Showing posts with label online security. Show all posts

Monday, January 10, 2011

US Commerce Secretary, White House Cybersecurity Coordinator Announce Steps To Enhance Online Security & National Office for Identity Trust Strategy


FOR IMMEDIATE RELEASE
Friday, January 7, 2011
CONTACT OFFICE OF PUBLIC AFFAIRS
202-482-4883

Planned office will foster private-sector collaboration in growing confidence, privacy and convenience in online transactions


At a forum with Silicon Valley business and academic leaders at Stanford University, U.S. Commerce Secretary Gary Locke and White House Cybersecurity Coordinator Howard A. Schmidt today announced plans to create a National Program Office to help foster an environment in which sensitive online transactions can be carried out with greater levels of trust.

The National Program Office, to be established within the Department of Commerce, would coordinate federal activities needed to implement the National Strategy for Trusted Identities in Cyberspace (NSTIC), an Obama administration initiative aimed at establishing identity solutions and privacy-enhancing technologies that will make the online environment more secure and convenient for consumers. The national office would serve as the point of contact to bring the public and private sectors together to meet this challenge.

“The Internet will not reach its full potential until users and consumers feel more secure and confident than they do today when they go online,” Locke said. “A coordinated national strategy to significantly improve online trust will put e-commerce on stronger footing. The National Program Office will engage the best minds in the field from both the public and private sectors to give people greater confidence that their personal information is safe when they engage in online transactions.”

“With the full participation of industry and the general public, NSTIC plans to nurture the development of a secure and privacy-enhancing ‘identity ecosystem’ for the Internet,” Schmidt said. “This identity ecosystem would instill greater confidence in online transactions with less personal information being collected and stored with each transaction, lowering the risk of identity theft.”

Created in response to President Obama’s Cyberspace Policy Review, NSTIC is a key building block in the national effort to secure cyberspace. NSTIC strives to enhance online trust through increased security and privacy. It focuses on improving the ability to authenticate individuals, organizations, and the underlying infrastructure, such as servers and routers, involved in sensitive online transactions. At the same time, it provides consumers a choice - those who want to remain anonymous for activities like blogging will continue to be able to do so. Online service providers that opt in to such a system would follow a set of security and privacy guidelines.

NSTIC’s anticipated benefits for consumers include increased convenience, security and privacy. For example, implementation of NSTIC would allow users the option to obtain secure, interoperable credentials from a range of service providers that would authenticate their identity for a variety of transactions such as banking, accessing electronic health records and ordering products. This would simplify these transactions for users and reduce the amount of private information users must reveal to the many organizations they deal with online. Such a marketplace will ensure that no single credential or centralized database can emerge.

In the NSTIC vision, businesses would enjoy new market opportunities, with the ability to deliver services and transactions previously considered too risky. Government would be able to expand online services for constituents, so they can operate with greater efficiency and transparency; remove impediments to e-commerce; and increase public safety by bolstering the integrity of networks and systems.

As the Federal coordinator, the National Program Office would collaborate with other Federal partners, including the Department of Homeland Security and the General Services Administration on NSTIC implementation. The National Program Office would work to:

* Build consensus on legal and policy frameworks necessary to achieve the NSTIC vision, including ways to enhance privacy, free expression and open markets;
* Work with industry to identify where new standards or collaborative efforts may be needed;
* Support collaboration within the government; and
* Promote important pilot projects and other NSTIC implementations.

E-commerce worldwide is estimated at $10 trillion of business online annually. E-commerce sales for the third quarter of 2010 were estimated at over $41 billion; up 13.6 percent over the same period last year.

“Identity theft is rampant and growing. Increasingly sophisticated cyber hackers and thieves continue to steal personal information, bank account data and proprietary information. The NSTIC will take important steps forward to enhance the trust of user and consumer confidence in all of their online transactions,” said U.S. Senator Barbara A. Mikulski.

