STE WILLIAMS

Visa shows off data centre ‘moat’

Credit card company Visa has boasted that one of its US data centres possesses the ultimate security feature – a moat designed to stop would-be ram-raiders from reaching the facility.

As reported by USA Today and Fast Company, which both seem to have been invited to the facility, the company’s Operations Centre East (OCE) can be found “somewhere on the eastern seaboard” of the USA. The site is apparently nondescript, so as not to draw attention to itself.

We’re not quite sure how it’s possible to hide the facility in plain sight given it boasts a moat.

Both of the sources we’ve linked to above use the same language to describe the watery defence:

“Hydraulic bollards beneath the road leading to the OCE can be quickly raised to stop an intruding car going 50 mph. Any speed faster, and the car can’t navigate a hairpin turn, sending it into a drainage pond that functions as a modern-day moat.”

The tier 4 data centre also packs sufficient redundant systems that Visa thinks it could run for a week without any contact from the outside world, other than data feeds. Paranoia has been taken to impressive heights with an off-site mail room that can be airlifted away should something nasty be slipped into the phone bill, to ensure that the health of data centre workers is not compromised.

EMC and Cisco are mentioned as the big winners in the data centre’s racks, which are housed in seven “pods” of 20,000 square feet apiece. Another two pods of the same size lie empty, awaiting future expansion. Presumably that extra space will help the data centre to go beyond the 24,000 “transaction messages” it processes every second. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/03/27/visa_data_centre_moat/

Oxford Uni chucks big brains at ivy-covered cybersecurity hub

Oxford University boffins launched an interdisciplinary Cyber Security Centre on Monday. The new research hub aims to boost academic research into infosecurity.

The Oxford Cyber Security Centre aims to research threats such as cyber terrorism and cyber crime, as well as running studies on the trustworthiness of electronically stored information. The facility will act as the base for 12 permanent academic staff, more than 25 research staff and 18 doctoral students.

The current research activity of the group is already worth more than £5m, a figure Oxford hopes to grow by forming an inter-disciplinary brains trust that will drive developments in both the theory and practice of cyber security.

The centre will bring together researchers in computer science with academics from other disciplines, including business studies. Oxford institutions such as the Saïd Business School, the Oxford Internet Institute, the Blavatnik School of Government, the Oxford e-Research Centre and Oxford University Computing Services will contribute to the research effort.

The centre is already working on a range of research projects together with industry, government and military organisations. These research projects include studies into home network security, detecting insider threats in cloud computing environments, spotting malicious applications on smartphones as well as a study on risk and privacy in social network environments. Other research projects are looking into the use of steganography by terrorists and how it might be detected, mobile payment security and preventing denial-of-service attacks in wireless networks.

University dons hope to encourage government and private sector organisations to get involved in the research effort. Professor Sadie Creese, the centre’s director, explained: “Security requires a positive – and to a large extent open – collaboration between industry, government agencies and universities.”

The UK already boasts several centres of excellence in cyber security, including the University of Cambridge’s Computer Laboratory and Cranfield University’s Defence Academy.

More details on the Oxford University Centre and its research projects can be found on its website here. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/03/28/oxford_cyber_security_research_hub/

Zombie LulzSec brags of exposing loved-up privates

A group claiming to be the re-animated corpse of the LulzSec hacking group is getting its lulz from messing up the love lives of army personnel. The personal details of tens of thousands of servicemen and women may have been exposed following a hack on a US-based military dating website.

“LulzSec Reborn” posted a message on PasteBin announcing the hack of MilitarySingles.com, claiming that it had swiped the site’s email database, snaffling more than 170,000 profiles in the process. The group also boasted it had obtained usernames, passwords and in some cases physical addresses of service personnel looking for love, and the men and women interested in hooking up with the boys and girls in uniform.

The motives for the purported hack – if any beyond pure devilment – remain unclear.

Militarysingles.com, which bills itself as the “dating website for single soldiers… and those interested in meeting them”, is run by a firm called eSingles Inc. The firm has yet to comment publicly on the hack, which remains unconfirmed. Nonetheless it would be a good idea for members of MilitarySingles.com to change their passwords, if only as a precaution. In addition, members of the site should double-check to make sure they aren’t using the same password and username combination elsewhere on the net, a common security mistake, as advised in a blog post commenting on the reported hack by net security firm Sophos here.

The original LulzSec gang began as a splinter group of Anonymous before mounting scores of high-profile hacks over a seven-week period of mischief and mayhem prior to disbanding in late June last year. A number of its alleged members were arrested in a high-profile takedown operation earlier this month, largely on the evidence of the group’s alleged leader, Hector Xavier “Sabu” Monsegur. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/03/27/military_dating_website_hack/

Privacy watchdog blasts FTC’s federal limpness

The American Federal Trade Commission (FTC) is making a mistake by leaving web and data companies to regulate themselves, privacy watchdog Electronic Privacy Information Center (EPIC) said today.

Responding to the FTC’s report Protecting Consumer Privacy in an Era of Rapid Change (PDF) published yesterday, EPIC said the FTC “mistakenly endorses self-regulation and ‘notice and choice'” as the way to protect consumers from companies skimming their personal data.

The report (covered by The Register here) lays out the “best practice” it hopes companies will follow to protect data, and pushes hard on “Do Not Track” recommendations.

EPIC has clashed with the FTC before, over Google’s new unified privacy policy: EPIC claims that the FTC should have probed Google over the changes.

EPIC also said that the FTC should explain why it doesn’t use its Section 5 authority to enforce its decisions. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/03/27/ftc_report_relies_too_much_on_self_regulation/

Spooked spooks made Symantec end Huawei fling

Security biz Symantec called time on a joint venture with Chinese telecoms equipment goliath Huawei because it feared the tie-up would prevent it from gaining access to classified US intelligence on cyber-threats, according to a new report.

The New York Times cited “two people briefed on the deal” as saying Symantec’s withdrawal was an attempt to allay any US concerns over its links to the Chinese tech giant at a time when the American government is looking to share more information on threats with the private sector.

If true, the report would seem to fly in the face of the well-rehearsed media line the two firms have been spinning since the end of the partnership was announced in November.

At the time, Symantec CEO Enrique Salem said the four-year Hong Kong-based venture had achieved all of its aims and that the security company would exit having made a good return on investment.

“Four years ago we established the Huawei Symantec joint venture for three specific reasons,” he said on a conference call announcing the news.

“First, to gain experience in building and selling appliances. Second, to increase penetration in the China market, and third, to move closer to the networking side of the telecoms segment. I’m pleased to say that we’ve achieved all of our objectives and believe this is the right time to sell our stake in the joint venture.”

Huawei has been dogged by speculation that it represents a risk to US national security – scuppering bids for network infrastructure firm 3Com, server tech biz 3Leaf and a deal to supply mobile telecom equipment to Sprint Nextel.

The rumours surround its links to the People’s Liberation Army (PLA), specifically its founder and CEO Ren Zhengfei who served in the PLA but, as Huawei is at pains to point out, had no military rank.

However, this month US defence contractor Northrop Grumman claimed that Huawei functions as an “advanced source of technology” for the Chinese military. It continued that joint ventures between Western and Chinese firms could lead to intellectual property theft and the long-term erosion of competitiveness for the former.

Huawei hit back at the contractor’s allegations by saying that “no one has ever offered any evidence that Huawei has been involved in any military technologies at any time”.

The manufacturer has sought to build closer ties with US industry, ploughing $6bn into the faltering economy last month in the form of contracts with OEMs Qualcomm, Broadcom and Avago in California.

That hasn’t helped the firm in Australia: it emerged this week that similar security concerns were behind Huawei being asked to not bid for the National Broadband Network project there.

Symantec declined to comment on the NYT story while Huawei had not responded at the time of publishing. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/03/27/symantec_huawei_china_spying/

AVG nukes stalking ads at press of BIG SHINY BUTTON

AVG is adding active “Do Not Track” technology to its security suites in a move designed to give consumers more control over their online privacy.

AVG’s new Do Not Track icon lets users keep an eye on stalkers…

The technology – available as a free service pack to AVG’s free and paid-for consumer security software packages – will enable users to actively block some advertising networks from sharing data and therefore goes beyond the Do Not Track header, which is passive and based on voluntary cooperation by advertising networks and websites.

Passive “Do Not Track” was introduced by the World Wide Web Consortium (W3C) and relies on websites’ voluntary adherence to notifications that particular surfers wish to avoid being tracked. However, websites are not obliged to abide by do-not-track requests and, in practice, the vast majority of sites fail to respect these types of privacy requests.

AVG’s active “Do Not Track” technology allows users to block tracking requests from their PCs, irrespective of whether or not an advertising network supports privacy requests. Yuval Ben-Itzhak, CTO at AVG, explained that the technology will block tracking cookies or information in URLs, among other tracking techniques. Granular controls will give users the choice of whether to block tracking directly or turn it on and off as desired, with site-specific preferences.
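The distinction drawn above, between a passive DNT header that a site may or may not honour and active blocking that stops the request leaving the PC, can be modelled in a few lines. The following Python is an added illustration, not code from the article or from AVG’s product: the tracker hosts and the table of which sites honour the DNT header are constructed for the example, and the cookie-setting logic is a hypothetical stand-in for real site behaviour.

```python
"""Passive vs. active Do Not Track, modelled as an added example.

Passive DNT: the browser sends a 'DNT: 1' request header and each site
decides for itself whether to honour it.  Active blocking: the client
refuses to send the third-party tracking request at all, so the site's
policy no longer matters.  All hosts below are constructed placeholders.
"""
from urllib.parse import urlsplit

# Constructed list of third-party tracking hosts (not a real blocklist).
TRACKER_HOSTS = {
    "ads.tracker.example",
    "analytics.example",
    "social-button.example",
}

# Constructed assumption: which of those hosts voluntarily honour DNT.
# Only one of the three does, mirroring the article's point that most
# sites ignore the header.
COOPERATES_WITH_DNT = {
    "ads.tracker.example": True,
    "analytics.example": False,
    "social-button.example": False,
}


def is_third_party_tracker(request_url: str, page_url: str) -> bool:
    """True when the request goes to a known tracker on another host."""
    req_host = urlsplit(request_url).hostname or ""
    page_host = urlsplit(page_url).hostname or ""
    return req_host != page_host and req_host in TRACKER_HOSTS


def server_sets_tracking_cookie(host: str, headers: dict) -> bool:
    """Hypothetical server-side handling of the passive DNT signal."""
    if headers.get("DNT") == "1" and COOPERATES_WITH_DNT.get(host, False):
        return False          # cooperative site: no cross-site cookie
    return True               # everyone else tracks regardless


def simulate(page_url: str, requests: list, mode: str) -> dict:
    """Map each request URL to 'first-party', 'blocked', 'tracked' or 'not tracked'.

    mode is 'none' (no DNT at all), 'passive' (send DNT: 1 and hope) or
    'active' (send DNT: 1 and drop third-party tracker requests locally).
    """
    outcome = {}
    for url in requests:
        host = urlsplit(url).hostname or ""
        tracker = is_third_party_tracker(url, page_url)
        if not tracker:
            outcome[url] = "first-party"   # site's own analytics, out of scope
            continue
        if mode == "active":
            outcome[url] = "blocked"       # request never leaves the PC
            continue
        headers = {"DNT": "1"} if mode == "passive" else {}
        tracked = server_sets_tracking_cookie(host, headers)
        outcome[url] = "tracked" if tracked else "not tracked"
    return outcome


def count_tracked(outcome: dict) -> int:
    """Number of third-party requests that resulted in tracking."""
    return sum(1 for v in outcome.values() if v == "tracked")


# Constructed sample page load: one first-party request plus three trackers.
PAGE = "https://news.example/article"
REQUESTS = [
    PAGE,
    "https://ads.tracker.example/pixel.gif",
    "https://analytics.example/collect",
    "https://social-button.example/like",
]

if __name__ == "__main__":
    for mode in ("none", "passive", "active"):
        result = simulate(PAGE, REQUESTS, mode)
        print(f"{mode:8s} tracked={count_tracked(result)} {result}")
```

Running the script shows the passive header only helps with the single cooperative host, while active mode blocks all three tracker requests before any site policy comes into play, which is the gap AVG's add-on is meant to close.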

Websites commonly collect data about users via web analytic tools so they can serve up ads based on the content users are viewing. But this type of info-collection pertains only to activity on the website itself.

But tracking goes further than this because it can be used to collect and share data with third-party companies. For example, some forms of tracking allow advertisers to follow users around the internet and deliver targeted advertising across multiple websites after building a profile on consumers.

Consumers as well as policy-makers are growing increasingly concerned about this practice. Last month, the Obama administration proposed a “Consumer Bill of Rights” for privacy and the EU has previously proposed similar initiatives.

Tracking is not inherently bad, according to AVG, however users have a right to greater control over how data on their surfing habits is collected and shared. AVG’s technology is available as part of a service pack, released on Tuesday, to AVG’s free and paid-for security products.

Ben-Itzhak explained that once the service pack is installed, users will see an additional icon in their browser. Clicking on this icon will allow surfers to see the services detected – for example web analytics, ad networks and social buttons placed by social networks – alongside controls governing whether the user allows or blocks these types of communications. Items in the icon’s menu will be displayed alongside links to the relevant data retention or privacy policies. The “social button” feature, for example, can block data being sent to Facebook from affiliate sites.

This move will make AVG the first antivirus vendor to provide active Do Not Track. Many browser vendors including Mozilla and Opera already support passive Do Not Track.

Ben-Itzhak told El Reg that while it would be technically possible for browser vendors to add active blocking protection, it isn’t available now and said it is best offered as an add-on to a security suite with links to the relevant privacy policies. He described the move to offer online privacy controls as a logical extension to previous enhancements of the AVG anti-virus scanner, such as Linkscanner, the firm’s occasionally controversial safe search component.

The latest AVG Service Pack also offers a feature called WiFi Guard – offering protection from unknown Wi-Fi access points. After installing AVG’s 2012 Service Pack, a pop-up window automatically warns users if their device attempts to connect to a never-before-used public Wi-Fi access point.

The approach is designed to provide warning about rogue Wi-Fi hotspots, established by cyber-criminals using the name of a popular coffee shop chain, hotel or public Wi-Fi provider and designed to eavesdrop on private conversations or snaffle user credentials.

The Service Pack for AVG 2012 is available for free from AVG’s site here. More details on the addition of Do Not Track technology can be found in AVG’s blog here.

AVG claims an installed base for its security suites and anti-virus scanners (free and paid for) of 108 million. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/03/27/avg_do_not_track/

Goldman Sachs in email muppet hunt

Goldman Sachs has launched an investigation into its corporate email following accusations from a former senior employee that there is a “toxic and destructive” culture at the merchant bank.

Greg Smith, a former exec at the bank, alleged that employees privately referred to clients as “muppets” in internal email conversations as well as committing other transgressions of business etiquette.

Smith penned his damning critique in an op-ed piece in the New York Times, published on 14 March, after spending 12 years working at the firm. The former executive director and head of the firm’s US equity derivatives business in EMEA alleged in the NYT piece that the culture at the firm changed during the time he worked there and that the “interests of the client continue to be sidelined in the way the firm operates and thinks about making money”. Smith didn’t make any allegations about criminal behaviour but rather described a consistent push to sell clients high-commission products that failed to meet their investment needs. He urged his former bosses to “weed out the morally bankrupt people, no matter how much money they make for the firm”.

Goldman Sachs quickly issued a defence, arguing that the bank continues to maintain a client-led culture. “We were disappointed to read the assertions made by this individual that do not reflect our values, our culture and how the vast majority of people at Goldman Sachs think about the firm and the work it does on behalf of our clients.”

It characterised Smith as a “disgruntled” ex-employee and pointed out it had recently been named as one of the best places to work in the UK, Smith’s last base of operations before he quit the investment banking firm.

“In a company of our size, it is not shocking that some people could feel disgruntled. But that does not and should not represent our firm of more than 30,000 people. Everyone is entitled to his or her opinion. But, it is unfortunate that an individual opinion about Goldman Sachs is amplified in a newspaper and speaks louder than the regular, detailed and intensive feedback you have provided the firm and independent, public surveys of workplace environments,” Goldman Sachs said.

Nonetheless, an audit of Goldman Sachs’ emails has been ordered by CEO Lloyd Blankfein in the wake of the affair, The Independent reports. The Telegraph adds that the “review of internal emails” was announced to the bank’s partners during a conference call last week.

We asked Goldman Sachs to comment on reports of an email audit but the bank did not get back to us.

The corporate emails of 30,000 staff will reportedly be examined as part of the audit exercise, a massive undertaking that will test the investment bank’s IT capabilities, according to independent specialists.

IT bods will need to create easy access to email troves

Spencer Allingham, technical director at IT optimisation specialist Condusiv Technologies, commented: “While investigating emails to tap into corporate culture will undoubtedly be revealing for the organisation, the sheer amount of work to recover past or deleted emails will be a vast drain on time and money if appropriate technology is not in place.

“For many IT departments it is a constant struggle to find the budget to update systems and improve efficiency, and it is at times like these that poor infrastructures are exposed, and can cause reputational damage, even putting companies head to head with legislation, if the investigation is a legal requirement.”

Allingham said that tighter financial regulations meant that email trawls like the one Goldman Sachs has been obliged to undertake are likely to become more commonplace in future. Failure to put a strategy in place that can accommodate such investigations could prove to be expensive if anything goes awry, he warned.

“The recent climate of Big Data and virtualisation has only extrapolated the issue of controlling the data deluge common to most corporate environments. Data now varies in content, sensitivity, form and also in how it’s stored, but as investigations such as the Goldman Sachs case proves, speed is key and access to data needs to occur irrelevant of changes in the IT infrastructure.

“It is therefore critical that IT departments see the trend of email investigations on the horizon and prepare their IT systems accordingly. Firms need to have the right technology in place to be able to steer clear of unnecessary complexity in such investigations, which threaten to compromise the core of their business. Essentially, inadequate technology could waste valuable time, and that is time taken away from customers – which could ultimately cost an enterprise on the bottom line.” ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/03/27/goldman_sachs_email_audit/

Feds issue final ‘Do Not Track’ privacy recommendations

The US Federal Trade Commission has issued its final report on the “best practices” companies should put in place regarding the collection of consumer information.

“If companies adopt our final recommendations for best practices – and many of them already have – they will be able to innovate and deliver creative new services that consumers can enjoy without sacrificing their privacy,” said FTC chairman Jon Leibowitz in a statement accompanying the release of the report, “Protecting Consumer Privacy in an Era of Rapid Change”.

“We are confident that consumers will have an easy to use and effective Do Not Track option by the end of the year,” Leibowitz added, “because companies are moving forward expeditiously to make it happen and because lawmakers will want to enact legislation if they don’t.”

The FTC’s final recommendations, a follow-up to its draft report issued last December, don’t have the force of law, but the commission urges Congress to enact legislation that does.

The recommendations in Monday’s report focus on three core areas, which the FTC defines as Privacy by Design, Simplified Choice for Businesses and Consumers, and Greater Transparency.

The first of those three concepts recommends that privacy protections be built into online offerings. Companies should, the report contends, ensure that their products and services provide “reasonable” data security and protection of data accuracy, and that the collection and retention of consumers’ data be limited.

“Simplified Choice,” the FTC notes, means that consumers should be allowed to choose what data a company can share about their online activities, and with whom that data can be shared. In addition, companies should provide a Do Not Track option that is a “simple, easy way” for customers to control tracking and sharing of their online peregrinations.

The FTC’s transparency recommendations not only suggest that companies clearly explain to customers what data they’re collecting, but also provide access to that data so that customers can review what information has been collected about their online activities.

The commission states that there has been ongoing voluntary progress in online privacy, and that companies have begun to compete with one another on the provision of privacy. “In response to Google’s decision to change its privacy policies to allow tracking of consumers across different Google products,” the report notes, “Microsoft encouraged consumers to switch to Microsoft’s more privacy-protective products and services.”

That said, the FTC argues that “self-regulation has not gone far enough,” and that “basic privacy concepts like transparency about the nature of companies’ data practices and meaningful consumer control are absent.”

In light of the lack of industry-wide privacy safeguards, the report calls on Congress to enact legislation that is “technologically neutral and sufficiently flexible,” and that includes “civil penalties and other remedies” to be made available for use against companies that fail to protect consumer privacy.

As has become traditional in reports issued by Obama-administration commissions, the FTC’s lone Republican, J. Thomas Rosch – who recently called upon Congress to cut the commission’s budget – appended his dissent to the report, saying in part that its recommendations “would install ‘Big Brother’ as the watchdog over [information collection] practices not only in the online world but in the offline world.” ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/03/26/ftc_online_privacy_report/