privacy
DESCRIPTION
TRANSCRIPT
Privacy & Security News BriefJune 15-June 21, 2008
Vol. 1, No. 35
TABLE OF CONTENTSBIOMETRICS................................................................................................................................................................4
You’ll never be me, with Israel’s ID-U cyber identification__________________________________________4Boffins develop ‘gate recognition’ biometrics____________________________________________________4
DATA BREACH............................................................................................................................................................4Virgin Media loses CD containing customer bank details____________________________________________4Sensitive information found on state surplus computers_____________________________________________4Citibank Hack Blamed for Alleged ATM Crime Spree______________________________________________4Personal Details of Thousands of Patients Stolen From Hospital in New Security Blunder_________________5Patient’s records on stolen laptop______________________________________________________________5Finjan Finds Health and Business Data Being Auctioned Online______________________________________5UK government admits data breach_____________________________________________________________5List of Affected Customers Growing After Reports of Fraudulent Withdrawals__________________________5Data-Breach Study Released__________________________________________________________________5 2008 Data Breach Investigations Report___________________________________________________5SSNs Posted on State Web Sites_______________________________________________________________6Athens, UGA report spike in laptop computer thefts_______________________________________________6Unencrypted AT&T laptop stolen, details of managers' pay lost______________________________________6
E-COMMERCE.............................................................................................................................................................6
EDITORIALS & OPINION..........................................................................................................................................6Rigid federal mandates hinder privacy technologies________________________________________________6
EDUCATION.................................................................................................................................................................6Identity Management Streamlined at University of Texas Campuses___________________________________6
EMPLOYEE...................................................................................................................................................................7One in three IT staff snoops on colleagues_______________________________________________________7Top 5 mistakes of privacy awareness programs___________________________________________________7
GOVERNMENT – U.S. FEDERAL..............................................................................................................................7House leaders plan hearing on Google-Yahoo deal_________________________________________________7Feds need better privacy protection for data______________________________________________________7
GOVERNMENT – U.S. STATES..................................................................................................................................7CALIFORNIA_____________________________________________________________________________7California pols ask ISPs to block child porn______________________________________________________7LOUISIANA______________________________________________________________________________8Louisiana Gov. Jindal Joins HHS Secretary to Announce Electronic Health Record Demo_________________8WISCONSIN______________________________________________________________________________8Area authorities hamstrung by HIPAA regulations_________________________________________________8Local Police Share Secure Wireless Network in Wisconsin__________________________________________8
HEALTH & MEDICAL.................................................................................................................................................8
HIPAA Privacy Rule Impedes Biomedical Research_______________________________________________8Google Health Brings First Insurer Aboard_______________________________________________________8Health IT office awards contract to fight medical identity theft_______________________________________9
IDENTITY THEFT.......................................................................................................................................................9G8 nations talk ID crime at annual summit_______________________________________________________9
INTERNATIONAL........................................................................................................................................................9
AFRICA.....................................................................................................................................................................9
ASIA/PACIFIC.........................................................................................................................................................9AUSTRALIA______________________________________________________________________________9Education database raises privacy fears__________________________________________________________9
EUROPE....................................................................................................................................................................9EU______________________________________________________________________________________9EU endorses new border security rules__________________________________________________________9ITALY__________________________________________________________________________________10Italian Privacy Advocates and Jurists Launch New Privacy Institute__________________________________10SWEDEN________________________________________________________________________________10Swedish law allows tapping of emails and phone_________________________________________________10UK_____________________________________________________________________________________10FSA fines stockbroking firm £77,000 for weak data security________________________________________10Privacy watchdog concerned over surge in identity fraud___________________________________________10
MIDDLE EAST.......................................................................................................................................................10
NORTH AMERICA...............................................................................................................................................10CANADA_______________________________________________________________________________10Yukon government dismisses ombudsman’s concerns on child act___________________________________10Manitobans in class-action suit over missing laptop_______________________________________________11
SOUTH AMERICA................................................................................................................................................11