Senator Mikulski, who chairs the Commerce, Justice, Science subcommittee on Appropriations, added “I will be an active partner with Secretary Locke, NIST Director Gallagher and Cybersecurity Coordinator Schmidt to implement this important program. I can think of no better place than the National Institute of Standards and Technology for this important initiative to be housed.”

“Establishing this office represents an important step in the process of protecting the security and privacy of online transactions,” said U.S. Senator John D. Rockefeller IV, Chairman of the Senate Committee on Commerce, Science and Transportation. “It’s a critical piece of the larger cybersecurity puzzle. I look forward to working with the Administration this year in enacting comprehensive legislation that will address the challenges we face in securing cyberspace.”

Later this year, the Commerce Department plans to hold a workshop to highlight the existing initiatives in this strategy. Representatives from industry, academia, civil society organizations, standards-setting organizations, and all levels of government will be encouraged to attend and collaborate on the development of an interoperable identity ecosystem.

Tuesday, October 19, 2010

Did You Get Permission To Do That?


When a site wishes to integrate with another site, there are usually talks between the sites and permissions to be granted before such an activity takes place.

It seems that Bags.Bonanza.com did not ask permission before asking ThePurseForum's members for their login information, including their TPF password.

ThePurseForum put up a banner across their forum, below the header and above the threads, addressed to those Bonanza users who also use ThePurseForum. Bonanza is the parent company of Bags.Bonanza.com. Below is a copy of the banner.

Vlad & Megs of ThePurseForum acted quickly when they found Bags.Bonanza.com presenting its users with an option on their profile page to verify their PurseForum membership by providing Bonanza with their PurseForum username and password.

According to Vlad's original post, "This function on Bags.Bonanza.com is not authorized, sanctioned or supported by the PurseForum, its parent company and its owners."

Read more here: http://forum.purseblog.com/ebay-forum/attn-bonanza-users-635298.html

Below is a graphic of the link that users were seeing and the form where users would input their information.

They also advised their members about internet security in general.

Vlad & Megs are looking out for their members and the integrity of their site.
--

Bill Harding, the founder of Bonanza, posted this into ThePurseForum alert thread in post 64 of the thread:

"Hey all,

So exciting to see our name in lights, if not under the exact circumstances I would have chosen! :)

Given the tremendous overlap between TPF users and Bonanza users, we had hoped that increased integration between the sites could provide a win-win where we sent new traffic and new registrations to TPF, and our TPF users could get to re-meet each other on our site.

That said, we certainly understand if Vlad would rather not incorporate such functionality at this time, so we've taken down the site linker until such time that we are told Vlad is cool with it coming back into existence (if ever).

For the record, we never save users' password or sensitive information on our system longer than absolutely necessary. Like our imports from other sites, we have safeguards in place to ensure that all personal information is encrypted while we have it, and purged from our servers as soon as we have verified an established identity.

Our plan is to continue to build the most functionality and widest inventory of bags available online, at prices far lower for sellers than other marketplaces. We have already personally reached out to the big V&M to offer to discuss whether this functionality would be beneficial to our sites' mutual users. And we plan to continue to have a presence on tPf to the extent we're able.

Bill Harding
CEO
Bonanza.com"
--
Then, in response to some PurseForum members' questions, he responded in post 75 with:

"@AuntFlo: As pointed out by some others, tPf is not the first site that we let our users link their accounts to; generally speaking, we think that being able to connect accounts between the different sites you use is a useful idea for our mutual users. And we had hoped the traffic we hope to drive to tPf through the feature would make it a win-win. But again, we're fine taking the feature down, it certainly isn't a major aspect of the overall site, just a nicety we had hoped would make for a better experience.

@MissMollie: The tracking number showing up is an issue we only heard about recently; we will be looking into it today and it will likely be fixed by tomorrow.

