weekly privacy-security news brief


Upload: petersam67

Post on 13-Nov-2014


Page 1: WEEKLY PRIVACY-SECURITY NEWS BRIEF

Privacy & Security News Brief
May 25-June 1, 2008

Vol. 1, No. 32

TABLE OF CONTENTS

BIOMETRICS
  DHS issues biometrics RFI

DATA BREACH
  District hit by computer breach
  A look into the dark underbelly of data breaches
  Over 300 local court files stolen, many including personal information
  State Street Data Theft Affects More Than 45,000
  City BPO accused of data theft
  UCSF alerts patients about a security breach
  Business Owners Have “False Sense of Security” When It Comes to Data Breaches
  Retailers keep silent about data security breaches

E-COMMERCE

EDITORIALS & OPINION
  A not-so-protective law
  Strong data protection rules are needed to prevent emergence of surveillance society

EDUCATION
  Public Schools Improve Physical Security, But Cybersecurity Declines

EMPLOYEE
  80% IT Directors Say Accidental Leaks Worst

GOVERNMENT – U.S. FEDERAL
  Army aims to take guesswork out of cyberdefense

GOVERNMENT – U.S. STATES

HEALTH & MEDICAL
  Hospitals, patients clash on privacy rights

IDENTITY THEFT
  Feds: ‘Bonnie’ in Philadelphia Identity Theft Case Up to Old Tricks

INTERNATIONAL

  AFRICA

  ASIA/PACIFIC
    AUSTRALIA
      Data breach reporting a scramble
    INDIA
      Software to track persons sending threatening e-mails
    PHILIPPINES
      Technical working group studying RP data privacy bills
    SOUTH KOREA
      China Gateway for Most Cyber-Attacks

  EUROPE
    Regulator warns of mobile Internet privacy concerns
    EU security agency calls for breach notification law
    EU cyber chief calls for more funding, support

  MIDDLE EAST
    ISRAEL
      Histadrut, employers draft agreement over employee computer privacy

  NORTH AMERICA
    CANADA
      Facebook ‘violates privacy law’
      Police find stolen computer device containing health records
      Net neutrality bill hits House of Commons

  SOUTH AMERICA

LEGISLATION – FEDERAL
  Attorneys Slam ‘Bailout Plan’ for Businesses

LEGISLATION – STATE
  TENNESSEE
    New Law Aims To Stop Online Predators

LITIGATION & ENFORCEMENT ACTIONS
  Google Seeks Dismissal Of Street View Lawsuit

MOBILE/WIRELESS
  RIM’s double-edged encryption sword
  New Harris Interactive Study: During Economic Downturn, Mobile Advertising Seen as Key to Reaching On-the-Go Consumers
  T-Mobile’s Parent Company in Trouble For Spying
  Do Hackers Pose a Threat To Smart Phones?

ODDS & ENDS
  Billboards That Look Back
  New York to Issue Enhanced Drivers Licenses
  TJX Fires Employee for Disclosing Security Problems
  Critics cite privacy concerns over D.C. surveillance plan

ONLINE
  Privacy concerns could hurt online ad biz
  Google Fights for the Right to Hide Its Privacy Policy

RFID
  Concern about privacy, identity theft with microchipped Olympics tickets
  Batronics bring wristband to U.S.

SECURITY
  Update: New Adobe flaw being used in attacks, says Symantec
  Largest Public Power Grid at Cyber Risk, Feds Say
  Countering cyber terrorism in third-world countries
  Tired of waiting on Apple, researchers disclose iCal bug
  Why data-loss prevention tools scare the hell out of some

SEMINARS

PAPERS
  Privacy in the Clouds
  Data Breaches: What the Underground World of “Carding” Reveals


