http://www.surety.com/news/category/blog/ Blog Spot en Surety Copyright 2008 2008-10-07T12:39:00-05:00 http://www.surety.com/news/article/in_case_you_missed_it_software_lets_user_manipulate_passport_data/ http://www.surety.com/news/article/in_case_you_missed_it_software_lets_user_manipulate_passport_data/#When:13:39:00Z Software Lets User Manipulate Passport Data Washington Post, September 30, 2008 Are you in need of a quick passport don’t doesn’t necessarily care if the personal information doesn’t match up to who you really are? If so, then you might want to check on Jeroen van Beck’s new tool that allows you to modify data on computer chips imbedded in dozens of country’s passports, including those from the U.S. van Beck’s software specifically targets electronic passports which include chips that contain a person’s name, date of birth, passport number and photograph. In a demo given to The Times Online, van Beck demonstrated the ease in which information can be changed, copied and deleted, all of which can help hide the true identity of the passport holder. According to the article, “Building on research from the UK, Germany and New Zealand, Mr van Beek has developed a method of reading, cloning and altering microchips so that they are accepted as genuine by Golden Reader, the standard software used by the International Civil Aviation Organization to test them. It is also the software recommended for use at airports.” While these chips are designed to be signed with cryptographic keys held by the issuing country, not all e-passport participating countries have agreed to share these keys. According to Adam Laurie, a freelance security researcher with RFIDiot.org, this in turn allows individuals to sign the bogus information using his/her own personal cryptographic key without too many countries realizing it. "This is the big problem with the whole thing: It relies on checking the digital signatures of the content on the passport, but if nobody's checking those signatures, you can't tell if the data is legitimate," Laurie said. Well said by Laurie. What good is a digital signature if no one is factually checking it? And digital signatures alone aren’t always the answer to ensuring that data has not been tampered. From start-up businesses to Fortune 500 companies to government institutions – they all need to be aware of content security risks and the ways in which criminals are manipulating them. Electronic passports are a great effort toward identification authenticity, but their effectiveness can only go as far as its security measures allow. Blog Spot 2008-10-07T13:39:00-05:00 http://www.surety.com/news/article/in_case_you_missed_it_anatomy_of_a_data_breach_a_global_perspective/ http://www.surety.com/news/article/in_case_you_missed_it_anatomy_of_a_data_breach_a_global_perspective/#When:13:38:00Z Anatomy of a Data Breach: A Global Perspective CIO, September 29, 2008 We’ve said it before, but data integrity’s role in regulatory compliance is key, so this is worth highlighting once more: In the wake of undiscovered data breaches and subsequent public exposure, regulatory compliance and security audit standards are becoming ever more important to protecting critical assets. Despite the increase in the number of data breaches via illicit means, internal controls seem to fail when it comes to the assurance that critical assets remain uncompromised. According to the Identity Theft Resource Center, 336 breaches have been reported in 2008 thus far, making the number 69 percent higher then this time last year – and these breaches pose a significant risk to compliance initiatives such as Sarbanes-Oxley (SOX), Graham Leach Bliley (GLBA), Payment Card Industry (PCI), or Health Insurance and Portability and Accountability Act (HIPAA). “With the significant increase in data exposure corporations can’t afford to take short-cuts when it comes to information assurance. Otherwise it is almost certain that one will become a victim of a serious exposure of sensitive information.” The article is a good read on a wide-variety of data breach issues; we recommend you take a look and think about how you are securing your organization’s data for compliance purposes. Blog Spot 2008-10-07T13:38:00-05:00 http://www.surety.com/news/article/in_case_you_missed_it_how_much_do_end_users_know_about_content_security/ http://www.surety.com/news/article/in_case_you_missed_it_how_much_do_end_users_know_about_content_security/#When:13:35:00Z How much do end-users know about content security? CRN Australia, September 30, 2008 This article makes a very critical point that we don’t want you to miss: “Data levels and the importance of corporate content have never been higher. Talk of potential new regulations aside, content security is still a hot topic in the industry and could well produce a huge opportunity for the local channel community.” “These pressures are coupled with constantly evolving security threats and emerging technologies”, said Patrik Bihammar, senior analyst for security solutions in A/NZ. “Organizations in A/NZ will need to continue to invest in IT security to maintain their security and risk posture and protect their assets and information against increasingly sophisticated threats targeting the core of any business, its information and intellectual property.” The article also shows that data security is a growing market globally, and highlights IDC’s recent prediction that the market for security solutions in Australia and New Zealand (A/NZ) will surpass $1.6 billion by 2011. Importantly, the article presents this inquiry to two security experts asking, “How high are levels of end-user awareness around the importance of content security?” According to