@iluv: It's probably fairly clear at this point, but our primary rationale was user convenience. And the fact that we had already built out similar functionality to link with other sites meant that we already had the technology to temporarily store user info in a secure fashion. But we certainly don't want to step on toes for sites that aren't comfortable with such features, which is why we've taken it down.

Bill Harding
CEO
Bonanza"
--

It has always been a PurseForum rule that users cannot have more than one user ID. Also, about a year ago, ThePurseForum decided not to allow company representatives to use their forums as a means to interact with their customers. So, they "Sofa King Banned" Bill, Mark and Tom (of Bonanza) from using their site any longer.

While they were at it, they closed the Bonanzle/Bonanza thread where Bonanza staff would interact with their users. Bonanza was using information from the thread to detect counterfeit handbags and other designer items listed on Bonanza and their new handbag site.

Here is the link to that thread:

http://forum.purseblog.com/ebay-forum/bonanzle-fakes-421522.html

Now the question is, what kind of damage to Bonanza and their handbag site was caused by management simply doing what they wanted and not asking for the proper permissions first?

While we do not believe that Bonanza had any malicious intentions, we applaud ThePurseForum staff for acting swiftly to protect their site and members.

Saturday, August 29, 2009

McAfee Reveals That Online Security Fears Affect Consumer Online Purchasing Behavior More Than the Economic Downturn


Posted : Sat, 29 Aug 2009 07:42:46 GMT
Author : McAfee, Inc.
Category : Press Release

SANTA CLARA, Calif. - (Business Wire) The economic downturn has not affected the way consumers shop online, according to a study released today by McAfee, Inc., (NYSE:MFE), the world’s largest dedicated security company, and conducted by Harris Interactive®. Seventy-two per cent of consumers[1] said the economy has not changed the way they shop online. Instead, fears about online security and personal information are the biggest drivers behind terminated online sales. Nearly half of consumers have terminated an order or abandoned their shopping cart due to security fears. Even in an attempt to get a good deal, 63 per cent won’t purchase from a Web site that does not display a trustmark or security policy.

“Online retailers need to understand that consumers with intent to purchase are terminating their orders because they don’t feel safe online,” said Tim Dowling, vice president of McAfee’s Web Security Group. “Our research suggests that economic concerns and price have not affected the way people shop online, but instead security concerns are the driving force behind whether a transaction is completed or terminated. All Web sites, regardless of size, need to take measures to prove to customers that their personal information will be safe and secure when doing business online.”

Consumers Expect Trustmarks
There are a growing number of consumers that now demand trustmarks and refuse to shop on sites that don’t display them. The Harris Interactive® research revealed that one in five consumers refuse to purchase from a site that does not display a trustmark. To assuage consumer fears, e-tailers can prove their security measures and build trust with consumers by displaying a trustmark; in fact, about 60 per cent of consumers feel safer when shopping on sites with a trustmark.

Leveling the Playing Field for Small E-Tailers
The Harris Interactive® study also showed that, while all online retailers, regardless of size, need to demonstrate their security measures to customers, trustmarks can be a particularly important tool for smaller companies to equalize against their larger competitors. More than 90 per cent of consumers are concerned about their security when shopping on new or unknown Web sites, and 47 per cent of consumers look for trustmarks to feel safe when shopping on a lesser known site. By displaying a trustmark, the lesser known site can prove credibility to potential customers and gain market share from larger sites. In fact, one-third of consumers would rather buy from a smaller Web site with a trustmark than a larger, more well-known e-tailer.

“Our research shows that trustmarks begin to level the playing field for new and lesser known sites,” said Dowling. “For these sites, trustmarks like McAfee SECURE are necessary to build trust so customers will feel confident that their personal information is safe.”

Choosing the Right Trustmark Leads to Increased Sales
A recent Yankee Group whitepaper found that trustmarks, like McAfee SECURE™ with daily vulnerability scanning, deliver the highest level of protection, compared to reputation, privacy and SSL trustmarks. On average, sites that utilize McAfee SECURE services see a 12% increase in online sales conversions, and the trustmark is used by more than 14,000 e-tailers.

