The sanctions stem from privacy setting changes Facebook made in December 2009, without asking users’ permission.

The company told users they could keep full control of who could access their content on Facebook when, in fact, the company repeatedly allowed information to be shared and made public, as outlined in the FTC’s 19-page complaint.

The order is expected to give technologists and privacy advocates a new, more effective tool to monitor Facebook’s privacy practices, says Jeff Chester, executive director of the non-profit Center for Digital Democracy.

“We will have to come in and show how Timeline and the ever expanding data targeting practices violate the order,” says Chester. “This order does put the burden on privacy groups to make any safeguards stick. We have a chance to force the company to change the way it does business. ”

Bono Mack

And Federal lawmakers focusing on privacy issues will also be closely monitoring the aftermath of the FTC’s order, says Rep. Mary Bono Mack, R-Calif.

“In many ways this settlement clearly demonstrates that the privacy debate in Washington remains unresolved,” says Bono Mack. “Privacy policies should be transparent and understandable to everyone, and consumers should have an easy-to-understand way to opt out of sharing information, if they choose to do so.”

Facebook CEO Mark Zuckerberg insisted in a blog posting that the company has “a good history of providing transparency and control over who can see your information,” but admitted that “we’ve made a bunch of mistakes.”

IPO, Do Not Track form backdrop

The FTC’s sanction comes as Facebook readies itself for a high-profile initial public offering of stock, expected next spring. Today, co-incidentally on the same day the FTC’s sanction was announced, the Wall Street Journal reported Facebook’s IPO may ring in at $10 billion.

Meanwhile, the company has come under rising criticism in the U.S. and Europe for using Like buttons embedded on millions of websites to monitor Web surfing.

Facebook compiles tracking logs of the webpages viewed by each of its 800 million members, and millions more non-members, the company recently  disclosed in exclusive USA TODAY interviews.

Rockefeller

New federal laws are needed to help consumers “protect their personal information from companies surreptitiously collecting and using that personal information for profit,” says Sen. Jay Rockefeller, D-W. Virg, sponsor of a Do Not Track law that would restrict online tracking.

Rockefeller commended the FTC’s action. “Consumer privacy is a right, not a luxury,” he says. “This action against Facebook is just the first step toward protecting consumer privacy.”

Jules Polonetsky, Director and Co-Chair, Future of Privacy Forum, noted that the FTC order sends a message to other Internet-based companies the they need to get express consent from consumers to alter privacy practices.

“And if you are a custodian of user data, you need to have a formal program in place that ensures that data use and product development are overseen by privacy staff,” says Polonetsky. “These are guidelines that any company that interacts with consumer data would be wise to consider baseline requirements.”

What Facebook shall do

Included in the  8-counts of unfair and deceptive practices outlined in the FTC’s  complaint are charges that Facebook improperly disclosed information to advertisers and continued to display photos and videos even after they accounts were deactivated. The consent order, which must be approved by a judge, requires Facebook to:

• Obtain express consent before overriding users’ privacy preferences.
• Cut off access to a user’s material within 30 days after deletion of an account.
• Establish a comprehensive privacy program covering new and existing products and services.
• Submit to privacy program audits within 180 days and every two years after than for the next 20 years. Monitoring would be handled by an independent professional yet to be named.

Even after the consent order takes effect, Facebook users may not notice anything different. It’s not clear how the FTC’s order could affect Facebooks plans for new services, including “Timeline” pages that digitally map everything a user has ever done on the popular social network, and “Open Graph” applications designed to broadcast a  user’s surfing patterns widely across Facebook.

Chris Conley, a tech and civil liberties attorney at the ACLU’S Northern California affiliate, notes that Facebook’s privacy settings make no reference to Like button tracking.

“There’s no setting for a user to control that,” says Conley. “It’s questionable if something that doesn’t have a privacy setting today is covered by the FTC’s settlement proposal, or how the FTC would respond if Facebook started using this data in unexpected ways.”

A call for opt-in

Marc Rotenberg, executive director of the non profit Electronic Privacy Information Center, noted that the FTC stopped short of ordering Facebook to restore the more rigorous privacy settings that were in effect prior to December 2009.

EPIC and nine other groups filed the complaint that triggered the FTC probe. “If it was unfair to change the privacy settings, then the right response would be to change the settings back,” Rotenberg says.

