Everybody bring out the noisemakers, confetti, and party poppers. We've already covered 1Password 3 through its public beta. Fresh out of public beta, the one-stop password-managing shop known as Agile Web Solutions 1Password 3 is now available to one and all.

Needless to say, this is a very substantial upgrade to a highly-regarded Mac OS X app. 1Password 3 features 1PasswordAnywhere to view your 1Password Agile keychain in any modern Web browser on any operating system to copy and paste passwords, just as you would in the app itself. You can also attach and encrypt any file to any 1Password item to easily secure sensitive images or mission-critical files. It also has a brand new section for software licenses, allowing users to attach their own icons or drop in their own icon art to easily locate serial numbers. Other new features include the ability to edit 1Password items from the browser, metadata organization with tags, better control over syncing with 1Password Touch, new categories for accounts and financial information, improved searching, and a brand new interface. It is a paid upgrade for existing users of 1Password 2, but if you bought 1Password any time after February 1st, 2009, your existing license will work just fine with 1Password 3. If you bought it before then, there's an early bird discount through November 30th where single licenses can be upgraded for $20 and family packs for $30. Otherwise, 1Password 3 costs $40 for one user and $70 for a five user family pack.

As of today, 1Password 3 is available to try out for 30 days. Should you be unhappy with 1Password in any way, the developers are also offering a 30-day money-back guarantee. How nice! 1Password 3 requires Mac OS X 10.5 Leopard and is fully compatible with Mac OS X 10.6 Snow Leopard.

It's not a very good day when a security report concludes: Disruptive cyber activities expected to become the norm in future political and military conflicts. From the GAO: "The growing connectivity between information systems, the Internet, and other infrastructures creates opportunities for attackers to disrupt telecommunications, electrical power, and other critical services. But such was the case today as the Government Accountability Office took yet another critical look at the US federal security systems and found most of them lacking.

As government, private sector, and personal activities continue to move to networked operations, as digital systems add ever more capabilities, as wireless systems become more ubiquitous, and as the design, manufacture, and service of information technology have moved overseas, the threat will continue to grow." Within today's report, the GAO broadly outlined the groups and types of individuals considered to be what it called key sources of cyber threats to our nation's information systems and cyber infrastructures. According to the Director of National Intelligence, a growing array of state and nonstate adversaries are increasingly targeting—for exploitation and potential disruption or destruction—information infrastructure, including the Internet, telecommunications networks, computer systems, and embedded processors and controllers in critical industries. From the GAO: Foreign nations: Foreign intelligence services use cyber tools as part of their information gathering and espionage activities. Criminal groups: There is an increased use of cyber intrusions by criminal groups that attack systems for monetary gain. While remote cracking once required a fair amount of skill or computer knowledge, hackers can now download attack scripts and protocols from the Internet and launch them against victim sites.

Hackers: Hackers sometimes crack into networks for the thrill of the challenge or for bragging rights in the hacker community. Thus, attack tools have become more sophisticated and easier to use. These groups and individuals overload e-mail servers and hack into Web sites to send a political message. Hacktivists: Hacktivism refers to politically motivated attacks on publicly accessible Web pages or e-mail servers. Disgruntled insiders: The disgruntled insider, working from within an organization, is a principal source of computer crimes.

The insider threat also includes contractor personnel. Insiders may not need a great deal of knowledge about computer intrusions because their knowledge of a victim system often allows them to gain unrestricted access to cause damage to the system or to steal system data. Terrorists: Terrorists seek to destroy, incapacitate, or exploit critical infrastructures to threaten national security, cause mass casualties, weaken the U.S. economy, and damage public morale and confidence. The Central Intelligence Agency believes terrorists will stay focused on traditional attack methods, but it anticipates growing cyber threats as a more technically competent generation enters the ranks. However, traditional terrorist adversaries of the United States have been less developed in their computer network capabilities than other adversaries.

