September 19, 2005
A note about broken links: In the News links to current stories at various news sources on the Internet. Over time, some of the links may become broken when a source removes the stories from its pages. Often you can find the same story at another source by searching the title or author of the article. If you have questions about a link, send us an e-mail by clicking here.
The Increasing Threat to Personal Computers
Later today, Symantec Corp. will publish a report detailing rapid growth in attacks by hackers, attacks that are increasingly motivated by a desire to steal sensitive personal information. According to today's Wall Street Journal, Symantec documented 10,866 new viruses and worms in the first six months of 2005, up 48% from the previous six months. Symantec found that almost 75% of the top 50 malicious programs acquired confidential information. The company reported that it had blocked 1 billion phishing e-mails in the first six months of 2005, a 90% increase from the previous period. "Huge Numbers of Spammers Hack Away at PCs," http://online.wsj.com/article/0,,SB112709853807444600,00.html?mod=rss_whats_news_technology (Subscription required)
England, "The Zombie Capital of the World"
According to Symantec Corp., the United Kingdom is home to one-third of the world's computers infected by bots, software that allows a computer to be used as an agent of a computer hacker. Worldwide, there are between 1 and 2 million computers that are infected with malicious bots. Computers infected with bots – called "zombies" – are used by spammers and phishers to send out millions of messages and used by attackers who conduct denial-of-service attacks on a web site by flooding it with hits. Symantec says that England is a hotspot for zombies, because broadband access is so widely available and used there. "Zombies take hold of London," http://www.techworld.com/networking/news/index.cfm?NewsID=4422
Increasing Threat of Keyloggers
Keyloggers copy your computer keystrokes and transmit them to a cyberthief. An article in the Sunday Los Angeles Times describes how cybercriminals have begun to automate the process of taking advantage of that information, accessing thousands of accounts simultaneously. The article describes steps banks are taking to protect customer accounts from keylogging.
"Now, Every Keystroke Can Betray You," http://www.latimes.com/business/la-fi-keyloggers18sep18,0,4753197.story?coll=la-story-footer&track=morenews; also available at http://www.sun-sentinel.com/business/la-fi-keyloggers18sep18,0,7130999.story?coll=sfl-yourmoney
Federal Government Continues to Use Social Security Numbers in Face of Risk
While an increasing number of states have adopted laws prohibiting businesses from using a person's social security number as a password, those laws do not apply to the federal government, which routinely prints social security numbers on cards issued to members of the military and to Medicare patients. "U.S. Policy on Medicare Cards Is a Boon for Identity Thieves," http://www.latimes.com/business/la-fi-idtheft17sep17,0,888806.story?coll=la-home-business; see also "Medicare, Defense Cards Boon To ID Theft," http://www.sciencedaily.com/upi/?feed=TopNews&article=UPI-1-20050917-20070200-bc-us-identitytheft.xml
How Safe From Cyberthreats Is Our Critical Infrastructure?
Executives from the electricity, communications, chemical, and oil and gas industries testified before the House Science Committee last week, assuring Members of Congress that their industries had taken steps to protect themselves from cyberthreats. But not all the Members of Congress were convinced. Committee Chair Sherwood Boehlert (R – New York) complained that, "We still pay inadequate attention to cybersecurity research and operations in both the government and private sector."
"Is the U.S. Protecting Crucial Networks?," http://news.yahoo.com/news?tmpl=story&cid=1093&ncid=1093&e=5&u=/pcworld/20050916/tc_pcworld/122574
Advocating for Risk Management Officers
Speaking at the Gartner IT Security Summit in London, England, a Gartner vice president declared that security issues can no longer be left to IT security professionals who have little understanding of business. The Gartner vice president argued that companies should rely upon a risk management officer who understands the complexities of business. "Don't Trust Security To Techies Alone, Gartner Says," http://news.com.com/Dont+trust+security+to+techies+alone%2C+Gartner+says/2100-7350_3-5868906.html
Montana to Issue "Identity Theft Passports"
Beginning October 1, 2005, Montana will issue an identity theft passport to any person who is a victim of identity theft and reports it to state law enforcement officials. According to the Great Falls Tribune, the passport will enable a victim to demonstrate to financial institutions and law enforcement that he or she is recognized by the state as a victim of identity theft. "ID Theft Passport Could Help You Clear Your Name," http://www.greatfallstribune.com/apps/pbcs.dll/article?AID=/20050918/NEWS01/509180310/1002
Indiana Do-Not-Call Law Sustained in Challenge by Nonprofits
A federal judge in Indiana upheld the state's do-not-call statute in the face of a challenge by nonprofit organizations claiming the statute violated their right to free speech. At issue was a provision of the act that exempted nonprofit organizations when making fundraising calls, but only if they used their own employees or volunteers to make those calls. Several nonprofits that rely upon professional telemarketers challenged this requirement. The judge concluded that the state's justification that the "sheer volume of this category of calls unreasonably and objectionably intrudes on the residential privacy of individuals who have given notice that they desire not to be so disturbed" was content neutral and therefore did not violate the Constitution. "Federal Judge Upholds State's 'No Call' Law," http://www.indystar.com/apps/pbcs.dll/article?AID=/20050916/NEWS01/509160538
News From Campus
Miami University has notified all 21,762 students who attended the school in the fall of 2002 that sensitive information about them, including social security numbers, was contained in a file that was available through the university's web site. The existence of the file came to light when an alumna of the school put her name in a search engine and up popped the file.