Steyer

James P. Steyer, CEO of Common Sense Media, added: “It’s incredibly encouraging to see an industry leader like Facebook held to a higher standard of privacy protections. It’s our hope that this decision and its focus on the necessity of opt-in will lead other companies to follow suit. Until large tech companies start listening to the public, this kind of action from the FTC is critical. Government regulation and leadership is essential in order to help protect our privacy – and that of our kids – online.”

A poll by Common Sense Media conducted late last year found 75 percent of parents do not believe social networks were doing enough to keep their kids safe online.

Says Steyer: “With more than 7.5 million kids on Facebook, and even more using digital devices like smartphones and tablet computers, it’s imperative that other leaders in this industry hear the FTC’s message loud and clear: the concept of privacy is definitely not dead – especially for parents – and opt-in must become the standard all other companies employ.”

– By Byron Acohido

Reacting to details of Facebook’s tracking practices disclosed in LastWatchdog’s page 1A story in print editions of USA TODAY, Sen. Jay Rockefeller, D – W. Virg., said he intends to invite Facebook and others to a hearing to explain how they are using personal information.

“The USA Today story is disturbing,” says Rockefeller, sponsor of a Do-Not-Track bill that would empower consumers to limit ad networks from tracking where they go online. “No company should track customers without their knowledge or consent, especially a company with 800 million users and a trove of unique personal data on its users.”

Facebook spokesman Andrew Noyes noted that Facebook tracking systems are used to personalize content and help boost security. He also said that the company’s tracking practicies are spelled out in its Privacy Policy and Help Center web pages. “We appreciate Sen. Rockefeller’s interest in protecting consumer privacy and look forward to discussing this with him,” Noyes says.

Meanwhile, Rep. Mary Bono Mack, R-Calif., who chairs the House Subcommittee on Commerce, Manufacturing and Trade, directed her staff to bring in Facebook officials next week for a briefing to learn more about the wave of pornographic and violent images that spread through Facebook’s automated content-sharing systems. “The Chairman is very concerned about what took place and wants to make certain – to the extent possible – that it doesn’t happen again,” says spokesman Ken Johnson.

Bono Mack

Among the questions Bono Mack wants answered: How many people were impacted? What actually happened? How did it happen? Could the vulnerability be used to gather users’ personal information? What is Facebook doing to prevent future intrusions?

Noyes pointed out this CNN news story praising how Facebook responded to the systemic attack on its content-sharing technologies. “Protecting the people who use Facebook from spam and malicious content is a top priority for us,” says Noyes. “Our team responded quickly to eliminate most of the spam caused by this incident. We are now working to improve our systems to better defend against similar attacks in the future.”

Joseph Steinberg, CEO of Green Armor Solutions, says that the porn and gore spam attack is another reason users should not rely on Facebook’s security and privacy settings.

“Facebook has never been the poster child for security,” Steinberg says. “This situation reinforces that concept. If some form of beach occurred and information that you configured to be viewable by only your friends became viewable by the entire world it is unlikely that Facebook is going to compensate you. But they can gather information about you and advertise to you. In many ways, you are Facebook’s product, not its customer.”

The 1998 COPPA law bans website publishers and social networks from collecting or using information from children under 13. Enforcement, however, has been spotty.  And it’s common practice for website operators to  do the minimum to meet the letter of the law.

Among other things, the FTC has proposed updating the definition of “personal information” to include geolocation information and certain types of persistent identifiers, such as tracking cookies. And it  has  also proposed new methods and rules for obtaining verifiable parental consent.

In this LastWatchdog guest post, Paul Lipman, CEO of Total Defense, argues why he thinks the FTC’s proposed revisions fall short.

Lipman

By Paul Lipman.

On September 15th, the Federal Trade Commission  issued a long-awaited request for comments on proposed revisions to the Children’s Online Privacy Protection Act (COPPA), which gives parents control over what personal information Web sites may collect from children under the age of 13. While the sentiment behind this act is the right one, the proposed revisions don’t go far enough to protect children and families.

