Aug. 2005
Rodney D. Martin
Articles
Phishers Sinking to New Lows: Scammers Now Impersonate Small Financial Institutions. Washington Post. "The Armed Forces Bank scam is part of a growing trend in phishing to focus on smaller financial institutions, such as credit unions, smaller banks and insurance companies." http://www.washingtonpost.com/wp-dyn/content/article/2005/08/27/AR2005082700231.html?referrer=email&referrer=email
Does Anti-Phishing Tool Angle For Too Much Data? Dallas Morning News. "Microsoft Corp. will soon release a security tool for its Internet browser that privacy advocates say could allow the company to track the surfing habits of computer users. Microsoft officials say the company has no intention of doing so." http://www.dallasnews.com/sharedcontent/dws/bus/stories/DN-phishing_27bus.ART0.State.Edition2.230fa40d.html
A New Key to Fighting Identity Theft. Washington Post. America Online and E-Trade offer customers electronic tokens that display a new six-digit passcode every minute. http://www.washingtonpost.com/wp-dyn/content/article/2005/08/27/AR2005082700227.html?referrer=email&referrer=email
The Growing Problem of Identity Theft. Bankrate.com. "There is a growing public suspicion that thieves have never had easier access to our personal information, known as identifiers, than they do today, despite the reality that far more card fraud occurs offline than online." http://biz.yahoo.com/brn/050827/16620.html?.v=1
ID Theft Creates Opportunities For Data Companies. Reuters. "For its victims, identity theft means worry, headache and countless time spent restoring bad credit. But for some businesses, the collective fear that consumer identities may be stolen can mean opportunity." http://today.reuters.com/news/newsArticleSearch.aspx?storyID=25405
States Try To Combat Cyberthreats. Associated Press. "The scramble in Massachusetts, Michigan, Kansas and elsewhere to fend off the [Zotob] virus shows the vulnerability of states to potential shutdowns in service now that they offer everything from hunting licenses to physician discipline reports on the Internet and keep millions of computerized tax, voter registration and driving records." This article notes that the State of Michigan's computer security system fends off 22,000 e-mail virus attacks every day. http://www.detnews.com/2005/technology/0508/26/B08-293669.htm
Keeping the Trust. Darwin Magazine. "How to let customers know there's been a breach of their data and help them keep their faith in you." http://www2.darwinmag.com/read/feature/aug05_ponemon.cfm
India Collecting Worker Histories To Beef Up Outsourcing Security. The Associated Press. "The Indian outsourcing industry is starting to compile work histories of all its employees, in an effort to combat fraud." http://www.informationweek.com/story/showArticle.jhtml?articleID=170100561
Spam Forces Telewest To Provide Online Security. Times of London Online. "TELEWEST, the cable company, has been forced to introduce free online security measures for its more than 850,000 broadband users after spammers hijacked their customers' home computers, The Times has learnt." http://technology.timesonline.co.uk/article/0,,20410-1747934,00.html
U.S. Library Sues Over Controversial Patriot Act, Reuters. "A controversial Patriot Act clause allowing the U.S. government to demand information about library patrons' borrowing habits is being challenged in federal court for the first time by a library." http://today.reuters.com/news/newsArticleSearch.aspx?storyID=255533+25-Aug-2005+RTRS&srch=aclu
'Black Boxes' Keep Eye On Bad Drivers. "The program is believed to be the first in the state to target the drivers; it is also one of the first in the country to turn to the black boxes, which track everything from how fast a car goes to whether it takes corners too sharply." http://www.detnews.com/2005/commuting/0508/26/A01-294070.htm
Search Site To Add Free Blogs. San Francisco Chronicle. Zabasearch, one of the most complete sites for searching for information about individuals, has now announced that beginning September 1, it will allow people to add comments about individuals. Imagine the opportunities for ex-spouses, disgruntled former employees, and others to air their complaints! http://sfgate.com/cgi-bin/article.cgi?f=/c/a/2005/08/26/BUGFDED7141.DTL
Legislative Activity
California RFID Moratorium Bill Stalls in Committee. RFID Journal. A bill to place a three-year moratorium on the use of RFID in driver's licenses, student IDs in public schools, public library cards and government benefit cards failed to make it out of committee. Proponents of the bill argued that "the unregulated use of RFID technology in identity documents would expose millions of Californians to surreptitious readings of those tags and that tag data could be used to access personal information." A coalition of industry groups argued the bill was too restrictive.