Peter Croft, Managing director at Clearswift Asia Pacific, Web 2.0 is a concept that business leaders are just now beginning to keep an eye on. With social networking sites such as Facebook and MySpace becoming a popular office tool for collaboration purposes, imagine how easy it is for employees to accidentally post private corporate information. Chris Barton ANZ Regional Manager at Sonicwall seems to agree. Although a recent survey suggests that Australian workers are less likely to download non-work related items onto their work computer, he says that social networks can threaten passwords, documents and general intellectual property. Take a complete look at these experts’ comments and think about your own corporate standards and security culture. How important is content security in your organization? Blog Spot 2008-10-07T13:35:00-05:00 http://www.surety.com/news/article/reminder_on_the_role_of_e_records_in_trade_secret_enforcement/ http://www.surety.com/news/article/reminder_on_the_role_of_e_records_in_trade_secret_enforcement/#When:18:54:00Z Earlier today, an entry on Wright’s Legal Beagle blog via the Content Management Connection blog caught our attention. While the Microsoft intellectual property (IP) lawsuit these entries described was settled more than three years ago, the light that specific case shed on email authentication and IP protection are timeless and worth revisiting. In case you aren’t familiar with the specifics of Burst.com v. Microsoft, here is a quick recap from Wright’s Legal Beagle: Burst had held conversations with Microsoft in which it confidentially (under non-disclosure agreement) revealed trade secrets about Burst's streaming media technology. Burst later alleged that Microsoft chose to use these trade secrets without Burst’s consent, and without compensation to Burst. So Burst sued, claiming misappropriation of trade secrets and breach of contract. During the discovery phase of the lawsuit, Microsoft was required to reveal all of its e-mail records on the topic, and Microsoft did turn over a large number of e-mails regarding its development and use of streaming technology. And while Microsoft turned over “millions of documents and emails” related to this case during discovery, they did not produce some of the same key exchanges as Burst.com. During a 2003 interview with ZDNet UK, Burst.com’s attorney voiced his suspicions: "Microsoft is a company that lives and dies by email -- that is how they communicate. Emails that should be there were not; for instance, there were a whole series of meetings between my client and Microsoft, and there are no emails discussing those meetings." Unable to overcome the setback caused by the missing emails, Burst.com and Microsoft settled this suit in 2005. In this instance, Burst.com clearly won because it employed better email retention practices. While there was never any specific question about the authenticity of the electronic emails Burst.com produced during this litigation, times have changed. Courts expect more. Given the lack of confidence many organizations have with their ability to authenticate emails for use during litigation, the Burst.com v. Microsoft case serves as an important reminder that electronic records – including email – can, and will be, called into court and it raises an important question about litigation preparedness: if necessary, are your electronic records ready to serve as the smoking gun you may need to protect your organization’s intellectual property? Blog Spot 2008-10-01T18:54:00-05:00 http://www.surety.com/news/article/in_case_you_missed_it_senate_passes_property_rights_bill/ http://www.surety.com/news/article/in_case_you_missed_it_senate_passes_property_rights_bill/#When:15:35:00Z Senate passes property rights bill Variety, September 26, 2008 Last week the Senate passed an intellectual property rights bill that intends to increase federal support to copyright laws. The Prioritizing Resources and Organization for Intellectual Property Act of 2008 increases federal resources for enforcing current copyright laws and is designed to better facilitate U.S. intellectual property (IP) policy. The president is expected to sign the bill, which supporters believe will not only represent an important step forward for IP protection, but also for the economy. We aren’t in the business of commenting on pending legislation, but any time we see intellectual property protection in the news, it catches our eye. Certainly it is no secret that IP serves as the lifeblood of nearly every organization, and the impact of stolen IP can represent a significant risk. Blog Spot 2008-09-30T15:35:00-05:00 http://www.surety.com/news/article/in_case_you_missed_it_compliance_scares_make_pack_rats_of_it/ http://www.surety.com/news/article/in_case_you_missed_it_compliance_scares_make_pack_rats_of_it/#When:15:34:00Z Compliance scares make pack rats of IT SearchCIO.com, September 24, 2008 After recently attending the IDC-Kahn Consulting Inc. Compliance in Information Management Forum, the author of this article walked away with contradicting opinions about e-mail storage – what should you keep and what should you toss? Opinions vary. On one hand, Sandra Hostetter, program manager for electronic content management and retention at Rohm and Haas Co., said at the event that her company’s policy is to delete e-mails after 60 days. On the other hand, speaker George Goldsmith, director of enterprise content management and litigation support at Forest Laboratories Inc., said that his company saves any and all e-mails. So who’s in the right here? When it comes down to it, there doesn’t seem to be one good answer. As the author points out, choosing a records management process