InfoSec Philippines

Information Security, Technology News and Opinions

Archive for the ‘Presentations’ Category

The Philippine Data Privacy Act

Posted by Jaime Raphael Licauco, CISSP, GSEC on August 10, 2009

The Philippine Data Privacy Act is apparently stuck in Congress. They adjourned on June 5 and started again on July 27.

In the same vein that the country currently has no anti-cybercrime legislation, the Philippines has no specific Data Privacy Act. One of the best sources of information regarding the current state of legislation is Mr. Philip Varilla’s presentation on “Privacy Framework in the Philippines”, which, if one Googles for “Philippine Privacy Law”, can be found on the website of the Office of the Privacy Commissioner for Personal Data… of Hong Kong.

The presentation states that privacy is a basic right bestowed by the Constitution’s Bill of Rights Section 2, “The right of the people to be secure in their persons, houses, papers,”; and Section 3, “The privacy of communication and correspondence shall be inviolable except upon lawful order of the court, or when public safety or order requires otherwise as prescribed by law….”

It also states that the following Philippine laws are relevant:
– REPUBLIC ACT (RA) 8505 (An Act providing Assistance and Protection for Rape Victims…) SECTION 5. Protective measures.
– RA 8369 (An Act Establishing Family Courts, granting them Exclusive Original Jurisdiction over Child and Family Cases…) SECTION 12. Privacy and Confidentiality of Proceedings.
– Law on Secrecy of Bank Deposits, Republic Act No. 1405, as amended
– E-COMMERCE ACT (ECA) RA 8792

If one wants to understand the current state of data privacy in the Philippines, I suggest downloading the above presentation. Reading it made me wonder why the Philippines doesn’t seem to have HIPAA-like legislation specific to HMOs, making them liable in case they do not protect your medical information.

The Philippines, being a member of APEC, will be aligning its Data Privacy legislation with the APEC Framework.
The APEC Framework can be downloaded here.

Other Related Links:
(Inquirer.net Feb 2009) RP joins APEC data privacy initiatives
The Electronic Commerce Act and its Implementing Rules and Regulations (40 page pdf)
(Out-law.com) Why the APEC Privacy Framework is unlikely to protect privacy [published Oct 2007]
Philippines Convenes Seminar to Explore New Privacy Legislation
(Inquirer.net Oct 2008)Senate must pass IP, data privacy laws
(Global Sky.com) Outsourcing in the Philippines: Is your privacy protected?
ARC Frequently Asked Questions
(Chan Robles) E-Commerce Act of 2000
(Scribed) Republic Act 8792
(GMA News Blog) Janette Toral’s Blog
(Digital Filipino) Salient Features of RA8792, The E-Commerce Law
(Wikipedia) Information privacy law
(Wikipedia) US Health Insurance Portability and Accountability Act
(Wikipedia) EU Data Protection Directive


Posted in encryption, Legal, Philippines, Presentations, Privacy | 1 Comment »

The Hacker Manifesto

Posted by Jaime Raphael Licauco, CISSP, GSEC on August 6, 2009

Since Black Hat USA (presentations available here) and Defcon 17 concluded a week ago, I found it fitting to post here the classic “Hacker Manifesto.” This comes from Phrack Magazine’s Volume One, Issue 7, Phile 3 of 10, originally entitled “The Conscience of a Hacker” by The Mentor and written on Jan 8, 1986.


The Hacker Manifesto

by
+++The Mentor+++
Written January 8, 1986

Another one got caught today, it’s all over the papers. “Teenager Arrested in Computer Crime Scandal”, “Hacker Arrested after Bank Tampering”…

Damn kids. They’re all alike.

But did you, in your three-piece psychology and 1950’s technobrain, ever take a look behind the eyes of the hacker? Did you ever wonder what made him tick, what forces shaped him, what may have molded him?