Testifying before the Senate Judiciary Committee, Subcommittee on Terrorism and Homeland Security today, FBI Deputy Assistant Director, Cyber Division said that while the FBI has not yet seen a high level of end-to-end cyber sophistication within terrorist organizations, it is aware of and investigating individuals who are affiliated with or sympathetic to al Qaeda who have recognized and discussed the vulnerabilities of the U.S. infrastructure to cyber attack; who have demonstrated an interest in elevating their computer hacking skills; and who are seeking more sophisticated capabilities from outside of their close-knit circles. "In addition, it is always worth remaining mindful that terrorists do not require long term, persistent network access to accomplish some or all of their goals. The likelihood that such an opportunity will present itself to terrorists is increased by the fact that we, as a nation, continue to deploy new technologies without having in place sufficient hardware or software assurance schemes, or sufficient security processes that extend through the entire lifecycle of our networks," Chabinsky said. Rather, a compelling act of terror in cyberspace could take advantage of a limited window of opportunity to access and then destroy portions of our networked infrastructure.

European Union lawmakers renewed efforts Thursday to tackle the politically charged issue of whether governments can bar people from using the Internet, the same day that a new study was released claiming that Internet blocking by national governments is increasingly commonplace in Europe. The laws, dubbed the telecoms package, were scuppered in the summer, when the European Parliament voted overwhelmingly to insert a clause into one of the laws that would make it illegal for a national government to ban a European citizen from accessing the Internet. National governments and the European Parliament announced that they would open formal conciliation talks in a bid to overcome the obstacle to a wide-ranging group of new laws for the telecoms sector. National governments refused to accept the Parliament's amendment and the whole package of laws has been held up as a result.

A copy of the proposed new text was leaked by Christian Engstrom, a Swedish computer programmer and free speech activist who was elected to the European Parliament in the summer as a representative of the fledgling Pirate Party. The European Parliament, the Council of national governments represented by Sweden, and the author of the telecoms laws, the European Commission held a three-way meeting Thursday, agreeing to reconvene on Nov. 4. "Parliament's delegation has agreed on a compromise proposal that will serve as a basis for negotiations and towards which the Council and the Commission will be able to converge," said French social democrat MEP Catherine Trautmann, describing Thursday morning's informal meeting as "a promising start" to the official phase of conciliation. Government attempts to block access to the Internet are mounting throughout Europe, but look set to backfire, according to a new study funded by financier George Soros' Open Society Institute. In Germany, Britain, Italy and Scandinavia, the measures are intended to block pages containing child pornography, while in France the proposed "three strikes" law would cut access to users who download pirated content. Entitled "Internet Blocking: Balancing Cybercrime Responses in Democratic Societies," the study shows how efforts to block Internet content are spreading throughout Europe. In Turkey, which borders the E.U. in the southeast and is trying to join the group, the telecommunications ministry has blocked more than 6,000 Web sites, including YouTube, Geocities, DailyMotion and WordPress, the study found.

Attempts to block offensive content all too often backfire, said one of the study's authors, Cormac Callanan, CEO of Irish consultancy, Aconite Internet Solutions. "Technically, it is difficult. It concludes that the measures are ineffective in achieving their stated goals because many technical ways exist to get around blocking technologies. Legally, it is problematic. Both politicians have in the past sat on the European Parliament's civil liberties committee, and were involved in debating Internet access issues contained in the proposed telecoms package. Above all, it represents a real threat to the free transfer of information and conflicts with basic democratic principles," he said in a statement. The study has already been endorsed by two members of Parliament: British liberal Graham Watson and German social democrat Birgit Sippel. "Protection of children is a matter of the utmost importance, but this does not mean that the Commission can propose measures that may well be entirely ineffectual but which will have long-term consequences for the right of freedom of communication in Europe," Watson said.

About fifteen years ago, my husband and his colleague had their laptop computers stolen out of a car. A $14,000 hit to the departmental budget was a serious blow. They were fearful of reporting the incident to their boss, largely because the laptops had cost the company about $7,000 each.