depends heavily on the unique state of each organization. “While records management has its established rules, electronic information management is an entirely new ball of wax. And I don't see that the Federal Rules of Civil Procedure made it any less complex. Experts say the rules are vague and remain open to interpretation. As a result, how to handle electronic information is vague and remains open to interpretation.” Sure, saving every last e-mail may make pack rats out of IT professionals, however if it works for them, so be it. The important thing is, is that every organization have a process in which all employees understand and implement. Forcing compliance will create a standard that you and your company will be able to confidently rely upon should your records be challenged in a court of law. Blog Spot 2008-09-30T15:34:00-05:00 http://www.surety.com/news/article/in_case_you_missed_it_records_management_for_the_masses_scalable_ecm_soluti/ http://www.surety.com/news/article/in_case_you_missed_it_records_management_for_the_masses_scalable_ecm_soluti/#When:15:32:00Z Records Management For The Masses: Scalable ECM Solutions For Smaller Organizations ECM Connection, September 22, 2008 Depending on the size of your organization, enterprise content management solutions may or may not have been a hard thing to come by in recent years. However, as technology continues to evolve, small business (who historically were financially hindered from investing in records management solutions) now have a variety of management options to choose from. As this article points out, investing in ECM solutions also comes with value added benefits. An electronic management solution can not only store and organize your e-files, but it can help your company establish a compliance process. “With an ECM system, you can configure who has access to your records, and you can deny access to unauthorized users. Approvals and denials are documented. Audit trails provide indisputable verification of who accesses information, and when that information is accessed. Privacy regulations are met, and operations are executed far more efficiently than they would be using a paper-based system.” These capabilities are crucial and should be embraced by all businesses that have intellectual property (IP) to protect. Controlling the accessibility of your company’s information can help manage the authenticity of electronic records and protect your company’s sensitive information from unwanted outlets. For more on how to do this, check out our white paper on securing electronic records in ECM environments. Blog Spot 2008-09-30T15:32:00-05:00 http://www.surety.com/news/article/anything_but_a_childs_game_intellectual_property_security_lessons_learned_f/ http://www.surety.com/news/article/anything_but_a_childs_game_intellectual_property_security_lessons_learned_f/#When:10:50:00Z This year’s steel-cage legal tussle pitted America’s most iconic doll, Barbie, against her new-age rival, the Bratz doll. In case you’ve missed the developments that led to this summer’s trial between the dolls’ respective manufacturers, Mattel and MGA Entertainment, check out this Wall Street Journal article. In short, however, the intellectual property battle boiled down to the following facts: • 1998: Designer Carter Bryant left Mattel and, inspired by then-current teenage fashion styles, had the original idea for Bratz dolls. • 1999: Bryant rejoined Mattel, signing a new contract to design clothes for the Barbie line. • 2000: Bryant used a vacation day from Mattel to discuss his doll idea with MGA. He subsequently accepted a position with MGA and began development of the Bratz line. • 2002: Mattel received an anonymous letter indicating that Bryant had created the Bratz dolls while still employed by Mattel. • 2004: Mattel filed suit against Bryant, accusing him of creating Bratz on Mattel time, thus stealing Mattel intellectual property. • 2006: Mattel expanded its suit to include MGA. In that same year, Bryant agreed to a confidential settlement with Mattel – leaving Mattel and MGA to duke it out. (Video credit: Wall Street Journal) Accusations of stolen intellectual property? This case was certainly right up our alley. Had the case involved electronic records, you’d certainly would have seen it included on our Wall of Shame shortly after a jury awarded Mattel $100 million, finding that the Bratz line was created using intellectual property wrongfully taken by a Mattel employee. According to Litigation Daily, the first part of the case came down to the ever-important question of timing (http://amlawdaily.typepad.com/amlawdaily/2008/07/the-am-law-l-16.html): When did former Mattel designer Carter Bryant sketch the design that became the MGA-produced Bratz doll? To make Mattel's case, Quinn brought in a document examiner who performed indentation analysis on notebooks that Bryant used while a Mattel employee. The Bratz drawings had been torn out, but the document expert was able to show that traces of the drawings remained on blank pages in Bryant's notebook. As manufacturing R&D increasingly moves from paper-based records to electronic records, this case presents a critical reminder that evidence of intellectual property ownership can – and likely will be – one day challenged in court, and that in that instance, it is your company’s responsibility to prove that your electronic records of invention and ownership are authentic. Have questions about how to do this? Check out this whitepaper from Atrium Research on Record Integrity and Authentication for Electronic R&D, this case study on how one global company is securing its intellectual property, or this whitepaper from CSC’s Leading Edge Forum on digital