Nov. 2005
Rodney D. Martin
November 28, 2005
A note about broken links: In the News links to current stories at various news sources on the Internet. Over time, some of the links may become broken when a source removes the stories from its pages. Often you can find the same story at another source by searching the title and author of the article. If you have questions about a link, send us an e-mail by .
Scottrade Reports Data Breach at Servicer
Scottrade, one of the nation’s largest online brokers, has alerted an undisclosed number of its customers that sensitive information about them may have been stolen by hackers, who hacked into the computers of a third-party service provider. The notices were sent to customers who used Scottrade’s eCheck Secure™ Service. The company that provided the eCheck service to Scottrade’s customers, Troy Group, Inc., recently disclosed to Scottrade that a computer hacker had broken into the eCheck servers. Information on those servers included a customer’s, name, driver’s license, date of birth, phone number, bank name, bank account number, Scottrade account number and, in some cases, Social Security number. “Alert for users of the eCheck Secure™ Service,” http://www.scottrade.com/docs/echeck.html, “Alert for Scottrade eCheck Secure™ Customers,” http://www.scottrade.com/security/
Assessing the Risk from Foreign Governments
Back on September 1, we linked to a Time Magazine story describing cyberattacks on U.S. government computers by a group of Chinese hackers thought to be working for the Chinese government. “Tracking Chinese Cyberspies,” In the News, September 1, 2005. CNet News.Com has a brief story that provides some additional information about the group, which has been dubbed “Titan Rain,” and measures being taken by the United States to counter the group’s incursions. “Security experts lift lid on Chinese hack attacks,” http://news.com.com/Security+experts+lift+lid+on+Chinese+hack+attacks/2100-7349_3-5969516.html?tag=html.alert
Meanwhile, security expert Bruce Schneier, speaking last week, stated that the threat of attacks by foreign governments is overstated. Schneier was responding to a report last week that the National Infrastructure Security Coordination Centre, which is charged with defending the critical national infrastructure of the United Kingdom, sees foreign governments as the most significant player in a “malicious marketplace” in which attackers seek to gather commercially and economically valuable information. "Foreign States Pose Greatest Threat to UK National Infrastructure," In the News, November 23, 2005. Schneier says the risks still come primarily from criminals. He suggests that the danger that foreign governments will align themselves with criminals, hackers and terrorists to threaten the Internet infrastructure is the stuff of movie thrillers and is over-hyped. He says focus on the criminal threat is under-hyped. Schneier feels that governments point to the risk of state-sponsored cyberterrorism in an effort to scare people into “handing over powers to the government and giving up their liberties.” He says this move will result in “a massive erosion of freedoms in our culture.” Full text of an interview with Schneier can be found at “Q&A: Security guru Bruce Schneier gives his take on cyberterrorism, biometrics, ID cards and the erosion of our freedoms,” http://news.zdnet.co.uk/internet/security/0,39020375,39237490,00.htm;
In a related story, the Washington Post reported yesterday that the Pentagon is working to expand its domestic surveillance authority. The Post reports that the White House is considering allowing a Pentagon agency known as the Counterintelligence Field Activity to investigate certain crimes within the United States, including treason, foreign or terrorist sabotage, and economic espionage. In addition, the Pentagon is promoting legislation that would allow the FBI, in certain circumstances, to share information it gathers about United States citizens with the Pentagon, CIA and other intelligence agencies. Currently, the FBI is prohibited from doing so. “Pentagon Expanding Its Domestic Surveillance Activity,” http://www.washingtonpost.com/wp-dyn/content/article/2005/11/26/AR2005112600857.html
Verizon Sues Cell-Phone Spammer
Verizon Wireless has filed suit against a Florida company it says sent 98,000 unsolicited text messages to the mobile phones of Verizon customers. Verizon notes that, unlike spam sent email accounts, spam sent to cell phone customers has a direct economic impact on the customer, since it costs 10 cents a message. It also has a potential impact on Verizon, if customers who are spammed call customer service to complain. Verizon estimates that each such call costs the company $5 to $8. “Verizon files suit over cell phone spam,” http://news.com.com/Verizon+files+suit+over+cell+phone+spam/2100-7348_3-5969552.html?tag=html.alert
Security Program for U.K. Colleges and Universities
In the United Kingdom, the Universities and Colleges Information Systems Association and the Joint Information Systems Committee have issued information security guidelines for colleges and universities. The guidelines are contained in the “UCISA Information Security Toolkit,” a 187-page document available online at “UCISA Information Security Toolkit Second Edition,” http://www.ucisa.ac.uk/ist;
“Press release: guidelines on information safety sent to all colleges and universities,” http://www.jisc.ac.uk/index.cfm?name=infosafety.
