Privacy and Information Security In the News -- Week of October 3, 2005

10/3/2005

October 3, 2005


A note about broken links: In the News links to current stories at various news sources on the Internet. Over time, some of the links may become broken when a source removes the stories from its pages. Often you can find the same story at another source by searching the title or author of the article. If you have questions about a link, send us an e-mail by clicking here.

PC World Special Report: "The New Security War"

PC World Magazine's November issue has a series of articles on Internet security that are worth reading. "Is the Net Doomed," http://www.pcworld.com/reviews/article/0,aid,122499,00.asp, suggests the Internet is "the biggest crime scene in history." "Privacy in Peril," http://www.pcworld.com/news/article/0,aid,122498,00.asp, discusses data aggregators – such as ChoicePoint, the aggregator that gave records on 145,000 consumers to conmen earlier this year – and proposed legislation to limit them. These articles also have links to brief sidebars regarding spear phishing, malware that attempts to kill antivirus programs, and attacks launched through instant messaging.

California First in the Nation to Adopt Anti-Phishing Law

The Anti-Phishing Act of 2005 is now the law in California. Governor Schwarzenegger signed the bill into law on Friday. The bill allows a business whose Internet site is spoofed, or whose trademark is used, in a phishing attack to recover the greater of actual damages or $500,000. An individual who falls victim to a phishing attack can recover the greater of actual damages or $5,000. The bill can be found at http://info.sen.ca.gov/pub/bill/sen/sb_0351-0400/sb_355_bill_20050831_enrolled.html

Of course, before you can sue them, you have to find them. And that is no easy feat. Seventy-five percent of phishing attacks are launched by 50 or 60 gangs in eastern Europe. (See "Further Insight Into Eastern European Phishing Gangs," In the News, September 29, 2005.)

Unattended PCs Pose Network Risk

Gartner, Inc., has issued an analysis concluding that unattended PCs on company networks pose a significant risk of insider misuse. Unattended PCs also pose a risk of outsider misuse when an employee leaves unattended a computer that is connected to the network remotely through a VPN. Gartner says that mandatory timeouts that require a user to log a computer back into the network after being idle for some period, while they may be effective, are extremely unpopular with employees. "Unattended PCs a menace: It's 10 a.m. and you're on break; so who's using your computer?" http://www.computerworld.com/securitytopics/security/story/0,10801,105043,00.html

Tales of Identity Theft

The New York Times ran a story Saturday profiling the impact of identity theft on three victims. The profiles provide a glimpse of the disruptive effect that identity theft has on its victims. "For Victims, Repairing ID Theft Can Be Grueling," http://www.nytimes.com/2005/10/01/technology/01theft.html?ei=5088&en=c42e59cb91c6842c&ex=1285819200&partner=rssnyt&emc=rss&pagewanted=all


October 4, 2005


The State of Internet Security

Business executives who are seeking a better understanding of the cyberthreats to their company should download a copy of Websense Security Labs' Security Trends Report for the first half of 2005. http://www.websensesecuritylabs.com/docs/WebsenseSecurityLabs20051H_Report.pdf. The 26-page report is an easy read and well worth the effort. Among the trends Websense identified are:

  • Dramatic increases in the number of smaller banks and credit unions that are targeted in phishing scams.
  • A greater use of keyloggers in phishing attacks to capture sensitive personal information. (The Websense report recounts one instance where cyberthieves attempted to transfer $420 million out of customer accounts at a London branch of a Japanese bank using information obtained with keyloggers.)
  • "Toxic blogs" -- blogs that are used to distribute malicious software. (The study notes that most blog-hosting web sites do not check posted files for viruses.)
  • Instances in which companies commissioned the writing of Trojan horses to steal information from competitors.
  • Cyberextortion attempts where cybercriminals encode files on a business's computers and demand payment to obtain the decoder tool.

ChoicePoint Gets Tough on Fraud

ChoicePoint, Inc., the data broker that was duped into providing sensitive personal information to conmen earlier this year, is scrutinizing its customers to determine whether they are bona fide. According to the Associated Press, ChoicePoint is subjecting its customers to due diligence and has cut off various types of businesses, such as debt collectors, from receiving data. "ChoicePoint Tries to Find its Footing in Anti-fraud Effort," http://www.financetech.com/feed/showArticle.jhtml?articleID=171202600

The Government Gets Tough with Cyber Conman

A Florida man who allegedly used e-mail to con people into giving him contributions intended to aid in the Katrina recovery effort was indicted on Monday, the United States Justice Department announced. He is the first person to be indicted by the federal government for Katrina-related web fraud. "Man charged in Katrina Web scam," http://news.com.com/Man+charged+in+Katrina+Web+scam/2100-7348_3-5735475.html?tag=cd.top.