Sites that display a McAfee SECURE trustmark must pass rigorous daily tests for vulnerabilities that pose a threat to sensitive customer information. McAfee also conducts daily network perimeter scanning, testing for more than 10,000 network and Web application vulnerabilities, security testing to ensure protection against malware, and business practice review for Web site owners and online retailers. With the McAfee SECURE service, e-commerce merchants can also demonstrate PCI-compliance, the standard for the payment card industry.

The trustmark appears on the e-tailer Web site, and also in McAfee® SiteAdvisor® search results allowing merchants to stand out in those results. Online retailers can get additional exposure in McAfee’s secure shopping portal at www.mcafeesecureshopping.com. McAfee SECURE shopping only features e-tailers who have been certified using the McAfee SECURE services and directly reaches security-conscious shoppers.

The McAfee SECURE service is available today for Web site owners. Pricing is based on the number of IP addresses or page views. For more information, please visit: www.mcafee.com/mcafeesecure.

This Consumer Online Shopping survey was conducted online within the United States by Harris Interactive® on behalf of McAfee, Inc. between May 19 and May 26, 2009, among 516 adults, ages 18+, who shop online at least occasionally. No estimates of theoretical sampling error can be calculated; a full methodology is available.

About McAfee, Inc.
McAfee, Inc., headquartered in Santa Clara, California, is the world's largest dedicated security technology company. McAfee is committed to relentlessly tackling the world's toughest security challenges. The company delivers proactive and proven solutions and services that help secure systems and networks around the world, allowing users to safely connect to the Internet, browse and shop the Web more securely. Backed by an award-winning research team, McAfee creates innovative products that empower home users, businesses, the public sector and service providers by enabling them to prove compliance with regulations, protect data, prevent disruptions, identify vulnerabilities, and continuously monitor and improve their security. http://www.mcafee.com

McAfee, SiteAdvisor, McAfee SECURE and/or other noted McAfee related products contained herein are registered trademarks or trademarks of McAfee, Inc., and/or its affiliates in the US and/or other countries. McAfee Red in connection with security is distinctive of McAfee brand products. Any other non-McAfee related products, registered and/or unregistered trademarks contained herein is only by reference and are the sole property of their respective owners.

[1] For the purposes of this survey, “consumers” refers to U.S. adults ages 18+ who shop online at least occasionally.

McAfee, Inc.
Kim Eichorn, 408-346-3606
kim_eichorn@mcafee.com
or
Red Consultancy
Gina Weakley, 415-618-8809
gina.weakley@redconsultancy.com

Friday, August 28, 2009

Twitter Has Security Issues - Again


Twitter can be fun and some say it helps with their business but there sure have been a lot of security issues on their site.

There is now a video up on Dave Naylor's blog that talks about another Twitter exploit - embedded below.


Slater says Twitter has knowledge of it but just hasn't done anything about it: anyone who simply sees your tweets when you're logged into Twitter can run code in your browser, which takes over your account and can lead to malware spreading, impersonation, or whatever other horrible thing the hacker decides to do.

Slater says these steps can prevent this from happening:

* If you’re not logged in to Twitter, there’s no opportunity to steal your details or impersonate you, however malicious code could still send you to other websites or otherwise annoy you, so it doesn’t completely fix the problem.

* Unfollow anyone you don’t know or don’t trust that could be exploiting this. Who’s to say they’re not already stealing your details? If you don’t see their tweets they can’t harm you.

* If you use something other than the Twitter website to view your tweets, you should be fairly safe, though without looking at each one individually it’s hard to be sure. Still, you’re likely to be pretty safe this way.

A side note: As for us, we are not going to log into Twitter any longer. Too many things have happened to our computer since we joined last spring. From now on, our only presence there will be our auto-feeds. It is simply not cost effective for us to risk our computer to this kind of thing.