November 29, 2005
Online Sales Soar
Public opinion pollsters have been telling us, and data security vendors have been warning us, that consumers are increasingly concerned about conducting transactions over the Internet. See, for example, “Survey Shows Internet Users Shopping Less on Line,” In the News, October 27, 2005. So what are we to make of the news that Internet sales in 2005 are predicted to increase by 25 to 30 percent over 2004? In fact, in the two days following Thanksgiving, according to Visa, which processes 47 percent of all online purchases, online shopping soared by 32 percent over the same two days last year. What does this say about reports that consumers are becoming more wary of conducting business on the Internet? Presented with a survey question, consumers may express some doubts, but presented with the convenience of shopping on the Internet and the ease of comparing prices among vendors, an increasing number of consumers appear to be able to set those doubts aside.
Yesterday was “Cyber Monday,” the first workday after Thanksgiving. Cyber Monday got its name because it is historically the busiest day of the year for Internet transactions. Cyber Monday is thought to be so busy because online shoppers have returned to work where they can shop using their employer’s high speed Internet connections. Cnet News.com reports that in the week before Thanksgiving, 58 percent of purchases over the Internet occurred at work, but only 9 percent occurred during lunch time. “Talking turkey – online shopping jumps,” http://news.com.com/Talking+turkey+Online+shopping+jumps/2100-1038_3-5973836.html; “The Mall Had Its Day; Now It’s the Web’s Turn,” http://www.washingtonpost.com/wp-dyn/content/article/2005/11/27/AR2005112701179.html
The Problem with Antivirus Products
The head of Russian antivirus firm Kapersky Labs has published a paper that outlines in frank terms the problems faced by antivirus firms and by users who are choosing among antivirus products. In the paper, Eugene Kapersky says that many antivirus companies are simply unable to deal with the constantly increasing number of malicious programs and “are losing this ‘virus arms race.’” According to Kapersky, “malicious programs propagate so quickly that antivirus companies have to release updates as quickly as possible to minimize the amount of time that users are potentially at risk.” Unfortunately, says Kapersky, many antivirus companies are unable to release updates quickly enough to minimize the time that users are at risk. Further, antivirus programs and Trojans are frequently designed to hide themselves or to penetrate the system so deeply that removing them is very complex (think Sony rootkit). Kapersky says that many antivirus programs cannot remove malicious code and restore modified data without causing additional problems. Finally, Kapersky says that the antivirus programs are in the vast majority of cases incompatible so that two antivirus programs loaded on the same machine will disrupt each other, weakening their protections. “The contemporary antivirus industry and its problems,” http://www.viruslist.com/en/analysis?pubid=174405517.
Cybercrime Pays More than Drug Trafficking
Valerie McNiven, an advisor to the United States Department of the Treasury, says that in 2004, for the first time, the proceeds of cybercrime exceeded the proceeds from the sale of illegal drugs. “Cybercrime is moving at such a high speed,” she is quoted as saying, “that law enforcement cannot catch up with it.” “Cybercrime pays off more than drug trafficking, security expert says,” http://www.computerworld.com/securitytopics/security/story/0,10801,106574,00.html.