ARTICLE SUMMARIES AND LINKS

BIOMETRICS

DHS issues biometrics RFI
The Department of Homeland Security has issued a request for information for its U.S. Visitor and Immigrant Status Indicator Technology (US-VISIT) Biometric Land Exit Solution. Under the current system, visitors to the United States must provide a photo and fingerprints when applying for a visa. A visitor’s fingerprints are verified when he enters the country. Congress has urged DHS to perform similar biometric verification when a traveler leaves the country. US-VISIT program officials are asking for information to help implement this program. The program must not cause undue delay at the borders. Any device or procedure should be at least 97% accurate and should be available for implementation at any or all of the 167 land ports of entry.
http://www.washingtontechnology.com/online/1_1/32830-1.html
(Washington Technology – 5/20/08)

DATA BREACH

District hit by computer breach
A hacker broke into Pocono Mountain School District computers, potentially compromising the personal information of 11,000 students. The information includes students’ birth dates, Social Security numbers, student IDs, home phones, and their parents’ names, phone numbers, and emergency phone numbers. Law enforcement had been notified of the incident.
http://www.mcall.com/news/local/all-b4_3pocono.6436000may31,0,1422227.story
(The Morning Call – 5/31/08)

A look into the dark underbelly of data breaches
A Department of Justice report indicates that “carding,” the process by which large volumes of data are stolen, resold, and ultimately used by criminals to commit fraud, has evolved from the sale of a few pieces of sensitive information to the sale of whole identity packages containing multiple pieces of sensitive information. Stolen data is sold on “carding” web sites, where the price of the data is set according to the degree of difficulty in obtaining the data. While credit card information can sell anywhere from $0.50 to $5.00 per card, bank account information can sell anywhere from $30.00 to $400.00. The report makes suggestions for fighting “carding.”
http://www.networkworld.com/community/node/28257
(NetworkWorld – 5/30/08)

Over 300 local court files stolen, many including personal information
During an arrest in Louisville, Kentucky, 312 stolen court traffic files were found in the arrested individual’s possession. The files, all from November 2003, contain personal information including names, addresses, birth dates, Social Security numbers, and copies of drivers’ licenses. Someone managed to remove the files from their storage place in the jail building, even though they were under 24-hour surveillance.
http://www.whas11.com/news/local/stories/whas11_localnews_080529_courtrecords.4000adb5.html
(whas11.com - 5/30/08)

State Street Data Theft Affects More Than 45,000
State Street, a Boston-based provider of financial services to institutional investors, announced that computer equipment containing the personal information of 45,000 people was stolen in December 2007. The personal information, including names, addresses, and Social Security numbers, belonged to 5,500 employees and 40,000 customers of Investors Financial Services, a company which State Street acquired last year. The company is working with local and federal law enforcement agencies. State Street declined to say if the stolen equipment had been recovered.
http://www.cnbc.com/id/24875931
(CNBC – 5/29/08)


City BPO accused of data theft
An Ahmedabad, India BPO has been accused of stealing data from Florida-based company Noble Ventures Inc. and selling the information to the company’s rivals. The man was working on a two-year contract with Noble Ventures to design and maintain its website. When his contract was cancelled, the man tapped into the company’s data bank and sold records to its rivals. The company became suspicious of data loss. Upon retrieval of the data, Noble Ventures noticed e-traces of their former web designer and notified police in Ahmedabad.
http://timesofindia.indiatimes.com/Ahmedabad/City_BPO_accused_of_data_theft/articleshow/3081539.cms
(The Times of India – 5/9/8)

UCSF alerts patients about a security breach
The University of California San Francisco has notified 2,625 patients of a potential data breach. On January 11, 2008, UCSF discovered unusual data traffic on one of its computers. An investigation determined that on December 2, 2007, an unknown individual installed an unauthorized movie-sharing program on the computer. Because installation of this program required high-level system access, UCSF is considering the incident a security breach. The computer contained files from the pathology department’s database. The data included patient names, dates of pathology service, health information, and Social Security numbers.
http://pub.ucsf.edu/newsservices/releases/200805283/
(UCSF News Office – 5/28/08)