COPPA was enacted on October 21, 1998 and took effect April 21, 2000. At the time, the legislation was created to address the growth of online marketing techniques targeting children. Web sites were collecting information from children without parental knowledge or consent and children didn’t understand the risks of revealing personal information online. As a result, the public pressured Congress to legislate.

Current rules

COPPA details what Web sites must include in a privacy policy, when and how to seek verifiable consent from a parent and what responsibilities a Web site has to protect children’s privacy and safety online, including restrictions on marketing to those under 13. COPPA requires websites to  do one of the following:

• Attain a signed form from the parent via postal mail or facsimile
• Accept and verify a credit card number
• Take calls from parents staffed by trained personnel
• Require an email accompanied by digital signature from a parent
• Require an email accompanied by a PIN or password

While the COPPA regulations were timely and forward thinking, the Web has come a long way since 1998. It’s unbelievable that it’s taken the FTC more than 10 years to look into amending the decade old act.

Consider that in 1998,  Mark Zuckerberg, co-creator of Facebook was a child himself, at only 14 years of age. Facebook and MySpace did not exist.  Instant messaging, online shopping and Internet auctions were in their infancies. And few parents feared the possible repercussions of their children dropping personal information into the Web-o-sphere, because there was no real reason or way to do so.

The FTC proposed amendments to COPPA  expand the definition of “personal information” to include a child’s location, along with any personal data collected through the use of cookies. The FTC also suggested that parental consent be obtained by getting scanned versions of signed consent forms or via videoconferencing.

Parent engagement

The revisions come in light of the increase in children operating mobile devices, using online social networking sites and participating in interactive gaming. Unfortunately, these revisions come at a time when it’s almost too little too late. The proposed changes are not enough to keep kids safe online or to keep up with the ever evolving Web.

Like in other aspects of a child’s development, the parent should be actively engaged. Online behavior, both on the PC and mobile device is no exception. The repercussions of digital actions are not apparent as to how personal data is actually used and monetized by corporations.

COPPA legislation should help parents become more involved. Laws such as the state child restraint law help ensure adequate protection is offered to children while riding in a vehicle by requiring the parent to use age and size specific child seats. In a similar way, COPPA legislation should act as the restraint law for children when they are online by requiring a parent or legal guardian to register the child for any and all online services.

When it comes to social networking, the government must find ways to discourage youth from openly and freely sharing personal information. Mobile Internet use should also be more clearly addressed by outlining restrictions for mobile applications, browsing capabilities and more.

Marketing tilt

Current legislation provides too many registration options allowing the parent to be circumvented too easily. To avoid this, I recommend authenticating the parent or guardian by tying the transaction to the parent’s credit card. While this is a documented option in today’s COPPA standard, it’s just one of the options and not a requirement.

We must note that most child friendly Web sites offer plenty of interesting and valuable content without requiring any registration whatsoever. Still, these Web sites encourage registration via tempting sweepstakes and coupon offerings thus, should require parental consent or a ban of tempting sweepstakes on child friendly sites altogether.

Today’s legislation still tilts the scale in favor of the online marketer. Parents should be aware and legislation must change to better protect children, our future leaders, online.

About the essayist. Paul Lipman, CEO of Total Defense, was previously Chief Strategy Officer at Webroot. Prior to Webroot, Lipman was General Manager of Global Services at Keynote Systems, joining Keynote via the acquisition of Enviz. Lipman holds an MBA from the Stanford University Graduate School of Business and a Bachelor’s Degree in Physics from Manchester University in England.

Traditional perimeter firewalls are still in wide use as a fundamental defense mechanism.  But a group of security vendors are pushing for wider use of so-called Next Generation Firewalls, or NGFWs, that integrate firewall, intrusion detection and prevention, application monitoring and authentication and policy-use  controls.

These vendors include NSS Labs, Barracuda, Check Point, Cisco, Fortinet, Juniper, Palo Alto Networks and SonicWall. In this LastWatchdog guest post, AlgoSec’s CTO, Professor Avishai Wool, of Tel Aviv University, makes the technical argument for more pervasive use of NGFWs. (Clarification. 02Nov2010. NSS Labs tests security products, including firewalls,  and publishes the results.)

Wool

By Avishai Wool

The last few years have brought us arguably the most significant change in firewall technology in decades. Ever since “Stateful Inspection” was introduced by Check Point in the late 1990’s, firewall administrators and information security officers have been defining security policies based primarily on a connection’s source IP address, destination IP address, and service.

