The Department of Homeland Security (DHS) has appointed 20 members to its Data Privacy and Integrity Advisory Committee, whose task it is to advise the DHS Secretary and Chief Privacy Officer “on programmatic, policy, operational, administrative, and technological issues within the DHS that affect individual privacy, as well as data integrity and data interoperability,” according to the committee’s charter. The members come from private-sector companies such as Oracle and Computer Associates, academic institutions such as The George Washington University, and think tanks like the Cato Institute.
There is a tension between security and privacy, and since 9-11 it can be argued that public opinion has leaned more toward the former at the expense of the latter. For that reason, groups that are fighting to maintain or increase the privacy rights of citizens are more important than ever.
The Center for Democracy and Technology (CDT) is a leading advocate for privacy in a technological age where fears of terrorism are cited as a rationale for government and law enforcement to have greater access to data. Over the past decade CDT has fought spyware, opposed greater use of wiretaps by the FBI on wireless phones and VoIP, and looked for a balance between protecting intellectual-property rights and allowing consumers fair use. No matter where you stand on these issues, it is helpful to understand the perspective of privacy advocates, such as the CDT. You can get to the CDT’s Web site via SM Online.
One of the most ballyhooed differences is security; IE has been famously prone to flaws, while Firefox has remained largely outside of the virus and worm threatscape in part because it has fewer flaws and in part because it has fewer users and is not yet attracting the attention of hackers. That’s subject to change, of course, as more people adopt it.
It's government IT security grade time again, and as always, the news is not good. Seven agencies received a grade of F, including two, Commerce and Veterans Affairs, that had received a C- and a C respectively in 2003. But there were improvements. The Agency for International Development received an A+, and the Department of Justice jumped from an F to a B-. The scorecard is available through SM Online.
Test your knowledge of tech terms.
Pour a quart of juice into an eight-ounce glass and most of the juice will end up on the counter. Similarly, when more information comes into a computer program’s temporary data-storage area than was meant to fit, some of that data will spill over and could corrupt or even overwrite the data in adjoining areas. Savvy attackers use this flaw to gain access to systems or destroy data. What are these attacks called?
Hint: The first word rhymes with slang for golfer; to get the second word, think of what happens to the juice in the eight-ounce glass.
Answer: Buffer Overflow
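As an added illustration that is not part of the original column, the following C program models the quiz's "adjoining areas": a hypothetical record (struct record, copy_unchecked and copy_checked are all constructed for this example) whose eight-byte name buffer sits directly before a flag the program trusts. Copying a nine-byte input without a length check overwrites the flag; the bounds-checked copy refuses the input instead.

```c
#include <stddef.h>
#include <string.h>

/* Hypothetical record modelling "adjoining areas": an 8-byte name buffer
 * followed immediately by a byte the program trusts. */
struct record {
    char          name[8];
    unsigned char privileged;   /* 0 = ordinary user, 1 = privileged */
};

/* Unchecked copy: writes every byte of src from name[0] onward, ignoring the
 * 8-byte capacity. The write is confined to the struct (viewed as bytes) so
 * the demo stays well-defined C, but bytes 8 and up land in 'privileged'. */
void copy_unchecked(struct record *r, const char *src, size_t len)
{
    unsigned char *base = (unsigned char *)r;
    size_t start = offsetof(struct record, name);
    for (size_t i = 0; i < len && start + i < sizeof *r; i++)
        base[start + i] = (unsigned char)src[i];
}

/* Bounds-checked copy: rejects input that does not fit with its NUL. */
int copy_checked(struct record *r, const char *src, size_t len)
{
    if (len >= sizeof r->name)
        return -1;          /* too long: refuse rather than spill */
    memcpy(r->name, src, len);
    r->name[len] = '\0';
    return 0;
}

/* Constructed 9-byte input: eight filler bytes plus 0x01 for the 9th slot. */
static const char OVERLONG[] = "AAAAAAAA\x01";

/* Flag value after the unchecked copy: 1, the ninth byte overwrote it. */
int flag_after_unchecked(void)
{
    struct record r = { "guest", 0 };
    copy_unchecked(&r, OVERLONG, sizeof OVERLONG - 1);
    return r.privileged;
}

/* -1 when the checked copy rejects the input, leaving the flag untouched. */
int flag_after_checked(void)
{
    struct record r = { "guest", 0 };
    if (copy_checked(&r, OVERLONG, sizeof OVERLONG - 1) != 0)
        return -1;
    return r.privileged;
}
```

A real overflow clobbers whatever happens to sit next to the buffer, which is why the defence is the length check, not any particular memory layout.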
One card that works across the government as an ID and for access is a step closer to reality. In accordance with Homeland Security Presidential Directive (HSPD) 12, the National Institute of Standards and Technology (NIST) has released a standard specifying the architecture and technical requirements for a common identification credential for federal employees and contractors, such as a smart card with embedded biometric data.
By Peter Piazza
Viruses poised to attack cars and machinery, NIST moves forward on federal ID standard, lowdown on Firefox.
The Information Security Forum (ISF), a U.K.-based nonprofit group of more than 260 international corporate members from Adobe Systems to Zurich Financial Services, has released an updated version of The Standard of Good Practice for Information Security. This comprehensive standard allows organizations to measure the effectiveness of their security posture against an international benchmark. The latest version has added guidance on patch management and on mitigating threats posed by instant messaging. It has significantly updated sections on outsourcing, virus protection, and Web server security. Unlike most of ISF’s 200 or so publications, which are available only to members, The Standard of Good Practice is available to the public for free.
Get it via SM Online.
“Threats unseen are threats unbelieved,” says one terrorist in Hacking a Terror Network: The Silent Threat of Covert Channels, a new book by Russ Rogers. These unseen threats are the focus of Rogers’ book, about a fictionalized set of terrorists led by a young Arabic man who seeks revenge against the Americans whose bomb killed his brother.