http://www.rfidjournal.com/article/articleview/1840/1/1/
The Crime Blotter
Three Indicted For Violating Anti-Spam Law. The Associated Press. "Three people accused of running a huge computer spam operation have been indicted on charges of violating a law aimed at cracking down on unsolicited e-mails, prosecutors said."
www.informationweek.com/story/showArticle.jhtml?articleID=170100643
Two Arrested in U.S. Computer Worm Probe. The Associated Press. Authorities in Morocco and Turkey have arrested two people believed responsible for a computer worm that infected networks at U.S. companies and government agencies earlier this month. http://www.washingtonpost.com/wp-dyn/content/article/2005/08/26/AR2005082600843.html
Web Of Crime: Internet Gangs Go Global. Toronto Globe and Mail. "Teens seeking notoriety may still be involved, but these days the likelier culprit is a hardened criminal in search of financial gain." This article provides a look inside "Web gangs" that are increasingly behind malicious attacks. http://www.globetechnology.com/servlet/story/RTGAM.20050825.gtsecurityaug25/BNStory/Technology/
Global Phishing Outbreak Hits Four Banks. VNUNet.Com. Financial institutions in Spain, Italy, Canada, and the United States have all been hit by phishing attacks in recent days. http://www.vnunet.com/vnunet/news/2141554/global-phishing-outbreak-hits
August 30, 2005
Hurricane Katrina
In the wake of Hurricane Katrina, companies all over the Mississippi Delta have had to implement their data recovery programs. CNETNews.com has an article describing some of the efforts and another that talks more generally about data recovery. See:
Additional Protections on Phone Data Urged
This morning's Washington Post has an article concerning the effort by the Electronic Privacy Information Center ("EPIC") to get the federal government to impose greater restrictions on telephone records. The article reports that your telephone records are available for sale on dozens of websites operated by data brokers and private investigators. See, "Privacy Group Urges FCC to Guard Phone Data," www.washingtonpost.com/wp-dyn/content/article/2005/08/29/AR2005082901811.html. To see EPIC's complaint to the FCC, go to http://www.epic.org/privacy/iei/ftccomplaint.html. You can view an example of a website that offers private phone records at http://www.epic.org/privacy/iei/exhibit_d.pdf.
Another Collegiate Data Breach
California State University reports on its website that a computer used by one of its financial administrators who handles financial aid has "experienced unauthorized access," revealing the names and social security numbers of 152 students and two financial aid administrators. The website indicates that the breach came from an outside source. The University has notified the affected individuals, as required by California law. Further information is available at www.calstate.edu/notice.
The Zotob Worm
Late last week, it was announced that arrests had been made in Turkey and Morocco in connection with the Zotob worm that infected computers at CNN, the New York Times, ABC News, and other corporations. (See "Two Detained For US Computer Worm," http://news.bbc.co.uk/1/hi/technology/4189996.stm.) Brian Krebs, of the Washington Post, reports in his blog that the hackers created the Zotob virus for money, getting paid to take down computer defenses so that adware and spyware could push pop-up ads onto infected machines. Krebs's blog includes an interesting conversation with one of the hackers. ("Conversation With a Worm Author," http://blogs.washingtonpost.com/securityfix/2005/08/a_couple_of_wee.html.) Meanwhile, the FBI reports that Turkish officials have identified 16 more suspects in the case. Information Week, "FBI Reveals 16 More Suspects In Zotob Worm," http://informationweek.com/story/showArticle.jhtml?articleID=170101422.
Crime Pays
Notwithstanding the success in catching the Zotob hackers, the reality is that very few Internet criminals are ever brought to justice. The new issue of Newsweek has an article titled "Grand Theft Identity" that reports that fewer than 1 in 700 identity crimes leads to a conviction. Identity theft is a low risk, high payoff crime. According to Newsweek, identity theft losses in the United States total $53 billion a year. This article points a finger at the mishandling of information by American businesses. http://msnbc.msn.com/id/9108639/site/newsweek/
Medical Records of Teenagers
The Wall Street Journal recently ran an article, reprinted on the website of the Pittsburgh Post-Gazette, concerning the difficulties that healthcare providers are having converting the medical records of teenagers into electronic records. The article explains the problem as follows:
"[T]hese efforts risk running afoul of a complex patchwork of federal and state laws that allow adolescents to seek confidential family-planning and mental-health services without their parents' consent. Such laws make certain aspects of teens' health records off-limits to parents. However, electronic medical-records systems don't yet have a foolproof way to flag confidential material and hide it from parents -- something that can more easily be done with paper records. And as minors, teens can't on their own enter into the security agreements required to grant access to their online records."