Press Release: "Miami Notifying Students, Alumni Of Privacy Breach," http://newsinfo.muohio.edu/news_display.cfm?mu_un_id=55150256.
See article at http://news.yahoo.com/news?tmpl=story&u=/wlwt/20050916/lo_wlwt/2938433
September 20, 2005
Stolen Backup Tape Had Patient and Employee Information
The Children's Health Council in Palo Alto, California, has begun notifying people that it lost a backup tape that had sensitive information on thousands of patients and hundreds of employees. The tape included social security numbers of between 5,000 and 6,000 patients, along with psychiatric and health records. Payroll information of past and present employees and credit card information belonging to parents of patients were also on the tape. The backup tape was stolen from a locked room to which 15 to 20 employees had access. There was no sign of forced entry. "Children's Health Council Data Stolen," http://www.mercurynews.com/mld/mercurynews/news/local/states/california/the_valley/12682559.htm
Using Cameras to Find Toll Cheats
It is said that Europeans and Americans have opposite concerns when it comes to privacy. Europeans seem relatively unconcerned that their government collects information on them, but have adopted strict laws limiting the ability of businesses to do so. Americans, on the other hand, fear information in the hands of government but are relatively unconcerned (though this may be changing) when businesses collect data. With that in mind, how do you think Americans would respond to the following proposal? According to The Times of London, the British government is considering a "pay-as-you-drive program." The government originally proposed to track the movement of vehicles by means of satellite tracking devices in each vehicle. According to The Times, the Department of Transport has acknowledged that "a sizeable minority" of people had "strongly held beliefs on the subject." Enter some clever professors at Cambridge University. They propose that 10 percent of all vehicles be equipped with special computers and cameras that would gather license plate numbers from other cars on the road, compare those license plates against a computerized list of drivers who have paid tolls, and transmit a photograph to the government of any car whose driver had failed to pay. "Camera spies in million cars to trap toll cheats," http://www.timesonline.co.uk/article/0,,2-1787001,00.html.
Survey Says Customers Would Hold Bank Accountable for Data Breach
EDS has issued the results of a survey of 1,424 people regarding information sharing by financial institutions and the potential for a data breach. Ninety-three percent of those surveyed said they were very or somewhat confident that their banks would be able to protect their confidential information. But woe is the bank that suffers a data breach. Thirty percent of the respondents said they would close all their accounts at a bank that suffered a data breach and another ten percent said they would close some of their accounts. It would be interesting to see whether, in fact, banks that have suffered data breaches this year have experienced such massive defections.
"Consumers Insist Financial Institutions Remain Vigilant in Protecting Their Privacy: EDS Survey," http://www.prnewswire.com/cgi-bin/stories.pl?ACCT=104&STORY=/www/story/09-19-2005/0004110135&EDATE
Report Foresees Growth of Hacking of Internet Calls
It should not surprise us that hackers are beginning to focus on Voice over IP systems ("VoIP"), which are becoming increasingly popular as an alternative to ordinary cell or landline phones. The BBC says a report predicts that within 18 months VoIP will become a significant target of hackers. "Hackers Target Net Call Systems," http://news.bbc.co.uk/1/hi/technology/4259554.stm
Criminals Stalemate Credit Card Companies
Reuters reports that security experts at a VISA and MasterCard conference say the credit card industry is at a stalemate with organized criminals, who are supported by former KGB agents. "We build a 10-foot wall," Reuters quotes an expert as saying, "and the bad guys build an 11-foot ladder." "Online Fraud 'Ahead' Of Credit-Card Companies-Experts," http://today.reuters.com/news/newsarticle.aspx?type=technologyNews&summit=&storyid=2005-09-19T235240Z_01_FLE985868_RTRIDST_0_TECH-FINANCIAL-CREDITCARD-FRAUD-DC.XML
More on the Symantec Security Study
Yesterday's In The News discussed survey results that were to be released yesterday by Symantec. Symantec's press release can be found at: "Symantec Internet Security Threat Report Identifies Shift toward Focused Attacks on Desktops; Threats Increasingly Motivated by Profit and Desire to Perpetrate Criminal Acts," http://home.businesswire.com/portal/site/google/index.jsp?ndmViewId=news_view&newsId=20050918005019&newsLang=en
MacWorld reports that Symantec has found evidence that hackers are increasingly hacking Macs and that Mac users have a "false sense of security." The article also says that Firefox users too should be concerned about security threats, since, over the past six months, researchers have found nearly twice as many vulnerabilities in Firefox as in Internet Explorer. "Symantec: Mac Users Deluding Themselves Over Security," http://www.macworld.com/news/2005/09/19/security/index.php.