Privacy and Google
Adam Cohen, writing in the New York Times yesterday, expresses his concern with the vast quantity of personally identifiable information that Google collects on users of its popular products. Cohen says the cookies Google’s programs place on a users computers gather search data that Google retains. Those cookies are not set to expire until 2038. He notes that this personal information is subject to government subpoena and may, in fact, be obtained under the USA PATRIOT Act without the user ever knowing. He argues that while Google may have a legitimate need to collect and retain such data to improve its technology, the company – in line with its informal motto, “Don’t be evil” – should develop “an overarching privacy theory that is as bold as its mission to make the world’s information accessible. . . .” Cohen unfortunately does not outline what type of “overarching privacy theory” he has in mind. While Cohen expresses concern for the government’s ability to access Google’s data, his real concern appears to be that Google will use its database to pursue “lucrative business opportunities.” “What Google Should Roll Out Next: A Privacy Upgrade,” http://www.nytimes.com/2005/11/28/opinion/28mon4.html.
November 30, 2005
Cyber Monday Update
Cyber Monday Materialized. The New York Times reports that online traffic to Internet shopping sites peaked on Monday at 27.7 million visits. The most popular sites were eBay (11.7 million visits), Amazon (5.6 million visits) and Wal-Mart (3 million visits). Online traffic on Saturday, Sunday, and Monday totaled more that 72 million visits and resulted in sales at retail websites of $925 million dollars, up 26 percent over the same period last year. “Sales Climb at Retailers on Internet,” http://www.nytimes.com/2005/11/30/technology/30cyber.html
But is it Real? Businessweek online debunks the “myth” of Cyber Monday, noting that the term was coined as a marketing hook just a couple of weeks ago by Shop.org, an association of online retailers. The first Monday after Thanksgiving is in fact only the 12th busiest day of the year for online shopping, according to Businessweek. “Cyber Monday Marketing Myth,” http://www.businessweek.com/bwdaily/dnflash/nov2005/nf20051129_9946_db016.htm?campaign_id=search
Marketing hype or not, the increase in sales on Cyber Monday and over the holiday weekend still suggest that concerns over identity theft have not put a dent in online selling, as some had predicted.
Sony in Spitzer’s Sights
Investigators from the office of New York Attorney General Elliot Spitzer visited major retailers and were still able to purchase Sony CDs with digital rights management software that loads hidden monitoring programs on user’s computers. Sony had announced that it had recalled all those CDs. Sony has already been sued by the State of Texas over the CD fiasco. “Spitzer Gets on Sony’s CD Case,” http://www.businessweek.com/technology/content/nov2005/tc20051128_573560.htm.
IM Worms Hit Record in November
The number of worms being spread over major instant messaging networks, such as AOL Instant Messenger and MSN Messenger, hit an all-time high in November, tripling the number reported in October. “November a Record Month for IM Worms,” http://blogs.washingtonpost.com/securityfix/2005/11/november_a_reco.html
Cashing in on the Disaster Economy
Wired Magazine has an interesting article about entrepreneurs and venture capitalists who are seeking to cash in on the heightened concerns with security after 9/11 by backing security-related firms. Calling it the “disaster economy,” the article describes the “homeland security industrial complex, a world where doomsday scenarios double as marketing pitches, patriotism mingles with capitalism, and the spoils go to whoever can placate a skittish society.” The article observes:
The government is spending billions of dollars subsidizing R&D for technologies that both threaten privacy, like video surveillance and data mining, and those that protect it, like encryption, network security, and anonymization applications. VCs and Wall Street are spending billions more. Private corporations, increasingly concerned for the safety of their operations and data (think about those empty office towers in downtown New Orleans) have joined the security frenzy. Spending projections echo the dotcom predictions that once poured forth so liberally from research firms like Forrester and Jupiter: a $400 million-security sensor market for 2005; an $800 million video analysis market by 2009; $10 billion for biometrics and $36 billion for physical security technology (such as body armor and explosives screening) by 2007. The industry is thought to be worth up to $200 billion today.
