Inside

Showing posts with label Cyber Crime. Show all posts

Friday

Tasks of the data protection officer



The data protection officer shall have at least the following tasks: (a) to inform and advise the controller or the processor and the employees who carry out processing of their obligations pursuant to this Regulation and to other Union or Member State data protection provisions.

NIST - Cybersecurity Framework draft Update.

Jan. 10, 2017 - The National Institute of Standards and Technology (NIST) has issued a draft update to the Framework for Improving Critical Infrastructure Cybersecurity, also known as the Cybersecurity Framework.

Monday

Key objectives of the EU Commission in the field of cybersecurity

Increasing cybersecurity capabilities and cooperation.


The aim is to bring cybersecurity capabilities to the same level of development in all the EU Member States and ensure that exchanges of information and cooperation are efficient, including at cross-border level. In this area, the Directive on security of network and information systems (the NIS Directive) is the main instrument supporting Europe's cyber resilience.

Sunday

White Paper The State of Information Security Law. By Tom Smedinghoff (Wildman Harrold)

This paper provides information about the expanding duty to provide security and the emergence of a legal obligation for compliance. Abstract: Information security is rapidly emerging as one of the most critical legal and public relations issues facing companies today. As the series of highly-publicized security breaches over the past few years has demonstrated, it is in many respects a time bomb waiting to explode. Creating, communicating, and storing corporate information in electronic form greatly enhances the potential for unauthorized access, use, disclosure, and alteration, as well as the risk of accidental loss or destruction. Concerns regarding corporate governance, individual privacy, accountability for financial information, the authenticity and integrity of transaction data, and the security of sensitive business data are driving the enactment of new laws and regulations designed to ensure that businesses adequately address the security of their own data. This paper discusses these points and provides information about the expanding duty to provide security and the emergence of a legal obligation for compliance (Dec. 2007). Link: http://resources.sei.cmu.edu/library/asset-view.cfm?assetid=52927

Thursday

New good practice guide by ENISA on disclosing vulnerabilities

ENISA publishes a good practice guide on Vulnerability Disclosure, aiming to provide a picture of the challenges the security researchers, the vendors and other involved stakeholders are confronted with when disclosing software/hardware vulnerabilities. The study gives a glimpse into the complex vulnerability disclosure landscape by taking stock of the current situation, identifying the challenges and good practices and proposes concrete recommendations for improvement.
The main part of the report describes the main concepts behind vulnerability disclosure, along with some figures on the number of vulnerabilities disclosed in the past 13 years.

NIST Standards for Government Contractors?

Tuesday

Monday

Asymmetric Loss Functions for Forecasting in Criminal Justice Settings - Richard Berk (April 19, 2010).

The statistical procedures typically used for forecasting in criminal justice settings rest on symmetric loss functions. For quantitative response variables, overestimates are treated the same as underestimates. For categorical response variables, it does not matter in which class a case is inaccurately placed. In many criminal justice settings, symmetric costs are not responsive to the needs of stakeholders. It can follow that the forecasts are not responsive either. In this paper, we consider asymmetric loss functions that can lead to forecasting procedures far more sensitive to the real consequences of forecasting errors.

Theoretical points are illustrated with examples using criminal justice data of the kind that might be used for "predictive policing."

Malicious email

Websense® Security Labs™ ThreatSeeker™ Network has discovered a new wave of malicious email attacks claiming to be a password reset confirmation from Facebook.

The From: address on the messages is spoofed using support@facebook.com to make the messages believable to recipients.

The messages contain a .zip file attachment with an .exe file inside. The .exe file currently has a detection rate of about 30 percent on VirusTotal. Our ThreatSeeker™ Network has seen up to 90,000 of these messages sent out so far today.

The malicious .exe file connects to two servers to download additional malicious files and joins the Bredolab botnet, which means the attackers have full control of the PC and can, for example, steal customer information or send spam emails. One of the servers is in the Netherlands and the other one is in Kazakhstan.

Friday

X - FORCE '09

The X-Force 2009 Mid-Year Trend and Risk Report, the report by IBM X-Force, the IBM research team that holds the world's largest database on the vulnerability of computer systems, found an exponential increase in attacks, including attacks originating from websites considered safe.
In particular, the report reveals that so-called "web exploits" hidden in PDF files have reached record levels, highlighting a surprising evolution in attack techniques; for example, attacks carried out by altering SQL code, in which criminals insert malicious code into legitimate websites and alter the operation of visitors' systems, have increased by 50% in recent months.
The report also highlighted a significant growth in "Trojan Horse" attacks; in particular, those that attempt to obtain information not otherwise available are the most widespread, replacing "phishing", which is now in sharp decline. Commenting on the report, Kris Lamb, Director of IBM X-Force, states that safe browsing no longer exists and that every website must be considered suspect.

Monday

Internet Crime Complaint Center

The Internet Crime Complaint Center (IC3) was established as a partnership between the Federal Bureau of Investigation (FBI) and the National White Collar Crime Center (NW3C) to serve as a means to receive Internet-related criminal complaints and to further research, develop, and refer the criminal complaints to federal, state, local, or international law enforcement and/or regulatory agencies for any investigation they deem to be appropriate. The IC3 (...).

Digital Papers