LEGISLATION – FEDERAL.....................................................................................................................................11House passes new surveillance law____________________________________________________________11 FISA deal worries privacy groups_______________________________________________________11
LEGISLATION – STATE...........................................................................................................................................11CALIFORNIA____________________________________________________________________________11Bill that would allow drugstores to share customer records killed____________________________________11
LITIGATION & ENFORCEMENT ACTIONS.........................................................................................................11Petroleum Wholesale cited for improperly dumping records________________________________________11Court Rules Employee Text Messages Are Private________________________________________________12TD Ameritrade close to settling data theft lawsuit________________________________________________12State worker cleared on child porn charges that were due to malware_________________________________12Local Man Sentenced For Deleting Medical Records______________________________________________12Network Engineer Gets Five Years For Destroying Former Employer's Data___________________________12
MOBILE/WIRELESS..................................................................................................................................................13Court Rules Employee Text Messages Are Private________________________________________________13Mobile warriors leaking company secrets_______________________________________________________13
ODDS & ENDS............................................................................................................................................................139 things you should know about your privacy and rights in the digital age_____________________________13Federal judge a victim of privacy breach or poor judgment?________________________________________13Hacker takes extradition fight to Lords_________________________________________________________13
ONLINE.......................................................................................................................................................................14Ask.com caves to Google’s privacy pressures____________________________________________________14
2
Tech Watchdogs, Web Ad Firm Trade Blows____________________________________________________14Facebook on the decline as ‘virus’ apps take hold________________________________________________14Firefox dumps privacy button________________________________________________________________14
RFID.............................................................................................................................................................................14U.S. School District to Begin Microchipping Students_____________________________________________14
SECURITY...................................................................................................................................................................15Instant Worm Creation Software Hits The Web__________________________________________________15Apple does about-face, fixes Safari’s ‘carpet bomb’ bug___________________________________________15eBay IT exec warns of application layer attacks__________________________________________________15New defenses for automated SQL injection attacks_______________________________________________15Be cautious about letting new iPhones into your company__________________________________________15Data Breaches Made Possible By Incompetence, Carelessness______________________________________16The new weakest links______________________________________________________________________16
SEMINARS..................................................................................................................................................................17
PAPERS.......................................................................................................................................................................172008 Data Breach Investigations Report________________________________________________________17Privacy: Alternatives Exist for Enhancing Protection of Personally Identifiable Information_______________17Privacy: Congress Should Consider Alternatives for Strengthening Protection of Personally Identifiable Information______________________________________________________________________________17Privacy: Agencies Should Ensure That Designated Senior Officials Have Oversight of Key Functions_______17Evolving Data Security: What Progressive Organizations Are Doing Now_____________________________17
3
ARTICLE SUMMARIES AND LINKS
BIOMETRICSYou’ll never be me, with Israel’s ID-U cyber identificationIsraeli company ID-U Biometrics has created a supposedly full-proof identification system for online security. The system identifies a person based on the unique journey a person’s eyes take when they watch a moving object. Each person’s eyes exhibit their own characteristics when moving. Unlike fingerprints, voice ID or retinal scanning, this eye movement cannot be copied by another person. ID-U is hoping PayPal and eBay will use the system to make online consumer transactions safer.http://www.israel21c.org/bin/en.jsp?enDispWho=Articles%5El2158&enPage=BlankPage&enDisplay=view&enDispWhat=object&enVersion=0&enZone=Technology(Israel 21c – 6/18/08)
Boffins develop ‘gate recognition’ biometricsResearchers in India claim to be developing a system to identify individuals based on the way they walk. According to the researchers, when viewed from the side, every person has a unique gait that is “easily recognizable.” After a camera records a person’s walk, the recording can be converted into a silhouette and analyzed with height measurements and the periodicity of the gait. The method is unobtrusive and can even be used to identify a person from a distance.http://www.vnunet.com/vnunet/news/2218652/boffins-develop-gait(vnunet.com – 6/10/08)
DATA BREACHVirgin Media loses CD containing customer bank detailsA CD containing unencrypted bank account information, names, and addresses of 3,000 UK Virgin Media customers has been lost. The breach affects those customers that signed up for Virgin Media services at Carphone Warehouse stores this year. It is not known why the information was burned to a CD, as the company has a policy of secure FTP transfers.http://www.finextra.com/fullstory.asp?id=18619(finextra.com – 6/20/08)
Sensitive information found on state surplus computersThe Kansas Legislative Division of Post Audit has released a report revealing that several state agencies failed to remove sensitive data from machines made available for a public sale. The Adjutant General’s office, the Department of Administration, the Kansas Health Policy Authority, and the Kansas Sentencing Commission all made machines available for sale that contained confidential or sensitive information that could be recovered. Although the audit found the machines before they were made available to the public, the audit raises concerns about other machines that may have been sold, still containing sensitive information. A spokesman for the Department of Administration said that the state has not received any reports of identity theft resulting from the sale of state computers.http://www.saljournal.com/rdnews/story/HNS-computer-audit-6-18-08(Salina Journal – 6/20/08)