And back in those days, no one gave much thought to exposure of the data on the stolen devices. Today, companies don't sweat much over the loss of the hardware, which has dramatically come down in price. My, how times have changed! The real cost of a lost laptop is in the potential or actual exposure of the data on the PC, especially if it is customer records or intellectual property. The cases represented missing or stolen computers belonging to companies in a wide range of industry classifications. In April 2009, Ponemon Institute released an Intel-sponsored report entitled "The Cost of a Lost Laptop." Ponemon interviewed 29 organizations that had experienced 138 separate cases of a lost laptop that was used by an employee, temporary employee or contractor.

In this study, the average value of a lost laptop is $49,246. This figure is derived from a calculation involving seven cost components, including: laptop replacement; detection and escalation; forensics and investigation; data breach reporting and mitigation; intellectual property loss; lost productivity; and other legal or regulatory costs. The top four industries with the highest average cost of a lost laptop are services, financial services, healthcare and pharmaceutical. The study reveals that the cost of a lost laptop varies greatly by industry. The bottom four industries are manufacturing, consumer products, retail and communications. In the cases covered by this study, the occurrence of a data breach accounted for 80 percent of the total cost.

Since the hardware costs don't vary much by industry, it's obvious that the data loss costs are the differential. And while the average cost is just over $49,000, it's possible for actual costs to reach much higher if the loss involves a data breach of thousands of sensitive records. The study reports that if a company becomes aware of the loss the same day it happens, the average cost is only $8,950. If it takes more than a week to discover the loss, the cost jumps to an average of $115,849. There are many other interesting - and some surprising - bits of information in this study. (See the full report here.) If your organization is looking for good statistics and other information to help you justify an investment in stronger laptop security measures, do have a look at this report. One factor in the cost of a lost laptop is how fast the company discovers and reacts to the loss. As I mentioned, Intel Corporation sponsored this study, although Ponemon Institute conducted the research independently. Certain laptops powered by the Intel Centrino 2 chipset have a core set of technologies known as the vPro technologies.

Of course, Intel has a big interest in protecting lost or stolen laptops. One such technology is the Intel Anti-Theft Technology - PC Protection (Intel-AT), which uses a set of programmable and interdependent hardware-based triggers and responses to identify unauthorized attempts to access encrypted data or the operating system. One product you can use in conjunction with Intel-AT is the Altiris Manageability Toolkit for Intel vPro Technology from Symantec. Third-party software products, such as those described below, can send signals to the lost laptop to disable it from use by unauthorized people. Another is Computrace from Absolute Software, which allows you to delete data on missing computers and produce an audit log of the deleted files to prove your compliance with government and corporate regulations.

This BIOS update allows for the remote shut down of a lost or stolen PC when an SMS message is sent via a designated cell phone. Certain models of Lenovo ThinkPad laptops offer a technology called Constant Secure Remote Disable. This solution also requires an embedded wireless WAN card in the PC as well as a mobile communications subscription to allow the PC to receive text messages. Should the PC turn up again, you can unlock it without loss of data. If the computer is lost or stolen, your text message will lock it down at the hardware level, turning it into a brick.

SystemTrack is a managed service offered by Dell. If you report a stolen device to Dell, Dell can forensically mine the PC over the Internet using a variety of procedures. SystemTrack links with a missing PC the next time it connects to the Internet and enables IT administrators to perform data and device security activities, including deletion of sensitive data, system lockdown and emergency retrieval of key files. All the solutions I've just described take some forethought to prepare a PC before it's ever lost or stolen. Still, as the old saying goes, an ounce of prevention is worth a pound of cure. What's more, these solutions often rely on multiple services or technologies to work just right.

Perhaps a little forethought on what to do about sensitive data on a lost or stolen laptop is better than the experience of a costly data breach.