If You Can't Be Found on Google, Do You Exist?

Apparently it is possible to live in this world and not show up on Google. But it takes some effort. Wired News has a story about some individuals who have chosen to live beneath the radar and the steps they take to be invisible to the Internet. Of course, unless they used pseudonyms in the article, you can now find them with Google News. "'UnGoogleables' Hide From Search," http://www.wired.com/news/privacy/0,1848,68998,00.html

IM Virus Attacks

Increased use of instant messaging by employees is apparently attracting an increased number of viruses at work. A San Diego security firm that tracks virus attacks says that in September it documented a record number of IM viruses. "September sees surge in IM threats," http://searchsecurity.techtarget.com/originalContent/0,289142,sid14_gci1130541,00.html


October 5, 2005


California Law on Affiliate Sharing Preempted

A federal District Court judge in California has held that California's attempt to regulate the sharing of personal information among affiliated entities (SB 1) is preempted by federal law. The federal Gramm-Leach-Bliley Act, and the Fair Credit Reporting Act as amended by the FACT Act, regulate the ability of a financial institution to share information with affiliated and unaffiliated entities. The federal scheme requires a financial institution to give a consumer a right to opt out before it shares information (other than experience information) regarding creditworthiness, credit standing, credit capacity, character, general reputation, personal characteristics, or mode of living with the financial institution's affiliates. California passed SB 1 to create a more restrictive scheme, requiring the financial institution to give a consumer the right to opt out before sharing any nonpublic personal information with an affiliate. Earlier, the Ninth Circuit Court of Appeals concluded that federal law preempted the California act, but only to the extent of information within the federal definition of "consumer report." It sent the case back to the District Court to determine whether any part of SB 1 survived that preemption. In a decision released yesterday, the District Court concluded that it did not. http://west.epic.org/archives/abalockyeredca.pdf


October 6, 2005


Spam Attack Could Bring Down Cell Phone Networks

Two professors at Penn State University have written a paper describing how hackers could bring down a cell phone network by inundating the network's text messaging system with spam. Such attacks are similar to denial of service attacks aimed at computer systems or networks. The paper concludes that a single computer with a high speed connection to the Internet could launch an effective attack, and that all major cellular systems in the United States are vulnerable. "Text Hackers Could Jam Cellphones, a Paper Says," http://www.nytimes.com/2005/10/05/technology/05phone.html

Meanwhile, Nokia has announced that it is adding antivirus protection to its line of smart phones, which hold contact databases and other sensitive information in the phone's memory. "Nokia to inoculate phones with antivirus," http://news.com.com/Nokia+to+inoculate+phones+with+antivirus/2100-7355_3-5889450.html

FTC Sues Company Over Spyware

The Federal Trade Commission has filed suit against a New Hampshire company it alleges downloaded spyware onto the computers of people who thought they were getting free peer-to-peer software. According to the FTC, the spyware, in turn, downloaded numerous programs onto each victim's computer, slowing it and generating pop-up windows. As summarized in the Commission's press release: "The FTC charged that the defendants have an obligation to disclose that their 'free' software download caused spyware and adware to be installed on consumers' computers. But instead, the FTC alleges, they hide their disclosure in the middle of a two-page end-user licensing agreement buried in the 'Terms and Conditions' section of their Web site. In addition, the FTC alleges that the defendants deliberately make their software difficult to detect and impossible to remove using standard software utilities. Although the defendants purport to offer their own 'uninstall' tool, it does not work. In fact, it installs additional software, according to the FTC's complaint." Press Release: "FTC Seeks to Halt Illegal Spyware Operation," http://www.ftc.gov/opa/2005/10/odysseus.htm

Visa CEO Looks to Reward Good Security Practices

Visa USA, Inc., CEO John Coghlan says his company is looking for ways to reward business partners that impose security practices that enhance their protections against credit card fraud. Speaking at a "cardholder security summit" sponsored by Visa, Coghlan also called for the passage of federal legislation requiring notification of the victims of a data breach, but based on "an analysis of real danger." He argued that inconsistencies in the requirements of the twenty-one state notification statutes create the need for a federal standard. "Visa CEO calls for data protection laws, incentives," http://www.computerworld.com/securitytopics/security/story/0,10801,105178,00.html

Italy Requires ID To Use Internet Cafes and Other Telecommunications Services

Italian authorities have ordered any person who makes available Internet, phone or fax services, such as at an Internet café, to obtain a copy of each customer's passport and to retain information regarding the machines that were used and when each customer logged in and logged out. According to the Christian Science Monitor, this information must be turned over to the police periodically. "Want to check your e-mail in Italy? Bring your passport," http://www.csmonitor.com/2005/1004/p07s01-woeu.htm