Citibank Hack Blamed for Alleged ATM Crime SpreeTwo Brooklyn men were able to make fraudulent ATM withdraws totaling $750,000 in cash after hacking into a Citibank server. These crimes are the first to be linked to a breach of a major U.S. bank’s systems. Ordinarily, ATM pin numbers are obtained by phishing, “shoulder surfing,” and fake PIN pads attached to gas station pay-at-the-pump terminals. The accused apparently obtained the stolen information from internet carding websites and then made ATM cards to use in their fraudulent withdraws.http://blog.wired.com/27bstroke6/2008/06/citibank-atm-se.html(Wired.com – 6/18/08)
4
Personal Details of Thousands of Patients Stolen From Hospital in New Security BlunderSix laptops storing the personal information of 20,000 patients were stolen from filing cabinets at St. George’s Hospital in South West London earlier this month. The data included patient names, postcodes, hospital numbers, and dates of birth. The information can be accessed if passwords are cracked. This data breach is the fourth for the hospital in the past year; more than 100 computers have been stolen from London hospitals in the last year.http://www.thisislondon.co.uk/news/article-23496327-details/Personal+details+of+thousands+of+patients+stolen+from+hospital+in+new+security+blunder/article.do(This is London – 6/18/08)
Patient’s records on stolen laptopA laptop containing the personal information of 11,000 patients was stolen from a UK doctor’s home. The information includes patients’ names, dates of birth, addresses, contact information, and confidential medical records. The information was not encrypted, contrary to Department of Health guidelines which require any confidential patient information to be encrypted when stored on portable devices.http://ukpress.google.com/article/ALeqM5g8iNPMcsfjtLDvAlPdRONHQBsB1Q(The Press Association – 6/18/08)
Finjan Finds Health and Business Data Being Auctioned OnlineSecurity firm Finjan has found more than 500 megabytes of health- and business-related data and Social Security numbers being auctioned on crimeware servers in Argentina and Malaysia. As more and more stolen data floods the market, cybercriminals have seen the prices of data drop dramatically. To counter this trend, criminals now steal premium data, encrypt the data, and control the sale to the highest bidder. The data found included log-in credentials for a well-known U.S. hospital and U.S. air carrier, Outlook account information, and SSNs.http://www.informationweek.com/news/security/attacks/showArticle.jhtml?articleID=208403968(InformationWeek – 6/18/08)
UK government admits data breachA computer containing “restricted” information was stolen from the office of a British cabinet minister. Although the computer contained no secret or top secret information, the way that the information was sent to the cabinet minister broke information security guidelines. This breach occurred just one week after an intelligence official left a file with top secret documents about al Qaeda and Iraq on a commuter train.http://www.ireland.com/newspaper/breaking/2008/0617/breaking106.htm(The Irish Times – 6/17/08)
List of Affected Customers Growing After Reports of Fraudulent WithdrawalsPolice in South Bend, Indiana are reporting account breaches from at least ten different banks and credit unions. Customers noticed money missing from their accounts in sums ranging from a few hundred dollars to several thousand. Most of the money was withdrawn from ATMs in Nigeria, Russia, Ukraine or Spain. Police are not sure how the data breach occurred, but Leo Ditchcreek, President and CEO of the Notre Dame Federal Credit Union, believes the problem stems from a data breach at South Bend-based First Source Bank in May. It appears that the breach affected not only First Source customers, but anyone who used a First Source ATM as well.http://www.wsbt.com/news/local/20146509.html(WSBT TV – 6/17/08)
Data-Breach Study ReleasedNearly nine in 10 data breaches could have been prevented had reasonable security measures been in place, according to a comprehensive report issued today by Verizon Business. The study also provides key recommendations to help organizations protect themselves and urges them to be proactive.http://www.govtech.com/gt/articles/372091?utm_source=newsletter&utm_medium=email&utm_campaign=DC_2008_6_17(Government Technology – 6/16/08)Also see:
5
2008 Data Breach Investigations Reporthttp://www.verizonbusiness.com/resources/security/databreachreport.pdf (Verizon)
SSNs Posted on State Web SitesThe Connecticut Department of Administrative Services posted the Social Security numbers of individual contractors on a state Web site for more than three years. An audit also uncovered that Social Security numbers of prospective nursing employees were available on an agency Web site for 19 months.http://www.hartfordbusiness.com/news5756.html(Hartford Business – 6/16/08)
Athens, UGA report spike in laptop computer theftsSo many laptops are disappearing from campus that University of Georgia police issued an e-mail asking computer users to keep closer track of their machines. Last month alone, when few students were on campus, UGA police took theft reports on 11 laptops and smaller computers. Ten of those were owned by UGA, but earlier this year, many of the stolen computers belonged to UGA workers and students, said UGA Police Chief Jimmy Williamson. http://chronicle.augusta.com/stories/latest/lat_061108_laptops.shtml(Augusta Chronicle – 6/11/08)
Unencrypted AT&T laptop stolen, details of managers' pay lostTelecoms carrier AT&T has admitted that it failed to encrypt a laptop that was stolen, which carrying the details of managers' salaries and other staff details. The laptop was stolen from an employee's car last month, and the firm is now planning to strengthen its laptop security procedures following the theft. Along with executive salary and bonus details - which could prove embarrassing if posted on the web - the laptop contained Social Security numbers and other personal details which would be useful to identity thieves.http://www.computerweekly.com/Articles/2008/06/10/231006/unencrypted-att-laptop-stolen-details-of-managers-pay.htm(ComputerWeekly – 6/10/08)
E-COMMERCE
EDITORIALS & OPINIONRigid federal mandates hinder privacy technologiesToo much regulation of online businesses and advertisers could impair e-commerce. While the government and some consumers are concerned with the collection and use of personal information by advertisers, some believe that a person’s greatest privacy concern should be government collection of personal information—not a businesses collecting information on what a consumer tends to buy. Rather than creating rigid regulations, the government should allow businesses to tailor privacy policies to respond to consumer preferences.http://www.mercurynews.com/opinion/ci_9593341(The Mercury News – 6/15/08)
EDUCATIONIdentity Management Streamlined at University of Texas CampusesThe University of Texas has developed the Identity Management Federation allowing participants at the university’s 16 institutions use local credentials for secure access to remote resources. Before the system was developed, a user at one location that wanted access to another locations’ system would have to go through a complicated process to gain credentials before access could be granted. The new system allows for collaboration and better safeguards IT systems.http://www.govtech.com/tt/articles/282215(Government Technology – 6/17/08)