Business Owners Have “False Sense of Security” When It Comes to Data Breaches
In a ranking of the biggest fears of the nation’s business leaders, suffering a data breach ranked last behind government fines, lawsuits, bankruptcy, and natural disaster. 45% of business leaders in a new survey indicated that they are more concerned about data breaches than they had previously been. A much greater percentage (76%) worries about personally being the victims of a data breach. While many executives aren’t concerned about a potential data breach, 86% think that safeguarding customer data is a high priority. In spite of the concern for protecting customer data, nearly two fifths of the business leaders surveyed said that they do not have an incident response plan in the event of a data breach.
http://www.businesswire.com/portal/site/google/?ndmViewId=news_view&newsId=20080527005774&newsLang=en
(Business Wire – 5/27/08)

Retailers keep silent about data security breaches
In a study based on interviews with 50 U.S. retailers, research company Gartner is reporting that out of those 50, 21 were certain they had had a data breach. Only 3 of those 21 retailers actually reported the breach to the public. While the small number of retailers questioned makes it impossible to draw broader conclusions from the research, the numbers do suggest that retailers are failing to disclose data breaches to their customers.
http://www.computerworlduk.com/management/security/cybercrime/news/index.cfm?newsid=9278
(ComputerWorld – 5/25)

E-COMMERCE

EDITORIALS & OPINION

A not-so-protective law
The recently passed Genetic Information Nondiscrimination Act (GINA), which provides special protection for genetic information, may do more harm than good to the very people it was intended to protect. Rather than increasing privacy protection for all types of medical information, the Act only increases protection for information relating to genetic conditions. The new act will require insurance providers to segregate risk based on some other nongenetic medical information. The increased protection for genetic testing may discourage insurance providers from covering the costs of testing, for fear that under the new act, they may be violating a patient’s privacy.
http://www.ajc.com/opinion/content/opinion/stories/2008/05/27/genesed.html
(ajc.com – 5/27/08)


Strong data protection rules are needed to prevent emergence of surveillance society
Thomas Hammarberg, Commissioner for Human Rights for the Council of Europe, advised EU member states to enact strong data protection laws to prevent violations of basic human rights. Hammarberg fears that surveillance technology, used increasingly to combat terrorism, is resulting in the improper collecting, storing, sharing, and use of personal data. Hammarberg criticizes policies developing in the EU. One of these policies, a principle of “availability,” would promote the unhindered sharing of information between member states. To avoid the development of policies which hinder the rights of individuals within the EU, Hammarberg urges all members to take proactive measures to protect their citizens’ privacy.
http://www.neurope.eu/articles/87078.php
(New Europe – 5/26/08)

EDUCATION

Public Schools Improve Physical Security, But Cybersecurity Declines
The 2008 School Safety Index, a report from CDW-Government, shows that while American public schools have improved their physical safety, cybersafety scores have dropped by 25% since last year. On a scale from 0 to 100, the national cybersafety average was 38.6. The average takes into account such factors as use of network access control, the authentication of users accessing a school’s network, cybersecurity breaches, the use of mass notifications and automated phone messages, and police access security cameras and notifications.
http://www.informationweek.com/news/security/government/showArticle.jhtml?articleID=207800964
(Information Week – 5/19/08)

EMPLOYEE

80% IT Directors Say Accidental Leaks Worst
The results of an IT Director survey conducted by Secure Computing Corporation reveal that more than 80% of the 103 directors surveyed believe that internal threats (either unintentional data leakage or deliberate data theft) pose a greater threat to their organizations than do outsider threats. Only 17% believe that outsider threats (hackers) pose a greater threat to their organizations. These results could be due to the fact that 37% of the respondents had experienced leakage of sensitive information within the past year.
http://www.darkreading.com/document.asp?doc_id=154975&WT.svl=wire_2
(Dark Reading – 5/28/08)

GOVERNMENT – U.S. FEDERAL

Army aims to take guesswork out of cyberdefense
The Army Research Office is funding the work of private companies to develop predictive technologies to improve the efficiency of cybersecurity tools. The research focuses on the creation of a global system which gathers and correlates security events and provides users with early warning about coming attacks. While the project does focus on meeting Army requirements, the main goal of the program is to create a commercial service that could be used to help program security devices.
http://www.gcn.com/online/vol1_no1/46306-1.html
(Government Computer News – 5/20/08)