As a result, the article notes, a number of healthcare providers are leaving the records of teenage patients off their electronic records systems. For the entire article see, "Parents Barred From Teen Health Files," http://www.post-gazette.com/pg/05236/559320.stm
Data Mining by the Federal Government
The General Accounting Office released a report regarding its review of five programs in which the government mines personal information of Americans. The report concluded that, while the agencies had generally made progress in protecting personal information from disclosure since a GAO study one year ago, there were still deficiencies in the programs. These included, in some instances, the failure to disclose to individuals why information was being collected, inconsistent compliance with key security requirements, and the failure to comply fully with requirements to prepare a privacy impact statement. A one-page summary of the report is available at http://www.gao.gov/highlights/d05866high.pdf. The full 82-page report is available at http://www.gao.gov/new.items/d05866.pdf. A news story from the Associated Press appears in today's Detroit News at http://www.detnews.com/2005/technology/0508/30/TECH0-296901.htm.
Redesigning the Internet
The New York Times has a story regarding a project to reengineer the Internet to address security concerns. It notes that "when the Internet was designed in the 1970's, its engineers did not expect that the project would have to be scaled to cover much of the world's population, and security was not an important consideration." See "Early Look at Research Project to Re-engineer the Internet." http://www.nytimes.com/2005/08/29/technology/29internet.html
August 31, 2005
Evidence of a Growing Concern for Security at Microsoft?
In what is reportedly the first public statement of its kind by Microsoft, the company's 10-K acknowledges that actual and perceived security vulnerabilities in its products may subject the company to liability. The 10-K states that, "While our license agreements typically contain provisions that eliminate or limit our exposure to such liability claims, there is no assurance these provisions will be held effective under applicable laws and judicial decisions." The company's statement is evidence of the growing concern with information security and the evolving standards of liability for those who hold or process confidential consumer information. The company also acknowledged that Firefox, an open-source browser that claims to be more secure, has captured an increasing share of the browser market.
"Microsoft Acknowledges Threats From Firefox And Security Lawsuits," http://www.informationweek.com/story/showArticle.jhtml?articleID=170101907
Stolen Laptop Had Customer Information
J.P. Morgan Private Bank reportedly has advised some of its high net worth customers of the theft of a laptop that contained personal and financial information about them. The laptop was password protected, but it is not clear whether the data was encrypted. J.P. Morgan has not indicated how many customers were affected. "Security Breach At J.P.Morgan: Computer Stolen From Private Banking Group," http://www.marketwatch.com/news/story.asp?guid=%7BC794C2B2-B783-4104-BC8E-4DBE14AA8E56%7D&siteid=google
More on the Zotob Worm Hackers
The story behind the Zotob Worm continues to develop. As reported yesterday, the number of suspects involved continues to grow. So does the number of viruses these hackers wrote. CNET News.com reports that the hackers were part of a credit card crime ring headquartered in Turkey. This morning, Brian Krebs, in his Security Fix Blog at the Washington Post, sheds more light on the story and points to a Finnish blog that gives more background on Diablo10, one of the hackers arrested in connection with the Zotob Worm.
Intelligent Design?
The author of this piece from SC Magazine, a British publication for IT professionals, discusses the increasing sophistication of hacking, analogizing it to evolution. The article ends with some practical tips to identify a pharming site. "Spotting The Pharming Websites," http://www.scmagazine.com/features/index.cfm?fuseaction=featureDetails&newsUID=41e08e7f-8ee3-4c23-8053-b6ca88091849
If the difference between phishing and pharming still confuses you, ZDNet has a brief video that explains it in clear terms. "Phishing v. Pharming," http://news.zdnet.com/2036-2_22-5798698.html
How Much Protection for Medical Information?
Bankrate.com has an article describing what it calls loopholes in HIPAA's protection of medical information. The article also argues that a lack of enforcement reduces protection under the Act. "Private Medical Information Isn't So Private," http://www.bankrate.com/BOS/news/pf/20050830a1.asp
President to Address Identity Theft
This morning's American Banker Online reports that President Bush will make a speech on Thursday regarding identity theft. http://www.americanbanker.com/article.html?id=2005083095H1TZCN&from=washregu (subscription required).
September 1, 2005
Phishing and Hurricane Relief
Following the tsunami and the subway bombings in London, cybercriminals were quick to set up phoney websites purporting to collect funds for the victims. (See "Phishing attacks triggered by bombings in London, UK," http://www.findarticles.com/p/articles/mi_m0ECZ/is_2005_August_5/ai_n14876481.) If it has not already happened, we can expect soon to see scams and phishing schemes using the victims of Hurricane Katrina as the bait. Brian Krebs at the Washington Post Security Fix Blog thought he had found several such sites yesterday that were designed to steal credit card numbers. Later he discovered that was not true for those sites ("Katrina Phishing Scams Begin," http://blogs.washingtonpost.com/securityfix/2005/08/katrina_phishin.html). But his point is still well made.