I am a hacker, enter my world…

Mine is a world that begins with school… I’m smarter than most of the other kids, this crap they teach us bores me…

Damn underachiever. They’re all alike.

I’m in junior high or high school. I’ve listened to teachers explain for the fifteenth time how to reduce a fraction. I understand it. “No, Ms. Smith, I didn’t show my work. I did it in my head…”

Damn kid. Probably copied it. They’re all alike.

I made a discovery today. I found a computer. Wait a second, this is cool. It does what I want it to. If it makes a mistake, it’s because I screwed it up. Not because it doesn’t like me… Or feels threatened by me.. Or thinks I’m a smart ass.. Or doesn’t like teaching and shouldn’t be here…

Damn kid. All he does is play games. They’re all alike.

And then it happened… a door opened to a world… rushing through the phone line like heroin through an addict’s veins, an electronic pulse is sent out, a refuge from the day-to-day incompetencies is sought… a board is found. “This is it… this is where I belong…” I know everyone here… even if I’ve never met them, never talked to them, may never hear from them again… I know you all…

Damn kid. Tying up the phone line again. They’re all alike…

You bet your ass we’re all alike… we’ve been spoon-fed baby food at school when we hungered for steak… the bits of meat that you did let slip through were pre-chewed and tasteless. We’ve been dominated by sadists, or ignored by the apathetic. The few that had something to teach found us willing pupils, but those few are like drops of water in the desert.

This is our world now… the world of the electron and the switch, the beauty of the baud. We make use of a service already existing without paying for what could be dirt-cheap if it wasn’t run by profiteering gluttons, and you call us criminals. We explore… and you call us criminals. We seek after knowledge… and you call us criminals. We exist without skin color, without nationality, without religious bias… and you call us criminals. You build atomic bombs, you wage wars, you murder, cheat, and lie to us and try to make us believe it’s for our own good, yet we’re the criminals.

Yes, I am a criminal. My crime is that of curiosity. My crime is that of judging people by what they say and think, not what they look like. My crime is that of outsmarting you, something that you will never forgive me for.

I am a hacker, and this is my manifesto. You may stop this individual, but you can’t stop us all… after all, we’re all alike.

Posted in Presentations | 3 Comments »

Info Sec News, Feb 5, 2009

Posted by Jaime Raphael Licauco, CISSP, GSEC on February 5, 2009

Seminars
ECCInternational will be giving a Certified BCMS (ISO 25999:2007) course from Feb 9-11. They will also be giving an ITIL Practitioner Program – Configuration Management on Feb 10-11; you can check out their Training Schedule here. An ISO 9001:2008 IRCA Certified Lead Auditor Seminar will also be given either on Feb 9-13 or Feb 16-20. For details and specific dates, please contact Rose, Faith or Ness at 7505671 to 73 or email training@ccinternational.com.


Webcasts
CSO Online has published a podcast interview of Jim Routh who is the CISO of the Depository Trust and Clearing Corporation (DTCC). He is a veteran technology and security executive, having held positions at American Express and American Express Financial Advisors before joining DTCC.

(Simply Continuous) How To Keep Your Business Running in the Event of a Disaster


Whitepapers
There’s a recent (Winter 2009) presentation published by the Stanford Applied Crypto group by John Mitchell on Phishing and Malicious JavaScript. Aside from phishing, the presentation talks about how JavaScript is used to obtain information from your browser. John Mitchell teaches CS 142, Web Programming and Security, at Stanford University.

(SonicWall) Bottom-line benefits of telecommuting & secure remote access
(Quest Software) Finding Complete Identity Lifecycle Management that Fits


Insider Threat
I either gotta love this… or get paranoid about this: within 90 minutes of getting fired, a former contract worker for Fannie Mae allegedly added a malicious script, hidden within a legitimate script that ran each morning on the network, which was designed to disable monitoring alerts and all logins, delete the root passwords to the 4,000 Fannie Mae servers, erase all data and backup data, power off all the servers and then disable the ability to remotely switch the machines back on. Fortunately, this was found by another employee within days of the firing.