Now, with the so called “Next Generation” firewalls (NGFWs) promoted by Palo Alto Networks and Check Point R75, policy can also be defined based on the “application”.

To understand why this technical detail is an exciting development for organizations, we need a bit of background. Almost all organizations let their users browse the net. From a firewall point of view, this policy is implemented by allowing the “http” service (technically, tcp on port 80) from the internal net, to anywhere.

The trouble is that application programmers have realized this policy, and have adjusted: Almost every web-application now communicates over tcp/80. Since this port is practically certain to be open, there is no need for the application users to ask for a new rule through the firewall; the application will “just work”. This is very convenient for application developers, and also for application users.

But it is a serious concern for information security officers, because not all web-applications are born equal. While many web-applications are important business tools, others are not: some are inappropriate (think file-swapping applications), some are vectors for sensitive data loss (like personal network storage), and others are bandwidth hogs (like streaming video apps).

And lurking among all these we have the real nasty apps: cyber-warfare tools, corporate espionage trojans, identify-stealing ‘bots, viruses and worms, etc. And all these apps use tcp/80 – the good, the bad, and the ugly.

This leaves the information security officer with an unpleasant choice: Either block all the applications that use tcp/80, and disrupt business in a major way – or allow all apps, and assume the risk. Practically every firewall policy I have seen chooses business continuity over safety, and keeps tcp/80 open – with the associated heartburn for CISOs everywhere.

Now enter NGFWs. Through some pretty impressive technological advances, these devices can discriminate between applications that share the same port. NGFWs can enforce fine-grained policies like “block file-swapping applications”, or “allow Facebook but not its game applications”, or even “block the super-sneaky Skype application” – while allowing benign http traffic through the firewall.

The sales-pitch is indeed very compelling for many security-conscious organizations, and lots of organizations are indeed embracing the new technology.

However, once we are past the excitement over the cool new technology (and it is indeed cool!), we have to realize that NGFWs need to be managed. This will require some thought and planning. I’d like to raise two points you should think about when you are considering NGFWs.

The first point is policy granularity. For many years firewall policies were defined at a crude “service” granularity – lumping thousands of applications into a single “service”. And still, many corporate firewall policies have ballooned into monsters totaling thousands of rules.

Such giant policies are extremely difficult to keep secure – and invariably contain a surprisingly high number of errors. In fact, my research has demonstrated that there is a clear correlation between policy complexity and the number of errors in the policy; For firewall policies, “small is beautiful”.

Now imagine what will happen if instead of a single (albeit crude) rule allowing http, the policy will include 10,000 new rules, one per application… Without some careful design, the new policy could be even less secure just because of all the new errors that will creep in.

The second point is about “blacklisting” versus “whitelisting”. Fifteen years ago there was a raging debate among firewall administrators about how a good firewall policy should be structured. The “blacklisting” proponents suggested to “allow everything, and block the traffic you don’t want”, while the “whitelisting” aficionados argued to “block everything, and only allow the traffic you need”.

This debate was won by a landslide in favor of the more secure “whitelisting” approach: Today practically every firewall policy has a “default drop” rule and a great number of “allow” rules. Further, most regulations require such a structure to be in compliance.

However, this more secure approach has a cost: whitelisting causes a significant workload on firewall administrators. This is because every new connection potentially requires yet another firewall rule – which has to be planned, approved, implemented, and validated. Some organizations I’ve spoken to process hundreds of such rule-change requests every week, and as a result, suffer turnaround times of several weeks between change request and implementation.

With the advent of NGFWs, I think the blacklisting/whitelisting debate deserves a fresh look, and a conscious choice. Consider this: If you decide to whitelist at the application level (i.e., block outbound tcp/80 and only allow those web-applications you know about) – how many more change requests per week will you be processing? Can your existing team handle the extra load without degradation to turnaround time? Will you require additional headcount?

Furthermore, perhaps CISOs will find it easier to define policy via blacklisting, via rules like “block social networks, file sharing and video streaming, and allow all other web traffic”?