6
EMPLOYEEOne in three IT staff snoops on colleaguesIn a survey of 300 senior IT professionals, one-third admitted to secretly snooping on confidential data such as colleagues’ salary details, personal e-mails or board minutes. 47% of those surveyed said they had accessed information that was not relevant to their role. The survey also found that privileged passwords were changed far less frequently than user passwords—30% are changed every quarter, while 9% are never changed at all.http://www.msnbc.msn.com/id/25263009/(MSNBC – 6/19/08)
Top 5 mistakes of privacy awareness programsA list of the top five mistakes corporations make with their programs to regularly inform employees of measures taken to protect information. Those tope five mistakes are: 1.) Doing separate training for privacy, security, records management, and code of ethics. 2.) Equating “campaign” with “program.” 3.) Equating “awareness” with “training.” 4.) Using one or two communications channels. 5.) No measurement.http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9094458(Computerworld – 6/6/08)
GOVERNMENT – U.S. FEDERALHouse leaders plan hearing on Google-Yahoo dealHouse leaders are planning to hold hearings on the competition and privacy concerns arising out of a search advertising deal announced last week between Google and Yahoo. U.S. Representatives Bobby Rush and Ed Whitfield had intended to hold hearings on the privacy and competition issues raised by online advertising before the Yahoo/Google deal was announced. http://computerworld.com/action/article.do?command=viewArticleBasic&taxonomyName=privacy&articleId=9101098&taxonomyId=84(Computerworld – 6/19/08)
Feds need better privacy protection for dataIn a new report, the GAO recommends the creation of new laws to safeguard people’s personal information. Although the government collects, shares, and stores personal information as part of its efforts to fight terrorism, there are not adequate protections in place to safeguard this information. Laws such as the 1974 Privacy Act simply were not written to cover the increasingly sophisticated ways the government gathers data. The GAO suggests that the Privacy Act should be updated to reflect changing times.http://www.usatoday.com/news/washington/2008-06-17-privacy_N.htm(USA Today – 6/18/08)
GOVERNMENT – U.S. STATESCALIFORNIACalifornia pols ask ISPs to block child pornCalifornia’s governor and attorney general issued a press release asking Internet service providers in California to “remov[e] child pornography from existing servers and blocking channels” that disseminate the illegal material. Governor Arnold Schwarzenegger and Attorney General Edmund G. Brown, Jr. are asking ISPs in California to take steps similar to those announced by Verizon, Time Warner, and Sprint in an agreement with New York Attorney General Andrew Cuomo. Some worry that actions taken to block illegal material will hamper the free speech rights of those discussing and distributing legal content. Verizon, Time Warner, and Sprint have all said that they will not block any site, but instead will purge or erase any material cached in their servers.http://news.cnet.com/8301-10784_3-9973966-7.html(CNet – 6/20/08)
7
LOUISIANALouisiana Gov. Jindal Joins HHS Secretary to Announce Electronic Health Record DemoLouisiana Governor Bobby Jindal announced that the state has been chosen to participate in a national Medicare demonstration project which will provide incentives to physicians that use certified electronic health records to improve the quality of patient care. The project is expected to improve the quality of care for 3.6 million Americans. More than $18 million has been invested in Louisiana to help physicians and rural hospitals implement electronic health records. These records are said to allow for better privacy and security of health information and will result in fewer medical errors. The award by the Department of Health and Human Services will allow for the implementation of electronic records in 100 physician practices in Louisiana.http://www.govtech.com/gt/articles/371582?utm_source=newsletter&utm_medium=email&utm_campaign=DC_2008_6_17(Government Technology – 6/12/08)
WISCONSINArea authorities hamstrung by HIPAA regulationsTwo criminal cases in Wisconsin highlight frustrations faced by law enforcement officers attempting to get information on the release of suspects who are hospitalized. The federal Health Insurance Portability and Accountability Act and Wisconsin state laws, which in some ways are more stringent than HIPAA, make it difficult for hospitals to determine what information can be released to law enforcement officers. Ambiguity exists about whether Wisconsin law and HIPAA allow hospitals to orally tell police a patient’s release date. Some information can be released under HIPAA, but only when officers can show that the information is “relevant and material” to an investigation. While these ambiguities are frustrating, the need to get information about an uncharged suspect does not arise very often, and often, police simply request that suspects and victims sign a medical release during their first interview.http://www.greenbaypressgazette.com/apps/pbcs.dll/article?AID=/20080615/GPG0101/806150679/1978/GPGnews(Green Bay Press Gazette – 6/15/08)
Local Police Share Secure Wireless Network in WisconsinMiddleton, Fitchburg, and Sun Prairie Wisconsin, three similarly-sized towns on the outskirts of Madison, share an encrypted wireless network that links their police departments. The Multijurisdictional Public Safety Information System task force was formed four years ago to fix the departments’ records management systems. Since its formation, the task force has provided new high-tech equipment and cost savings to the police departments.http://www.govtech.com/gt/articles/366276?id=&story_pg=3(Government Technology – 6/9/08)
HEALTH & MEDICALHIPAA Privacy Rule Impedes Biomedical ResearchThe Association of Academic Health Centers (AAHC) has released a report saying that the privacy rule of HIPAA is having a negative impact on the advancement of biomedical research and the search for treatments that benefit society. The rule has created confusion for patients, misinterpretation by research participants, barriers to patient recruitment, and burdensome administrative procedures all of which increase research costs. The AAHC makes recommendations in its report for revision of the rule to improve biomedical research. http://www.earthtimes.org/articles/show/hipaa-privacy-rule-impedes-biomedical-research,434443.shtml(Earth Times – 6/16/08)
Google Health Brings First Insurer AboardBlue Cross Blue Shield of Massachusetts has announced that it will be the first health insurer to participate in Google Health. The free electronic service will be available to the insurer’s three million members sometime this fall. Users will be able to load their own medical data and create a profile, to search for information on health conditions or to ask for a second opinion on their diagnosis. Privacy watchdogs worry that Google Health will give the search engine even more power to collect and store users’ personal information.
