George Chetcuti

FTC's framework proposes that business should only retain consumer data as long as there is a legitimate need. The data retention period must be reasonable and appropriate. For instance, companies tend to retain old data for long periods of time which they may consider valuable for a future need; however, consumers might have provided their private data just for the current service or product! In addition, the archived consumer private information may be prone to identity threats and if such thefts occur they may go unnoticed for long periods of time. The commission states that businesses should promptly and securely dispose of data in any form, for which they no longer have a specific business need. In principle this is an excellent measure but what if businesses relate some dummy business activity as to proof that they still need the data?

Private data accuracy is another term that is referred to in the Commission's draft. Businesses need to ensure that data collected from their customers is accurate and should take reasonable steps to verify this. Lots of things can happen with erroneous or incomplete private data. If consumers are allowed to benefit from public or private services by means of identification verification then they may gain or lose if their data is incorrect. This can cause significant harm to individuals such as when accessing funds or health benefits. Conversely, mischievous persons may take advantage of a weak system!

The draft is open for discussion and as already noted above, the concept of specific business need as regards to retain related data i

Windows Server 2008 R2 and Windows 7 Service Pack 1 provides further improvements and hardens these Operating Systems. Although, SP1 includes previous updates which many organizations and users have deployed through Windows Update, Windows Server Update Services (WSUS) or third-party patch management systems, it is quite often the practice to use a Service Pack as a baseline. That is, having successfully deployed a service pack throughout the organization creates a reference point or standard which puts your mind at rest. Some machines or even servers might have missed some updates or an administrator might have skipped some problematic updates intentionally. By time, patch management standards are likely to end up in a mess!
However, before going for a full deployment of SP1 I suggest that you test your environment. If patch management inventory is available, look for machines that lack updates with respect to others and find out why. Test the most critical machines in a test or staging environment before updating production ones. Where possible, follow Microsoft recommendations before applying SP1 and run the System Update Readiness Tool to resolve update inconsistencies. There have been issues with some devise drives, hence it is recommended to update these with the latest versions and some users are reporting SP1 installation failures with an unknown error.
As most organizations run their servers in virtualized environments, you might encounter similar problems while SP1 tries to access some virtual devices. In fact, I had to disable guest add-ons on my virtualized setup in order to be able install SP1 successfully. For more details about this error and the troubleshooting steps I performed to find the problem go here.

The Windows Cmdkey command creates, lists and deletes stored user names and passwords form a computer. The Cmdkey command helps administrators and security executives lists the user stored credentials and aids in finding evidence or troubleshooting remote access issues! This tool may become handy when administrators want to give users access to a shared resource for temporary use without exposing any login details. For example, a user wishes to access a shared folder /data on server \\win2k8web for temporary basis. An administrator would use a username that has access to the shared resource and either through a remote script or manually from the user workstation types:

Cmdkey /add:win2kweb /user:usernamewithrights /pass:userpassword

Where the syntax is as follows:

Cmdkey /add:<Shared resource> /user:<UserName> /pass:<Password>

Doing so, a new set of credentials are added on the user workstation without making the user aware of the username and password details! Although, a curious and slightly technical user would find the username, I suggest that the administrator would then delete these credentials when the user is ready with his temporary work by typing the following:

Cmdkey /delete:win2k8web

The delete operation denies the user access to that shared resource within the same session while the user may need to log off and log on to access the shared resource after adding the new credentials. Other examples of the cmdkey command are the following:

cmdkey /add:Servername /user:Username

Will add a Username to the current logged on user to access

The safeguards that Federal Trade Commission (FTC) is proposing are quite reasonable and it is hard to understand why some were not implemented by the vendors in the first place. The approach of building applications and services led by security best practices would help create a safer environment. The safety measures are not just technical ones but include physical and administrative safeguards. The level of security required depend on the sensitivity of data, size and nature of the business operations and type of risks the business faces. So, what are we talking about?
For example, why Google email service is not encrypted by default and it's just an option that the end-user has to set? Google recently announced that they will make HTTPs the default protocol for their email services. The framework by FTC suggests that security controls are defined during the planning stages of an application and are revised during deployment and maintenance stages of the application. Some may argue that Google's gmail took off when cyber criminality was at its infancy, was it? Is it not the same scenario we have with Cloud service providers? How many vendors are building their infrastructure on security best practices? I am pretty sure that there are quite a number of secure cloud setups but we still lack common standards that regulate cloud computing services!
The FTC framework asserts that businesses should collect only the information needed to fulfill a specific legitimate need and nothing more! Typical example is where a local service provider collects information about unsecured wir

Another update by Google of its search ranking algorithm has caused anger amongst several businesses which according to CNNMoney had a negative impact on their websites traffic! Many businesses rely on search engines to drive traffic to their sites mainly on Google search engine as it is by far the most used engine. According to Google the goal of the new algorithm or changes is to move high-quality sites at the top of the search rankings. They (Google) were being criticized by many users that low quality sites were ranking high. It is quite normal that minor changes to the algorithm are performed on regular basis but this change was big and had immediate drastic effects,hopefully for improved search results! The IP address 64.233.179.104 would allow you to compare the old algorithm against the new one, where results from the 64.233.179.104 search would appear as they would have appeared before the latest changes. Check your website or blog, mine has lost some places but to more relevant content. It’s kind of a dirty game – some gain some lose. You find some businesses that focus entirely on SEO techniques to get their sites ranked higher and tend to forget about unique content, about the services or products they provide and about ethical issues! While Google tries to crack down on sites that try to fool the system, so often the new countermeasures manage to penalize legitimate websites as well.For more details read Google’s blog post – Finding more high-quality sites in search

The FTC (Federal Trade Commission) has proposed a framework for Businesses and Policymakers that would protect consumer privacy while encouraging the development of innovative new products and services. The draft focuses on three main elements which are the adherence to better privacy mechanisms by businesses throughout the whole process, provide simpler and meaningful privacy options to consumers and transparency of all data practices. These are categorized as Privacy by Design, Simplified Choice and Greater transparency. I will be providing you with some of the drafted best practices in future posts but let's start by explaining further the three main elements that make up the framework.

Privacy by Design: 'Companies should promote consumer privacy throughout their organization and at every stage of the development of their products and services.'

The framework suggests that companies should deal with data security from the beginning and not as an afterthought! Security best practices should lead the development of services and products which would include data accuracy, reliability, retention and other protective features. The draft insists of proper data management procedures that must be maintained throughout the whole life cycle of a product or service.

Simplified Choice: 'Companies should simplify consumer choice.'

The draft suggests that private data collected by businesses during rational operations, such as product fulfillment can do without the privacy options and the additional related steps presented to the consumers. The draft refers to these as common acc