BayPay Forum

Diagnosis: Ransomware - How Do We Treat it?

Category: Security News

ISMG Security Report: To Whom Should CISO Report?

Category: Security News

The U.S. Congress delves into the issue of whether CISOs should report to CIOs, a topic that leads the Friday, May 27, 2016, edition of the ISMG Security Report.

The report features:

  • HealthcareInfoSecurity Executive Editor Marianne Kolbasuk McGee analyzing legislation that calls for the Department of Health and Human Services' CISO to report to a top agency administrator, rather than the CIO;
  • The Chertoff Group Managing Director Jeremy Grant, former leader of the U.S. government's National Strategy for Trusted Identities in Cyberspace, explaining how improving identity management can boost business;
  • Information Security Forum Executive Director Steve Durbin, in an interview with BankInfoSecurity Executive Editor Tracy Kitten, outlining a role for global governments to help the private sector secure their IT; and
  • David Powner, Government Accountability Office information technology issues director, warning about the insecurity of U.S. government legacy IT systems, some of which are a half-century old and rely on floppy disks for storage. About three-quarters of the federal government's annual $80 billion IT budget is devoted to operating and maintaining existing systems, and the amount earmarked for new investments has plunged by $7.3 billion since 2010.

Information Security Media Group premiered on May 24 the ISMG Security Report, a concise, on-demand audio report in which ISMG editors and other experts analyze the latest IT security news.

The ISMG Security Report will be posted on this and other ISMG websites on Tuesdays and Fridays, with each episode running about 10 minutes.

Check out our previous ISMG Security Report, which featured stories on unusual twists behind the latest ransomware attack; an analysis on new trends in ransomware prevention; U.S. regulators querying mobile device providers and wireless services on updating security on smartphones, tablets and other devices; and Europol's struggles with cyberthreat information sharing.

Look for our next report, which will be posted on Tuesday, May 31.

ISMG Security Report's theme music is by Ithaca Audio.

***

Correction: An earlier version of this post incorrectly stated that the ISMG Security Report debuted on May 25. The ISMG Security Report premiered on May 24.


Mandatory Breach Notifications: Europe's Countdown Begins

Category: Security News

Start preparing immediately for the EU's new General Data Protection Regulation, even though it doesn't go into force for two more years.

"We're advising our clients to start right now," says cybersecurity expert Brian Honan, who heads Dublin-based BH Consulting. "While two years may sound [like] a long time, there's a lot of work to do." That includes coming to grips with changes to information-gathering and consent practices, Europe's first-ever mandatory data breach notifications for all organizations, as well as a new requirement for many organizations that handle people's personal information to appoint a data protection officer.

After years of related negotiations, the European Parliament and European Council on April 8 enacted the GDPR, which will go into force on May 25, 2018. It replaces the 1995 Data Protection Directive, which each EU country implemented through its own national law, creating a patchwork of similar - but slightly differing - laws across Europe.

By contrast, the new data protection regulation will apply equally across all 28 EU member countries, and it toughens Europe's already vaunted privacy protections for consumers. Furthermore, any organization worldwide that handles Europeans' personal data will have to comply. And organizations that violate the rules will face fines of up to 4 percent of their global annual revenues or €20 million ($22.4 million) - whichever is greater.

"There's a huge focus on privacy as part of the regulations, and this will impact companies that are looking to develop new products and new services within the EU," Honan says. "They will have to make privacy impact assessments on new services and products that they're planning to develop. So privacy has to be built in from the very beginning."

In this audio interview with Information Security Media Group, Honan details:

  • How the GDPR builds on Europe's existing privacy and information-handling rules.
  • The breach penalties facing organizations that violate the new privacy rules.
  • How Europe's new mandatory breach notifications will reshape the region's information security perceptions.
  • Why the new regulation could be a boon to law enforcement agencies battling cybercrime.

The message behind the GDPR is clear: Safeguard people's personal information, or else. "It's bringing this away from being an IT problem, to being a business problem," Honan says. "As part of your incident response you're going to need to have good legal and regulatory advice on how you make sure you comply with the regulations."

Honan is president of Dublin-based BH Consulting and the founder of Ireland's first computer emergency response team, IRISS-CERT. He's also a cybersecurity adviser to the EU's law enforcement intelligence agency, Europol.


Data Protection: The Value of Masking

Category: Security News

Data today is money - especially in financial services, where account data is every hacker's target. How, then, can institutions mask that data and protect it when it's in non-production environments? Mike Logan of Delphix offers new insights.

"Data has real value," says Logan, VP of Masking at Delphix. "The data breaches we hear about all the time, they're happening because there's a lot of value in getting that data."

Recognizing the reputational and regulatory imperatives to protect data, financial institutions are looking for new, holistic solutions, Logan says.

"How do they solve this problem across all their different access points they have with their customers, their partners, their vendors," he says. "They have to protect the data no matter where it's going."

In an interview about data protection, Logan discusses:

  • Top data protection concerns for financial institutions;
  • How data masking solutions have evolved;
  • What distinguishes Delphix in the marketplace.

A senior leader with 30 years of experience, Logan is the Vice President of Masking at Delphix. His focus is to make Delphix a leader in the secure data virtualization market. He brings together a unique combination of management, consulting and technology depth and design thinking to transform a business through the use of next generation data solutions.

Prior to joining Delphix, he was President and co-founder of Axis Technology, LLC and was responsible for developing its proprietary data masking product DMsuite, which was subsequently acquired by Delphix. Before founding Axis, he was a senior technical leader at Oracle and Digital Equipment Corp, where he pioneered the delivery of data warehouses using parallel database technology for leading edge clients.


MySpace Fallout: More Big Breaches to Come?

Category: Security News

Underground Rumors Hint at Other Nine-Figure Breaches

Jeremy Kirk (jeremy_kirk) • June 1, 2016

MySpace on Tuesday confirmed it is resetting accounts affected by the release of 360 million usernames, email addresses and weakly hashed passwords. But according to one expert, there may be more huge data breaches to be announced, and a posting on an underground website points in that direction.


Troy Hunt, who runs the breach notification service "Have I Been Pwned?," says there are rumors of "other things in the pipeline with nine figures."

"At the moment, there is a recurring pattern of very large breaches from a long time ago making an appearance," Hunt says.

Tied to LinkedIn, Tumblr Breaches?

May was a rough month for some major online services: 165 million leaked LinkedIn accounts, 65 million from Tumblr and 41 million from Fling, all from data breaches that occurred years ago.

The data from MySpace, LinkedIn, Tumblr and Fling are offered for sale on The Real Deal, an underground marketplace run as a Tor hidden service, which hides the server's real IP address.

The seller goes by the nickname "peace_of_mind." It's a mystery if "Peace" is the actual hacker or simply a vendor for other parties who compromised the data. Either way, "there is something that has been a catalyst in his life that is causing him to liquidate," says Hunt, who loaded the MySpace breach data into his service on Tuesday night.

In its breach notification on Tuesday, MySpace took a bold leap, writing that "we believe the data breach is attributed to Russian cyberhacker 'Peace.' This same individual is responsible for other recent criminal attacks such as those on LinkedIn and Tumblr."

As of Wednesday morning, MySpace remains peace_of_mind's most expensive batch of data at 6 bitcoins, or around $3,180. The LinkedIn data costs $1,060, with Tumblr at $95 and Fling at $297, all payable in bitcoin.

Tweet, June 1, 2016: "Stolen MySpace credentials for sale via The Real Deal. Cost: 6 bitcoins."

Leaked Source, a paid-for breach notification service, also has the MySpace data. On Friday, Leaked Source wrote that it had obtained the information from someone going by the alias "Tessa88."

A search of underground forums by ISMG turned up a post from March 4 on a Russian-language carding site - where stolen credit card data is traded - by someone with the same alias.

The post offered batches of account data from seven services: social networking service Vkontakte (137 million accounts); games marketplace Mobango (6 million); MySpace (380 million); social network Badoo (126 million); Russian portal and instant messaging service Qip (133 million); file-sharing service Dropbox (103 million); and search engine and web portal Rambler.ru (101 million).

Whether Tessa88 actually does have all of that data is an open question. But the number of MySpace accounts cited in the post - 380 million - is fairly close to the number that has actually been confirmed.

Dropbox's Chris Peterson, head of security engineering, told Information Security Media Group on Wednesday that the company was aware of the post. The data advertised are not credentials for Dropbox and came from another source, he said.

Officials from the other services named in the post could not be immediately reached for comment. But it's not unheard of for hackers to falsely advertise credentials in order to tease buyers, even if the data originated from a different breach.

Tweet, June 1, 2016: "MySpace and more: 'Tessa88' claims to have additional stolen credentials data for sale."

When Was MySpace Breached?

MySpace, the social networking service that faded in 2008 with the rise of Facebook, said accounts created prior to June 11, 2013, were compromised. Those accounts were on MySpace's old platform, which was updated in mid-2013.

Based on feedback from people who had MySpace accounts, Hunt says his gut feeling is that the breach occurred in late 2008 or early 2009. Several people who have reached out to him said they created accounts in 2009 or 2010, but are not in the breach.

It's often difficult to determine the date range of affected accounts for breaches. The data could have been stolen at different points in time from multiple locations and then clumped together, which can cloud analysis, he says.

"This is not necessarily black and white," Hunt says. "There actually could be many shades in this."

The passwords for the MySpace accounts were hashed using SHA-1, a fast general-purpose hash function that was never designed for password storage and has been considered unsuitable for it for more than a decade. Hashing turns a plain-text password into a fixed-length digest that cannot be directly inverted, which is safer for an online service to store than the password itself.

But a fast, unsalted hash can be attacked by guessing rather than by reversal: an attacker hashes billions of candidate passwords per second on graphics processors with purpose-built cracking tools such as hashcat and keeps every guess whose digest matches one in the dump. Generally, the longer and less predictable a password is - a mix of lower- and upper-case letters, symbols and numbers that does not appear in any wordlist - the more guesses are needed to find it.

With its new platform, MySpace said it strengthened its security and now double-salts password hashes. Salting adds random per-user data to the password before it is hashed, so a single precomputed table no longer cracks every account at once and each hash must be attacked separately. Salting by itself does not make an individual guess slower; that requires a deliberately slow, iterated password hash such as bcrypt or PBKDF2.

Collateral Damage

As far as the latest breaches go, the MySpace release will not likely offer any particularly new insights. "It is like every other data breach in every other way except for the volume of records," Hunt says.

But it still adds to the hefty batches of data floating around. Spammers would likely find the email addresses useful. Since people often ignore the advice of security experts and reuse passwords, the email and password pairs can be replayed against other services for account takeovers, a technique known as credential stuffing.

"All that stuff will get reused," Hunt says.

That poses challenges for other web services, and some are already taking action. Last week, Reddit said it had proactively reset 100,000 passwords in the previous two weeks in light of the password dumps.

"Though Reddit itself has not been exploited, even the best security in the world won't work when users are reusing passwords between sites," it wrote.

Amazon and LinkedIn have also in the past proactively reset accounts when the services suspect suspicious activity, Hunt says.

Meanwhile, Facebook in 2013 noted that it was actively monitoring data dumps for any email and password combinations that matched Facebook users' credentials, and forcing affected users to reset their accounts before regaining access.
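The hashing and salting explanation above, and the dump-matching that Reddit and Facebook are described as doing, as one added worked example (this is not code from the article, from MySpace or from any of the services named): it shows why a single precomputed table cracks every unsalted SHA-1 hash in one pass, how per-user salts combined with an iterated hash force an attacker to recompute the wordlist for each account, and how a service can test a third-party dump against its own live records to decide which users to force-reset. The wordlist, users, passwords and dump are constructed for the demo; PBKDF2-HMAC-SHA256 and its iteration count are an assumption standing in for whatever MySpace actually deploys.

```python
import hashlib
import hmac
import os

# Constructed demo data: a tiny wordlist and three made-up users. Nothing here
# is taken from the MySpace dump or any real breach.
WORDLIST = ["password", "123456", "letmein", "summer2009", "qwerty"]
ITERATIONS = 50_000  # assumed PBKDF2 work factor; production would use more


def legacy_sha1(password: str) -> str:
    """Unsalted SHA-1, the scheme the article describes for the old platform."""
    return hashlib.sha1(password.encode()).hexdigest()


def crack_unsalted(hashes: dict, wordlist) -> tuple:
    """One precomputed table cracks every matching user at once.
    Returns (recovered passwords, number of hash computations)."""
    table = {legacy_sha1(w): w for w in wordlist}
    recovered = {user: table[h] for user, h in hashes.items() if h in table}
    return recovered, len(wordlist)


def salted_hash(password: str, salt: bytes, iterations: int = ITERATIONS) -> bytes:
    """Salted, deliberately slow hash (PBKDF2-HMAC-SHA256) for the new platform."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)


def new_record(password: str) -> dict:
    """Per-user random salt: a table precomputed without it is useless."""
    salt = os.urandom(16)
    return {"salt": salt, "hash": salted_hash(password, salt)}


def verify(record: dict, password: str) -> bool:
    """Constant-time comparison against the stored salted hash."""
    candidate = salted_hash(password, record["salt"])
    return hmac.compare_digest(candidate, record["hash"])


def crack_salted(records: dict, wordlist) -> tuple:
    """With per-user salts the attacker recomputes the wordlist for every user,
    and each computation costs ITERATIONS of HMAC instead of one SHA-1.
    Returns (recovered passwords, number of hash computations)."""
    recovered, work = {}, 0
    for user, rec in records.items():
        for w in wordlist:
            work += 1
            if verify(rec, w):
                recovered[user] = w
                break
    return recovered, work


def users_to_reset(records: dict, dump) -> list:
    """The check Reddit and Facebook are described as running: test each leaked
    email/password pair against the live account and return the accounts whose
    leaked password still works, so they can be force-reset.
    Assumed dump format: iterable of (email, plaintext_password)."""
    return [email for email, leaked in dump
            if email in records and verify(records[email], leaked)]


# --- Demo with constructed data ---
LEGACY_DB = {
    "alice@example.com": legacy_sha1("summer2009"),
    "bob@example.com": legacy_sha1("qwerty"),
    "carol@example.com": legacy_sha1("Tr0ub4dor&3"),  # not in the wordlist
}
NEW_DB = {
    "alice@example.com": new_record("summer2009"),  # reused her old password
    "bob@example.com": new_record("n3w-unique-pass"),
    "carol@example.com": new_record("Tr0ub4dor&3"),
}
# A third-party dump as a service might obtain it (constructed).
DUMP = [
    ("alice@example.com", "summer2009"),
    ("bob@example.com", "qwerty"),
    ("nobody@example.com", "password"),
]

if __name__ == "__main__":
    print("unsalted:", crack_unsalted(LEGACY_DB, WORDLIST))
    print("salted:  ", crack_salted(NEW_DB, WORDLIST))
    print("reset:   ", users_to_reset(NEW_DB, DUMP))
```

The unsalted run recovers two of three accounts after computing the wordlist once; the salted run recovers only Alice, who reused her password, after recomputing the wordlist per user with an iterated hash each time. The dump check flags Alice alone, because Bob's leaked password no longer matches his current one.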