8
http://www.efluxmedia.com/news_Google_Health_Brings_First_Insurer_Aboard_19013.html(eFluxMedia – 6/15/08)
Health IT office awards contract to fight medical identity theftThe Department of Health and Human Services has awarded a $450,000 contract to Booz Allen Hamilton to evaluate the scope of medical identity theft in the United States. The office of the national coordinator for health information technology at HHS is currently overseeing the development of a national system to provide most Americans with electronic health records by 2014. Booz Allen will examine how information technology can be used to prevent medical identity theft.http://www.nextgov.com/nextgov/ng_20080612_5663.php(nextgov – 6/12/08)
IDENTITY THEFTG8 nations talk ID crime at annual summitRepresentatives of the Group of Eight nations discussed identification crimes for the first time at the group’s annual summit. Identity crimes were chosen as a key theme of the summit because although there is widespread acknowledgement of the seriousness of the problem, the level of understanding among G8 ministers and countries is very different. With a better understanding of the issues involved, the G8 hopes to begin assessing what needs to be done about the problem.http://www.infoworld.com/article/08/06/12/G8_nations_talk_IDcrime_at_annual_summit_1.html(InfoWorld – 6/12/08)
INTERNATIONAL
AFRICA
ASIA/PACIFICAUSTRALIAEducation database raises privacy fearsA new intranet database called OneSchool will contain the photographs, personal details, career aspirations, off-campus activities, and performance records of Queensland, Australia school students. The database will be available only to school principles and an individual student’s teacher. Many parents and privacy groups, however, are concerned that the new database will put school students at risk of privacy breaches. Education Minister Rod Welford has said that previous paper records have not been as secure as the new database will be. Welford also stated that without the database, it will be more difficult for teachers to provide students with efficient service. He did, however, concede that it would be possible to keep a separate paper record for those who wanted to be excluded from the database.http://news.smh.com.au/national/education-database-raises-privacy-fears-20080616-2r6y.html(The Sydney Morning Herald – 6/16/08)
EUROPEEUEU endorses new border security rulesEU leaders have issued a declaration ordering their governments to draft tougher border security legislation. The measures would include fingerprinting and screening all foreign visitors and using a satellite system to keep out illegal immigrants. If all EU nations approve the measures, it would be one of the largest security overhauls in the European Union. While the measures, along with other new laws on returning illegal immigrants, have drawn some criticism, many see the laws as a way of using modern technology to improve security. http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9094458
9
(AP – 6/20/08)
ITALYItalian Privacy Advocates and Jurists Launch New Privacy InstituteThe Italian Institute for Privacy has been launched by a group of Italian privacy advocates. The public policy think tank will be focused on the protection of personal privacy online for citizens in Italy and throughout the European Union.http://www.itnews.it/news/2008/0619080201933/italian-privacy-advocates-and-jurists-launch-new-privacy-institute.html(IT news – 6/19/08)
SWEDENSwedish law allows tapping of emails and phoneSweden has passed a bill that will allow officials to access all telephone and e-mail traffic in the nation. Google and Swedish telecommunications company TeliaSonera AB have called the measure “the most far-reaching eavesdropping plan in Europe.” Supporters of the bill say that it is necessary to protect the country from terrorist attacks. The new bill allows the National Defence Radio Establishment, an intelligence agency, to scan all international phone calls, e-mails and faxes for sensitive keywords without a court order. Critics believe the new legislation will violate the privacy and civil liberties of Sweden’s citizens.http://www.guardian.co.uk/world/2008/jun/20/2(The Guardian – 6/20/08)
UKFSA fines stockbroking firm £77,000 for weak data securityThe Financial Services Authority, the UK monitor of corporations that offer financial services, has fined the stockbroking firm Merchant Securities £77,000 for failures in the company’s data security systems. Although there are no reported incidents of data breach, the FSA hopes the large fine will encourage company’s to improve data security before a breach occurs. Merchant Securities has said that it has taken measures to improve security.http://www.computerweekly.com/Articles/2008/06/19/231115/fsa-fines-stockbroking-firm-77000-for-weak-data-security.htm(ComputerWeekly – 6/19/08)
Privacy watchdog concerned over surge in identity fraudThe Information Commissioner’s Office, a UK privacy watchdog, is urging organizations to improve data security after information revealed that reported incidents of identity fraud have risen 66% since last year. The credit information firm Experian has reported that more than 6,000 victims contacted the firm last year, compared to 3,500 last year. London residents are twice as likely to be victims of identity fraud as are residents in other parts of the UK. The average victim of identity fraud is between 26 and 45 years old and earns more than £50,000 a year, although renters are also at a higher risk of identity fraud.http://www.pressandjournal.co.uk/Article.aspx/661306?UserKey=0(The Press and Journal – 6/18/08)
MIDDLE EAST
NORTH AMERICACANADAYukon government dismisses ombudsman’s concerns on child actYukon’s ombudsman Tracy-Anne McPhee is concerned that a new child and family services act would violate privacy provisions aimed at protecting the personal information of Yukon citizens. The legislation would allow the government’s child and family services director to collect, use, and disclose personal information from any government department. The legislative assembly has denied McPhee’s request to be heard on the issue.http://www.cbc.ca/mobile/story/national/2008/04/18/child-act?staticMenu=regional&dynamicMenu=north
10
(cbc – 6/18/08)
Manitobans in class-action suit over missing laptopDozens of Manitobans have joined a class-action lawsuit over a stolen laptop that contained private information from 32,000 Canadian farmers, according to a Saskatchewan law office. The statement of claim was filed Monday morning in the Saskatchewan Court of Queen's Bench. It accuses federal Agriculture and Agri-Food Minister Gerry Ritz and the Carman-based Canadian Canola Growers Association of showing "reckless disregard" in the storage of unencrypted personal data on the laptop, stolen in March.http://www.winnipegfreepress.com/breakingnews/story/4187602p-4777954c.html(Winnipeg Free Press – 6/17/08)
SOUTH AMERICA
LEGISLATION – FEDERALHouse passes new surveillance lawIn a 293-129 vote, the House approved a compromise bill updating the Foreign Intelligence Surveillance Act. The bill sets new electronic surveillance rules that will shield telecommunications companies from lawsuits that arise from the government’s warrantless eavesdropping on phone and computer lines. 40 lawsuits have been filed against telecommunications companies by those who believe their phone calls and e-mails were illegally monitored. The bill directs a federal district court to review certifications from the attorney general saying that wiretaps were needed to detect or prevent a terrorist attack. If the paperwork is in order, the judge will dismiss the lawsuit.http://news.yahoo.com/s/ap/20080620/ap_on_go_co/terrorist_surveillance_23(AP – 6/20/08)Also see:
FISA deal worries privacy groupshttp://www.securityfocus.com/brief/758 (SecurityFocus - 6/18/08)
LEGISLATION – STATECALIFORNIABill that would allow drugstores to share customer records killedA California bill which would have allowed drugstores to share people’s prescription-drug records with mass-mailers failed to gain a single vote of support in the Assembly Health Committee. Both California citizens and lawmakers were outraged by the bill that had been approved by the Senate. While Senator Calderon, the bill’s writer, said that he wanted to institute the legislation to prevent deaths resulting from a failure to take prescription drugs, many believed that the main benefactor of the legislation would be drug companies. The bill was not clear about who would be allowed to pay for the direct mailers, leading many to fear that personal information would be sold to drug companies.http://www.latimes.com/news/columnists/la-fi-lazarus18-2008jun18,0,2297374.column(Los Angeles Times – 6/18/08)
LITIGATION & ENFORCEMENT ACTIONSPetroleum Wholesale cited for improperly dumping recordsTexas Attorney General Greg Abbott charged Houston-based Petroleum Wholesale, L.P. for exposing its customers to identity theft. The company, which operates Sunmart Travel Centers & Convenience Stores in ten states, improperly discarded customer records containing Social Security numbers, bank account numbers, and credit or debit card information. The records were found in a publicly accessible trash container outside of the company’s former headquarters. The company will be charged with violating the 2005 Identity Theft Enforcement and Protection Act, with penalties of up to $50,000 per violation of the Act.