Katrina aid sites are springing up quickly. HelpfromKatrina.com, helpkatrinasvictims.com, helpvictimsofkatrina.com, hurricanekatrinadonations.com, hurricanekatrinahelp.com, hurricanekatrinafund.com, hurricane-katrina-relief.com, katrinadisasteraid.com, katrinadisasterrelief.com, katrinadisaterrelief.com, katrinadonation.com, katrinadonations.com, katrinadonor.com, and Katrinadonors.com are just some of the sites that have been registered in the last few days. While many, if not most of these sites, are certainly legitimate, it is hard not to be skeptical about their validity. Do not be surprised when you see messages in your e-mail directing you to some of these sites.
While one could research the ownership of the sites by using a site like www.whois.com, the easier approach for people who want to contribute is to give to organizations that they know and trust. To avoid phishing and other scams, people should not respond directly to an e-mail (and should not give credit card information to someone who calls). Instead, they should send a check in the mail or initiate a phone call to an agency they know to be valid. The Washington Post has a list of phone numbers of legitimate agencies that are collecting money for Hurricane relief. http://www.washingtonpost.com/wp-dyn/content/article/2005/08/29/AR2005082902136.html
Recovering from Katrina
Telecom companies, banks and other businesses are scrambling to recover from the devastation of Katrina. Here is a sampling of articles describing those efforts:
New Charges Against Choicepoint Suspects
Two Nigerian nationals living in California have been indicted in connection with the data breach at Choicepoint, which was announced on February 15, 2005. The two are charged with using sensitive consumer information stolen from Choicepoint, a data aggregator, to steal $2 million from bank and credit card accounts. The indictment also charged the two with defrauding Choicepoint, which spent $2 million in notifying its customers of the theft. "2 Charged In $4M Identity, Credit Scam," Long Beach Press Telegram, http://www.presstelegram.com/Stories/0,1413,204~21474~3033351,00.html.
Cardsystems Solutions Fate in the Balance
We may learn today the fate of Cardsystems Solutions, the credit card payments processor whose security breach potentially exposed 40 million accounts to fraud. VISA dropped Cardsystems earlier this summer, giving member banks until the end of October to find another processor. Mastercard, on the other hand, gave Cardsystems until yesterday to prove that it is complying with Mastercard's security rules. According to The Atlanta Journal Constitution, Mastercard will make a statement today regarding Cardsystems. "Cardsystems Could Learn Fate," http://www.ajc.com/business/content/business/0805/31bizcardsystems.html
Possible Fine for Failure to Preserve eMails
Earlier this week, the Wall Street Journal reported that the SEC was considering fining Morgan Stanley $10 million or more for failing to preserve e-mails that related to a number of investigations the SEC is conducting.
Spyware Changes Google Results
Leslie Walker, of The Washington Post, devotes her .Com column to a recently discovered spyware program that hijacks Google searches to present fake results that direct you to a site where another spyware program is downloaded to your computer. Walker says the spyware industry has become big business, generating annual revenue of $2.4 billion. "Theft You Don't See," http://www.washingtonpost.com/wp-dyn/content/article/2005/08/31/AR2005083102486.html
Tracking Chinese Cyberspies
Time Magazine is running a fascinating story about a Chinese cyberespionage team that has allegedly gained access to extremely sensitive U.S. government systems. Time reports that the spies, dubbed "Titan Rain," are "thought to rank among the most pervasive cyberespionage threats that U.S. computer networks have ever faced." "The Invasion of the Chinese Cyberspies (And the Man Who Tried to Stop Them)," http://www.time.com/time/magazine/printout/0,8816,1098961,00.html.
Google's Solution for Organizing The World's Information
It has been a big couple of weeks for Google. Undaunted by copyright issues that had stalled Google's plans to scan the libraries at the University of Michigan and other major universities, Google has introduced two new products -- Google Desktop and Google Talk. The Onion, one of America's finest sources of satire, now reports that Google has yet another new product to organize the world's information. According to The Onion, Google intends to destroy all information it is unable to index, in a project named "Google Purge." "Google Announces Plan To Destroy All Information It Can't Index," http://www.theonion.com/content/node/40076. This is one way to ensure that Google is the comprehensive search engine.