GOVERNMENT – U.S. STATES


HEALTH & MEDICAL

Hospitals, patients clash on privacy rights
Many hospitals and health care organizations use patient information, without the explicit consent of the patient, for fundraising purposes. This type of solicitation is allowed under federal law. The University of California, San Francisco Medical Center’s fundraising efforts have recently led to the inadvertent posting of 6,300 patients’ data on the Internet. The Center had shared the patient information with a third party that searched the data for wealthy potential donors. The typical notice of these fundraising practices is provided in a booklet called “notice of privacy practices,” given to patients at check-in. The booklet describes how a patient’s data may be used, including for fundraising purposes. Although fundraising is critical for hospitals, many critics believe that explicit consent to use a patient’s data for fundraising would be more respectful of a person’s medical privacy.
http://www.sfgate.com/cgi-bin/article.cgi?f=/c/a/2008/05/27/MNPO10NRCR.DTL
(San Francisco Chronicle – 5/27/08)

IDENTITY THEFT

Feds: ‘Bonnie’ in Philadelphia Identity Theft Case Up to Old Tricks
Jocelyn Kirsch, a former Drexel University student, stole and used an acquaintance’s credit card in California, where she has been living while waiting to plead guilty to a five-count information, which includes aggravated identity theft, money laundering, and fraud charges. Kirsch and her boyfriend, dubbed “Bonnie and Clyde,” lived a lavish, globe-trotting lifestyle for one year after obtaining $120,000 in goods and services from the theft of financial information from friends, neighbors, and coworkers. Although Kirsch has not yet been charged in the California theft, it could add more time to the two to five year sentence she was previously facing.
http://www.foxnews.com/story/0,2933,360844,00.html
(Fox News – 5/30/08)

INTERNATIONAL

AFRICA

ASIA/PACIFIC

AUSTRALIA

Data breach reporting a scramble
Compliance with a mandatory data loss notification system the Australian Law Reform Commission is recommending to the Australian government will create significant challenges for many businesses. For the most part, banks in Australia say they will be ready to comply with the new law when it takes effect. Financial institutions subject to anti-money-laundering laws generally already have data loss prevention systems in place. Many companies, however, are not prepared for the new law and will have to make significant changes to be compliant.
http://www.australianit.news.com.au/story/0,24897,23762990-15317,00.html
(Australian IT – 5/27/08)

INDIA

Software to track persons sending threatening e-mails
After bombings in Jaipur, India, an e-mail was sent by a group called Indian Muzahedeen to news channels through a cyber café. Many cyber cafes have implemented technology which photographs and fingerprints computer users. The software, called CRISH, automatically stores the photographs and fingerprints in a database of the computer with date, time, and the terminal where a user logged on. It is hoped that if similar threatening e-mails are sent from cyber cafes in the future, this technology will make it easier for police to locate suspects.
http://www.hindu.com/thehindu/holnus/002200805271022.htm
(The Hindu – 5/27/08)


PHILIPPINES

Technical working group studying RP data privacy bills
The technical working group for a new data privacy framework in the Philippines is recommending the adoption of the European Union framework on data privacy. The working group is pushing the EU model because the nation hopes to break into European and Australian markets. The group is also recommending that pending privacy bills should stick to one data privacy framework standard.
http://newsinfo.inquirer.net/breakingnews/infotech/view/20080528-139338/Technical-working-group-studying-RP-data-privacy-bills
(Inquirer.net – 5/28/08)

SOUTH KOREA

China Gateway for Most Cyber-Attacks
A report titled “How to Counter Hacking From China,” reveals that 54% of all cyber-attacks on South Korean government websites and computer systems come from Internet sources in China. The U.S. is also a major source of cyber-attacks on the South Korean government, with 14% of all attacks originating in the U.S. Other major sources of cyber-attacks include Japan, Brazil, and Taiwan. To avoid the further loss of critical national and security information, the South Korean government is urged to increase its security efforts.
http://www.koreatimes.co.kr/www/news/nation/2008/05/116_24499.html
(The Korea Times – 5/20/08)