intellectual property protection. Blog Spot 2008-09-29T10:50:00-05:00 http://www.surety.com/news/article/corona_pd_sets_the_stage_for_conversation_on_government_20/ http://www.surety.com/news/article/corona_pd_sets_the_stage_for_conversation_on_government_20/#When:18:33:00Z In a recent case study, we pointed out a problem that many law enforcement agencies are facing: growing paper archives. One California police department, which averages 17,000 new records entering into its system a year, including case files, citations and animal control records, decided to research innovative methodologies in order to streamline its document management processes. Through Laserfiche® (provided by ECS Imaging, Inc.) and AbsoluteProof® (provided by us), the City of Corona Police Department (CPD) will be reducing the storage space needed for the growing heap of paper and will also eliminate employment costs associated with funding staff. But the main perk the CPD gets by implementing these two solutions is tamper-proof records through AbsoluteProof’s data authentication technology. AbsoluteProof’s digital timestamp validates the date and time of any document that is generated, while also maintaining the integrity of any electronic record. No matter what part of the process, each document will have proof that an electronic record existed at a specific point in time during the chain of custody and was never manipulated. So where are other areas of government that could benefit from this? On Sept. 22, The City of Elk Grove, north of Corona near Sacramento, issued a press release from the city’s human resources department announcing that it has moved toward a paperless environment and is now offering its job applications through an automated employment application process. While it will replace pen and paper—will it ensure document integrity? BestWeek reported this month that the West Virginia Offices of the Insurance Commissioner are going green when it comes to rule and form filings by insurers. Once the New Year rolls around, all insurance rate, rule and form filings must be submitted through the System for Electronic Rate and Form Filing (SERFF), with related fees paid through electronic funds transfers, according to the state. The news report says West Virginia will become the 14th state to adopt the NAIC’s SERFF system, a rapidly growing trend. The DC Department of Consumer and Regulatory Affairs (DCRA) has also caught the bug to go green and has introduced its new online system PULSE, which will allow tens of thousands of licensed professionals in the District to apply for professional licenses, renew existing licenses, check on continuing education, and perform other tasks such as updating an address, according to a Sept. 18 release DCRA issued. Currently regulating roughly 72,000 practitioners in 127 occupations and professional licensing categories, from plumbers, accountants and real estate agents, DCRA will see a reduction of paper by the tons. By going this route, it will also “streamline the licensing process, provide easier access to online resources and eliminate many redundant business practices,” said the article. Robert Whelan, the president of Pearson VUE, which licensed the technology for DCRA said his system is “a natural progression of our vision for technology, efficiency, and sustainability for our products and services.” While the reasons behind each agency's move to electronic records likely varies—green initiatives in support of the environment, improved efficiencies to maximize space and avoid time spent combing through crazy amounts of paper, cost savings, improved services for the tax payer, etc.—the reason they all need to be concerned about data integrity, and thus consider a content security solution like AbsoluteProof, remain the same. All of these government records—whether they contain HR information, professional license information, criminal case files, police citations, etc.—contain sensitive information. In each instance, the government agency that maintains the electronic records has a responsibility, both legally if they want or need to use the electronic records for legal proceedings, and ethically, as custodians of this sensitive information to ensure that the data contained in the records is not subject to accidental or malicious tampering. With the advent of technology, there’s always been ways of doing things better and, not to mention more efficiently. The next step for these government agencies is taking responsibility in providing peak data integrity as they move toward electronic records. Blog Spot 2008-09-26T18:33:00-05:00 http://www.surety.com/news/article/in_case_you_missed_it_the_internet_communications_and_data_protection_blog/ http://www.surety.com/news/article/in_case_you_missed_it_the_internet_communications_and_data_protection_blog/#When:17:11:00Z The Internet, Communications and Data Protection Blog ICDP, September 2008 Being that we’re constantly scouring the Web for the latest IP, email security and data protection intel, it’s only fair that we share any Earth shattering discoveries with you. Recently, we came across the Internet, Communications and Data Protection (ICDP) blog which is ran by Sonnenschein Nath & Rosenthal, an international law firm serving non profits, businesses and individuals. This blog tends to highlight both low and high profile new stories that deal with Internet, security and privacy legal issues. Interested in learning more about the Sarah Palin email intrusion? Or how about the new ID theft bill that was recently passed? Take a look at the blog today and see how you like it. It’s certainly another good resource to have under your belt. Blog Spot 2008-09-23T17:11:00-05:00