Privacy and Information Security In the News -- Week of November 7, 2005
November 7, 2005
A note about broken links: In the News links to current stories at various news sources on the Internet. Over time, some of the links may become broken when a source removes the stories from its pages. Often you can find the same story at another source by searching the title or author of the article. If you have questions about a link, send us an e-mail by clicking here.
Commander of Botnet Army Indicted
A 20-year-old from California was indicted on Friday for infecting 400,000 computers with a worm that turned them into bots. The indictment alleges that the defendant advertised and sold the bots in groups of 10,000 for use in conducting distributed denial-of-service attacks or sending spam. The indictment alleges that he made $60,000 through his efforts. "California Man Charged in Far-Reaching Botnet Scheme," http://www.toptechnews.com/story.xhtml?story_id=39139. Among the infected bots were computers belonging to the Naval Air Warfare Center and the Defense Information Systems Agency. Last month, police in the Netherlands arrested three people who commanded a botnet army of 1.5 million computers. See "Update: Zombie Army Set at 1.5 Million Computers," In the News, October 21, 2005.
Use of National Security Letters Up 100 Fold; Information Used in FBI Data-Mining
The Washington Post has a lengthy article about the controversy over the FBI's authority to obtain information about people who are not suspected of any wrongdoing by issuing a national security letter. The FBI can issue a national security letter without obtaining the permission of a judge or grand jury if it certifies that the records being sought are relevant to an investigation "to protect against international terrorism or clandestine intelligence activities." The Post reports the FBI now issues over 30,000 national security letters a year, one hundred times the historic average. You can view a redacted national security letter at http://www.washingtonpost.com/wp-dyn/content/graphic/2005/11/06/GR2005110600131.html.
A 1995 guideline required FBI agents to destroy information about a U.S. citizen or resident that was obtained by a national security letter if the information is "not relevant to the purposes for which it was collected." Two years ago, however, Attorney General Ashcroft rescinded that guideline and required the FBI to retain the records, allowing it to disseminate them to other federal agencies. In addition, Ashcroft directed the FBI to store the information in a new Investigative Data Warehouse, and to develop technology to mine the data for hidden links among people.
The authority of the FBI to issue national security letters is currently being challenged in court by the ACLU on behalf of a company that manages records for three dozen libraries in Connecticut. In September, a federal judge ruled that the FBI's order prohibiting the company from disclosing the existence of the letter was unconstitutional. A hearing before the federal court of appeals was held this past Wednesday. "The FBI's Secret Scrutiny," http://www.washingtonpost.com/wp-dyn/content/article/2005/11/05/AR2005110501366.html
The Washington Post article was the subject of the Sunday morning news shows ABC News This Week. Appearing on the show, Senator Joseph Biden called the news of 30,000 national security letters a "stunner" and said, "It appears to me that this is, if not abused, being close to abused." Senator Chuck Hagel agreed saying, "It does point up how dangerous this can be." "FBI Patriot Act Plan Concerns Lawmakers," http://abcnews.go.com/Politics/wireStory?id=1286253.
Supreme Court Nominee Alito Once Proposed Licensing All Computers
Judge Samuel Alito's views on privacy are under microscope because of the central role that the right of privacy played in Roe v. Wade. The Electronic Privacy Information Center has uncovered a memo written by Alito in January 1972, on behalf of the Conference on the Boundaries of Privacy in American Society. Written in the days of punch card computing, and one year before the decision in Roe, the memorandum addressed government surveillance and the potential threat to privacy from computers. Under the heading "Privacy and the Computer," Alito wrote that:
The cybernetic revolution has greatly magnified the threat to privacy today. Computers have made it possible to store vast amounts of information in a relatively small space and to retrieve desired pieces of stored information quickly. The potential for invasions of privacy through the use of computers is growing rapidly; more computers are installed each year; more tasks are turned over to computers; and most important, computer systems are rapidly becoming centralized. Centralization, the creation of vast computer networks, opens the possibility of bringing together an enormous amount of information about every facet of an individual's life.
We believe the potential for invasions of privacy through the use of computers is so great that all private computer systems should be licensed by the federal government. We propose the creation of a federal regulatory agency to supervise the licensing of systems and the enforcement of all federal regulations.