As anecdotal evidence, compare how filtering web-proxies and web-application firewalls (that do a similar job using different technologies) are configured. As far as I can tell, blacklisting is the more common approach for web-proxies, although I have spoken to some organizations that whitelist. Should NGFWs follow the web-proxy blacklist style – or should they follow the classical firewall’s whitelist approach?

So far most of what I’ve read about NGFWs has been about the technology. But what about the management challenges? We should be arguing about them! What do the regulators (PCI-DSS, NERC, NIST) say? What should the internal audit guidelines be (CobiT)? How about Managed Security Service Providers (MSSPs)? What are the vendors teaching in their NGFW configuration classes?

I think we’re going to have a few interesting years until the dust settles.

LW: Cyberattacks, especially so-called advanced persistent threats that drill deep into corporate systems, continue to accelerate. How come?

Kaspersky: Unfortunatly for enterprises, the bad guys behind Stuxnet and DigiNotar and other such cyberattacks are extremely professional. They devote time and resources to what they’re doing, making them extremely difficult to stop.

LW: What should the good guys be doing?

Kaspersky: Enterprise networks need to be redesigned to where the digital certificate is just one layer. They need much more strict rules about who can get access to internal systems and they need to consider switching off access to certain assets.

LW: Security vendors have been preaching these same best practices for years. What’s different today?

Kaspersky: Today there are so many more attacks than even just two years ago. Companies are getting compromised everywhere, in the United States, Europe and Japan. Thousands of corporations have been attacked in Russia, so now Russia has finally joined the club of victims.

LW: So what’s next?

Kaspersky: We are now in a much bigger arms race. Enterprises will pay more attention to security and have stricter rules for security systems. The bad guys won’t stop. They’ll invest more into new attack technologies. It’s a new level of the arms race.

TL: What does this mean for employees who bring their personal touch tablets and smartphones to work, and spend time during the workday on Facebook and other social networks?

Kaspersky: I’m afraid there’s going to be no more freedom for social network use in certain kinds of strict work environments. Instant messaging and e-mail for personal use needs to be limited. Employees will have a front line computer, with full access, but any personal-use devices mst be disconnected from the corporate environment.

LW: Doesn’t that scenario run counter to the rising popularity of cool mobile devices and our increasing reliance on Web apps and cloud services?

Kaspersky: Yes, it is a big step. But for critical environments, very, very strict rules are needed. It is the only way to fight effectively with the bad guys. Enterprises don’t need to be paranoid. But they must pay attention to security and understand the different scenarios of how the bad guys can get in. They need to understand how much damage can be caused. Risk management must be much more strict.

Losing one’s smartphone or touch tablet has become a nightmare scenario for many.

The prospect of consumers and employees physically losing their information-packed mobile devices, or getting them hacked, has become the driver for a red-hot sector of the tech industry: supplying mobile security.

Research firm IDC says global spending on mobile security is on track to balloon to $1.9 billion by 2015, up from $407 million in 2010.

PC anti-virus companies Symantec, McAfee, Trend Micro and Webroot, among others, are stepping up efforts to market their mobile security services to consumers.

A subscription, which typically costs about $30 per year, includes anti-virus protection, backup data storage and technology to locate a lost or stolen mobile device. Some offerings also include safe browsing, parental monitoring and the ability to remotely lock a missing device and even wipe clean all the sensitive data it contains.

Mahaffey

“Security is not just about anti-virus anymore,” says Kevin Mahaffey, chief technical officer of Lookout Mobile Security, which specializes in security services for Android and BlackBerry handsets. “Security involves everything that could go wrong with your mobile device.”

The threat was highlighted last week after someone hacked into Scarlett Johansson’s text messages to steal and circulate nude photos of the actress.

Other players are moving to cash in. AT&T recently announced a partnership with Juniper Networks to develop a mobile security platform for businesses and consumers. New software services, delivered over the Internet, are expected to be available later this year. The idea is to integrate mobile security services into the wireless Internet connection supplied by AT&T, then sell annual subscriptions for different packages of security services.

“Everyone recognizes that mobile devices have gone from being a convenience to being a necessity,” says Ed Amoroso, chief security officer at AT&T. “As the value of the asset increases, attention to security increases, as well.”

Easy targets

Mobile devices are “uniquely more sensitive than PCs” since “the device is with you all the times,” says Trend Micro’s Tarek Alawdeen.