11
http://www.hcnonline.com/site/news.cfm?newsid=19788139&BRD=1574&PAG=461&dept_id=532238&rfi=6(Houston Community Newspapers – 6/19/08)
Court Rules Employee Text Messages Are PrivateThe U.S. Court of Appeals for the Ninth Circuit has ruled that text messages transmitted on devices their employer paid for are private. In 2002 the Ontario, California police department issued pagers to its officers. If an officer went over the capped limit of text messages a month, he was able to repay the department to avoid an audit of his messages. The police chief eventually decided to investigate whether overage charges stemmed from personal or professional use. Arch Wireless, the pager service provided, provided transcripts of archived messages sent to and from Officer Jeff Quon, an officer that had previously paid overage charges. The Court determined that allowing officers to pay overage charges created an expectation of privacy under the Fourth Amendment and that department search of the messages was illegal. Arch Wireless was also subject to the Stored Communications Act, prohibiting a provider from releasing the contents of communications without consent from the sender or recipient.http://www.informationweek.com/news/security/privacy/showArticle.jhtml?articleID=208700666(InformationWeek – 6/19/08)
TD Ameritrade close to settling data theft lawsuitThe online brokerage firm TD Ameritrade is close to settling a class-action lawsuit over the theft of contact information for more than six million customers. Ameritrade will agree to pay $1.9 million in legal fees, cover the cost of one year of anti-spam service for victims, hire a security firm to test the company’s defenses against hackers, and is pledging $55,000 to groups that work to fight spam. After conducting an investigation, Ameritrade has said that no incidents of identity fraud resulted from the breach. Those affected by the lawsuit will be contacted after the settlement receives preliminary approval.http://www.nytimes.com/aponline/business/AP-Broker-Data-Theft.html?_r=4&scp=9&sq=privacy&st=nyt&oref=slogin&oref=slogin&oref=slogin&oref=slogin(The New York Times – 6/18/08)
State worker cleared on child porn charges that were due to malwareA fired Massachusetts state employee has convinced a court to dismiss charges against him after proving that child pornography found on his work laptop had been downloaded by malicious software. Michael Fiola was charged with possessing child pornography after IT administrators found images in the temporary internet files on his browser. Fiola hired a forensics expert to prove that his state agency had not properly configured the laptop and that antivirus software wasn’t working on the machine, allowing the malicious software to download the images. Fiola plans to sue the agency over his firing.http://news.cnet.com/8301-10784_3-9970660-7.html(CNet – 6/17/08)
Local Man Sentenced For Deleting Medical RecordsA San Diego man has been sentenced to five years in prison and has been ordered to pay more than $409,000 in restitution for hacking into the Council of Community Health Clinics’ database and deleting patient medical records. The man was the Clinics’ technical services manager; after receiving an unfavorable job review, the man resigned and began hacking into the Clinics’ systems. The hack affected records for thousands of patients.http://www.10news.com/news/16624959/detail.html(San Diego News – 6/16/08)
Network Engineer Gets Five Years For Destroying Former Employer's DataA San Diego network engineer, Jon Paul Oson, was sentenced to more than five years in prison this week for intentionally damaging computers at his former workplace. The sentence issued Monday is one of the longest imposed to date in the United States for computer hacking, according to the Office of the U.S. Attorney in San Diego. Oson was convicted last summer of accessing the network of his former employer, The Council of Community Health Clinics (CCC), without authorization. CCC provides various services to 17 regional health clinics in San Diego and Imperial counties in California.http://www.informationweek.com/news/security/attacks/showArticle.jhtml;jsessionid=EWOBWDQ4RAUCKQSNDLOSKH0CJUNN2JVN?articleID=208403740(InformationWeek – 6/12/08)
12
MOBILE/WIRELESSCourt Rules Employee Text Messages Are PrivateThe U.S. Court of Appeals for the Ninth Circuit has ruled that text messages transmitted on devices their employer paid for are private. In 2002 the Ontario, California police department issued pagers to its officers. If an officer went over the capped limit of text messages a month, he was able to repay the department to avoid an audit of his messages. The police chief eventually decided to investigate whether overage charges stemmed from personal or professional use. Arch Wireless, the pager service provided, provided transcripts of archived messages sent to and from Officer Jeff Quon, an officer that had previously paid overage charges. The Court determined that allowing officers to pay overage charges created an expectation of privacy under the Fourth Amendment and that department search of the messages was illegal. Arch Wireless was also subject to the Stored Communications Act, prohibiting a provider from releasing the contents of communications without consent from the sender or recipient.http://www.informationweek.com/news/security/privacy/showArticle.jhtml?articleID=208700666(InformationWeek – 6/19/08)
Mobile warriors leaking company secretsA survey of 1,000 U.S. and UK mobile workers found that almost two-thirds of those surveyed had eavesdropped on someone else’s confidential business transaction while traveling on business. 10% of those surveyed had been able to use the overheard information for their own business purposes.http://www.vnunet.com/vnunet/news/2219437/mobile-warriors-leaking-company-secrets(vnunet.com – 6/19/08)