Data Breaches Announced
- Patient information posted on Internet. Information regarding patients at the Ohio State University Medical Center was mistakenly posted online. According to the Columbus Dispatch, the information included "names, addresses, phone numbers, birth dates, Social Security numbers and the reason the patients were making appointments." The information was being used to test a new patient registration program and somehow found its way onto a computer that could be accessed by the Internet. "OSU info on patients appeared on Internet," http://www.dispatch.com/health/health.php?story=dispatch/2005/11/04/20051104-A1-04.html
- Student SSNs posted on Internet. The University of Tennessee has notified 1,900 students that their social security numbers have appeared online since April 2004. The university will notify others this week. The university attributed the error to the mistaken configuration of an archive page. "University notifies staff, students of security breach," http://dailybeacon.utk.edu/showarticle.php?articleid=49071
- Employee data on stolen laptop. Safeway, Inc., has notified employees in California and Hawaii that their personal information – including social security numbers – may have been compromised when a laptop was stolen from a manager's home in August. "Safeway discloses security breach," http://www.montereyherald.com/mld/montereyherald/13090239.htm
SEC Sues Estonian Investment Firm for Trading on Inside Information Obtained Through Hacking
Last week, the Securities and Exchange Commission took action against two Estonian traders and their employer, Lohmus Haavel and Viisemann. According to an SEC Press Release, the two traders hacked into Business Wire, a distributor of corporate press releases. The traders were able to see headlines of press releases before they were made public. They made large trades on this information making over $7 million. The Estonians became customers of Business Wire, giving them access to the company's computer. They then used a computer program called a "spider" to gather headlines and send them to the traders. "SEC in legal fight with Estonians over financial hack," http://www.silicon.com/financialservices/0,3800010322,39153903,00.htm. NPR Audio report: "Estonian Traders Accused of Hacking Business," http://www.npr.org/templates/story/story.php?storyId=4987613
More on the SEC Warning to Online Investors
Last Thursday, the Securities and Exchange Commission issued a warning that cyberthieves were targeting online investors. See "SEC Warns Against Online Dangers," In the News, November 4, 2005. BusinessWeek Online has an article describing the events that prompted the SEC's warning. According to the article, the SEC is now "knee deep" in complaints from investors who have seen their accounts drained following hacking and phishing attacks, something that was not on the SEC's radar just six months ago. BusinessWeek cites an estimate that $20 million has been stolen from online trading accounts in cyberattacks in the last year. "Invasion of the Stock Hackers," http://www.businessweek.com/technology/content/nov2005/tc20051103_565150.htm,
November 8, 2005
Data Breach: Pizza Maker's E-mail Appears Online
For over a month, internal e-mail and thousands of customer comments submitted on pizza maker Papa John's web site were available to be viewed on the Internet. Apparently, Papa John's internal e-mail system had no password protection. Customer information disclosed included name, phone number and e-mail address. "Pizza chain caught without fully baked security," http://news.zdnet.com/Pizza+chain+adds+security+to+the+pie/2100-1009_22-5938572.html
Hidden Data Left in Documents
The New York Times has an article about the metadata left in word processing documents that reveal information about when, how, and by whom the document has been edited. Such revelations can be embarrassing, as in the case of the memorandum that prompted the article – an unsigned memorandum critical of Supreme Court nominee Alito, which the metadata revealed was composed by the Democratic National Committee. Metadata can also be used in litigation to establish facts critical to a party's case. Searching for metadata in key documents has become a standard practice in litigation. "Beware Your Trail of Digital Fingerprints," http://www.nytimes.com/2005/11/07/business/07link.html?pagewanted=1
More on the RFID Privacy Debate and One Solution Offered by IBM
Spychips, a book by Katherine Albrecht and Liz McIntyre, alleges that government and business are aligned in a conspiracy to spy on average citizens and track their every movement through the use of radio frequency identification (RFID) chips. "Conspiracy Theory: Opposition to RFID Technology from Fundamentalist Christians," In the News, October 6, 2005. The book has caused quite a stir. In the News has previously linked to articles on the debate over RFID chips. "Debating RFID Technology," In the News, October 12, 2005. Now Nicholas Chavez, the President of RFID LTD, has published a 24-page rebuttal to the book, taking it chapter by chapter. "The Original Spychips Rebuttal," http://www.packagedrfid.com/spychips_rebuttal.pdf