September 2, 2005
Phishing and Hurricane Relief
In yesterday's issue of "In The News," we warned of bogus websites seeking to profit from the suffering caused by Katrina. Today, we can report that, indeed, bogus sites have been popping up and phishing messages have been sent. The SANS Internet Storm Center includes a report of a phishing message that directs the reader to a site that loads an unidentified virus. "Handler's Diary," http://www.isc.sans.org/diary.php?date=2005-09-01. The SANS site identifies 230 Hurricane Katrina sites and has begun working through them trying to identify illicit sites. You can see their ongoing results at http://isc.sans.org/katrina.com.txt.
Jack Kapica at the Toronto Globe and Mail reports on e-mail messages purporting to have news on Katrina but that come bearing a Trojan horse virus designed to gain unauthorized access to your computer. "Threat Exploits Disaster," http://www.globetechnology.com/servlet/story/RTGAM.20050901.gtattack09801/BNStory/Technology/
Caroline Mayer and Brian Krebs report on the Washington Post site that Mastercard identified 170 scam sites that capitalized on the tsunami at the end of 2004. "Scammers Hit Web In Katrina's Wake," http://www.washingtonpost.com/wp-dyn/content/article/2005/08/31/AR2005083102574.html. The chief research officer of the SANS Institute is quoted by CNET News.com as saying that Katrina-related scams are proliferating at a quicker pace. "Online Scams Emerge In Katrina's Wake," http://news.com.com/2102-7349_3-5845695.html
Disaster Recovery
CSO Magazine Online today offers a timely Q & A on business continuity and disaster planning. The article notes that many executives "are prone to ignoring 'disaster recovery' because disaster seems an unlikely event." In the aftermath of Katrina, the dust is likely to be blown off a number of disaster recovery plans. "The ABCs of Business Continuity and Disaster Recovery Planning," http://www.csoonline.com/fundamentals/abc_continuity.html
Cardsystems Follow Up
CardSystems Solutions, Inc., the payments processor at the center of a security breach that potentially exposed sensitive information on 40 million cardholders, says it believes auditors have concluded that it complies with Mastercard's data-security standards. Mastercard had given CardSystems until August 31 to demonstrate that it was in compliance. No word yet on whether MasterCard agrees with CardSystems' assessment. "Cardsystems Auditor Completes Compliance Report," http://today.reuters.com/news/newsArticleSearch.aspx?storyID=198714+01-Sep-2005+RTRS&srch=cardsystems
Free Credit Reports . . . At a Cost
Caroline Mayer reports in the Washington Post that the effort to curb identity theft by giving consumers the right to a free annual credit report may actually have created the opportunity for cybercriminals to steal sensitive information by putting up phony websites offering free credit reports. Mayer reports that the FTC has identified 130 imposter sites that target consumers. "Order Free Credit Reports, Then Cross Your Fingers," Washington Post, http://www.washingtonpost.com/wp-dyn/content/article/2005/08/31/AR2005083102575.html.
President's Identity Theft Speech Postponed
Understandably, the President has postponed his scheduled speech on identity theft to focus on the aftermath of Hurricane Katrina. The American Banker reports that the President had intended to announce the appointment of a federal identity theft taskforce. http://www.americanbanker.com/article.html?id=20050901KIYC6SWV&from=washregu (subscription required)
This message is provided by the Privacy and Information Security Taskforce at Warner Norcross & Judd LLP to advise you of recent developments in the law affecting privacy and data security. Because each business situation is different, this information is intended for general information purposes only and is not intended to provide legal advice on any specific facts and circumstances.
Warner Norcross & Judd LLP is a full service law firm with four offices in Michigan. Our Privacy and Information Security Taskforce includes lawyers from across the firm's practice areas who work together to help businesses ensure the security of their information systems and electronic data and to assist businesses who have experienced a data breach to limit their liabilities and prosecute hackers and data thieves. For information about the Privacy and Information Security Taskforce at Warner Norcross & Judd LLP, e-mail Rodney Martin at or write him at Warner Norcross & Judd LLP, 111 Lyon Street NW, Grand Rapids, MI 49506.
"Privacy and Information Security In The News" is a free publication of Warner Norcross & Judd LLP and its Privacy and Information Security Taskforce. You can choose to receive it either daily (usually by 9 a.m. each weekday) or weekly (usually by 9.a.m. on Friday morning). If you would like to receive this publication, please respond to this e-mail and let us know the frequency at which you would like to receive it. If there are others in your organization who should receive "In the News," either include their names and e-mail addresses in your message or forward this message to them so they can respond.