IRS Safeguards Program

Tax time seems like an appropriate time to make note of the IRS Safeguards Program.

The Safeguards Program and staff are responsible for ensuring that federal, state and local agencies receiving federal tax information protect it as if the information remained in IRS’s hands.

These agencies and their contractors receiving federal tax information must protect the confidentiality of return information and are periodically reviewed by Safeguards personnel to ensure they meet the safeguarding requirements of IRC 6103(p)(4). These requirements include employee awareness programs, proper disposal, secure storage and computer security among others.

Changes to PCI

Discussion has long been underway regarding changes to the PCI DSS. It gets a refresh every two years, and October 2008 was the last release (version 1.2). Here are two examples of what to expect this coming October:

1) Some have suggested that segmentation will be clarified. I suspect this will not be a significant update.

The problem with segmentation is not that it is difficult to do or understand. The problem has been that some assessors have made mistakes. A firm that shall remain nameless has tried to argue that Active Directory alone, for example, would constitute adequate access control for segmentation. A QSA should know this is not true.

Those responsible for the compliance language simply have to make it clear now that things like directory authentication are not sufficient alone for proper segmentation. Clarification or education of what we already (should) know is necessary but still a minor update. We will continue to do things the way we have been doing them, while some may be caught up to where they should have been.

2) Data discovery changes in October will be more significant.

A hint of what to expect can be found in the April 20, 2010 Visa Security Bulletin: Cardholder Data Security Best Practices for Visanet Processors. Companies that want to be PCI compliant need to be able to find all cardholder data within their storage, processing and network environments. This will become even stricter, in that tools to scan for and find the data will almost certainly be required. The card brands have always emphasized this, but they are about to push the point even harder. Here is an extract of the Visa language that should be considered today:

Create a data matrix detailing all of the business lines and processes that handle cardholder data. Explain the need for such data and note whether the data is being stored, processed and/or transmitted.

Specify all of the resources (including networks, systems, applications, databases, services, components and users) for each business line and process that have access to card data and explain the need for that access.

Adopt data loss prevention (DLP) solutions to actively locate card data in real time across the organization’s resources (including networks, systems, applications, databases and components). Some DLP solutions can alert designated individuals when unauthorized and unprotected card data storage is found, and prevent attempted, unauthorized transmission of card data out of the cardholder data environment.

We are thus already talking with customers about solutions to monitor and find cardholder data in real time and then quickly establish whether it is outside authorized business processes.

The change is significant because few if any organizations have a truly comprehensive grasp of all cardholder data in their environments. This will have to change for compliance.

The change is also significant because the tools that automate the tasks required to get that grasp do not yet work well enough to be production quality. This also will probably change for compliance. Run spider a few times and you will most likely find yourself resorting to manual review of directories.
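To make concrete what the discovery tooling discussed above actually has to do, here is an added example in Python. It is not code from the original post, from Visa's bulletin or from any named product. It finds digit runs that look like primary account numbers, filters them with the Luhn mod-10 check to cut the false positives that drive people back to manual review, and reports only masked values so the scanner itself does not become another unprotected copy of card data. The sample text, file names and the `Finding` structure are constructed for this example.

```python
import os
import re
import tempfile
from typing import List, NamedTuple

# A PAN candidate is 13 to 19 digits, optionally separated by single spaces
# or dashes, and not embedded in a longer run of digits (lookarounds).
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# Constructed sample data for this example; the two card-like values are
# publicly known test numbers, not real cardholder data.
SAMPLE_TEXT = """order_id=1234567890123456 status=shipped
customer note: card ending 4111 1111 1111 1111 please charge again
legacy export: 5500-0000-0000-0004,EXP=1212
phone 555-0100 ref 12345
"""


class Finding(NamedTuple):
    source: str      # file path or label of the scanned text
    line_no: int
    masked_pan: str  # first six and last four digits only


def luhn_valid(digits: str) -> bool:
    """Mod-10 (Luhn) check; weeds out most digit runs that are not card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Keep at most the first six and last four digits, the PCI DSS 3.3 display limit."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def scan_text(text: str, source: str = "<text>") -> List[Finding]:
    """Return one masked finding per Luhn-valid PAN candidate in the text."""
    findings: List[Finding] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for match in PAN_CANDIDATE.finditer(line):
            digits = re.sub(r"[ -]", "", match.group(0))
            if luhn_valid(digits):
                findings.append(Finding(source, line_no, mask_pan(digits)))
    return findings


def scan_directory(root: str, extensions=(".txt", ".log", ".csv")) -> List[Finding]:
    """Walk a directory tree and scan text-like files; undecodable bytes are skipped."""
    findings: List[Finding] = []
    for dirpath, _dirs, files in os.walk(root):
        for name in sorted(files):
            if not name.lower().endswith(extensions):
                continue
            path = os.path.join(dirpath, name)
            with open(path, "r", encoding="utf-8", errors="ignore") as fh:
                findings.extend(scan_text(fh.read(), source=path))
    return findings


def demo_scan() -> List[Finding]:
    """Write the constructed sample into a temporary tree and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        os.makedirs(os.path.join(tmp, "exports"))
        with open(os.path.join(tmp, "exports", "batch.csv"), "w") as fh:
            fh.write(SAMPLE_TEXT)
        with open(os.path.join(tmp, "notes.md"), "w") as fh:
            fh.write(SAMPLE_TEXT)   # skipped: .md is not in the scanned extensions
        return scan_directory(tmp)


if __name__ == "__main__":
    for f in demo_scan():
        print(f"{f.source}:{f.line_no}: {f.masked_pan}")
```

On the sample text the first line's 16-digit order id fails the Luhn check and is dropped, while the space- and dash-separated card numbers on lines two and three are reported masked. The Luhn filter only removes random digit runs; other Luhn-checked identifiers still pass, which is why a real deployment still needs a review step behind the scanner and a file-type list wider than the three extensions used here.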

Voltage CPU attack on encryption

Three researchers at the University of Michigan claim to have found a way to break encryption by lowering the voltage going to a CPU. The processor makes mistakes, as explained by the BBC in “Web security attack ‘makes silicon chips more reliable’”:

The implications of the research do not stop at security. It is also helping to produce error correction systems that spot when transistors fail and ensure that data is not corrupted as a result.

I would still classify that as security. Data integrity is within scope of a security assessment of the chip, as is data availability.

Nigerian convicted in US on AFF

The US Justice Department Press Release details a rare successful conviction of a 419 scammer:

Nora R. Dannehy, United States Attorney for the District of Connecticut, today announced that a federal jury in Bridgeport has found OKPAKO MIKE DIAMREYAN, 31, a citizen of Nigeria who sometimes resided in Accra, Ghana, guilty of three counts of wire fraud stemming from an alleged “advance fee” scam. The trial began on February 11 and the jury returned its verdict this afternoon.

The accused ran scams from 2004, garnering up to $1.5 million from victims in the US. He faces 20 years in prison and up to $250,000 for each of the three wire fraud counts. I found a ten-page “RULING RE: DEFENDANT’S MOTION FOR JUDGMENT OF ACQUITTAL” from United States v. Diamreyan (D. Ct.) Case 3:309-cr-00260-JCH, Document 66, Filed 04/16/10:

The three counts of wire fraud charged in the Indictment are: Count One, a telephone call from Diamreyan in Ghana to Michael Pandelos in Connecticut on August 19, 2006; Count Two, a wire transfer via Western Union of $50 from Pandelos to Diamreyan on August 22, 2006; and Count Three, a wire transfer of $100 from Pandelos to Martine Janvier, Diamreyan’s wife, in Massachusetts on August 26, 2008.

The accused argued that there was insufficient evidence but the court ruled against him. The case and testimony give a good picture of how people become victims as well as a watermark of what is necessary to get to conviction.

AFF continues to grow as a problem. Ultrascan, based on cases they work with, now lists the top three countries by AFF fraud losses as the US ($2.1 billion), the UK ($1.2 billion) and China ($936 million).