To address privacy concerns with RFID chips, IBM has developed an RFID tag for use on consumer products that can be modified to protect a consumer's privacy. Once the consumer purchases an item with the RFID tag, the consumer can clip the tag to shorten the antenna, disabling the ability to read the tag from a distance of more than a few inches but preserving the ability of the tag to be read in the event the consumer returns the item. According to the IBM developer, the clip technology has advantages over an alternative method of protecting privacy called the "kill command." The kill command would allow a consumer to ask a merchant to kill the RFID tag at the point of purchase. The IBM developer notes that with the kill command the consumer has no way of actually knowing if the merchant complied with the request. In addition, once the kill command is executed, the information on the tag becomes useless for warranty or other legitimate purposes. "IBM Proposes Privacy-Protecting Tag," http://www1.rfidjournal.com/article/view/1972/
Audio Report: More on National Security Letters
The NewsHour with Jim Lehrer last evening ran an interview with The Washington Post reporter who broke the story about the FBI's greatly expanded use of national security letters. See "Use of National Security Letters Up 100 Fold; Information Used in FBI Data-Mining," In the News, November 7, 2005. In the interview, the reporter offers more details on why the FBI has increased the use of national security letters and how it uses the information it obtains. You can listen to the interview at "FBI Expands Demands for Information on Americans," http://audio.pbs.org:8080/ramgen/newshour/expansion/2005/11/07/20051107_sweep28.rm?altplay=20051107_sweep28.rm
November 9, 2005
Detailed Anti-Phishing Study Prepared for the Department of Homeland Security
The Anti-Phishing Working Group has published a new report that discusses current and potential methods of combating phishing. The 58-page report, which was commissioned by the Department of Homeland Security, states that it is intended for "technically sophisticated readers such as security practitioners, executives, researchers, and others who wish to understand methods employed by online identity thieves and countermeasures that can prevent such crimes." Nonetheless, portions of the report are especially useful reading for those of us who don't fit that description.
The section titled "Types of Phishing Attacks," beginning on page 6 is an excellent description of the many forms a phishing attack might take. For those who are not inclined to dig into the whole report, the section beginning on page 45, titled "Non-Technical Best Practices," and the "Conclusions," beginning on page 47, will offer a good overview of the types of measures that companies can take to protect themselves and their customers from phishing attacks. "Online Identity Theft: Phishing Technology, Chokepoints and Countermeasures," http://www.antiphishing.org/Phishing-dhs-report.pdf.
ChoicePoint Warns an Additional 17,000 of Data Theft
In February 2005, ChoicePoint, a data aggregator, announced that it had given access to sensitive personal information about 145,000 consumers to persons posing as a legitimate business. Now, in its most recent SEC filing, ChoicePoint disclosed that it notified an additional 17,000 consumers in September that their information was also stolen. ChoicePoint warned that more notices could still go out. "ChoicePoint warns consumers about fraud," http://seattlepi.nwsource.com/business/1310AP_ChoicePoint.html; "ChoicePoint filing: 17,000 more may be fraud victims," http://atlanta.bizjournals.com/atlanta/stories/2005/11/07/daily25.html?jst=b_ln_hl
Aussies Take on the Zombies
The Australian government has enlisted the aid of five Internet service providers ("ISPs") to help it hunt down and disable zombies -- computers that are infected with a virus that turns a computer into a virtual robot for someone sending spam or launching a denial-of-service attack. The program will be operated on a three-month trial basis. Each of the five participating ISPs will receive a list of IP addresses of computers that have exhibited zombie-like behavior. The ISPs will then contact the computer owner and help the owner disinfect the computer. If the owner is unable or unwilling to do so, the ISP may disconnect the computer. "Australian government gears up for zombie battle," http://news.zdnet.co.uk/internet/security/0,39020375,39235796,00.htm
On the Hill
The House Financial Services Financial Institutions and Consumer Credit Subcommittee will hold a hearing this morning on the Financial Data Protection Act of 2005 (HR 3997). The bill would mandate a national standard for the protection of sensitive consumer information, require institutions to notify consumers in the event of a data breach if their information has been compromised and could be used by identity thieves, and require institutions to provide consumers notified of a breach with free credit monitoring for six months.
November 10, 2005
Privacy Legislation Stalls in House on Issue of Credit Freeze
The House Financial Services Committee, which held a hearing yesterday on Financial Data Protection Act of 2005 (HR 3997), postponed any vote on the legislation until at least February 2006. American Banker reports that Democrats on the committee pushed to include a credit freeze provision in the bill. Such a provision would permit a consumer to prohibit a consumer reporting agency from selling a copy of the consumer's report or credit score without the consumer's permission. The National Association of Attorneys General sent a letter to Congress earlier this week calling a credit freeze "one of the most effective tools available . . . to stop the harm that can result from data heists." "Data Bill Put Aside; Will Freeze Be Put In?," http://www.americanbanker.com/article.html?id=20051109F69VE8AT&from=home. (Subscription required).
The Senate Judiciary Committee will today once again take up the Personal Data Privacy and Security Act of 2005 (S. 1789).
