July 29th, 2010 . by Chris Pierre
In the highly competitive world of securities trading there has been a noted uptick in software code theft according to Stockwatch.com, particularly among Alternative Trading System platforms (ATS).
Société Générale, Goldman Sachs and UBS have all been hit by software theft. In the case of Société Générale, the bank’s security cameras showed an employee printing out hundreds of pages of code. I would guess that the printing was an attempt to evade the electronic security measures likely in place on the employee’s computer system, which would have prevented them from copying the code to a flash drive. It’s notable that “old school” detection technology was what caught the perpetrator.
The Stockwatch article, citing Reuters, stated that in the Goldman Sachs case a new employer offered a Goldman computer programmer $1.2 million a year, whereas Goldman was only paying him $400,000. The article does not name the new employer, nor does it state whether the new employer enticed the individual to steal the code, or whether they did so of their own accord.
Stockwatch is an excellent resource for news and information on companies and individuals, especially for Canadian publicly traded companies. If you spend a lot of time trying to identify corporate affiliations then I would recommend it.
Posted in Ethics, Governance and Compliance Programs, Internet Investigations
July 21st, 2010 . by Chris Pierre
A great article appeared in the July 2010 issue of the SANS Ouch! Newsletter on protecting yourself and your family when using Facebook.
Among my favourites are:
- Follow the Golden Rule. Assume that the personal information and photos you display are available to everyone and anyone, not just to your friends.
- To protect children from online predators, do not post a child’s name in a photo tag or caption. If someone else does, delete it if you can, or ask the member who owns the photo to remove the name.
- Do not mention being away from home. Doing so is like putting a “Nobody’s Home” sign on your front door. Be vague about the dates of your travel plans and vacations.
For more please visit the SANS site.
Posted in Education/Training, Ethics, Governance and Compliance Programs
June 17th, 2010 . by Chris Pierre
Every once in a while it’s a good idea to remind ourselves of why we do background due diligence on potential new hires, and more importantly why it is important to conduct the appropriate level of research into individuals depending on the position they are applying for. Doing these types of inquiries on a risk-ranked basis is the proper way to achieve the best cost-benefit outcome. The BankInfo Security site has a good article on this very subject.
My view is that the first thing you have to do is verify that they are who they say they are. Verifying that they have a certain degree or job experience is secondary to the basic verification of identity.
Posted in Background Due Diligence, Ethics, Governance and Compliance Programs
April 7th, 2010 . by Chris Pierre
For those readers interested in privacy issues relating to cloud computing, it would be worthwhile to look at the March 29, 2010 report released by the Office of the Privacy Commissioner of Canada titled “Reaching for the Cloud(s): Privacy Issues related to Cloud Computing.”
The OPC identified nine key areas relating to privacy and cloud computing, including: Jurisdiction; Creation Of New Datastreams; Security; Data Intrusion; Lawful Access; Processing; Misuse Of Processing Data; Permanence Of Data; and Ownership Of Data.
The reorganization and repackaging of consumer data is addressed in “Creation of New Datastreams,” but the issue of meta-data is also addressed in “Ownership of Data,” where the report specifically states: “Finally, there is also the secondary data that is generated by interactions with a cloud-based infrastructure – although it may well be ‘personally identifiable information’ for the purposes of PIPEDA, users may not be aware of the creation/existence of this data.”
It is also worth reviewing the jurisprudence that is provided in the report. The OPC has provided some useful case law on its own ability to investigate cases internationally as well as enforcement of orders in Canada that were adjudicated in foreign jurisdictions.
Organizations that are selling or using cloud computing services should consider the Privacy Commissioner’s report in their security posture as it will likely be the basis for any privacy impact assessment or review conducted by that office.
Posted in Ethics, Governance and Compliance Programs
February 21st, 2010 . by Chris Pierre
This blog does not deal with the Internet security side of the equation very often, but I saw a post on the Hyperion Digital Identity Forum that I thought was interesting.