And because of their size, “smartphones and tablets are easier to lose or have stolen than laptops and notebooks,” adds Webroot’s Chad Bacher.

Corporations have special concerns. Many must comply with federal laws for safekeeping of financial and health records. Sensitive company records circulating via an array of mobile devices puts some companies at risk of violating record-keeping rules, says Chenxi Wang, principal security and risk analyst at Forrester Research.

Wang

“If you look at AT&T and Juniper’s announcement it’s not just about anti-malware and anti-theft, it’s more about helping enterprises maintain compliance and enforce security policies,” says Wang.

Many of the new mobile security services are built around defending users of Google Android smartphones and touch tablets from malicious software designed to steal data and take control of the device. “Very often we see malicious apps disguised as legitimate games, music, and ringtones which, if downloaded, can gain root access to your device in order to take control of your apps, transmit personal information from your device, control search results, or send texts and SMS messages to premium numbers.” says Bacher.

Several security firms have issued reports this year showing that Android devices are increasingly susceptible to attack. McAfee, for instance, found that Android devices faced 76% more threats from April through June than in the first quarter of this year.

The “Android Market is an open app store, where anyone can freely publish Android Apps, and it is up to the community of Android users to flag malicious or fraudulent apps,” says Trend Micro’s Alawdeen. “The end user has no way of knowing which apps are safe or malicious.”

Google spokesman Jay Nancarrow declined to comment.

Apple vulnerable

Apple devices need added security too, security experts say. McAfee recently began selling an app via Apple’s iTunes store that backs up iPhone- and iPad-stored photos and videos, locates lost devices and can remotely wipe information from a missing device. Apple provides a free app, called Find My iPhone, that provides basic functions for finding or locking down lost iPhones and iPads.

Several other independent app developers supply similar apps, and anti-virus giant Symantec is developing security offerings for Apple iOS, the operating system that runs iPhones and iPads.

“You stand to risk losing much more than contact information. You would lose personal, sensitive photos, like so many celebrities have,” says Symantec’s David Cole. “The person who finds your phone might have access to any of the websites you log into.”

Results of a recent Symantec survey of 12,704 respondents in 24 nations found that only 16% installed the most up-to-date security on their devices, while 10% reported being the victim of a mobile-related cybercrime.

Crook

The security companies are banking on a rising percentage of consumers and businesses finding value in spending about $30 a year on a subscription service to protect each of their mobile devices, says Stacy Crook, senior research analyst at IDC.

“Consumers are going to have to start seeing this as a must-have and be willing to pay for it,” says Crook. “We’ll have to see how the market shakes out. It could be a very good business to be in, especially if users have to pay for it every year.”

The Justice Department filed this lawsuit Wednesday, 31Aug2011, to block AT&T’s planned acquisition of T-Mobile, bringing into high relief the debate over whether corporations or consumers matter more as the U.S. struggles through an economic downturn.

AT&T has said that the proposed $39 billion merger between the nation’s No.2 and No.4 mobile service providers is crucial to improving mobile services nationwide.

AT&T general counsel Wayne Watts said the carrier was “surprised and disappointed,” and would seek a hearing so the “enormous benefits of this merger can be fully reviewed.”

Consumer groups and some politicians worry about having just two dominant mobile players, AT&T and Verizon, with Sprint Nextel a distant third. If consummated, the deal “would result in tens of millions of consumers all across the United States facing higher prices, fewer choices and lower-quality products for their mobile wireless services,” says U.S. Deputy Attorney General James M. Cole.

Federal Communications Commission chief Julius Genachowski says though the FCC hasn’t completed its review of the deal, the records it has seen also raise “serious concerns about the impact of the proposed transaction on competition.”

AT&T maintains that absorbing T-Mobile would result in expansion of the best available mobile broadband technology to 55 million people, or 97% of the U.S. market. It has the backing of The Association for Competitive Technology, which represents 3,000 small- and midsize technology firms. “This is a profoundly misguided decision,” Morgan Reed, ACT’s executive director, says of the lawsuit.