Consumer Records Lost When Credit Reporting Agency's Laptop Stolen
TransUnion, one of the three national credit reporting companies, has acknowledged that sensitive information, including social security numbers, about 3,600 consumers was lost when a laptop computer was stolen from one of the firm's branch offices. "TransUnion notifies consumers of data loss," http://www.computerworld.com/securitytopics/security/story/0,10801,106083,00.html?source=NLT_PM&nid=106083
Reporter Finds Protected Health Information in Dumpsters; No Wonder National Survey Says Americans Are Concerned About Privacy of Medical Information
WZZM Television in Grand Rapids, Michigan, went dumpster diving last week behind the offices of several medical practices. While many of the dumpsters were secure, the reporter also found many that were not. And in half of those, the reporter says she found documents containing information that is considered protected health information under HIPAA. The information included patients' names and addresses, at least one social security number, and even diagnoses. The story is in two parts: "Medical Privacy: Trashed," http://www.wzzm13.com/news/news_article.aspx?storyid=46270; "Medical Privacy Trashed Part 2," http://www.wzzm13.com/news/news_article.aspx?storyid=46310. Thanks to David T.S. Fraser in the Canadian Privacy Law Blog for calling our attention to this story from our own backyard. http://www.privacylawyer.ca/blog/2005/11/incident-michigan-reporter-finds.html
David also pointed us in the direction of a story about the National Consumer Health Survey conducted for the California HealthCare Foundation. That survey found that 67% of Americans surveyed are "very concerned" or "somewhat concerned" about the privacy of their medical information. Other significant findings of the report include:
- 52 percent very concerned that insurance claims information could be used by employers to limit their job opportunities.
- 67 percent said they were aware that federal laws protected the privacy of personal medical records.
- 66 percent believe their paper medical records are "very secure" or "somewhat secure." 58% felt that electronic records were more secure than paper records.
An Executive Summary of the study is available from the California HealthCare Foundation at http://www.chcf.org/documents/ihealth/ConsumerPrivacy2005ExecSum.pdf. A more detailed report of the survey results is available at http://www.chcf.org/documents/ihealth/ConsumerPrivacy2005Slides.pdf.
FEMA Faulted on Security of the National Emergency Information System
The Inspector General of the Department of Homeland Security has issued a report indicating that FEMA has not established appropriate controls over sensitive data on the National Emergency Management Information System. The report concluded that FEMA has failed to implement "effective procedures for granting, monitoring, and removing user access," and failed to conduct contingency training and testing. As a result, the report concludes, "there is an increased risk that unauthorized individuals could gain access to critical [Emergency Preparedness and Response] database resources and compromise the confidentiality, integrity, and availability of sensitive [National Emergency Management Information System] data. "Security Weaknesses Increase Risks to Critical Emergency Preparedness and Response Database," http://www.dhs.gov/interweb/assetlibrary/OIGr_05-43_Sep05.pdf
Sony Sued Over Secret Rootkit
Sony BMG Music Entertainment has been sued in a class action in California after it came to light that Sony had included special software on music CDs, which was loaded on a user's computer to hide digital rights management tools that prevent the making of unauthorized copies of the CD. See, "Sony Uses Hacker Tool to Hide Rights Management Tools," In the News, November 3, 2005, http://www.wnj.com/Privacy_Bulletin_Week_of_10-31-05.html. The software used was a rootkit, a tool used by hackers to hide any trace of viruses left on computers. The complaint alleges Sony violated three California statutes that prohibit unfair and/or deceptive trade acts, unfair business practices, and the use of software that assumes control of another's computer or misrepresents the right or ability of a user to uninstall the program. Brian Krebs, in his Security Fix Blog for The Washington Post, reports that a second class action suit will be brought soon in New York. "Calif. Lawsuit Targets Sony," http://blogs.washingtonpost.com/securityfix/2005/11/calif_ny_lawsui.html
November 11, 2005
Foreign Phishers Recruit Americans to Counterfeit Credit Cards
Okay. So you are a hacker in Eastern Europe who has set up a successful phishing site. What do you do with the credit card numbers all those gullible people so freely give you? How about recruiting a little help to use those cards? That is what hackers in 19 countries are alleged to have done. The U.S. Secret Service has arrested 12 people in Arizona who, it alleges, were recruited in chat rooms to use stolen credit card numbers to make counterfeit credit cards. Five more are still at large. According to the Secret Service, the 17 people used those counterfeit cards to obtain money at ATMs, sending half their proceeds ($300,000) to the hackers. "17 Charged With ID Theft In Arizona, Linked To Foreign Phishers," http://www.informationweek.com/story/showArticle.jhtml?articleID=173601750
FTC Shuts Down Spyware Operation
The Federal Trade Commission went to court yesterday and received a temporary restraining order against a group of companies it alleges secretly downloads adware and spyware onto the computers of unsuspecting visitors to a web site that offered free music files, browser upgrades, and ringtones. The court also froze the assets of the companies. The FTC alleges that the adware and spyware caused pop-up boxes to appear on infected computers, promoting various freeware, such as ringtones, music files and song lyrics. One pop-up warned users that their Internet browsers were defective and offered a free upgrade or security patch. But, according to the FTC, when a user requested the upgrade or patch, the company instead loaded spyware onto the user's computer. The FTC complaint alleges that the spyware enabled the companies to, among other things, track a user's Internet activity, change a user's Internet homepage, insert a frame in the window in which advertisements could be run, and cause pop-up advertisements to appear on the computer even when the user is not using an Internet browser. FTC Press Release: "FTC Shuts Down Spyware Operation," http://www.ftc.gov/opa/2005/11/enternet.htm
Sony Update: Hackers Exploit Sony's Rootkit
"This is no longer about digital rights management or content protection, this is about people having their PCs taken over."