ODDS & ENDS9 things you should know about your privacy and rights in the digital ageNine tips and suggestions on how to protect your privacy: 1.) We know where you are. 2.) Cars have black boxes, too. 3.) Bits don’t go away. 4.) Your cell phone could be listening to you. 5.) Be careful when you throw out your old computer. 6.) What’s your iPod worth? 7.) “On the Internet, nobody knows you’re a dog”—Wrong! 8.) Buy a song on iTunes and it isn’t really yours. 9.) Be safe—in simple ways.http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9100978&pageNumber=2(Computerworld – 6/19/08)
Federal judge a victim of privacy breach or poor judgment?After sexually explicit material was found on a Web site maintained by Chief Judge of the U.S. Court of Appeals for the Ninth Circuit Alex Kozinski, some are asking whether the judge was the victim of a privacy breach or if he simply exercised bad judgment. Those defending the judge claim that someone broke into and accessed a private folder containing information clearly not meant for the public. Others believe that if the judge did not intend for the images to be made public, then he should not have allowed them to be accessed only from the Web.http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9099578&pageNumber=1(Computerworld – 6/17/08)
Hacker takes extradition fight to LordsA British man accused of carrying out “the biggest military computer hack of all time” is appealing his extradition to the U.S. to the House of Lords. Gary McKinnon is accused by the U.S. of causing £475,000 in damages by gaining access to 97 computer systems of the Pentagon and U.S. military. McKinnon is opposing his extradition because he was warned by U.S. prosecutors that if he did not agree to extradition and a guilty plea, his jail sentence would be a life sentence rather than a couple of years in prison. McKinnon has said that the hack was motivated by curiosity and that he was only able to get into the networks because of lax security. Lawyers for the UK Home Secretary have argued that no threats were made to McKinnon and that the extradition should go forward.http://business.timesonline.co.uk/tol/business/law/article4157963.ece?token=null&offset=12(Times Online – 6/17/08)
13
ONLINEAsk.com caves to Google’s privacy pressuresAsk.com has released an open letter to the public informing users that the browser has added a privacy link to its home page. The letter highlights the fact that Google has failed to listen to the requests of several privacy groups to add a link to its home page. The letter ends by strongly encouraging others in the industry to follow Ask.com’s example. http://news.cnet.com/8301-10784_3-9972371-7.html(cnet – 6/18/08)
Tech Watchdogs, Web Ad Firm Trade BlowsWatchdog groups Free Press and Public Knowledge have released a report claiming that online advertising firm “‘NebuAd commandeers users’ Web browsers’ to load tracking cookies and collects information from users in order to place ads from ISPs.” NebuAd has called the statement misleading and takes issue with the way the groups disregarded the privacy controls the company has in place to protect Internet subscribers.http://techdailydose.nationaljournal.com/2008/06/tech_watchdogs_and_web_ad_firm.php(Congress Daily – 6/18/08)
Facebook on the decline as ‘virus’ apps take holdFacebook’s development platform allows developers to launch new applications on the social networking site; this feature keeps Facebook interesting to users. Unfortunately, developers are finding Facebook to be a less appealing option to launch their applications. Posts per day on a Facebook developer forum have dropped from 461 in January 2008 to 222 in April 2008. The ability to launch new applications might keep the site interesting for users, but it also allows for applications with little utility to spread quickly through the network. These applications are better classified as viruses.http://www.zdnetasia.com/news/security/0,39044215,62042816,00.htm(ZDNet Asia – 6/18/08)
Firefox dumps privacy buttonFirefox has decided not to include Private Browsing with the release of the final version of Firefox 3. The feature would have disabled all caching, cookie downloads, history records, and form data during browsing. The company believed that the button would have “touched a lot of code” and may have crashed the browser.http://www.theinquirer.net/gb/inquirer/news/2008/06/16/firefox-dumps-privacy(The Inquirer – 6/16/08)
RFIDU.S. School District to Begin Microchipping StudentsA Rhode Island school district has announced plans to track students through RFID chips placed in their book bags. Chips will be put into the schoolbags of 80 students at the Aquidneck School during a pilot program. Each chip will be read by a device installed in one of two school buses. Parents and school officials could log into the program to determine when a student has entered and exited a bus and to determine the location of the school bus. The program is being provided to the school district at no cost and, therefore, did not require approval from the Rhode Island ethics commission.http://www.naturalnews.com/023445.html(Natural News – 6/16/08)
14
SECURITYInstant Worm Creation Software Hits The WebA point and click interface for turning .exe files into self-replicating worms makes malware creation an easy prospect for attackers. The tool noted by security vendor Panda Security possesses several characteristics that make it a dangerous prospect for security pros. Through its GUI, the attacker can control several aspects of the worm before turning it loose.http://www.securitypronews.com/insiderreports/insider/spn-49-20080619InstantWormCreationSoftwareHitsTheWeb.html(SecurityProNews – 6/19/08)