September 21, 2005
UK Grocer Amasses Database on Every UK Consumer
Tesco is the United Kingdom's leading grocer, holding one third of the market. Tesco is also an information company. According to the Guardian Unlimited, Tesco has amassed a database containing information on every consumer in the UK. Tesco obtains much of the information through its Clubcard. To this, Tesco adds information it gleans from other data aggregators, from the Internet, and from government. According to the Guardian Unlimited, Tesco's data reveals how an individual "thinks, works, and more importantly shops." Tesco classifies consumers in ten different categories. "Tesco stocks up on inside knowledge of shoppers' lives," http://money.guardian.co.uk/news_/story/0,1456,1573990,00.html.
In the UK, unlike in the United States, citizens can get access to information about them in a business database by filing a request under the UK's Data Protection Act. See "Data Protection - Frequently Asked Questions," http://www.dca.gov.uk/ccpd/faqdp.htm#1a.
Potential Conflict Over Release of Canadian Data Housed in the US
CA Magazine has an excellent article on the conflict between Canada's Personal Information Protection and Electronic Documents Act ("PIPEDA") and the USA PATRIOT Act. PIPEDA requires organizations to obtain a consumer's consent before gathering, using or disclosing personal information. But Canadian companies that maintain data on systems in the United States are also subject to the Patriot Act, which permits the FBI to obtain a secret order requiring access to such data. The article discusses the conflict between Canadian privacy laws and the Patriot Act. "Privacy Versus Patriots," http://www.camagazine.com/index.cfm/ci_id/27809/la_id/1.htm.
MasterCard to Put RFID Chip in Debit Cards
MasterCard has announced that it will begin issuing debit cards with radio frequency ID ("RFID") chips so that a cardholder can wave her card past a card reader rather than handing the card to a sales clerk. The card, which MasterCard calls "PayPass," will be accepted at numerous merchants, including McDonald's, 7-Eleven, CVS, Ritz Camera, United Artists Theatres, and Meijer Stores, among others. Public announcements do not address how MasterCard intends to protect the cards from being read by unauthorized readers. "MasterCard Says Millions No-Touch Cards To Be Issued," http://today.reuters.com/news/newsArticleSearch.aspx?storyID=176381+19-Sep-2005+RTRS&srch=mastercard.
Verizon Settles with Seller of Phone Records
Verizon Wireless has entered a settlement agreement with a Tennessee company that Verizon alleged was selling cell phone records over the Internet. According to The Washington Post, companies that sell cell phone records often obtain them under false pretenses and sell them for fees starting under $100. "Verizon Wireless, Records Vendor Settle," http://www.washingtonpost.com/wp-dyn/content/article/2005/09/19/AR2005091901693.html.
September 22, 2005
Injunction Stayed in Connecticut Library Case
Last week we linked you to an article about a federal judge in Connecticut who had granted a preliminary injunction against the government preventing it from barring a library from publicizing the fact that the government had sought access to library records. (In the News, 9-13-2005.) The New York Times reports that the Second Circuit Court of Appeals has stayed that injunction until the court can hold a hearing. The court has required the parties to submit briefs by October 10, 2005. "Librarians Must Stay Silent in Patriot Act Suit, Court Says," http://www.nytimes.com/2005/09/21/nyregion/21library.html.