Sam Curry, Vice President, eTrust Security Management Division, Computer Associates, quoted by CNET.News.Com
The British Internet security research firm, Sophos PLC, announced yesterday that it had discovered the first instances in which a hacker had sent a virus that takes advantage of Sony BMG Music Entertainment's copy protection CD software. That software sparked controversy, and at least one class action lawsuit, when it came to light that Sony's copy protection program used a rootkit -- a program used by hackers -- to hide parts of the copy protection program. Sophos said a hacker sent a virus called the Stinx-E Trojan to computer uses in Great Britain. The Trojan carries a program that breaks down the computer's virus protection, and is designed to use the Sony rootkit to hide its tracks. "Hacker uses Sony's anticopy software to install PC virus," http://www.computerworld.com/securitytopics/security/story/0,10801,106110,00.html?source=NLT_PM&nid=106110
CNET.News.Com reports that the first Trojan horse detected did not work well. But over the course of the day on Thursday others emerged that were more effective. "'Bots' for Sony CD software spotted online," http://news.com.com/Bots+for+Sony+CD+software+spotted+online/2100-1029_3-5944643.html?tag=nefd.lede
Lack of a Federal Data Security Bill Pleases Privacy Advocates
Wired Magazine has a report that is really not news. Wired reports that it is unlikely that a data security bill will pass Congress before the end of the year. That is not surprising given the number of bills still floating around and the number of different committees still vying to take the lead on the issue. According to Wired, the failure for a single bill to gain traction is just fine with privacy advocates, who are happy to see state laws govern data breaches. Privacy advocates say that state laws already on the books in over 20 states offer more protection than any of the federal legislation currently being considered. "No Fed Security Laws, Hurrah!!," http://www.wired.com/news/politics/0,1283,69525,00.html?tw=rss.TOP
Note: Current and past issues of In the News are now available online at this link.
This message is provided by the Privacy and Information Security Task Force at Warner Norcross & Judd LLP to advise you of recent developments in the law affecting privacy and data security. Because each business situation is different, this information is intended for general information purposes only and is not intended to provide legal advice on any specific facts and circumstances.
Warner Norcross & Judd LLP (www.wnj.com) is a full-service law firm with four offices in Michigan. Our Privacy and Information Security Task Force includes lawyers from across the Firm's practice areas who work together to help businesses ensure the security of their information systems and electronic data and to assist businesses who have experienced a data breach to limit their liabilities and prosecute hackers and data thieves. For information about the Privacy and Information Security Task Force at Warner Norcross & Judd LLP, e-mail Rodney Martin at email@example.com or write him at Warner Norcross & Judd LLP, 111 Lyon Street NW, Grand Rapids, MI 49503.
"Privacy and Information Security In the News" is a free publication of Warner Norcross & Judd LLP and its Privacy and Information Security Task Force. You can choose to receive it either daily (usually by 9 a.m. each weekday) or weekly (usually by 9 a.m. on Friday morning). If you would like to receive this publication, please respond to this e-mail and let us know the frequency at which you would like to receive it. If there are others in your organization who should receive "In the News," either include their names and e-mail addresses in your message or forward this message to them so they can respond.
Should you ever wish to stop receiving "In the News," simply click here to send us an e-mail message and we will remove your name from the subscription list. Rest assured that we will not sell your contact information or share it with anyone outside our firm.