(Computerworld) Ex-Fannie Mae engineer pleads innocent to server bomb charge
(CSO Online) Alleged Fannie Mae data bomb author working for Bank of America now?

Another recent example of an insider threat is a former employee who still has access to the system, as this article reports: “Mysterious Text-Message Alert at U. of Florida Scares and Angers Students.”


Psychology/Social Engineering
There’s good insight into the psychology involved in information security in this CSO Online article, Are You Addicted to Information Insecurity?

And speaking of psychology, CSO Online’s Anatomy of a Hack is an in-depth article on how social engineering can be used. Also in connection with social engineering, the FBI warns of Money Mule Scams.

A novel way of luring people to a website with malware was found in North Dakota. How? Stick a parking violation ticket on the windshield, with the supposed details of the infraction on a website.

Readers of this blog might also want to check out What the Web knows about you. It’s a six-page article on what attackers may be able to find out about you online. If you’re in the US and are considering searching for your Social Security number, check out this article first on Search Engine Privacy Tips from the World Privacy Forum website.


Browser Security
CSO Online also did an unscientific poll of security experts on browser security, and it turns out that IE isn’t viewed as being as insecure as it was just a few years back. In relation to browser security, Firefox just fixed a couple of vulnerabilities in release 3.06 of their browser.

Also related, Browser secrets of secure connections talks about how browsers play a key part in determining the strength of cipher used between the client and the web server. The article references the Infoworld Test Center Guide to browser security.


New DNS Attack
(CSO Online) Porn Site Feud Spawns New DNS Attack – Botnet operators are adding code to launch a new type of distributed denial of service attack, security experts warn
(NetworkWorld.com) Porn Site Feud Spawns New DNS Attack – A scrap between two pornographic Web sites turned nasty when one figured out how to take down the other by exploiting a previously unknown quirk in the Internet’s DNS.
(NetworkWorld.com Slideshow) How DNS cache poisoning works – this also has tips at the end on how to defend against this kind of attack.


Other Info Sec News
(CSO Online) SMB Security: Five Bright Ideas – Small businesses have to be crafty to handle security with fewer resources. Here are bright ideas for SMBs.

(Computerworld Blog) Security businesses move ahead in this economy

(Computerworld) Removing admin rights stymies 92% of Microsoft’s bugs

(Computerworld) Microsoft denies Windows 7 security feature contains bug

(Computerworld) Banks, customers feel the fallout of the Heartland breach

(Computerworld) Study: Data breaches continue to get more costly for businesses

(Computerworld) Obama health care plan said to boost security, privacy controls – Privacy advocates say $20B e-health proposal overcomes some HIPAA concerns

Posted in Change Management, conferences, Incident Management, ISMS, Presentations, Privacy, social engineering, Webinars, Whitepapers | Leave a Comment »

Recently found Whitepapers and Presentations

Posted by Jaime Raphael Licauco, CISSP, GSEC on November 5, 2008

Joshua Beeman (University of Pennsylvania) and Kathy Bergsma (University of Florida) gave presentations at the Security Professionals Conference in April 2007 on Incident Tracking and Reporting.

The abstract of their presentation is as follows:
“The University of Florida and the University of Pennsylvania both regularly generate summary reports of computer incidents for information security managers. The reports help identify units that need improvement, assist with planning and risk assessment, and have contributed to an improvement in the security posture of both universities.”

Matt Tolbert (University of Pittsburgh) from the same conference presented on Effective Security Metrics.

The abstract is as follows:
“This presentation will show how the University of Pittsburgh successfully uses incident, operational, and compliance metrics to demonstrate the effectiveness of its security controls, as well as to substantiate funding for implementing and sustaining them.”

Both of the above links are from Educause Connect.

Posted in Incident Management, Metrics, Presentations, Whitepapers | Leave a Comment »