AT&T made similar promises of improved services and pricing when it moved to acquire Cingular in 2004, “only to betray those promises” after securing federal approval, says Harvey Rosenfield, founder of the non-profit Consumer Watchdog advocacy group. “The last thing beleaguered American consumers need right now is higher prices and shoddier cellphone service,” he adds. “That’s exactly what would happen if AT&T was permitted to buy T-Mobile.”

AT&T has agreed to pay T-Mobile a $3 billion break-up fee and provide it with services that could be worth billions more, if the deal falls through, notes Chenxi Wang, principal analyst at Forrester Research. “The DOJ is definitely on the path to block the acquisition,” she says.

Another possibility: The parties could agree to a settlement, says Carrie MacGillivray, analyst at IDC. “There is still a chance the deal will go through if the Department of Justice can wring enough concessions out of AT&T,” she says .

Ranking U.S. cellphone firms

The largest cellphone companies in the U.S., and the number of devices on their networks:

Verizon Wireless, 106.3 million

AT&T, 98.6 million

Sprint Nextel, 52.1 million

T-Mobile USA, 33.6 million

MetroPCS Comm., 9.1 million

U.S. Cellular, 6.0 million

Leap Wireless International, 5.7 million

Source: AP

–Byron Acohido

Wolfgang Kandek, chief technology officer of vulnerability management firm Qualys, brought his son, Filipe, 14, with him to Vegas, to participate in DefCon Kids. In this LastWatchdog guest post, dad discloses his big takeaways:

Kandek

By Wolfgang Kandek

My 14 year old son attended DEFCON this year for the first time and he took part in DEFCON Kids. On Saturday he was in the Social Engineering Capture the Flag (CTF) contest where he was teamed up with another 10 year old participant and had to solve a 6-step scavenger hunt. The scavenger hunt involved decryption of secret messages, collection of information from multiple people on the DEFCON show floor and a good dose of critical thinking.

On Sunday he participated in the classroom sessions – at the end his favorites were “When you can remember your locker Combination” by Deviant and “Coding in Scratch” by Chris Hoff.

As a parent I loved seeing the interest sparked in my son by the challenges and class interactions. All instructors were extremely competent and focused on the benefits of gaining a real understanding of the technologies involved and when appropriate they discussed the moral and ethical questions involved (i.e. lock picking and social engineering).

As a security professional I see every day how the lack of security knowledge is impacting the computer industry and society in general. I believe initiatives like DEFCON Kids are essential in preparing the next generation for a life in the digital domain.

As a side note: Everybody my son met at DEFCON during the challenges was enthusiastic in helping and their eyes literally lit up when their assistance was requested in locating somebody or a certain room. While the Kids were solving their crypto challenges I was approached by numerous participants that were wondering what was going on and the most common comment was: Awesome, I will bring my kid next year.

The study, conducted by messaging security firm Proofpoint and Osterman Research, polled 632 IT professionals and found that 84 percent of organizations allow their employees to use consumer devices and services, including iPads, iPhones, Facebook and Twitter to conduct business communications.

Some 73% of respondents said they are using a combination of policy and trust to keep a handle on mobile devices and social networks; 51 percent use policy, technology and trust; and only 11 percent rely on “employee good judgment” alone.

Steele

“The consumerization of mobile devices is becoming the norm, and organizations worldwide are realizing increased productivity and simplified communications by allowing their workforce to use their own devices,” says Gary Steele, CEO, Proofpoint. “The security and compliance issues around mobile are a great concern among a lot of these organizations, and they are finding that implementing security programs with policies that secure the devices and the data accessed on them help to put those concerns at rest.”

Langevin

A spokesman for Rep. Jim Langevin, D-R.I., has just contacted LastWatchdog to point out that Langevin’s cybersecurity bill, which is the major comprehensive one in the House, is not exactly the same as the White House proposal.

The major difference is that Langevin’s bill calls for a  National Office for Cyberspace with the Office of the President to oversee the security of agency information systems and infrastructure. While the Langevin bill entrusts the Department of Homeland Security with a  significant role, this is a bit different than the White House and Senate versions, which basically center everything in DHS.