“Fear, Inc.,” http://www.wired.com/wired/archive/13.12/homeland.html
December 1, 2005
U.S. Government Site Used in Phishing Scheme
Cybercriminals have been using a site operated by the United States government to carry out a phishing scheme. The criminals have sent email messages around the world, purportedly from the Internal Revenue Service, informing recipients that they are entitled to a $571.94 tax refund. The message directs the recipient to visit a site that appears to be part of a real U.S. government website (www.govbenefits.gov), to provide sensitive personal information and request the refund. President Bush has recently promoted govbenefits.gov as a one-stop site that Hurricane Katrina victims can visit to learn the benefits for which they could qualify. “Press Release: President Bush Recommends GovBenefits.gov as One Stop for Federal Benefits,” http://www.govbenefits.gov/govbenefits/pressroom.jhtml?dispatch=release&pid=101.
Unfortunately, the cybercriminals have taken advantage of a feature of the government site that redirects the recipient’s computer to a phony phishing site that purports to be an official IRS site. For example, the following link uses the same government site to redirect you to the page on the Warner Norcross & Judd LLP website where we archive In the News:
http://www.govbenefits.gov/govbenefits/externalLink.jhtml?url=http://wnj.com/privacynews.html
This link could easily be masked to read more simply as:
http://www.govbenefits.gov/Privacy News
The feature is called an “open redirect” and, according to Cnet News.com, is not uncommon. By sending a recipient to a government site, the cybercriminals give their phishing message an air of authenticity. According to Cnet News.com, the government “is aware of the issue and is working to fix it.”
Simply going to www.govbenefits.gov would not redirect a user to the phony site. That would only happen if the user used the entire link provided by the cybercriminals. The phishing site has been shut down. “Phishers use IRS tax refund as bait,” http://news.com.com/Phishers+use+IRS+tax+refund+as+bait/2100-7349_3-5977588.html?part=rss&tag=5977588&subj=news
December 2, 2005
FTC Settles with DSW Shoes over Data Breach
The Federal Trade Commission announced yesterday that it had reached a settlement with DSW Shoes, Inc., a retailer whose computer systems were hacked earlier this year, exposing information on 1.4 million credit and debit card holders and 96,000 checking account holders. The matter is the second case in which the Federal Trade Commission has alleged that the failure to provide reasonable and appropriate security for sensitive customer information constituted an unfair practice under the Federal Trade Commission Act.
The FTC’s complaint alleges that DSW:
- created unnecessary risks to sensitive information by storing it in multiple files when it no longer had a business need to keep the information;
- failed to use readily available security measures to limit access to its computer networks through wireless access points on the networks;
- stored the information in unencrypted files that could be easily accessed using a commonly known user ID and password;
- failed to limit sufficiently the ability of computers on one in-store network to connect to computers on other in-store and corporate networks; and
- failed to employ sufficient measures to detect unauthorized access.
Under the terms of the settlement, DSW must adopt a comprehensive data security program and obtain, and provide to the FTC, an independent audit every other year for the next 20 years.
According to DSW’s filings with the Securities and Exchange Commission, the data breach exposed the company to losses between $6.5 and $9.5 million.
The following documents from the DSW case are available on the FTC’s website:
The DSW settlement comes just months after a similar settlement between the FTC and BJ’s Wholesale Clubs, an east coast retailer. BJ’s was the first case in which the FTC alleged that the failure to provide reasonable and appropriate security for sensitive customer information constituted an unfair practice under the Federal Trade Commission Act. In five other information security cases, the FTC brought its claims under the unfair the deceptive practices prohibition of the Act, alleging that the defendant in each case had promised, but failed, to maintain the security of the consumer information. In BJ’s, and now in DSW, the defendants made no such promise. But the FTC alleged that the failure to maintain a secure system – even without any misrepresentations to consumers – violated the Federal Trade Commission Act.