Federal Law Held to Ban Cell Phone Spam
Wired News reports that the Arizona Court of Appeals has concluded that the federal Telephone Consumer Protection Act, which prohibits the use of auto dialers to call cell phones, applies as well to sending unsolicited text messages to cell phones. The Court rejected the defendant's claim that a ban would violate its First Amendment right to free commercial speech. "Cell-Phone Spam Is Now a Crime," http://www.wired.com/news/business/0,1367,68932,00.html?tw=rss.TOP
Low-Tech Crime Nets $7 Million and 14 Years in Prison
A baggage handler at the Baltimore-Washington International Airport was sentenced to spend 14 years in jail for his part in an identity theft ring. He stole mail containing checks and credit cards passing through the airport and sent it to criminals in New York City who, in turn, used the stolen items to draw cash from the accounts of unsuspecting consumers. The scheme is estimated to have netted $7 million. "BWI Baggage Handler Gets 14 Years for Mail Theft Scheme," http://www.airportbusiness.com/article/article.jsp?id=3591&siteSection=5
Audio: Hacking for Profit on the Rise
NPR's Morning Edition ran a story yesterday regarding the increasing use of computer attacks to make money. The story discusses the use of botnets in phishing schemes and in efforts to pump up revenues from pay-per-click arrangements. It is a nice summary of a number of the trends mentioned in In the News over the past several weeks. "Transition Seen from Hacker Posturing to Criminality," http://www.npr.org/templates/story/story.php?storyId=4857144&ft=1&f=1019
September 23, 2005
Credit Reporting Agencies to Require Data to Be Encrypted
The three leading credit reporting agencies in the United States have agreed to require persons who submit data on consumers to do so in an encrypted form. The companies will develop a shared encryption method that would have to be adopted by banks, retailers, and other companies that submit data. "Credit Cos To Adopt One Data Protection Standard," http://today.reuters.com/business/newsArticle.aspx?type=ousiv&storyID=2005-09-22T212403Z_01_FLE276920_RTRIDST_0_BUSINESSPRO-FINANCIAL-CREDIT-FRAUD-DC.XML; "Credit Bureaus to Require Data Encryption," http://www.americanbanker.com/article.html?id=20050922G68MK9KN&from=technology
Action Stalled on Federal Privacy Bill
The Senate Judiciary Committee yesterday voted on the nomination of John Roberts to be Chief Justice but did not find time to vote on the Personal Data Privacy and Security Act, a bipartisan bill sponsored by Committee Chairman Arlen Specter and Ranking Member Patrick Leahy. The bill would require the disclosure of data breaches and increase the penalty for computer fraud that involves personal data. It also would give consumers access to certain public records and limit the sale and display of social security numbers. When passed, as expected, the bill will join several others still receiving consideration by the House and Senate. "Roberts Vote Could Stall Data Privacy Law," http://www.internetnews.com/security/article.php/3550676
New Jersey Has Credit Report Freeze Law
New Jersey's governor yesterday signed into law a bill enabling a consumer to put a freeze on his or her credit report, thereby blocking access to the report without the consumer's express authorization. "U.S. State Attacks ID Theft As Congress Squabbles," http://today.reuters.com/news/newsArticleSearch.aspx?storyID=250492+22-Sep-2005+RTRS&srch=credit+report
Hearing to Be Held Today Regarding Breach Notification Statute
A hearing is being held today in California to determine whether VISA and MasterCard are required to notify 264,000 California customers that their credit card information was stolen in connection with the data breach at CardSystems, disclosed earlier this year. "Credit Card Court Battle Tests Laws," http://hosted.ap.org/dynamic/stories/C/CREDIT_CARDS_BREACH?SITE=CATOR&SECTION=HOME&TEMPLATE=DEFAULT
This message is provided by the Privacy and Information Security Task Force at Warner Norcross & Judd LLP to advise you of recent developments in the law affecting privacy and data security. Because each business situation is different, this information is intended for general information purposes only and is not intended to provide legal advice on any specific facts and circumstances.
Warner Norcross & Judd LLP (www.wnj.com) is a full-service law firm with four offices in Michigan. Our Privacy and Information Security Task Force includes lawyers from across the firm's practice areas who work together to help businesses ensure the security of their information systems and electronic data and to assist businesses that have experienced a data breach to limit their liabilities and prosecute hackers and data thieves. For information about the Privacy and Information Security Task Force at Warner Norcross & Judd LLP, e-mail Rodney Martin at email@example.com or write him at Warner Norcross & Judd LLP, 111 Lyon Street NW, Grand Rapids, MI 49506.
"Privacy and Information Security In The News" is a free publication of Warner Norcross & Judd LLP and its Privacy and Information Security Task Force. You can choose to receive it either daily (usually by 9 a.m. each weekday) or weekly (usually by 9 a.m. on Friday morning). If you would like to receive this publication, please respond to this e-mail and let us know the frequency at which you would like to receive it. If there are others in your organization who should receive "In the News," either include their names and e-mail addresses in your message or forward this message to them so they can respond.