Conspiracy Theory: Opposition to RFID Technology From Fundamentalist Christians

Authors of a new book on RFID chips argue that the federal government and major consumer corporations are conspiring to track your every movement. Wired Magazine's review of the book says, "by assembling in one place a vast amount of documentation and history, and stretching it all together into a coherent narrative, the authors clearly hope to reach a broad group of ordinary consumers -- enough, perhaps, to mobilize a movement against the technology." In a separate "Christian edition" of the book, the authors include an additional chapter in which they link RFID chips to the Mark of the Beast in the Book of Revelation. Read the review at "Spychips Sees an RFID Conspiracy," http://www.wired.com/news/technology/0,1282,69068,00.html


October 7, 2005


Hunting Down Zombies and the Criminals Who Use Them

An article in the current issue of The New Yorker tells the story of computer engineers who regularly do battle with cybercriminals who take down a business's web site until the company agrees to pay protection money. "It's just a straight, old-fashioned protection racket, with a completely new method," says the head of the British National Hi-Tech Crime Unit. The article recounts how cybercriminals use bots, remote-controlled programs that they place on computers without the owners' knowledge. These bots turn the computer into a "zombie" – a computer the hacker can run remotely. Hackers then marshal networks of zombies to flood a web site with hits, paralyzing it until the owner agrees to pay a ransom. The article says that computer engineers regularly face zombie networks of more than 50,000 computers. "THE ZOMBIE HUNTERS: On the trail of cyberextortionists," http://www.newyorker.com/fact/content/articles/051010fa_fact

"Stop Using Online Banking," Consultant Says

One participant at an Internet security conference in Dublin, Ireland, concluded that people should stop banking online because of the growing use of pharming attacks. In pharming, a cybercriminal hacks into a DNS server and redirects the user to a phony web site. SC Magazine, a British journal for security specialists, quotes David Perry, global director of education at Trend Micro, as saying, "I would avoid banking online as you just can't tell if you are experiencing a pharming attack." Others at the conference disagreed with Perry's dire warning. "'Don't bank online' warns expert," http://www.scmagazine.com/news/index.cfm?fuseaction=newsDetails&newsUID=5f865cac-6a85-4a20-89d1-c51b6c227b43&newsType=News

Writer Points Finger at Banks for Phishing

Bruce Schneier, writing in Wired Magazine, argues that banks should bear the ultimate responsibility for phishing attacks. He claims that banks have chosen to do little about phishing, accepting the fraud losses rather than going to the expense of putting in adequate protections for customers. Schneier writes: "Financial institutions make it too easy for a criminal to commit fraudulent transactions, and too difficult for the victims to clear their names. The institutions make a lot of money because it's easy to make a transaction, open an account, get a credit card and so on." "A Real Remedy for Phishers," http://www.wired.com/news/politics/0,1283,69076,00.html?tw=wn_story_page_prev2

Visa Chief Proposes Certifying Industry Best Practices

The New York Times ran a story yesterday offering more details on comments made by Visa USA, Inc., CEO John Coghlan. Yesterday, we linked you to an article that reported that Visa wanted to reward companies that had quality security practices. The Times story indicates that Coghlan would like to see the formation of a private body that would certify companies that meet industry best practices. "Visa Chief Proposes Security Agency for Credit Card Industry," http://www.nytimes.com/2005/10/06/business/06cards.html


This message is provided by the Privacy and Information Security Task Force at Warner Norcross & Judd LLP to advise you of recent developments in the law affecting privacy and data security. Because each business situation is different, this information is intended for general information purposes only and is not intended to provide legal advice on any specific facts and circumstances.

Warner Norcross & Judd LLP (www.wnj.com) is a full service law firm with four offices in Michigan. Our Privacy and Information Security Task Force includes lawyers from across the Firm's practice areas who work together to help businesses ensure the security of their information systems and electronic data and to assist businesses who have experienced a data breach to limit their liabilities and prosecute hackers and data thieves. For information about the Privacy and Information Security Task Force at Warner Norcross & Judd LLP, e-mail Rodney Martin at rmartin@wnj.com or write him at Warner Norcross & Judd LLP, 111 Lyon Street NW, Grand Rapids, MI 49503.

"Privacy and Information Security In the News" is a free publication of Warner Norcross & Judd LLP and its Privacy and Information Security Task Force. You can choose to receive it either daily (usually by 9 a.m. each weekday) or weekly (usually by 9 a.m. on Friday morning). If you would like to receive this publication, please respond to this e-mail and let us know the frequency at which you would like to receive it. If there are others in your organization who should receive "In the News," either include their names and e-mail addresses in your message or forward this message to them so they can respond.

Should you ever wish to stop receiving "In the News," simply click here to send us an e-mail message and we will remove your name from the subscription list. Rest assured that we will not sell your contact information or share it with anyone outside our firm.
