aged just 41.

In 2009, then Prime Minister Gordon Brown finally broke the establishment’s silence over Turing’s treatment, with a public apology for the “appalling” persecution he had suffered in the years following the war.

The money raised from the stamp sale will go straight into the coffers of Bletchley Park, which received an early Christmas present last month when Google pledged £500,000 to help restore the site. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/01/23/turing_first_day_covers/

Europe exposes its stiff data protection law this week

Stringent proposals for the revision of Europe’s outdated 1995 data protection law are to be revealed by officials this coming Wednesday.

The European Commission’s vice-president Viviane Reding said in a speech in Germany on Saturday that the new regulation on handling sensitive data will, among other things, require internet firms to admit breaches of the rules within 24 hours of their occurrences.

The justice commissioner previously told this reporter that the so-called “right to be forgotten” would form a central part of the proposed reform of the DP law, which is expected to be policed on a national level by relevant data protection authorities if the bill is passed in Brussels.

Reding said that internet outfits that collect and retain data about their customers will be required to explain why it is necessary to hold such information on their databases.

As The Register has previously reported, the proposed revision to Europe’s 17-year-old data protection regulation will include the “right to ‘data portability'”, which Reding described as “an essential element of the legislative reform”.

According to the Financial Times, which has seen a draft of the proposals, internet companies could be fined up to 2 per cent of their global turnover if they are found to have violated the new data protection rules.

However, legislative reform of the EU’s current data protection rules could take more than a year to complete – the proposed bill must wind its way through the European Parliament and the Council of Ministers before the union’s 27 nations are required to splice the regulations into their own law books, which could yet meet fierce opposition.

In the UK, for example, the reform has been seen by Justice Secretary Ken Clarke as a dangerous move with the potential to compromise freedoms and security. Last year he lambasted Reding’s “one size fits all” approach and said that “imposing a single, inflexible, codified data protection regime on the whole of the European Union, regardless of the different cultures and different legal systems, carries with it serious risks”. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/01/23/europe_data_protection_proposed_revision/

Romanian who hacked NASA spared cooler stint

A Romanian hacker who admitted breaking into NASA’s network has avoided jail, receiving a three-year suspended prison sentence instead.

Robert Butyka, 26, from Cluj-Napoca, Romania, still faces a civil lawsuit over disputed damages of $500,000 against the space agency’s computer systems in a case due to be heard in March. Butyka, who was arrested by Romanian cyber-cops back in November, admitted hacking into NASA’s network in December 2010 at a hearing earlier this month prior to a sentencing hearing this week where he was put on probation for seven years.

Local reports of the sentencing hearing (in Romanian) can be found here. Commentary on the arguably lenient punishment received by Butyka, and how a US hacker convicted of similar charges might fare, can be found in a post on Sophos’ Naked Security blog here. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/01/23/romanian_nasa_hacker_jailed/

‘Hannibal’ leaks ‘100,000 Facebook logins’

The tit for tat between pro-Palestinian and pro-Israel hackers escalated at the weekend after a hacker called Hannibal claimed to have leaked the Facebook login details of “100,000 Arabs”.

Pro-Israel Hannibal warned on 13 January that he had access to “about 30 million e-mail [accounts] of Arabs”, adding that he would leak their login credentials over the next 55 years in retaliation for previous “Arab” hacks of Israeli websites. He then released, via Pastebin, what he claimed to be the login details of close to 85,000 Facebook accounts, although the actual figure appears to be far less.

But in his latest missive, issued on Saturday, he announced an even bigger data dump.

“I published until now hundreds of thousands of emails and Facebook accounts of Arabs … Today I published another 100,00 [sic] accounts of Arabs,” he wrote. “I post this 100k accounts list because I want show the my huge strength. The Arabs should learn a lesson and know not to mess with me.”

The text file links to what’s claimed to be 100,000 Facebook login details spread across 14 file-sharing sites.

The hacker, who modestly reckons that people of the Jewish nation named him “general of Israel’s hackers”, then unexpectedly called a halt to the “cyber war” that has flared in the virtual Middle East in recent weeks.

“Israeli hackers, stop! Cyber war stops until further notice I will post again if they attack the State of Israel,” he wrote. “If they appear again, I again come to save Israel. Trust me. I’ll always be around.”

This particular cyber-spat kicked off at the start of January, when hacker 0xOmar – who said he belongs to Saudi hacking gang Group-XP – claimed to have leaked the banking details of 400,000 Israelis.

Israel’s banks hit back, however, arguing that most of the data was either out-of-date or duplicate and that only 14,000 card records were exposed.

Israeli deputy foreign minister Danny Ayalon then drew the ire of Anonymous and others by comparing the hack to an act of terrorism and warning that there would be retaliatory action. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/01/23/israeli_hacking_followup/

DreamHost nightmare attack sparks passwords reset

US-based hosting firm DreamHost is advising customers to change their passwords following a database breach.

The firm warned late on Friday that hackers had compromised customer FTP/shell access passwords. DreamHost began the process of resetting customer passwords over the weekend, a process that hit a few hiccups along the way (if entries on its status update page are any guide). Web panel passwords, email passwords and billing data were not affected by the breach, the company said. These passwords have also been reset as a precaution.

Compromised passwords could potentially be used to change the content of hosted sites or, more likely, to insert malicious code. The motives of the hackers – much less their identity – remain unclear.

In a blog post, DreamHost chief exec Simon Anderson said the company had been hit by a “previously unknown” attack. He attempted to allay fears by saying nothing bad had happened to customers as a result of the breach, possibly because DreamHost reacted quickly once a breach was detected.

“The bad news is that we detected access to one of our databases and took rapid action to protect customer accounts and passwords,” it said. “The good news is that it does not appear that any significant malicious activity has occurred on any customer accounts as a result of the illegal access.

“Early yesterday, one of DreamHost’s database servers was illegally accessed using an exploit that was not previously known or prevented by our layered security systems in place. Our intrusion detection systems alerted our Security team to the potential hack, and we rapidly identified the means of illegal access and blocked it,” he added. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/01/23/dreamhost_breach/

SharePoint gods peek into colleagues’ info – poll

SharePoint admins are abusing their privileged status to sneak a peek at classified documents, according to a poll that shows consistent abuse of security in Microsoft’s business collaboration server.

A third of IT administrators or somebody they know with admin rights have read documents hosted in Microsoft’s collaboration server that they are not meant to read.

The most popular documents eyeballed were those containing the details of fellow employees (34 per cent), followed by salary information (23 per cent); 30 per cent said “other”.

Ironically, the poll found the jury almost split on whether the authors of documents themselves could be trusted to control the security privilege settings on their work.

IT admins are firmly in control of setting access rights within SharePoint; 69 per cent set the permission levels that say who reads what, by individual or by group.

The data comes from a Cryptzone SharePoint security survey of 100 individuals running or using SharePoint systems, which has just been released. Respondents worked for a range of companies of varying size.

The poll reveals a consistently healthy disregard for the security supposedly afforded to company documents by SharePoint. Forty-five per cent of respondents said they’d copied sensitive information to the drive of a local PC or to a USB stick; 43 per cent did it because of the need to work from home; while 55 per cent said they’d done it because the docs were needed by somebody who didn’t have access to SharePoint.

Ninety-two per cent of admins said they realised their actions made the material less secure, while 30 per cent said they weren’t bothered because taking the information had helped them get their job done.

You can download a copy of the report here (warning: PDF). ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/01/23/sharepoint_leaky_security/