A new agreement between the Internet Corporation for Assigned Names and Numbers (ICANN) and the U.S. Department of Commerce that creates international oversight of the nonprofit operator of the Internet's domain name system may not provide enough accountability, some critics said. ICANN and the U.S. Department of Commerce (DOC) announced the new agreement on the day an 11-year series of agreements expired. The agreement, announced Wednesday, seemed to enjoy widespread support, but some critics questioned how new review teams overseeing ICANN would be independent and whether the new agreement represented average Internet users.

Under those agreements, the U.S. government provided primary oversight of ICANN. One of the main changes in the new agreement, called an Affirmation of Commitments, is the creation of new review panels, which would check ICANN's compliance with the agreement every three years. They're likely to produce the politics that already exist within ICANN." ICANN has a long history of disagreement among stakeholder groups and calls by other nations for the U.S. to give up its oversight role. Volunteers would serve on those review teams, as would independent experts and representatives of the ICANN board of directors and the DOC. The problem is that ICANN's chairman or CEO and the chairman of ICANN's Governmental Affairs Committee (GAC), selected by all the nations involved with ICANN, would have the final say on the makeup of those review teams, said Brenden Kuerbis, operations director of the Internet Governance Project, a group of academics focusing on Internet governance issues. "The review panels are not external to ICANN," Kuerbis said Thursday at an ICANN forum hosted by the Congressional Internet Caucus. "They're selected by the very people responsible for what ICANN does. ICANN's major problem isn't a lack of oversight, it's a lack of clearly defined rules for the organization and standards to measure performance, Kuerbis added. "If these rules don't exist - and they still don't - the review panels ... can just become another layer of politics and second-guessing, superimposed on what is already a messy and pretty diffuse process," he said. There will be public comment on membership of the review teams, and ICANN's board and CEO don't control GAC, he said. "It's going to be extremely hard [for ICANN] to game the process," he said.

However, ICANN Vice President Paul Levins disagreed that the review teams will be made up of ICANN allies. Another criticism of the new agreement is that it was negotiated between ICANN and DOC in secret, even as the agreement calls on ICANN to be accountable and transparent to the public and to use a bottom-up decision-making process. "Whatever deliberation occurred prior to the approval of this 'affirmation of commitments' was entirely secret - except for those favorite friends ICANN chose to invite into the smoke-filled room, or to whom the deliberations or decisions were leaked," Edward Hasbrouck, a travel blogger and ICANN critic, wrote on ICANNwatch.org, an ICANN watchdog site. "In fact, the completely secret, nontransparent and unaccountable way in which these 'commitments' were adopted is clear and compelling evidence of ICANN's continuing 'lack' of any actual commitment to these principles, or indeed to any transparency or accountability; its continuing commitment to lie - as loudly and as prominently as it can - about its lack of accountability and transparency; and the continuing need for 'real' transparency and accountability," the blog post continued. It's clear that ICANN received input from outside groups, and the agreement addressed major concerns about U.S. control over ICANN, said Steve DelBianco, executive director of NetChoice, an e-commerce trade group and frequent ICANN critic. But other ICANN watchers offered support for the new agreement. The new agreement gives the U.S. government a continued role in ICANN oversight, but it spreads out the oversight to other governments and the private sector, he said. "ICANN's independence day will be known as Sept. 30, 2009," DelBianco said. "[The agreement] is very clever in the way it balances some of those forces that were speaking out." GAC, which has complained of not having enough oversight of ICANN, will now have more control, he said.
"The way we relieved the pressure [on ICANN] was to give governments more say," he said.

Other supporters of the new agreement included registrar Go Daddy, the Software and Information Industry Association, and U.S. Representative Henry Waxman, a California Democrat and chairman of the House Energy and Commerce Committee. "This agreement is a perfect example of how a public-private partnership can work to the advantage of all stakeholders," Waxman said in a statement. "It will help insure that the Internet remains stable and secure for the people around the world who use it for work, study, entertainment, or to stay in touch with family and friends."