According to that post eBay in the United Kingdom may now be implementing a location based authentication scheme which aims to protect its users from being hacked. This is an interesting step towards account protection, provided of course that you never access your eBay account on business trips or vacations.
Perhaps the best way to implement this would be on an opt-in basis?
Posted in Ethics, Governance and Compliance Programs, Internet Investigations
January 15th, 2010 . by Chris Pierre
I am a regular reader of Steven Davis’s PlayNoEvil blog, as should anyone be who is interested in game security and online fraud. Through one of the PlayNoEvil posts I learned about a string of posts on the WoW.com site relating to account security.
I think these are a very useful read for anyone interested in protecting online accounts, including individuals, game companies and policy makers.
Posted in Ethics, Governance and Compliance Programs, Internet Investigations
December 24th, 2009 . by Chris Pierre
For government departments that are considering developing a forensic audit capacity I would recommend the article written by Alan Gilmore in the Financial Management Institute of Canada’s FMI*IGF Journal Volume 20, No. 1, Autumn 2008. The article is published in both English and French and is available from the Financial Management Institute’s website.
Posted in Education/Training, Ethics, Governance and Compliance Programs
May 12th, 2009 . by Chris Pierre
There is a great article in the April 2009 edition of Canadian Security Magazine on the use of social media for real-time intelligence gathering during crisis situations. The article features commentary by Jeannette Sutton and Leysia Palen of the University of Colorado Natural Hazards Center.
Are these tools the complete solution to crisis management? Probably not, but having multiple sources providing information on a given incident can only lead to better decision making in real time. Furthermore, although the article doesn’t address this, having multiple witness accounts of a given incident can help with post-crisis investigation as well.
Posted in Ethics, Governance and Compliance Programs, Internet Investigations
April 22nd, 2009 . by Chris Pierre
There are several resources that I use frequently to learn about counterfeiting and intellectual property fraud cases that happen globally. This kind of research gives you a sense of what is happening in which jurisdiction (i.e. hotspots). They are also useful for determining which law enforcement agency you might want to engage with, or which investigative or legal firms have IP protection practices in a given geographical area.
The first is the International Chamber of Commerce BASCAP Initiative. This is essentially a portal for research on anti-counterfeiting activities around the world. You can research by geographical location, items of interest or enforcement agency which allows you to get some very good, very specific information.
The second source is the Knockoff Report, produced by Rob Holmes of IP Cybercrime in California. His blog focuses on brand protection activities and articles from both a policing and a private sector perspective (note the referral to the Gamasutra article on Sony PSP piracy).
Both of the above sites have e-newsletters that you can subscribe to.
Honourable mention goes to the World Health Organization’s IMPACT site and to the Interpol site. The WHO IMPACT site provides some great information on counterfeit drugs and also provides a mechanism to report incidences of counterfeit medicine; unfortunately, it does not appear to be updated very often.
The Interpol site describes some of the initiatives that this organization has been involved with to help stop the spread of counterfeit goods, including medicines.
Finally, and I can’t believe I almost forgot, there is the LinkedIn group on Anti-Counterfeiting.
Posted in Ethics, Governance and Compliance Programs, Internet Investigations
March 30th, 2009 . by Chris Pierre
In November 2008 I provided readers with a link to the European Network and Information Security Agency’s paper on privacy and security in virtual worlds. At the time I didn’t realize that the same organization had also published a paper specifically looking at virtual worlds aimed at children, called “Children on virtual worlds: What parents should know.” Readers may also be interested in that paper.
The Canadian Office of the Privacy Commissioner has recently posted a research paper on its website. The paper, which was written in April 2008, describes privacy concerns relating to virtual worlds, specifically Second Life.
It is titled “Second Life: Privacy in Virtual Worlds” and it provides a general background on these environments, some of the marquee cases that have affected users’ privacy, and finally analyzes some of these concerns against the principles set forth in the Privacy Act.
It is a good read for researchers, but will also give virtual world/MMORPG businesses a sense of the direction that Canadian privacy authorities are heading in with respect to these environments.
Posted in Education/Training, Ethics, Governance and Compliance Programs