Privacy and Information Security In the News -- Week of May 1, 2006

5/1/2006

May 1, 2006


A note about broken links: In the News links to current stories at various news sources on the Internet. Over time, some of the links may become broken when a source removes the stories from its pages. Often you can find the same story at another source by searching the title and author of the article. If you have questions about a link, send us an e-mail.

Ransomware Programs Surface

Cnet News.Com reports that a second “ransomware” program in two months has been identified. The program is a Trojan horse that threatens to destroy a computer file every half hour until the computer’s user sends the hacker $10.99 via Western Union. A similar ransomware program was discovered in March. That program encrypted files on an infected computer and required the user to pay $300 to have them decrypted. “Trojan horse: Your money or your files,” http://news.com.com/Trojan+horse+Your+money+or+your+files/2100-7349_3-6066636.html?tag=html.alert

FBI Sought Information on 3,501 in 2005 Without Warrants

This past Friday, the FBI revealed that in 2005 it issued 9,254 national security letters to obtain information on 3,501 U.S. citizens and residents from their banks and credit card, telephone and Internet companies. The FBI can issue a national security letter without obtaining the approval of a judge or grand jury if it certifies that the records being sought are relevant to an investigation "to protect against international terrorism or clandestine intelligence activities." National security letters were at the center of the debate earlier this year when Congress reauthorized the U.S. PATRIOT Act. As part of a compromise, Congress required the FBI to report annually on the number of letters it issues. “FBI secretly sought data on 3,501 people in ’05,” http://msnbc.msn.com/id/12536627/

Laptop with Sensitive Data Stolen from Car of Vacationing College Employee

Sensitive data, including names and Social Security numbers, on 20,000 students, faculty and staff in the Vermont State College system was stored on a laptop computer that was stolen from the locked car of a Vermont college employee who was on vacation in Montreal. The data was not encrypted. “Vermont Loses Laptop Loaded with Student & Faculty Data,” http://www.consumeraffairs.com/news04/2006/04/vt_laptop_theft.html

Cornell Researchers Say Internet Addressing System Makes the Net Vulnerable to Attack

Researchers at Cornell University say that flaws in the Internet’s addressing system, the Domain Name System (DNS), could allow malicious hackers to take over a third of the Internet and, using denial-of-service attacks, bring down 85 percent of Internet sites. When you visit a site on the Internet, your computer must consult, on average, 46 different name servers that each hold a piece of the information needed to translate the site’s name into an address. If any one of those servers is insecure, hackers could take advantage of it. For example, the researchers said that if a hacker launched denial-of-service attacks against the uncompromised servers, the hacker could force traffic to a compromised one and from there to a site the hacker set up to defraud the user. Among the sites the researchers found to be vulnerable were the FBI’s website and the site for the Roman Catholic Church in the Ukraine. In the case of the FBI site, five of the six servers consulted to obtain the site’s Internet address were secure, but the sixth was not, because it had not been patched for a well-known bug. “Big holes in net's heart revealed,” http://news.bbc.co.uk/1/hi/technology/4954208.stm
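The point of the Cornell finding is that a site depends not only on the name servers it chose, but on the name servers those servers depend on, and so on. The following is an added example, not code from the BBC article or from the Cornell researchers: it computes that transitive dependency set over a constructed, in-memory table of NS records (no network access), and then reports which of the dependencies are on a constructed list of unpatched servers. All zone and server names are invented for illustration.

```python
"""Transitive trust in DNS: which name servers does resolving one name depend on?

Added example over constructed data; the zones, servers and the 'unpatched'
list are invented and do not describe any real operator.
"""
from collections import deque

# Constructed NS data: zone -> authoritative name servers for that zone.
# example.gov. delegates partly to a third-party DNS host, which in turn
# relies on a server in yet another organisation's zone.
NS_RECORDS = {
    ".":                   ["a.root-servers.net.", "b.root-servers.net."],
    "net.":                ["a.gtld-servers.net.", "b.gtld-servers.net."],
    "gov.":                ["a.gov-servers.net.", "b.gov-servers.net."],
    "org.":                ["a.org-servers.net."],
    "example.gov.":        ["ns1.example.gov.", "ns2.example.gov.", "ns.outsourced-dns.net."],
    "outsourced-dns.net.": ["ns.outsourced-dns.net.", "ns2.cheap-hosting.org."],
    "cheap-hosting.org.":  ["ns1.cheap-hosting.org.", "ns2.cheap-hosting.org."],
}

# Constructed: servers known to run an unpatched, vulnerable DNS implementation.
UNPATCHED = {"ns2.cheap-hosting.org."}


def enclosing_zones(name):
    """Zones in NS_RECORDS that contain `name`, from the root down to the name itself."""
    labels = [] if name == "." else name.rstrip(".").split(".")
    candidates = ["."] + [".".join(labels[i:]) + "." for i in range(len(labels))]
    return [zone for zone in candidates if zone in NS_RECORDS]


def dependency_set(name):
    """Every name server whose compromise could hijack resolution of `name`.

    A resolver must trust the servers of each zone enclosing `name`.  Each of
    those servers is reached by its own hostname, so the servers of the zones
    enclosing *that* hostname are trusted too, and so on until the set stops
    growing: the transitive closure of the trust relation.
    """
    deps = set()
    visited = set()
    queue = deque([name])
    while queue:
        current = queue.popleft()
        if current in visited:
            continue
        visited.add(current)
        for zone in enclosing_zones(current):
            for server in NS_RECORDS[zone]:
                if server not in deps:
                    deps.add(server)
                    queue.append(server)
    return deps


def weak_links(name):
    """Dependencies of `name` that appear on the unpatched list."""
    return dependency_set(name) & UNPATCHED


if __name__ == "__main__":
    target = "www.example.gov."
    deps = dependency_set(target)
    print(f"{target} depends on {len(deps)} name servers:")
    for server in sorted(deps):
        flag = "  <-- unpatched" if server in UNPATCHED else ""
        print(f"  {server}{flag}")
```

Run against the constructed table, www.example.gov. depends on twelve servers, and the one unpatched server in its dependency set (ns2.cheap-hosting.org.) is two delegations removed from anything the site's operator configured, which is exactly the kind of exposure the researchers describe.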


May 2, 2006


Security Breach at Ohio University

A hacker broke into a computer system at Ohio University that held information about 300,000 alumni and businesses, including the Social Security numbers of 137,000 individuals. The university is notifying alumni by e-mail. "I don't know what effect this will have long-term,” said Ohio University President Roderick McDavis. “My hope is that it will not have an adverse effect on our fundraising." “Security Breach At College Puts Alumni At Risk,” http://www.nbc4i.com/news/9142800/detail.html

Best Practices in the Use of RFID Technology

The Center for Democracy & Technology has released a set of best practices to guide the use of radio frequency identification (“RFID”) technology. The best practices were developed by a working group that comprised nonprofit advocates (such as the National Consumers League and the American Library Association) and businesses (such as Procter & Gamble, Cisco Systems, I.B.M., Microsoft, and Visa USA). The working group developed three principles that address privacy concerns surrounding the implementation of RFID technology:

  • The principle of technology neutrality, which provides that “RFID technology in and of itself does not impose threats to privacy. Rather privacy breaches occur when RFID, like any technology, is deployed in a way that is not consistent with responsible information management practices that foster sound privacy protection.”

  • The principle of privacy and security as primary design requirements, which states that “[u]sers of RFID technology should address the privacy and security issues as part of its initial design. Rather than retrofitting RFID systems to respond to privacy and security issues, it is much preferable that privacy and security should be designed in from the beginning.”

  • The principle of consumer transparency, which says “[t]here should be no secret RFID tags or readers. Use of RFID technology should be as transparent as possible, and consumers should know about the implementation and use of any RFID technology (including tags, readers and storage of PII [personally identifiable information]) as they engage in any transaction that utilizes an RFID system.”

Based on these principles, the working group adopted the following best practices:

  • Notice – “Consumers should be provided with clear, conspicuous and concise notice when information, including location information, is collected through an RFID system and linked, or is intended by a commercial entity to become linked, to an individual's personal information either on the RFID tag itself or through a database.”
  • Choice and Consent – “Consistent with the guidelines for notice, consumers should be clearly notified when there is an opportunity to exercise choice with respect to the use of the RFID technology or with respect to the use of linked information collected on the RFID tag or associated with the RFID number. Consumers should be offered such choice before the conclusion of the transaction to obtain a good or service, wherever practicable, so that, when coupled with robust notice, consumers are given the tools to effectively exercise their choice with respect to the use of RFID technology.”
  • Onward Transfer – “Wherever practicable, a company collecting PII via the deployment of an RFID system should include in its contracts provisions requiring that the companies with which it shares PII, including its affiliates, subsidiaries and any third party companies, will afford that shared data a level of protection consistent with or greater than that afforded by the company collecting the information.”
  • Access – “When PII is maintained on the tag itself, individuals should have reasonable access to that information.”
  • Security – “Companies should exercise reasonable and appropriate efforts to secure RFID tags, readers and, whenever applicable, any corollary linked information from unauthorized reading, logging and tracking, including any network or database transmitting or containing that information and radio transmissions between readers and tags. In addition, companies should exercise reasonable and appropriate efforts to secure the linked information from unauthorized access, loss or tampering.”

These best practices are explained in more detail on the CDT’s site at http://www.cdt.org/privacy/20060501rfid-best-practices.php


May 4, 2006


Air Travelers Leave an Information Trail

David T.S. Fraser, at the Canadian Privacy Law Blog, pointed us to an interesting article on the website of the UK publication, The Guardian. The Guardian pulled a boarding pass out of the trash on the train from Heathrow Airport to Paddington Station to see what information might be learned about the traveler who had discarded it. Here is what they found:

We logged on to the BA [British Airways] website, bought a ticket in Broer's name [the name on the discarded boarding pass] and then, using the frequent flyer number on his boarding pass stub, without typing in a password, were given full access to all his personal details - including his passport number, the date it expired, his nationality (he is Dutch, living in the UK) and his date of birth. The system even allowed us to change the information.

Using this information and surfing publicly available databases, we were able - within 15 minutes - to find out where Broer lived, who lived there with him, where he worked, which universities he had attended and even how much his house was worth when he bought it two years ago. (This was particularly easy given his unusual name, but it would have been possible even if his name had been John Smith. We now had his date of birth and passport number, so we would have known exactly which John Smith.)

The Guardian attributes the problem to U.S. policies adopted after 9/11 that require airlines to collect passenger details in order to identify terrorists who are attempting to board planes to the States. The Guardian concludes that “[what] the BA lapse shows is that companies cannot be trusted to gather this information without it getting out to criminals who would abuse it. The potential for identity theft is huge, but the number of agencies among which it will be shared is just growing and growing.” “Q. What could a boarding pass tell an identity fraudster about you? A. Way too much,” http://www.guardian.co.uk/idcards/story/0,,1766266,00.html
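The flaw the Guardian describes is a profile that anyone can read and edit by supplying an identifier printed on a discarded stub, with no proof that the requester is the account holder. The following is an added example, not code from British Airways or The Guardian: it places that identifier-only lookup next to a hardened version in which every read and write is tied to a password-authenticated session for that same account, and the login endpoint gives the same answer for an unknown number and a wrong password. The masking of the passport number in the hardened view goes a step beyond the article. All names, numbers and passwords are constructed.

```python
"""Traveller profile lookup: identifier-only access beside authenticated access.

Added example with constructed data; no real airline system, people or
credentials are represented.
"""
import hashlib
import hmac
import secrets
from typing import Optional

# Constructed profile store: frequent-flyer number -> personal details.
PROFILES = {
    "FF12345678": {"name": "M. Traveller", "passport": "NX1234567",
                   "passport_expiry": "2011-06-30", "nationality": "NL", "dob": "1971-03-14"},
    "FF87654321": {"name": "J. Smith", "passport": "GB7654321",
                   "passport_expiry": "2012-01-15", "nationality": "GB", "dob": "1965-09-02"},
}


def lookup_profile_insecure(ff_number: str) -> Optional[dict]:
    """The weak design: the number on the boarding-pass stub is the only 'credential'."""
    return PROFILES.get(ff_number)


# ---- hardened version -------------------------------------------------------

def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def _new_account(password: str) -> dict:
    salt = secrets.token_bytes(16)
    return {"salt": salt, "pw_hash": _hash_password(password, salt)}


# Constructed credentials; in a real system these would come from enrolment.
ACCOUNTS = {
    "FF12345678": _new_account("tulip-canal-bicycle"),
    "FF87654321": _new_account("rainy-teapot-queue"),
}
SESSIONS = {}   # session token -> frequent-flyer number the session was issued to


def login(ff_number: str, password: str) -> Optional[str]:
    """Issue a session token only if the password matches.

    Unknown number and wrong password get the same answer (and roughly the
    same work), so the endpoint does not confirm which numbers exist.
    """
    account = ACCOUNTS.get(ff_number)
    if account is None:
        _hash_password(password, b"\x00" * 16)   # burn the same time as a real check
        return None
    if not hmac.compare_digest(_hash_password(password, account["salt"]), account["pw_hash"]):
        return None
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = ff_number
    return token


def _session_owns(session_token: str, ff_number: str) -> bool:
    owner = SESSIONS.get(session_token)
    return owner is not None and owner == ff_number


def lookup_profile(session_token: str, ff_number: str) -> Optional[dict]:
    """Return the profile only if the session belongs to that very account."""
    if not _session_owns(session_token, ff_number):
        return None
    profile = dict(PROFILES[ff_number])
    # Even the owner rarely needs the full passport number on screen.
    passport = profile["passport"]
    profile["passport"] = "*" * (len(passport) - 3) + passport[-3:]
    return profile


def update_profile(session_token: str, ff_number: str, **changes) -> bool:
    """Writes get the same ownership check as reads."""
    if not _session_owns(session_token, ff_number):
        return False
    PROFILES[ff_number].update(changes)
    return True
```

The insecure function returns the full passport number for any frequent-flyer number handed to it; the hardened functions return nothing for a missing or foreign session, and a valid session for one account cannot read or change another account's record.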

FTC Sues to Stop Sale of Cell Phone Records

The Federal Trade Commission yesterday filed five lawsuits against online companies it alleges obtained and sold confidential records of cell phone users. The FTC Press release described the allegations in the complaint:

According to the FTC complaints in these cases, the defendants advertised on their Web sites that they could obtain the confidential phone records of any individual, including lists of outgoing and incoming calls, and make that information available to their clients for a fee. “The account holders have not authorized the defendants to obtain access to or sell their confidential customer phone records. Instead, to obtain such information, defendants have used, or caused others to use, false pretenses, fraudulent statements, fraudulent or stolen documents or other misrepresentations, including posing as a customer of a telecommunications carrier, to induce officers, employees, or agents of telecommunications carriers to disclose confidential customer phone records,” the FTC complaints state. The defendants then sold the records to third parties. According to a Commission complaint, one of the defendants, Integrity Security & Investigations Services, Inc., based in Yorktown, Virginia, also advertised, obtained and sold consumers’ financial records, including credit card information.

“FTC Seeks Halt to Sale of Consumers’ Confidential Telephone Records,” http://www.ftc.gov/opa/2006/05/phonerecords.htm

5-Month Old the Victim of Identity Theft

ABC News reports that someone used the identity of a 5-month old boy to obtain medical treatment and a prescription for medicine from a family clinic in Edmonds, Washington. The boy’s parents became aware of it when they received a note from the clinic saying the account would be referred to a collection agency if not paid promptly. Police have identified a suspect in the case. “5-Month-Old Baby's Identity Stolen,” http://www.abcnews.go.com/US/story?id=155878&page=1

Ohio University Hit By Second Data Breach

Earlier this week, we linked to an article about a data breach at Ohio University that exposed information on about 300,000 alumni and businesses. It turns out Ohio University suffered a second breach, this one involving confidential commercial information. According to a report in Computerworld, FBI officials have informed the University that a server at the University’s Technology Transfer Department had been compromised. The server contained patent data and intellectual property files. The article indicates that the University was unaware of the second breach until it was notified by the FBI. “Ohio University reports two separate security breaches,” http://www.computerworld.com/securitytopics/security/story/0,10801,111113,00.html?source=x3888


May 5, 2006


Hacking RFID Tags

An article in the May issue of Wired Magazine recounts how hackers are able to steal information emitted by radio frequency identification (“RFID”) tags. The author, Annalee Newitz, recounts “5 tales from the RFID-hacking underground.” For example, she tells how a hacker demonstrated for her the ability, using a homemade USB device, to read the data off an RFID office key while the key remained in the back pocket of its owner. She recounts other examples as well, such as how computer science students at Johns Hopkins University cracked the cipher on the ExxonMobil SpeedPass payment tag, allowing them to buy gas with a cloned tag. Hackers even demonstrated to Newitz the ability to read the data from the RFID chip she had implanted in her arm.

Newitz says that, while it is possible to encrypt RFID signals, most commercial RFID tags are not secured because encryption is expensive: a typical passive RFID chip costs about a quarter, while a chip that supports encryption costs about $5. Newitz writes:

This leaves most RFIDs vulnerable to cloning or - if the chip has a writable memory area, as many do - data tampering. Chips that track product shipments or expensive equipment, for example, often contain pricing and item information. These writable areas can be locked, but often they aren't, because the companies using RFIDs don't know how the chips work or because the data fields need to be updated frequently. Either way, these chips are open to hacking.

Newitz quotes Ari Juels, research manager at security firm RSA Labs, who says that "[t]he world of RFID is like the Internet in its early stages . . . Nobody thought about building security features into the Internet in advance, and now we're paying for it in viruses and other attacks. We're likely to see the same thing with RFIDs." “The RFID Hacking Underground,” http://www.wired.com/wired/archive/14.05/rfid_pr.html
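The cloning Newitz describes works because a cheap tag's whole "protocol" is to emit a fixed identifier that anyone with an antenna can record and re-emit. The following is an added example, not code from the Wired article or from any product it mentions, and it is a simplified model rather than the SpeedPass cipher or any real tag protocol: a static-ID tag and a keyed tag each talk to a reader, an eavesdropper captures one exchange from the air, and the capture is enough to clone the first tag but not the second, because the keyed tag answers a fresh random challenge with an HMAC under a per-tag secret that never leaves the chip. Tag IDs and keys are constructed.

```python
"""Static-ID RFID tags clone; challenge-response tags resist one-shot cloning.

Added example; a deliberately simplified model of two tag designs, not any
real product's protocol.  IDs and keys are constructed.
"""
import hashlib
import hmac
import secrets
from typing import Optional, Tuple


def tag_mac(key: bytes, challenge: bytes) -> bytes:
    """Keyed response, truncated to 8 bytes to stand in for a short radio frame."""
    return hmac.new(key, challenge, hashlib.sha256).digest()[:8]


class StaticTag:
    """Cheap passive tag: emits the same ID on every read and ignores any challenge."""
    def __init__(self, uid: bytes):
        self.uid = uid

    def respond(self, challenge: Optional[bytes]) -> Tuple[bytes, bytes]:
        return self.uid, b""


class CryptoTag:
    """Tag holding a per-tag secret; it transmits a MAC of the challenge, never the key."""
    def __init__(self, uid: bytes, key: bytes):
        self.uid = uid
        self._key = key

    def respond(self, challenge: Optional[bytes]) -> Tuple[bytes, bytes]:
        return self.uid, tag_mac(self._key, challenge or b"")


class ReplayTag:
    """Attacker's device: emits one captured response no matter what the reader asks."""
    def __init__(self, uid: bytes, captured_response: bytes):
        self.uid = uid
        self.captured = captured_response

    def respond(self, challenge: Optional[bytes]) -> Tuple[bytes, bytes]:
        return self.uid, self.captured


class Reader:
    def __init__(self, enrolled: dict):
        # uid -> per-tag key for keyed tags, or None for tags enrolled by ID alone
        self.enrolled = enrolled
        # Everything sent over the air, as an eavesdropper with an antenna sees it
        self.airlog = []

    def read_by_id(self, tag) -> bool:
        """Accept any tag whose emitted ID is enrolled (the cheap design)."""
        uid, response = tag.respond(None)
        self.airlog.append((None, uid, response))
        return uid in self.enrolled

    def read_with_challenge(self, tag) -> bool:
        """Accept only a tag that can MAC a fresh random challenge under the enrolled key."""
        challenge = secrets.token_bytes(8)
        uid, response = tag.respond(challenge)
        self.airlog.append((challenge, uid, response))
        key = self.enrolled.get(uid)
        if key is None:
            return False
        return hmac.compare_digest(tag_mac(key, challenge), response)


def clone_from_capture(capture) -> ReplayTag:
    """Build a replay device from one eavesdropped (challenge, uid, response) triple."""
    _challenge, uid, response = capture
    return ReplayTag(uid, response)


def demo() -> dict:
    uid = bytes.fromhex("04a1b2c3d4")      # constructed tag ID
    key = secrets.token_bytes(16)          # constructed per-tag secret
    results = {}

    id_reader = Reader({uid: None})
    results["static_genuine"] = id_reader.read_by_id(StaticTag(uid))
    results["static_clone"] = id_reader.read_by_id(clone_from_capture(id_reader.airlog[-1]))

    keyed_reader = Reader({uid: key})
    results["keyed_genuine"] = keyed_reader.read_with_challenge(CryptoTag(uid, key))
    results["keyed_replay"] = keyed_reader.read_with_challenge(
        clone_from_capture(keyed_reader.airlog[-1]))
    results["keyed_static_clone"] = keyed_reader.read_with_challenge(StaticTag(uid))
    return results


if __name__ == "__main__":
    for check, accepted in demo().items():
        print(f"{check:20s} accepted={accepted}")
```

Two caveats the model makes visible. The keyed tag still transmits its ID in the clear, so challenge-response stops cloning but not the tracking and skimming that the CDT best practices above are concerned with. And nothing here protects a writable memory area that was left unlocked; that is the separate data-tampering problem Newitz raises, and the fix for it is to set the lock, not to add a cipher.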

Everything Old Is New Again

Scott Granneman, a professor at Washington University in St. Louis, has written an entertaining article pointing out that the schemes and deceptions used by cyberthieves today are rooted in history. He likens an attack on the Sumitomo Mitsui bank, in which thieves almost succeeded in stealing half a billion dollars, to a Confederate general’s scheme to convince Union General George McClellan that the Confederate force was much larger than it really was by having Confederate soldiers march in circles past the Union general’s encampment. He points out that ransomware programs that hold a user’s data hostage until the user pays for a decryption key are just another example of a stickup -- “your money or your life.” And he describes how the cyberthieves who have targeted the online gaming world use a Trojan horse – which worked pretty well for the Greeks at Troy – to capture a gamer’s name and password, which are later used to transfer the gamer’s virtual property to the cyberthief to be sold to other gamers for real money. Writes Granneman:

In one sense, all three of the criminal attacks I've discussed aren't original. In the case of Sumitomo Mitsui, the attackers used inside access, disguise, and keyloggers, while the perpetrators of ransomware use the same threat victims have heard for millennia: "Your money or your life!" Just substitute "data" for "life," and you're now in the 21st century.

Finally, the World of Warcraft Trojan is... well, a Trojan horse, and we know how old that is. Couple that with simple theft, and what seems shockingly new is revealed as a trick about the same quality as Magruder sending his men marching around and around to be seen through a gap in the pine trees: an "old wheeze". It took four years of blood and suffering to finally beat the Confederates; unfortunately, IT security is just getting started. I have the feeling we're going to be dealing with the ramifications of these dirty tricks for a long, long time.

“Innovative ways to fool people,” http://www.channelregister.co.uk/2006/05/05/innovative_security_attacks/


Current and past issues of In the News are now available online.


This message is provided by the Privacy and Information Security Taskforce at Warner Norcross & Judd LLP to advise you of recent developments in the law affecting privacy and data security. Because each business situation is different, this information is intended for general information purposes only and is not intended to provide legal advice on any specific facts and circumstances.

Warner Norcross & Judd LLP (www.wnj.com) is a full service law firm with four offices in Michigan. Our Privacy and Information Security Taskforce includes lawyers from across the firm’s practice areas who work together to help businesses ensure the security of their information systems and electronic data and to assist businesses who have experienced a data breach to limit their liabilities and prosecute hackers and data thieves. For information about the Privacy and Information Security Taskforce at Warner Norcross & Judd LLP, e-mail Rodney Martin at rmartin@wnj.com or write him at Warner Norcross & Judd LLP, Suite 900, 111 Lyon Street NW, Grand Rapids, MI 49503.


"Privacy and Information Security In the News" is a free publication of Warner Norcross & Judd LLP and its Privacy and Information Security Taskforce. You can choose to receive it either daily (usually by 9 a.m. each weekday) or weekly (usually by 9 a.m. on Friday morning). If you would like to receive this publication, please respond to this e-mail and let us know the frequency at which you would like to receive it. If there are others in your organization who should receive "In the News," either include their names and e-mail addresses in your message or forward this message to them so they can respond.

Should you ever wish to stop receiving "In the News," simply send us an e-mail message and we will remove your name from the subscription list. Rest assured that we will not sell your contact information or share it with anyone outside our firm.