Here is a  summary of Langevin’s proposed cybersecurity  legislation, much of which passed the House last year and was held up because the Senate was planning to cover even more ground in its own bill, but that never got done:

Executive Cyberspace Coordination Act of 2011, sponsored by Rep. Jim Langevin, D-Rhode Island

Background

In 2011, the CSIS Commission on Cybersecurity for the 44th Presidency released their second report with recommendations to increase the Federal government’s ability to protect itself and the American public from increasing cyber threats. Similar to the first report released in 2008, the second edition continues to recommend that the White House take a leadership role and direct national strategy for cyberspace; the public sector enlist the help of the private sector in providing better quality software; and the American public be better engaged in what was previously a private discussion about the digital threats that could disrupt their everyday lives. The second report notes that after two years, the only significant progress has been the extent to which the American public is discovering the profound effects of the internet on their daily lives, and the importance of government efforts to ensure the safety of our networks.

Many in both the government and private sector are frustrated with the pace of progress in cybersecurity. Analysts and senior officials in Washington talk about a “cyber 9/11″ scenario, reflecting a belief that as a nation, we will be unable or unwilling to take any meaningful action on cybersecurity until after a catastrophic event. The Executive Cyberspace Coordination Act of 2011 will update our nation’s federal cyber policy and bring strong cyber protections to our nation’s power grid and other critical infrastructure.

National Office for Cyberspace

The bill establishes a National Office for Cyberspace (NOC) within the Executive Office of the President to coordinate and oversee the security of agency information systems and infrastructure. This office will have strong budgetary oversight powers that are backed by financial pay-for-performance authorities, while remaining accountable to Congress. Federal agencies will be responsible for reporting on their information security threats, practices and history to the NOC before submission of their budgets to OMB. The Director of the NOC would be appointed by the President, subject to Senate confirmation, and will also have a seat on the National Security Council. This will allow the Director to review agency information security budgets and make recommendations back to the Agencies as well as the President.

Increased coordination for Departments of Defense and Homeland Security

Recognizing the need for closer cooperation between the Departments of Defense and Homeland Security, the bill brings both agency partners to the table to better coordinate their resources but under the appropriate authority of the Office of the President.

Closing Gaps in Authority to Protect Critical Infrastructure

Homeland Security Presidential Directive-7 provides authority to the Secretary of Homeland Security to coordinate the protection of critical infrastructure. This bill clarifies this authority to include the creation, verification, and enforcement of measures with respect to the protection of the information systems that control critical infrastructure. This does not give DHS control over private systems, but it allows them to establish risk-informed security practices and standards for critical infrastructure.

Secure Federal Acquisition Policies

The bill requires the development of secure acquisition policies to be used in the procurement of information technology products and services, including a vulnerability assessment for any major system and its significant items of supply prior to development.

Establishing Cyber Challenge Programs for Students

Given the great deficiency of advanced cybersecurity capabilities in today’s workforce, it is imperative that the government support educational programs designed to engage students in the skill sets that they will need to keep our country competitive and safe online into the future.

Enhancing the Public Private Partnership for Critical Infrastructure

The bill requires DHS to work with the Department of Defense and Commerce, the National Institute of Standards and Technology and the sector specific Federal regulatory agencies to establish standards to protect critical infrastructure. These efforts will also be carried out with the consultation of appropriate private sector bodies, including private owners and operators of the infrastructure affected. This will ensure that standards are based on the recommendations of cyber experts as well as those with first hand knowledge of the reality of the challenges facing each industry.

Agency Annual Independent Audit

The bill requires agencies to obtain an annual independent audit of their information security programs to determine their overall effectiveness and compliance with FISMA requirements. Audits would also be required of contractors responsible for managing agency systems or programs on their behalf.

Agency Automated and Continuous Monitoring

This legislation sets forth requirements for agencies to undertake automated and continuous monitoring of their systems to ensure compliance and identify deficiencies and potential risks caused by cyber incidents or threats to an agency’s information technology assets. These activities are intended to move agencies away from current manually intensive, compliance focused, periodic assessments.

Enhancing the Public Private Partnership for Critical Infrastructure

The bill requires DHS to work with the Department of Defense and Commerce, the National Institute of Standards and Technology and the sector specific Federal regulatory agencies to establish standards to protect critical infrastructure. These efforts will also be carried out with the consultation of appropriate private sector bodies, including private owners and operators of the infrastructure affected. This will ensure that standards are based on the recommendations of cyber experts as well as those with first hand knowledge of the reality of the challenges facing each industry.