March 6, 2006
A note about broken links: In the News links to current stories at various news sources on the Internet. Over time, some of the links may become broken when a source removes the stories from its pages. Often you can find the same story at another source by searching the title and author of the article. If you have questions about a link, send us an e-mail by clicking here.
Stolen College Laptop held Records of 93,000 Students
Metropolitan State College, in Denver, Colorado, has sent a letter to 93,000 current and former students notifying them that a laptop containing sensitive personal information about them – including Social Security numbers – has been stolen. The laptop was stolen from the home of a school employee who had taken the data home to write a grant proposal and was also using the data to write a master’s thesis. The data was unencrypted. “College Loses Unencrypted Personal Data on Over 93,000 Students Contained on Stolen Laptop,” http://www.newsinferno.com/archives/913
I’m From the Government, Trust Me with Your Data . . . Maybe Not.
The provincial government of British Columbia sold at auction computer tapes containing highly sensitive information about 77,000 citizens who had applied for assistance from the government because of a medical condition. Along with the tapes, the government sold several used data tape drives that could be used to read the information off the tapes. The tapes included information about each person's medical conditions, and their social insurance number, date of birth, provincial health number, and address. “Privacy breach 'a wake-up call' : Sale of tapes by the provincial government exposes personal information and health records,” http://www.canada.com/vancouversun/news/story.html?id=ee7c35fb-1ae4-4140-9a82-bab28269ef2d
The Cincinnati Enquirer reported last week that hundreds – perhaps thousands – of Social Security numbers are available on the website of the Ohio Secretary of State. The Social Security numbers are included on UCC forms filed with the Secretary of State’s office, and the office posted the forms online without redacting them. The Secretary of State’s office says that it has no authority to redact information from the forms. “Ohioans' info online,” http://news.enquirer.com/apps/pbcs.dll/article?AID=/20060301/NEWS01/303010012/-1/all.
One day after that report, a class action lawsuit was filed in Federal Court seeking, among other things, an order requiring the Secretary of State to remove Social Security numbers that appear online. “Lawsuit Filed Over Social Security Numbers On State Website,” http://search.cincinnati.com/sp?aff=5&keywords=social%20security%20numbers
USA Today reports that Social Security numbers are available on government websites in New York, Florida, and at least seven other states. “Social Security numbers found on state websites,” http://www.usatoday.com/money/industries/technology/2006-03-02-social_x.htm?POE=TECISVA
The Age of “Wholesale Surveillance”
Bruce Schneier, Chief Technology Officer of Counterpane Internet Security, has written an interesting piece for the Minneapolis Star Tribune. In it, he argues that the “pervasiveness of computers has resulted in the almost constant surveillance of everyone, with profound implications for our society and our freedoms.” He says that computer technology allows for “wholesale surveillance” of our lives:
It's not "follow that car," it's "follow every car." The National Security Agency can eavesdrop on every phone call, looking for patterns of communication or keywords that might indicate a conversation between terrorists. Many airports collect the license plates of every car in their parking lots, and can use that database to locate suspicious or abandoned cars. Several cities have stationary or car-mounted license-plate scanners that keep records of every car that passes, and save that data for later analysis.
Our extensive use of computers leaves a “trail of electronic footprints,” he writes:
We used to walk into a bookstore, browse, and buy a book with cash. Now we visit Amazon, and all of our browsing and purchases are recorded. We used to throw a quarter in a toll booth; now EZ Pass records the date and time our car passed through the booth. Data about us are collected when we make a phone call, send an e-mail message, make a purchase with our credit card, or visit a website.
Schneier says that the by-product of computer use is stored information – information that has value, not only to the police but to corporations who want to improve their services and marketing. As computers get smaller and cheaper, he says, the problem will only grow.
Schneier argues that the United States needs to adopt broad privacy protection similar to laws in European countries. He says we need to “enact legislation to protect our privacy: comprehensive laws regulating what can be done with personal information about us. . . leaving the market to sort this out will result in even more invasive wholesale surveillance.” “Bruce Schneier: Your vanishing privacy,” http://www.startribune.com/562/story/284023.html
March 7, 2006
Report Warns of Increasingly Targeted Attacks
Reuters reports that Internet security software company Symantec Corp. has concluded that criminal hackers shifted their focus in the second half of 2005 from launching broad attacks to breach computer systems to targeting individual PC users. Symantec says that hackers are beginning to prefer attacks on individual PC users because such attacks are less likely to be detected and draw public attention. Reuters quotes Vincent Weafer, senior director of Symantec Security Response, who said, “Instead of sending out a worm to hit a million desktops, people are sending out smaller, aggressive attacks. Criminals want to now get on a system silently.”
Symantec reported that viruses, worms and Trojans that seek out confidential information from a user's PC accounted for 80 percent of the top 50 malicious software code threats, up from 74 percent in the previous six month period. Phishing scams accounted for one of every 119 e-mail messages, or 7.92 million messages a day, an increase from 5.7 million messages per day in the first six months of the year. “Cyber Criminals Stepping Up Targeted Attacks: Report,” http://www.nytimes.com/reuters/technology/tech-symantec-security.html?_r=1&oref=slogin
The shift to targeting individual PCs does not mean that hackers are targeting businesses less. In the News earlier linked to a story in which Businessweek Online discussed the increase in targeted attacks on businesses that slip past company firewalls and gather a company’s sensitive information. That story is still available online. See, “Coming to Your PC's Back Door: Trojans,” http://www.businessweek.com/technology/content/jan2006/tc20060123_003410.htm?campaign_id=rss_tech.
Study Finds Blacks and Hispanics Slower to Discover Identity Theft
Nationwide Mutual Insurance Co. has announced the results of a study that showed that African Americans and Hispanics typically take a month and a half longer than the general population to discover that they have been a victim of identity theft. The study also found that criminals are more likely to target the checking and savings accounts of African Americans and Hispanics than other ethnic groups. “Blacks, Hispanics often victims of identity theft,” http://www.suntimes.com/output/currency/cst-fin-c-identity06.html
According to the study, “the most common African-American victim is a 38-year-old woman who is a college graduate or has some college education. The most common Hispanic victim is a 36-year-old married woman and a college graduate. The most common general population victim is a 46-year-old white male, who is married and a college graduate or has some college education. Victims in each group had an average household income between $50,000 and $75,000.”
NPR Asks “Is Anything Actually Private?”
NPR’s Morning Edition is running a series this week that asks the question “Is Anything Actually Private?” In Monday’s story, Morning Edition interviewed Brian Boucher, an author who found a roommate on the Internet whom he later discovered had stolen his Social Security number, credit card information, and the names of Boucher’s family members. After Boucher looked more deeply into his roommate’s identity, he discovered his roommate was a jewel thief listed on America’s Most Wanted. “Privacy Expectations at Odds with Reality,” http://www.npr.org/templates/story/story.php?storyId=5246847 Boucher wrote an article about his experiences in New York Magazine. “My Roommate, The Diamond Thief,” http://nymag.com/news/features/15590/index.html.
Today’s installment of NPR’s series looks at what information is available about people on the Internet. A link was not available before this message was sent.
March 8, 2006
U.S. Banks Shut Down Debit Card Transactions in Canada, Britain, and Russia
In a story that has been unfolding over the past month, Citigroup has blocked debit transactions in Canada, Britain and Russia, after identifying an unspecified number of unauthorized ATM transactions in those countries. Bank of America, Wells Fargo and Washington Mutual have reportedly taken similar steps. According to bank executives, data thieves apparently obtained debit card information and personal identification numbers by hacking the computer files of OfficeMax, but OfficeMax denies that its records were stolen. “Citigroup Blocks Cards in 3 Nations After Breach,” http://select.nytimes.com/mem/tnt.html?tntget=2006/03/08/business/08data.html&tntemail0=y&adxnnl=1&emc=tnt&adxnnlx=1141819365-qoWJ6M+XV+emVqA03C28vQ. For background, see “200,000 Debit Card Numbers Stolen by Hackers,” In the News, February 13, 2006
Fool Me Once, Shame on You, Fool Me Twice . . .
For the second time this year, Providence Health System, of Seattle, Washington, has had to notify patients that information about them was stolen when employees’ cars were broken into. In January, we linked you to an article detailing how records of 358,000 patients of Providence Home Services in Oregon and Washington were lost when a thief stole computer backup disks and tapes from an employee’s car. On Monday, Providence Health System notified 122 hospice and home-care patients that sensitive information about them was contained on laptop computers stolen in two separate car break-ins on February 27 and March 3. In one instance, the employee left the computer in the car while visiting a patient. In the other instance, the employee left the computer in the car while stopping to run into a store. Providence says that both employees violated the company’s policy, which requires employees to keep laptops that hold patient records within eyesight at all times. The company says that since the latest thefts, it has begun encrypting patient information on laptops used by hospice and home health care workers. “Providence hit again in thefts of patient info,” http://www.oregonlive.com/business/oregonian/index.ssf?/base/business/1141716784147250.xml&coll=7. For previous story, see “Patient Records Stolen from Employee’s Car,” In the News, January 27, 2006.
Georgetown U’s Server Hacked Exposing Information on 40,000 Elderly Persons
In February, hackers broke into a Georgetown University network server, exposing information about 40,000 elderly residents of Washington, D.C., including their names, Social Security numbers, and birth dates. Georgetown reported the theft in late February. The data hosted on Georgetown’s system belonged to the District of Columbia Office on Aging. “Hackers Steal D.C. Residents' Data,” http://www.consumeraffairs.com/news04/2006/03/gu_hack.html
March 9, 2006
Records of 17 Million Porn Customers Available for Online Purchase
Wired News is reporting that sensitive personal information about 17 million customers of an online payment service called iBill has been “released onto the internet, where it's been bought and sold in a black market made up of fraud artists and spammers.” Wired News, which has examined the stolen data, says that while no credit-card numbers were included, the data does include names, phone numbers, addresses, e-mail addresses, internet IP addresses, logins and passwords, credit-card types and purchase amounts. The information released concerns transactions conducted between 1998 and 2003, when iBill was the leading credit card processor for adult entertainment websites. Wired News cites a computer expert who says the “17 million database entries he found is [sic] prime data for spamming, phishing attacks, pretext phone calls and even possible hacking of vulnerable computers at the IP addresses listed.” “Porn Billing Leak Exposes Buyers,” http://www.wired.com/news/technology/0,70356-0.html?tw=wn_index_1
Securing Home Wireless Networks
On Sunday, The New York Times reported on people who use the unprotected wireless networks of their neighbors. According to the article, freeloading neighbors raise more than an issue of breached etiquette. The article notes that “savvy users could piggyback into unprotected computers to peer into files containing sensitive financial and personal information, release malicious viruses and worms that could do irreparable damage, or use the computer as a launching pad for identity theft or the uploading and downloading of child pornography.” It quoted David Cole, director of product management for Symantec Security Response, who said, “[t]he best case is that you end up giving a neighbor a free ride. The worst case is that someone can destroy your computer, take your files and do some really nefarious things with your network that gets you dragged into court."
Brian Krebs, who blogs at the Washington Post, writes that “[a] lot of people put off setting up their wireless routers for security because they get overwhelmed by all the terminology (MAC, SSID, WPA, WEP, 802.11b, c, d and the rest of the alphabet soup that is the wireless standards industry).” For the overwhelmed, Krebs links to online videos he recently discovered that can guide you through the process of securing a wireless network using equipment from three popular manufacturers -- Netgear, Linksys and Apple Airport. “Video Guide: Securing Your Wireless Network,” http://blog.washingtonpost.com/securityfix/2006/03/video_guide_securing_your_wire_1.html
Battle over National ID Cards in the United Kingdom
By a vote of 227 to 166, the House of Lords in the United Kingdom voted against the government’s plan that would require people to obtain a national identification card when they apply for the new biometric passport the UK is introducing. The government defended the plan, saying that a national identification card is "in the public interest and in the interests of national security". “Ministers defeated over ID cards,” http://news.bbc.co.uk/1/hi/uk_politics/4778142.stm
“Privacy Nightmare” in Canadian Province
Earlier this week, In the News linked to a story about how the provincial government of British Columbia sold at auction computer tapes containing highly sensitive information about 77,000 citizens and at the same time sold several used data tape drives that could be used to read information from the tapes. See “I’m From the Government, Trust Me with Your Data . . . Maybe Not,” In the News, March 6, 2006. David T.S. Fraser, who writes the Canadian Privacy Law Blog, has called our attention to a series of news articles detailing additional privacy lapses by the government that are being dubbed a “privacy nightmare.” “Privacy Nightmare in BC,” http://www.privacylawyer.ca/blog/2006/03/privacy-nightmare-in-bc.html.
The Vancouver Sun reports that:
- 138 pieces of computer equipment, 31 laptop computers and nine cellphones belonging to the provincial government were stolen last year. School districts, colleges and universities accounted for the vast majority of the losses. But government agencies were hit as well. The Attorney-General’s ministry had four laptop computers and three other pieces of computer equipment stolen. The Public Safety and Solicitor-General's ministry had four laptops stolen. And the Health Service reported three laptops stolen.
- The provincial government sold hand-held organizers and BlackBerrys without removing sensitive information. The paper said one buyer reported that the BlackBerrys all appeared to be filled with e-mails and addresses and contained user names and passwords for protected sites.
- Hackers broke into the provincial government’s computer network to place unauthorized software and movies on government hard drives. The leader of the New Democratic Party in the provincial legislature stated that, "The opposition has been advised that at least one breach of security that involved a minimum of 78 government computers and access through [the] highest level of passwords and involving several ministries occurred."
“Privacy nightmare: Sensitive files on stolen computers,” http://www.canada.com/vancouversun/news/story.html?id=a5900d95-6420-4810-b6f2-2773f727e07f
“Personal data sold with BlackBerries,” http://www.canada.com/vancouversun/news/story.html?id=806f9ce8-9ffd-4283-b888-8c57f43c5527
“Hackers get inside province's system,” http://www.canada.com/vancouversun/news/story.html?id=20b74870-ceb9-4723-a6ee-cf55548e2001&k=21513
March 10, 2006
Debit Card PIN Theft Shows Weakness in Two-Factor Authentication Scheme
A leading expert on data security, Avivah Litan, of Gartner, has called the theft of 200,000 debit card numbers and debit card PINs “the absolute worst hack that has happened.” The statement was in reaction to news earlier this week that Citigroup and other major banks are blocking suspected fraudulent ATM transactions in Canada, Britain, and Russia. MSNBC reports that the problem is not just affecting major banks, such as Bank of America, Wells Fargo and Washington Mutual. Smaller banks, such as Ohio-based National City and Pennsylvania-based PNC, have reportedly detected fraudulent activity affecting their customers’ debit cards. Even the Fitchburg Municipal Employees Federal Credit Union, in Massachusetts, reports having 147 compromised accounts.
PIN-based debit cards have been thought to be more secure than credit cards because they require two-factor authentication (something you have, the card, and something you know, the PIN) to conduct a transaction. Last fall, federal bank regulators issued guidance telling banks that single-factor authentication will no longer be viewed as adequate for “high-risk transactions involving access to customer information or the movement of funds to other parties.” See “Bank Agencies Say Single Factor Authentication Not Enough,” In the News, October 14, 2005.
PIN-based debit cards have been the target of theft before. But stealing a PIN has been a labor-intensive effort, involving skimming individual cards at ATMs and using hidden cameras or deception to obtain each user’s PIN. What makes this newly reported theft so serious is that someone was able to take 200,000 debit card numbers and PINs in one fell swoop. It is posited that the data was taken from a retailer whose payment system retained PINs. A PIN is supposed to be encrypted inside the PIN entry device and forwarded for verification by the card issuer; a merchant’s software has no need to keep it, and a copy sitting in a transaction database turns the “something you know” factor into data that can be stolen in bulk alongside the card numbers. Litan says that the retailer probably did not know it had such sensitive information in its system. “[I]t’s just using payment software and probably doesn’t even know what’s in there. The software is storing PINs just because it can. No one is paying attention to this stuff, it’s deep in the software.” “Debit card thieves get around PIN obstacle,” http://www.msnbc.msn.com/id/11731365/
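To make concrete why a stored PIN defeats the second factor, here is an added example in Python. It is not code from the newsletter, from Litan, or from any bank, retailer or payment product mentioned above. It implements the ISO 9564-1 format 0 PIN block that a PIN pad forms from the PIN and the card number (PAN) before encrypting it, and then assumes a payment application that logged the clear, pre-encryption block next to the PAN; the log lines are constructed for the example. Anyone who holds the PAN and the clear block recovers the PIN with a single XOR, which is why only the encrypted block may ever leave the PIN pad.

```python
"""ISO 9564-1 format 0 PIN block, and why a retained clear PIN block is as
good as the PIN.  Added example for this newsletter item; not code from any
bank, retailer or payment product it mentions.  SAMPLE_LOG is constructed."""
import re


def _pan_field(pan: str) -> str:
    """PAN field: four zeros, then the 12 rightmost PAN digits with the check digit dropped."""
    digits = re.sub(r"\D", "", pan)
    if len(digits) < 13:
        raise ValueError("PAN too short for a format 0 PIN block")
    return "0000" + digits[:-1][-12:]


def _pin_field(pin: str) -> str:
    """PIN field: control nibble 0, PIN length, PIN digits, padded with F to 16 nibbles."""
    if not pin.isdigit() or not 4 <= len(pin) <= 12:
        raise ValueError("PIN must be 4 to 12 digits")
    return f"0{len(pin):X}{pin}".ljust(16, "F")


def _xor_hex(a: str, b: str) -> str:
    return f"{int(a, 16) ^ int(b, 16):016X}"


def build_pin_block(pin: str, pan: str) -> str:
    """Clear PIN block exactly as the PIN pad forms it, *before* encryption."""
    return _xor_hex(_pin_field(pin), _pan_field(pan))


def recover_pin(pin_block: str, pan: str) -> str:
    """With the PAN in hand, the clear block XORs straight back to the PIN."""
    field = _xor_hex(pin_block, _pan_field(pan))
    length = int(field[1], 16)
    pin, pad = field[2:2 + length], field[2 + length:]
    if field[0] != "0" or not 4 <= length <= 12 or not pin.isdigit() or set(pad) - {"F"}:
        raise ValueError("PIN block does not belong to this PAN")
    return pin


# Constructed: what a payment application that "stores PINs just because it
# can" might leave in its transaction log.  The third record keeps only the
# encrypted block (epb=...), which is useless without the key inside the PIN pad.
SAMPLE_LOG = """\
2006-02-10 14:02:11 AUTH pan=4321987654321098 pinblock=04122D789ABCDEF6 amt=43.10 rc=00
2006-02-10 14:05:47 AUTH pan=5105105105105100 pinblock=049827FAEFAEFAEF amt=12.00 rc=00
2006-02-10 14:09:03 AUTH pan=4111111111111111 epb=7C2E91A0B44D3F18 amt=80.00 rc=00
"""

LOG_RE = re.compile(r"pan=(?P<pan>\d{13,19}) pinblock=(?P<blk>[0-9A-F]{16})")


def pins_from_log(text: str) -> dict:
    """Map PAN -> PIN for every record that retained a clear PIN block."""
    found = {}
    for m in LOG_RE.finditer(text):
        try:
            found[m["pan"]] = recover_pin(m["blk"], m["pan"])
        except ValueError:
            continue  # not a format 0 block for that PAN; skip it
    return found


if __name__ == "__main__":
    for pan, pin in pins_from_log(SAMPLE_LOG).items():
        print(f"{pan}: PIN {pin} recovered from the stored clear PIN block")
```

The XOR with the PAN field is there to stop equal PINs producing equal ciphertexts across cards; it provides no secrecy of its own. The secrecy comes entirely from encrypting the block inside the PIN entry device under a key the merchant never holds, so a payment application that writes anything but the encrypted block to disk has already given the second factor away.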
Can Data Mining Find Terrorists?
In his blog, Schneier on Security, security expert Bruce Schneier takes issue with the use of data mining to uncover future terrorist plots. Schneier maintains that data mining will not uncover terrorist plots and will waste valuable resources as the government chases down false alarms. Schneier explains:
Data mining works best when there's a well-defined profile you're searching for, a reasonable number of attacks per year, and a low cost of false alarms. Credit card fraud is one of data mining's success stories: all credit card companies data mine their transaction databases, looking for spending patterns that indicate a stolen card. Many credit card thieves share a pattern -- purchase expensive luxury goods, purchase things that can be easily fenced, etc. -- and data mining systems can minimize the losses in many cases by shutting down the card. In addition, the cost of false alarms is only a phone call to the cardholder asking him to verify a couple of purchases. The cardholders don't even resent these phone calls -- as long as they're infrequent -- so the cost is just a few minutes of operator time.
Terrorist plots are different. There is no well-defined profile, and attacks are very rare. Taken together, these facts mean that data mining systems won't uncover any terrorist plots until they are very accurate, and that even very accurate systems will be so flooded with false alarms that they will be useless.
The lack of a well-defined profile, in Schneier’s view saps data mining of its strength in fighting terrorism. “In hindsight,” he says, “it was really easy to connect the 9/11 dots and point to the warning signs, but it's much harder before the fact. Certainly, there are common warning signs that many terrorist plots share, but each is unique, as well. The better you can define what you're looking for, the better your results will be. Data mining for terrorist plots is going to be sloppy, and it's going to be hard to find anything useful.” Schneier cites reports that the NSA provided the FBI with over 1,000 tips a month based on data mining, none of which panned out. Says Schneier, “the cost was enormous: not just the cost of the FBI agents running around chasing dead-end leads instead of doing things that might actually make us safer, but also the cost in civil liberties. The fundamental freedoms that make our country the envy of the world are valuable, and not something that we should throw away lightly.” “Data Mining for Terrorists,” http://www.schneier.com/blog/archives/2006/03/data_mining_for.html
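The arithmetic behind Schneier’s argument is the base-rate problem, and it is worth seeing in numbers. The following is an added example in Python; it is not code from the newsletter or from Schneier’s post, and every rate and count in it is an assumed illustrative figure rather than a measurement. It applies Bayes’ rule to two detectors of identical accuracy, one hunting card fraud and one hunting terrorist plots, and shows how the share of alerts that are real collapses as the target becomes rarer.

```python
"""Base-rate arithmetic behind Schneier's point: a detector's usefulness
depends on how rare the thing it hunts is, not only on its accuracy.
Added example, not code from the newsletter or from Schneier's post; every
rate and count below is an assumed illustrative figure, not a measurement."""
from fractions import Fraction


def alert_precision(prevalence, sensitivity, false_positive_rate):
    """P(real | flagged) by Bayes' rule; arguments are probabilities in [0, 1]."""
    true_alerts = prevalence * sensitivity
    false_alerts = (1 - prevalence) * false_positive_rate
    return true_alerts / (true_alerts + false_alerts)


def expected_alerts(events, prevalence, sensitivity, false_positive_rate):
    """(true alerts, false alerts) an analyst would have to chase down."""
    positives = events * prevalence
    return positives * sensitivity, (events - positives) * false_positive_rate


def false_alarms_per_hit(prevalence, sensitivity, false_positive_rate):
    """How many dead-end leads each genuine detection costs."""
    p = alert_precision(prevalence, sensitivity, false_positive_rate)
    return (1 - p) / p


def compare_domains():
    """Same detector quality, two base rates: card fraud versus terrorist plots."""
    sensitivity = Fraction(99, 100)  # assumption: catches 99 % of real cases
    fpr = Fraction(1, 100)           # assumption: flags 1 % of innocent cases
    fraud_rate = Fraction(1, 1000)   # assumption: one bad transaction in a thousand
    plot_rate = Fraction(1, 10**9)   # assumption: one plot-related event in a billion
    return {
        "card fraud": alert_precision(fraud_rate, sensitivity, fpr),
        "terror plots": alert_precision(plot_rate, sensitivity, fpr),
    }


if __name__ == "__main__":
    for domain, precision in compare_domains().items():
        print(f"{domain}: {float(precision):.6%} of alerts are real")
    # Assumed: a trillion events a year, ten of them real, and a "very accurate"
    # detector that misses nothing and wrongly flags one event in a thousand.
    hits, noise = expected_alerts(10**12, Fraction(10, 10**12), 1, Fraction(1, 1000))
    print(f"{hits} real alerts buried in {noise} false ones")
```

With the assumed figures, about nine fraud alerts in a hundred are real, a rate a phone call to the cardholder absorbs comfortably, while roughly one terror alert in ten million is real. Fractions are used so the comparison is exact rather than lost in floating-point rounding at the 10^-9 scale.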
Conversations with a Bot Herder
Blogging in the Washington Post, Brian Krebs recounts a discussion he had recently with a “bot herder” – a hacker who controls a network of infected computers. The article shows just how easy it can be for someone to establish a botnet and use it to launch denial of service attacks or to distribute adware and spyware. “[W]hat blew me away,” writes Krebs, “was how he created the botnet, which is powered by a worm that spreads only through known network security holes in Microsoft Windows and which requires no action on the part of the victim other than the failure to apply security patches and (maybe) use a simple firewall. Had he decided to spread his worm through more conventional means -- via Web links sent in instant messages or as attachments in e-mail -- his botnet could probably have grown to twice its current size.” As it was, the hacker controlled 35,000 computers. “Shadowboxing With a Bot Herder,” http://blog.washingtonpost.com/securityfix/2006/03/post.html
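The propagation Krebs describes, a worm knocking on the same Windows service ports across host after host with no user involved, is visible from the network side even on machines that have not been patched. The following is an added example in Python, not Krebs’s code or any product’s, that reads iptables-style firewall log lines and flags any source that attempts TCP connections to the RPC/NetBIOS/SMB ports on many distinct hosts inside a short window. The port list, the window and threshold, and the sample log lines are all constructed assumptions for the example.

```python
"""Spotting worm-style propagation in firewall logs: one source trying the
same Windows service ports on many different hosts within a short window.
Added example, not Krebs's code or any product's; the port list, thresholds
and the iptables-style sample lines are all constructed assumptions."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumption: the RPC/NetBIOS/SMB ports that patch-gap worms of the period hit.
WINDOWS_SERVICE_PORTS = {135, 139, 445}

LOG_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) .*?"
    r"SRC=(?P<src>[\d.]+) DST=(?P<dst>[\d.]+) .*?PROTO=TCP .*?DPT=(?P<dpt>\d+)"
)


def parse_events(lines):
    """Yield (timestamp, src, dst, dport) for every TCP line the regex understands."""
    for line in lines:
        m = LOG_RE.search(line)
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
            yield ts, m["src"], m["dst"], int(m["dpt"])


def find_scanners(lines, window=timedelta(seconds=60), threshold=20):
    """Return {src: max distinct destinations} for sources that touched the
    Windows service ports on at least `threshold` distinct hosts inside `window`.
    A workstation hammering one file server stays below threshold by design."""
    hits = defaultdict(list)  # src -> [(ts, dst), ...]
    for ts, src, dst, dport in parse_events(lines):
        if dport in WINDOWS_SERVICE_PORTS:
            hits[src].append((ts, dst))
    flagged = {}
    for src, seq in hits.items():
        seq.sort()
        start = 0
        for end in range(len(seq)):
            while seq[end][0] - seq[start][0] > window:  # slide the window forward
                start += 1
            distinct = len({dst for _, dst in seq[start:end + 1]})
            if distinct >= threshold:
                flagged[src] = max(flagged.get(src, 0), distinct)
    return flagged


def constructed_log():
    """Constructed sample: a worm sweep, a normal file-server user and some web traffic."""
    base = datetime(2006, 3, 9, 2, 14, 0)
    fmt = "{ts} kernel: IN=eth0 OUT= SRC={src} DST={dst} PROTO=TCP SPT={spt} DPT={dpt} SYN"

    def line(sec, src, dst, spt, dpt):
        ts = (base + timedelta(seconds=sec)).strftime("%Y-%m-%d %H:%M:%S")
        return fmt.format(ts=ts, src=src, dst=dst, spt=spt, dpt=dpt)

    # 10.0.0.5 sweeps the /24 for SMB, one new host per second: the worm.
    lines = [line(i, "10.0.0.5", f"10.0.0.{10 + i}", 1024 + i, 445) for i in range(25)]
    # 10.0.0.7 talks to the one file server repeatedly: same destination, not a scan.
    lines += [line(i * 2, "10.0.0.7", "10.0.0.2", 2000 + i, 445) for i in range(25)]
    # Ordinary web browsing on port 80 is ignored by the port filter.
    lines += [line(i * 3, "10.0.0.7", "192.0.2.10", 3000 + i, 80) for i in range(5)]
    return lines


if __name__ == "__main__":
    for src, n in find_scanners(constructed_log()).items():
        print(f"{src}: hit Windows service ports on {n} distinct hosts within 60 s")
```

Counting distinct destinations rather than raw connection attempts is what keeps a busy but legitimate client off the list; the threshold and window are tuning knobs, and on a real network they should be set from a baseline of how many SMB peers a normal host contacts per minute.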
Krebs’ blog links to an article he wrote in February for the Washington Post Magazine, in which he explored how hackers use infected computers to steal identities, extort money and send spam. The lengthy article is well worth a read. “Invasion of the Computer Snatchers,” http://www.washingtonpost.com/wp-dyn/content/article/2006/02/14/AR2006021401342.html
Porn Biller Framed?
Yesterday, In the News led with a link to a story about how the records of 17 million customers of an online payment service called iBill were somehow released onto the Internet. In a story in today’s Wired News, iBill maintains that it was framed. It says it cross-checked its database against the 17 million records and found only three in common. “Porn Biller Says It Was Framed,” http://www.wired.com/news/technology/0,70380-0.html?tw=rss.index
Current and past issues of In the News are now available online at this link.
This message is provided by the Privacy and Information Security Taskforce at Warner Norcross & Judd LLP to advise you of recent developments in the law affecting privacy and data security. Because each business situation is different, this information is intended for general information purposes only and is not intended to provide legal advice on any specific facts and circumstances.
Warner Norcross & Judd LLP (www.wnj.com) is a full service law firm with four offices in Michigan. Our Privacy and Information Security Taskforce includes lawyers from across the firm’s practice areas who work together to help businesses ensure the security of their information systems and electronic data and to assist businesses who have experienced a data breach to limit their liabilities and prosecute hackers and data thieves. For information about the Privacy and Information Security Taskforce at Warner Norcross & Judd LLP, e-mail Rodney Martin at email@example.com or write him at Warner Norcross & Judd LLP, Suite 900, 111 Lyon Street NW, Grand Rapids, MI 49503.
"Privacy and Information Security In the News" is a free publication of Warner Norcross & Judd LLP and its Privacy and Information Security Taskforce. You can choose to receive it either daily (usually by 9 a.m. each weekday) or weekly (usually by 9 a.m. on Friday morning). If you would like to receive this publication, please respond to this e-mail and let us know the frequency at which you would like to receive it. If there are others in your organization who should receive "In the News," either include their names and e-mail addresses in your message or forward this message to them so they can respond.
Should you ever wish to stop receiving "In the News," simply click here to send us an email message and we will remove your name from the subscription list. Rest assured that we will not sell your contact information or share it with anyone outside our firm.