The BJ’s case resulted in alleged damages of approximately $13 million and has led some card issuing institutions to sue Fifth Third Bancorp, which processed BJ’s credit and debit card transactions. A United States District Court recently ruled that claims by two such card issuers could proceed on allegations that Fifth Third should be held liable to them, as third party beneficiaries of its merchant processing contract with BJ’s, for failing to ensure that BJ’s complied with Visa’s operating regulations that required it not to retain or store cardholder information. See decisions in Sovereign Bank and Pennsylvania State Employees Credit Union.
Cybercriminals Recycling Abandoned Websites
Do you want to learn how to hack into Paypal? Maybe you would like to sell or buy some stolen credit card accounts. Well, look no further than the website of the Grand Rapids, Michigan-based Christian rock group Sojourn. There you will find instructions on how to hack into Paypal, offers to sell stolen accounts from Citibank, HSBC and other banks, and information about other nefarious transactions. What’s going on? Reuters reports that cybercriminals are increasingly using abandoned websites to ply their craft and sell their wares. In the case of Sojourn’s site, the cybercriminals have adopted the band’s abandoned message board as a way to communicate out of view. Experts say that it is harder to track criminal activities on dormant sites. “Cyber criminals peddle wares on ignored websites,” http://www.itnews.com.au/newsstory.aspx?CIaNID=21291&src=site-marq.
Norton Antivirus – The New Target of Hackers
Earlier this week, we linked to a story about the challenge antivirus companies face in keeping up in a “virus arms race.” “The Problem with Antivirus Products,” In the News, November 29, 2005. For Norton Antivirus and its manufacturer, Symantec, the challenge has become a little more personal. BusinessWeek Online reports that hackers are targeting Symantec’s antivirus program, which accounts for 64% of the antivirus market, and is installed on an estimated 50 million personal computers around the world. According to Businessweek, “hackers are bypassing or disabling the Symantec software in their efforts to access personal information or spread viruses and worms. And there’s mounting evidence that hackers are trying to use Symantec software as an actual gateway into corporate serves and PCs.” “Norton Gets a Bit Less Secure,” http://www.businessweek.com/technology/content/dec2005/tc20051201_834834.htm
Note:Current and past issues of In the News are now available online at this link.
This message is provided by the Privacy and Information Security Taskforce at Warner Norcross & Judd LLP to advise you of recent developments in the law affecting privacy and data security. Because each business situation is different, this information is intended for general information purposes only and is not intended to provide legal advice on any specific facts and circumstances.
Warner Norcross & Judd LLP (www.wnj.com) is a full service law firm with four offices in Michigan. Our Privacy and Information Security Taskforce includes lawyers from across the firm’s practice areas who work together to help businesses ensure the security of their information systems and electronic data and to assist businesses who have experienced a data breach to limit their liabilities and prosecute hackers and data thieves. For information about the Privacy and Information Security Taskforce at Warner Norcross & Judd LLP, e-mail Rodney Martin at or write him at Warner Norcross & Judd LLP, 111 Lyon Street NW, Grand Rapids, MI 49506.
"Privacy and Information Security In the News" is a free publication of Warner Norcross & Judd LLP and its Privacy and Information Security Taskforce. You can choose to receive it either daily (usually by 9 a.m. each weekday) or weekly (usually by 9.a.m. on Friday morning). If you would like to receive this publication, please respond to this e-mail and let us know the frequency at which you would like to receive it. If there are others in your organization who should receive "In the News," either include their names and e-mail addresses in your message or forward this message to them so they can respond.
Should you ever wish to stop receiving "In the News," simply to send us an email message and we will remove your name from the subscription list. Rest assured that we will not sell your contact information or share it with anyone outside our firm.