Apple does about-face, fixes Safari’s ‘carpet bomb’ bugApple has updated the Windows version of Safari, by patching four vulnerabilities. One of those vulnerabilities caused Microsoft to urge users to stop using the Safari browser. The update will fix the attacks security researcher Nitesh Dhanjani disclosed last month. Dhanjani called these attacks “carpet bomb” attacks because of the way they would litter the Windows desktop with malware. Apple had originally said that it did not consider the vulnerabilities a security threat because Safari had no option to require a user’s permission to download a file. Apple was heavily criticized for this stance and was encouraged to take measures to correct the problem.http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9101239&intsrc=news_ts_headFirefoxHTML\Shell\Open\Command(Computerworld – 6/19/08)
eBay IT exec warns of application layer attacksDave Tyson, eBay’s senior director of information security operations and business continuity planning, believes that the greatest threat to companies with strong interaction with customers over the Internet will be application layer attacks. Speaking at the Infosecurity Canada 2008 conference Tyson said that while many companies are prepared for attacks at the network level, few are really prepared for these new threats. Often, these attacks are not avoided because of a company’s failure to follow fundamental security principles. Tyson said that companies will need to protect themselves against these security attacks by “bak[ing] security principles right into the infrastructure.”http://www.itworldcanada.com/a/Daily-News/7c426e25-a14b-410f-b7cb-eacb78da8856.html(itWorldCanada – 6/12/08)
New defenses for automated SQL injection attacksRecently, analysts at the SANS Institute's Internet Storm Center discovered a tool that automates the process of finding and exploiting websites vulnerable to SQL injections. The automation illustrates the increasingly popular technique of using parts of legitimate sites to host and deliver malware. This tip, take a looks at SQL injection attacks and examine how to find, isolate and address the malicious pages of an otherwise safe website. http://searchsecurity.techtarget.com/tip/0,289483,sid14_gci1317069,00.html(SearchSecurity.com – 6/12/08)
Be cautious about letting new iPhones into your companyWhile Apple’s new iPhone 3G has enhanced security features allowing the phones to be connected more securely into corporate networks, Gartner Inc. analysts warn that companies should not be quick to provide iPhones with the same access to internal applications that PCs would normally enjoy. While the iPhone can perform many of the same functions as a PC, it has not yet been proven that the device can be locked down in the same way that a computer could be.http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9096719&source=rss_topic17(Computerworld – 6/11/08)
15
Data Breaches Made Possible By Incompetence, CarelessnessEighty-seven percent of data breaches could have been prevented with reasonable security precautions, according to a study of over 500 forensic investigations conducted by Verizon Business Security Solutions. Verizon (NYSE: VZ)'s study of actual data breach investigations from 2004 through 2007 suggests that incompetence and carelessness represents the greatest threat to business information. http://www.informationweek.com/news/security/client/showArticle.jhtml?articleID=208403240InformationWeek – 6/11/08)
The new weakest linksWeb apps are rife with small vulnerabilities that can open the door to big trouble. Thinking like a hacker can help you find them. Kevin Johnson doesn’t strike you as someone who could break into your network and wreak havoc with your organization’s data. He looks like a friendly guy, a jovial family man quick to crack a joke. But don’t be fooled. No matter how many precautions you take or how closely you monitor your equipment, he can get inside. Luckily, Johnson, of the security consulting firm Intelguardians, is not a malicious hacker. He is a penetration tester, a security professional whom organizations pay to break into their networks to expose weaknesses. He always finds some.http://www.gcn.com/print/27_13/46418-1.html?topic=&CMP=OTC-RSS#(GCN – 6/9/08)
16
SEMINARS Future of Trust in ComputingJune 30-July 2, 2008Berlin, Germanyhttp://www.tc-conference.com/
Value Privacy, Secure Your Reputation, Reduce RiskJuly 7-9, 2008St. John’s College, Cambridge, UKhttp://www.privacylaws.com/templates/AnnualConferences.aspx?id=641
The Privacy SymposiumAugust 18-21, 2008Harvard University, Cambridge, MAhttp://www.privacysummersymposium.com/
The 2008 IAPP Privacy AcademySeptember 22-24, 2008Orlando, Floridahttp://www.privacyacademy.org/index.php?option=com_content&task=view&id=12&Itemid=26
PIPA Conference 2008: Privacy 2.0November 17-18, 2008Calgary, Canadahttp://www.verney.ca/pipa2008/
_____________________________________________________________________
PAPERS2008 Data Breach Investigations Reporthttp://www.verizonbusiness.com/resources/security/databreachreport.pdf (Verizon)
Privacy: Alternatives Exist for Enhancing Protection of Personally Identifiable Informationhttp://www.gao.gov/new.items/d08536.pdf (GAO)
Privacy: Congress Should Consider Alternatives for Strengthening Protection of Personally Identifiable Informationhttp://www.gao.gov/new.items/d08795t.pdf (GAO)
Privacy: Agencies Should Ensure That Designated Senior Officials Have Oversight of Key Functionshttp://www.gao.gov/new.items/d08603.pdf (GAO)
Evolving Data Security: What Progressive Organizations Are Doing Nowhttp://searchsecurity.bitpipe.com/detail/RES/1210095210_275.html?li=130268&src=KA_RES_20080618&asrc=EM_KAR_3857262&uid=5509471
17