STE WILLIAMS

Advertising in mobile apps

The annual Virus Bulletin conference starts on Wednesday in Berlin, Germany.

Numerous Sophos researchers will be giving papers this year, and with two Naked Security regulars in attendance (Chester Wisniewski and John Hawes), we hope to bring you a blow-by-blow account of who says what, and why, as the conference unfolds.

Even though the event hasn’t started, however, I’d like to tell you about a paper that two of my long-term friends and colleagues from SophosLabs will be presenting.

Vanja Svajcer and Sean McDonald will be presenting a mixture of research, analysis and proposal they’ve written up under the headline Classifying Potentially Unwanted Applications in the mobile environment.

At this point, you’re probably wondering:

  • Why a write-up of a talk that hasn’t been given yet?
  • Isn’t every application potentially unwanted to someone?

Taking the second question first, you need to know that Potentially Unwanted Applications, or PUAs, are programs that aren’t unequivocally malicious.

Nevertheless, PUAs sail close enough to the metaphorical wind that well-informed system administrators often want to ban them from their networks, or at least to regulate them tightly.

Often, security products can’t block this sort of application by default, no matter how reasonable that might seem, for legalistic reasons.

For example, it’s easy to argue that a computer virus – a self-replicating program that spreads without authorisation or control – should be blocked outright.

On the other hand, you can argue that software that isn’t intrinsically illegal, but merely happens to be ripe for abuse, ought to be given the benefit of the doubt, and should be classified somewhere between “known good” and “outright bad.”

Indeed, if you are the vendor of such software – spyware that is sold to monitor children, or to investigate an errant spouse, for example – you might even choose to argue such a matter through the courts.

That’s why most security software has a category of possible threats known as PUAs, or perhaps PUPs (potentially unwanted programs), or Potentially Unwanted Software. (That’s Microsoft’s name, and the acronym proves that at least someone in Redmond has a sense of humour.)

PUAs are programs that some people may want to use, that don’t openly break the law, and yet that many people will want to block.

And now to the first question.

I’m writing about Vanja’s and Sean’s yet-to-happen talk in order to offer you a chance, in the comments below, to pose questions (or blurt out opinions) that I can send to them, as part of helping them with their work.

I’ll pass your comments and questions to them to consider in the “question time” at the end of their talk, thus giving you a chance of having your say from a distance!

After all, most of us aren’t going to be attending the VB 2013 conference (though there is still time to register if you’re in the Berlin area), but we probably have some feelings – perhaps even strong feelings – about PUAs in the mobile ecosystem.

That’s down to adware, one of the mobile world’s biggest sub-categories of PUA.

In Sean’s and Vanja’s own words:

Has the world of PUAs changed with the advent of mobile apps? As the revenue model for application developers changes, should the security industry apply different criteria when considering mobile potentially unwanted applications?

In mid 2013, there are over 700,000 apps on Google Play and over 800,000 apps on iTunes, with numerous alternative application markets serving their share of Android apps. The major source of income for most of these apps is advertising revenue, realised by integrating one or more advertising frameworks.

The difference between malware, PUAs and legitimate apps for mobile platforms is often less clear than in the desktop world… This leads application developers as well as developers of individual advertising frameworks into confusion about which features are acceptable.

Indeed, if you think about it, the appearance of banner ads inside mobile apps seems much more tolerable, and tolerated, than the same sort of thing in desktop applications.

Even amongst online ad-haters, there seems to be a general recognition that ads in mobile apps, done gently enough, represent a fair way for developers to earn a crust without needing to charge an up-front fee.

(Or there’s a reasonable and modest fee – typically a dollar or three – that will turn the ads off but still reward the developers.)

Vanja’s and Sean’s concern, if they will forgive me for oversimplifying what they have argued, is that the computer security industry would like to be proactive in stamping out aggressive – possibly even dangerous and privacy-sapping – mobile adware behaviour.

At the same time, the security industry doesn’t want to spoil the ad-supported mobile app industry for those who are prepared to play fair.

But where do we draw the line?

Sean and Vanja identify several grades of adware aggression in the mobile world:

  • Banner ads. (Appear in ad-sized windows in the app itself, and are visible only in the app.)
  • Interstitial ads. (Typically fill the screen temporarily, for example between levels in gameplay.)
  • Push or notification ads. (Use the operating system notification area to present their message.)
  • Icon ads. (Appear outside the app, even after it exits, typically as home screen icons.)
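
One way to turn that four-grade list into a triage check, as an added example that is not part of the original post and is not SophosLabs' own classifier: the Python below takes a decoded AndroidManifest.xml and the app's class list (the sort of thing apktool or dexdump gives you) and reports the most aggressive grade the static evidence supports, plus any permissions an ad framework has no business needing. The permission strings are real Android permissions; the com.example.adsdk class names and the indicator-to-grade mapping are assumptions for illustration, and the sample manifest is constructed.

```python
# Added example (not SophosLabs code): static triage of an Android package
# against the four grades of ad aggression listed above. The indicators are
# heuristics; the class names under com.example.adsdk are stand-ins.
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Grades in ascending order of aggression, as in the list above.
GRADES = ["none", "banner", "interstitial", "notification", "icon"]

# Real Android permission strings. INSTALL_SHORTCUT is what lets an app drop
# icons on the home screen that outlive the app itself (icon ads).
ICON_AD_PERMISSIONS = {
    "com.android.launcher.permission.INSTALL_SHORTCUT",
    "com.android.launcher.permission.UNINSTALL_SHORTCUT",
}
# Permissions an ad framework should not need; reported as privacy risk.
PRIVACY_PERMISSIONS = {
    "android.permission.READ_PHONE_STATE",
    "android.permission.ACCESS_FINE_LOCATION",
    "android.permission.READ_CONTACTS",
}
# Assumed ad-SDK class names (illustrative, not a real framework).
BANNER_CLASSES = {"com.example.adsdk.BannerView"}
INTERSTITIAL_CLASSES = {"com.example.adsdk.InterstitialAd"}
# Real framework class used to post into the notification area.
NOTIFICATION_CLASSES = {"android.app.NotificationManager"}


def requested_permissions(manifest_xml):
    """Return the set of <uses-permission android:name="..."/> values."""
    root = ET.fromstring(manifest_xml)
    return {
        el.get(ANDROID_NS + "name")
        for el in root.iter("uses-permission")
        if el.get(ANDROID_NS + "name")
    }


def classify_ad_behaviour(manifest_xml, class_names):
    """Return {'grade', 'indicators', 'privacy'} for one app.

    Only the highest grade the evidence supports is reported; the
    indicators list records every piece of evidence that was found.
    """
    perms = requested_permissions(manifest_xml)
    classes = set(class_names)
    indicators = []
    grade = "none"

    def bump(new_grade, why):
        nonlocal grade
        indicators.append(why)
        if GRADES.index(new_grade) > GRADES.index(grade):
            grade = new_grade

    for cls in sorted(classes & BANNER_CLASSES):
        bump("banner", "banner ad view class %s" % cls)
    for cls in sorted(classes & INTERSTITIAL_CLASSES):
        bump("interstitial", "interstitial ad class %s" % cls)
    uses_ad_sdk = grade != "none"

    # NotificationManager on its own is normal (mail, chat); it only counts
    # as an ad indicator when an ad SDK is also present. Same for shortcuts.
    if uses_ad_sdk and classes & NOTIFICATION_CLASSES:
        bump("notification", "ad SDK present alongside NotificationManager")
    shortcut_perms = sorted(perms & ICON_AD_PERMISSIONS)
    if uses_ad_sdk and shortcut_perms:
        bump("icon", "ad SDK present with %s" % ", ".join(shortcut_perms))

    return {
        "grade": grade,
        "indicators": indicators,
        "privacy": sorted(perms & PRIVACY_PERMISSIONS),
    }


# Constructed sample input (not a real app): a free game bundling an ad SDK,
# asking for the shortcut permission and for the device identity.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.freegame">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="com.android.launcher.permission.INSTALL_SHORTCUT"/>
  <application android:label="Free Game"/>
</manifest>"""
SAMPLE_CLASSES = [
    "com.example.freegame.MainActivity",
    "com.example.adsdk.BannerView",
    "android.app.NotificationManager",
]

if __name__ == "__main__":
    print(classify_ad_behaviour(SAMPLE_MANIFEST, SAMPLE_CLASSES))
```

The caveat a practitioner would add: this is static triage only. A banner and an interstitial are often the same SDK call with different dimensions, and notification or icon ads can be switched on from the ad server after install, so the higher grades are really confirmed dynamically, by running the app and watching the notification area and the launcher for new shortcuts after the app exits.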

So, what do you think? How far is too far in the ad-funded mobile ecosystem?

Let us know and we’ll pose your questions and comments from the floor at the Virus Bulletin conference…

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/0pvkrS5uvSU/

Experian Data Breach Resolution Reveals Five Common Mistakes Made When Handling A Breach

COSTA MESA, Calif., Sept. 30, 2013 /PRNewswire/ — A data breach is an issue that can affect any organization and National Cyber Security Awareness Month is an opportune time for organizations to start to prepare for an incident or enhance their current response plan. With experience handling thousands of breaches, Experian Data Breach Resolution is observing the commemorative month by providing key insight into how to overcome common mistakes companies experience when handling a data breach.

“While there has been great progress among businesses and institutions in data breach prevention, breaches can still occur and it’s important to execute the right steps after an incident,” said Michael Bruemmer, vice president at Experian Data Breach Resolution. “Being properly prepared doesn’t stop with having a response plan. Organizations need to practice the plan and ensure it will result in smooth execution that mitigates the negative consequences of a data breach.”

Those possible outcomes can include a loss of customers, regulatory fines and class-action lawsuits. Studies show that a majority of organizations had or expect to have a data breach that results in the loss of customers and business partners, and more than 65% of companies have or believe they will suffer serious financial consequences as a result of an incident[1]. Among companies that had breaches, the average cost reported of incidents was $9.4 million in the last 24 months. These costs are only a fraction of the average maximum financial exposure of $163 million that the companies surveyed (breached or not) believe they could suffer due to cyber incidents[2].

Experian Data Breach Resolution will present on this topic at The International Association of Privacy Professionals (IAPP) Privacy Academy held in Bellevue, Washington, on Oct. 1 at the conference session titled, “Managing the Top Five Complications in Resolving a Data Breach.” Those not in attendance can view the presentation through a live stream at http://www.ustream.tv/experiandbr and pose questions to the panelists in real time via Twitter using the hashtags #databreach and #iapp.

According to Bruemmer, three of the most common mistakes include:

— No engagement with outside counsel — Enlisting an outside attorney is highly recommended. No single federal law or regulation governs the security of all types of sensitive personal information. As a result, determining which federal law, regulation or guidance is applicable depends, in part, on the entity or sector that collected the information and the type of information collected and regulated. Unless internal resources are knowledgeable about all current laws and legislation, it is best to engage legal counsel with expertise in data breaches to help navigate this challenging landscape.

— No external agencies secured — All external partners should be in place prior to a data breach so they can be called upon immediately when a breach occurs. The process of selecting the right partner can take time as there are different levels of service and various solutions to consider. Plus, it is important to think about the integrity and security standards of a vendor before aligning the company brand with it. Not having a forensic expert or resolution agency already identified will delay the data breach response process.

— No single decision maker — While there are several parties within an organization that should be on a data breach response team, every team needs a leader. Determine who will be the driver of the response plan and primary contact to all external partners. Also, outline a structure of internal reporting to ensure executives and everyone on the response team is up to date and on track during a data breach.

Depending on the industry, additional oversights may involve securing proper cyber insurance and following the Health Insurance Portability and Accountability Act (HIPAA) and Health Information Technology for Economic and Clinical Health Act (HITECH). The complete list and tips to overcome these issues will be addressed by Bruemmer at the IAPP Privacy Academy presentation.

For the Experian Data Breach Resolution schedule of presentations, visit http://www.experian.com/data-breach/events.html.

Additional data breach resources, including Webinars, white papers and videos, can be found at http://www.experian.com/databreach.

Read Experian’s blog at http://www.experian.com/dbblog.

About Experian Data Breach Resolution

Experian is a leader in the data breach resolution industry and one of the first companies to develop products and services that address this critical issue. As an innovator in the field, Experian has a long-standing history of providing swift and effective data breach resolution for thousands of organizations, having serviced millions of affected consumers. For more information on the Experian Data Breach Resolution division at ConsumerInfo.com, Inc. and how it enables organizations to plan for and successfully mitigate data breach incidents, visit http://www.experian.com/databreach.

About Experian

Experian is the leading global information services company, providing data and analytical tools to clients around the world. The Group helps businesses to manage credit risk, prevent fraud, target marketing offers and automate decision making. Experian also helps individuals to check their credit report and credit score, and protect against identity theft.

Experian plc is listed on the London Stock Exchange (EXPN) and is a constituent of the FTSE 100 index. Total revenue for the year ended March 31, 2013 was US$4.7 billion. Experian employs approximately 17,000 people in 40 countries and has its corporate headquarters in Dublin, Ireland, with operational headquarters in Nottingham, UK; California, US; and Sao Paulo, Brazil.

For more information, visit http://www.experianplc.com.

Article source: http://www.darkreading.com/vulnerability/experian-data-breach-resolution-reveals/240161991

Fingerprint Cards Purchases Key Wireless Patents

GOTHENBURG, Sweden, September 30, 2013 /PRNewswire/ —

Fingerprint Cards (FPC) purchases key wireless patents from a world-leading patent holder and thereby strengthens its IPR portfolio significantly. The purchased portfolio, consisting of more than 100 granted patents covering markets such as the US, Europe and Asia, includes patents that are considered essential for wireless communication.

Jörgen Lantto, Executive Vice President, CTO and Head of Strategy and Product Management at FPC, comments: “This purchase is part of FPC’s aggressive efforts in becoming the leading supplier of fingerprint sensors for the mobile industry.

Our existing and growing IPR portfolio combined with the patent portfolio that we have purchased ensures that our IPR position equals our world-leading fingerprint sensor technology and market position.”

About Fingerprint Cards AB (publ)

Fingerprint Cards AB (FPC) develops, produces and markets biometric components that verify a person’s identity through the analysis and matching of an individual’s unique fingerprint. The technology consists of biometric sensors, processors, algorithms and modules that can be used separately or in combination with each other. The competitive advantages offered by FPC’s technology include unique image quality, extreme robustness, low power consumption and complete biometric systems.

With these advantages and the ability to achieve extremely low manufacturing costs, the technology can be implemented in volume products such as smart cards and mobile phones, where extremely rigorous demands are placed on such characteristics. The company’s technology can also be used in IT and Internet security, access control, etc. Fingerprint Cards AB (FPC) is listed on the Nasdaq OMX Stockholm (FING B) and has its head office in Gothenburg.

Fingerprint Cards AB (publ) discloses this information pursuant to the Swedish Securities Market Act (2007:528) and the Swedish Financial Instruments Trading Act (1991:980). The information was issued for publication on September 30, 2013, at 08.00 a.m. (CET).

Article source: http://www.darkreading.com/mobile/fingerprint-cards-purchases-key-wireless/240161992

NTT Com Security Survey Reveals Mature Cloud Adopters Consider Cloud More Secure, Cost-Effective And Flexible Than Data Center Deployment

Bloomfield, CT – September 30, 2013 – NTT Com Security (formerly Integralis), the power behind WideAngle, the global information security and risk management brand, has found that when faced with financial, security, skills, or business agility pressures, mature cloud adopters are much more likely to remain committed to the cloud than to deploy applications and services in traditional data centers.

The findings are a key part of a global survey of 700 CTOs, IT directors and technical decision makers at organizations of 500+ employees, conducted to better understand how maturity of adoption affects organizations’ degree of trust and enthusiasm for cloud services.

“Although Cloud technology is still maturing, attitudes among IT professionals rapidly become more positive in every aspect once businesses have had time to evaluate the many benefits of private, public or hybrid cloud deployment for themselves,” explained Garry Sidaway, Global Director of Security Strategy at NTT Com Security.

“More than half of all respondents (55%), and 70% of advanced cloud adopters, now realize that the cloud offers greater agility than the data center, but only the more experienced adopters have learned to also value the security, cost and simplicity benefits of the cloud. This reflects a disparity between operational and board-level discussions prior to cloud adoption – until it has positively impacted the whole business, board-level objectives revolve largely around agility alone. Ultimately however, those companies assured enough to adopt the cloud for its agile deployment advantages, also benefit from the enhanced security of critical applications, lower operational costs and intuitive usability – it’s a win-win situation.”

Only 8% of companies surveyed could be considered ‘advanced in cloud adoption’, having adopted the cloud across all or most of their departments. In the case of these cloud adopters, 61% said that they favored the cloud for security and cost critical deployments, 67% for its more accessible skill demands, while 70% of this group said they’d opt for cloud-based deployment when business agility was critical.

The survey also found that 70% of companies have seen financial benefit due to the widespread adoption of cloud. Across the industry as a whole, 30% of IT budget is dedicated to cloud computing. Every company surveyed uses some form of cloud computing outside of the IT department, with 11% of companies having already replaced traditional data centers with the cloud. An encouraging 45% of all respondents believe that cloud computing will eventually replace traditional data centers completely.

Sidaway concluded: “Globally cloud adoption seems to be based on how quickly issues such as security and cost can be reconciled. Once businesses have the right policies in place, they rapidly advance the number of services and applications delivered via the cloud model. Whatever stage businesses are at, security of cloud deployment is recognized as playing an increasingly important role as they seek to move into new territories and be competitive on the global stage.”

About the survey

Research methodology: NTT Com Security (formerly Integralis) commissioned the market research company Vanson Bourne to conduct independent research among 700 IT decision makers at organizations of 500+ employees in the USA/Canada, UK, Germany, Nordics, Singapore, Japan and Hong Kong in May and June 2013. The research was conducted online and by telephone in the public and private sectors across organizations in finance, retail, pharmaceutical, telecommunications, utilities, petrochemicals and healthcare.

About NTT Com Security (formerly Integralis)

NTT Com Security (formerly Integralis) is the power behind WideAngle, a global information security and risk management brand. WideAngle delivers a portfolio of managed security, business infrastructure, consulting and technology integration services. WideAngle helps organizations lower their IT costs and increase the depth of IT security protection, risk management, compliance and service availability. NTT Com Security AG is headquartered in Ismaning, Germany and is part of the NTT Communications Group, owned by NTT (Nippon Telegraph and Telephone Corporation), one of the largest telecommunications companies in the world. For more information, visit http://www.nttcomsecurity.com

Article source: http://www.darkreading.com/management/ntt-com-security-survey-reveals-mature-c/240161993

Microsoft releases latest Law Enforcement Requests Report – no Skype content handed over

Microsoft has published its second Law Enforcement Requests Report, covering the first half of 2013.

The quick summary: not much increase over last year’s numbers.

A total of 37,196 requests were received, covering 66,539 separate users.

20.6% of the requests did not result in data being handed over, the bulk of the rejections being due to “no information found” rather than Microsoft resisting the demands of the police.

The US is well ahead of the field, with 7,014 requests affecting 18,809 users, but this is unsurprising given the number of US citizens online, well ahead of most other countries.

Other countries with lots of hits include the major economies of Western Europe, with France, the UK and Germany all scoring fairly highly.

Brazil and Australia come in at just over 1000 requests each; Spain and Italy just under.

A somewhat surprising second place goes to Turkey though, not far behind the US with 6,226 requests. Given Turkey’s estimated 36 million internet users, compared to over 250 million in the US, this may be a little worrying for any privacy-loving Turks out there.

However, those 6000-odd requests cover just 7,333 separate users, putting Turkey in the lower end of the table if sorted by the number of people covered by each request. The US is near the top by this measure, with an average of over 2.5 users covered by each request.

Skype data has been rolled into the main report, but is also published separately to allow comparison with previous numbers.

There was a slightly lower fail rate in the Skype requests than in the overall figures, with a notable rise in the ratio of requests rejected for “not meeting legal requirements” – 7.3% compared to 2.4% for Microsoft services in general.

As in 2012, no Skype content was handed over, with positive responses limited to user metadata such as names, regions and IP address information.

In most regions no content was provided for any Microsoft service, but the US is a significant outlier in this area, with over 10% of requests earning the cops access to email text, stored photos or documents.

This figure is a little down on the 2012 stats, which show that 13.9% of US requests led to actual content.

The only other regions with notable percentages in this area are Brazil, with 5.8%, and Canada on 4.3%, although the small overall number of requests from Canada means that this amounts to only three actual instances of content being handed over. Both Brazil and Canada were among the very small number of countries that also got their hands on content in 2012.

In the absence of content, the metadata provided may include billing information and “IP connection history”, which can reveal a fair amount about what people are doing across different services, and indeed where they are over time.

But accessing actual content seems considerably more intrusive, especially in the case of emails and other personal communications. It is somewhat cheering to know that Skype conversations and chats have not been subject to disclosure.

At least, not so far, and not to the “law enforcement” agencies covered in the report.

Noticeably absent is data on national security-related requests from other government agencies such as the NSA: detailed information on requests from a range of agencies could apparently not be made available for legal reasons.

All we have is a vague summary of the numbers of “National Security Letters” issued, showing figures so far this year of under a thousand covering between 1000 and 2000 people.

This again suggests little change over last year, when MS saw somewhere between 1000 and 2000 “Letters” affecting 3000-4000 “identifiers” in the full twelve month period.

These Letters apparently only allow access to metadata and must come from “senior FBI officials.”

Microsoft stresses its commitment to providing more complete data, with a court case pending, but for now can say no more than that data passed to security agencies only affects “a tiny fraction” of users.

Following similar transparency reports from web giants Google, Facebook and Yahoo, Microsoft’s latest data, limited as it is, provides some food for thought on the extent to which law enforcement is using internet usage history to track down miscreants.

It would be good to know more about what those non-law enforcement types are snooping on, though.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/7lM2e7xrlJo/

Monday review – the hot 22 stories of the week

Catch up with the last seven days of security stories in our weekly roundup.

Watch the top news in 60 seconds, and then check out the individual links to read in more detail.

Monday 23 September 2013

Tuesday 24 September 2013

Wednesday 25 September 2013

Thursday 26 September 2013

Friday 27 September 2013

Saturday 28 September 2013

Sunday 29 September 2013

Would you like to keep up with all the stories we write? Why not sign up for our daily newsletter to make sure you don’t miss anything. You can easily unsubscribe if you decide you no longer want it.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/dVR-EO5KCuY/