EUROPE

Regulator warns of mobile Internet privacy concerns
Speaking at a meeting in the EU Parliament on privacy and the internet, Giovanni Buttarelli, secretary general of the Italian Data Protection Authority, stated that searching the Internet via mobile phone poses greater privacy-related concerns than does traditional computer-based searching. Matching the information collected by search engines and the data collected by Telecom networks makes it possible to create a very accurate profile of a user. Buttarelli reminded search engine operators that they were required to abide by principles issued by EU Privacy regulators. These principles urge search engine operators to seek users’ permission to collect private data for targeted advertising.
http://www.euractiv.com/en/infosociety/regulator-warns-mobile-internet-privacy-concerns/article-172783
(EurActiv.com – 5/29/08)

EU security agency calls for breach notification law
The European Network and Information Security Agency (ENISA), the European Union’s online security body, is calling for a continent-wide law requiring firms to notify customers of data security breaches. Andrea Pirotti, executive director of ENISA, said “Enisa calls for the EU to introduce mandatory reporting on security breaches and incidents for business, just as the US has already done.”
http://www.vnunet.com/computing/news/2217652/eu-security-agency-calls-breach
(vnunet.com – 5/28/08)

EU cyber chief calls for more funding, support
Andrea Pirotti, executive director of the European Network and Information Security Agency (ENISA), the EU’s cyber security agency, is requesting more resources to protect the EU from cyber attacks. ENISA is one of the EU’s smallest agencies, with a staff of 50 and an annual budget of $13 million. In the short term, ENISA, which started in 2004 with a five-year mandate, needs its staff increased by at least 30 people and its mandate extended to 2012. In the long run, Pirotti hopes ENISA will become a permanently established agency. The agency coordinates the work of national cyber security agencies in the 27 EU member nations.
http://www.businessweek.com/ap/financialnews/D90U6KH81.htm
(Business Week – 5/27/08)


MIDDLE EAST

ISRAEL

Histadrut, employers draft agreement over employee computer privacy
Histadrut, the Israeli labor federation, and employers’ organizations have come to an agreement regarding how much privacy an employee should be entitled to on their workplace computer and what access should be permitted by an employer. The agreement follows a form of the European model, which gives an employee much privacy, even when the computer and server belong to the employee’s boss. This model contrasts with the American model, which affords an employer much greater rights to examine an employee’s computer and e-mail. The negotiating teams developed the model so as to balance an employer’s property right and an employee’s privacy right.
http://www.haaretz.com/hasen/spages/987933.html
(Haaretz.com – 5/28/08)

NORTH AMERICA

CANADA

Facebook ‘violates privacy law’
The Canadian Internet Policy and Public Interest Clinic has filed a complaint against Facebook, listing 22 separate breaches of privacy law in Canada. The complaint states that Facebook collects sensitive information about its users and shares it without their permission. Facebook stated in response that it offers users “industry leading controls” over their private information and that “almost all Facebook data is willingly shared by users.” Representatives of the Clinic point out that even when a user selects the strongest privacy settings, personal information may still be shared by Facebook Friends with lower privacy settings. The Clinic hopes to launch a similar investigation into MySpace later this year.
http://news.bbc.co.uk/2/hi/technology/7428833.stm
(BBC – 5/31/08)

Police find stolen computer device containing health records
New Glasgow police have recovered a computer memory stick containing the personal information of 150 people who received child and adolescent mental-health services since August. The Pictou County Health Authority said that someone had admitted to stealing the device and trying to destroy it. Police believe that no information was released.
http://www.cbc.ca/health/story/2008/05/30/pictou-device.html
(CBC – 5/30/08)

Net neutrality bill hits House of Commons
The private member’s bill, C-552, has been introduced in the House of Commons in reaction to moves by some of Canada’s largest Internet service providers to limit their customers’ use of the Internet. Bell Canada, Inc. and Rogers Communications Inc. have slowed the internet down at peak times of the day due to increased congestion on their networks caused by the use of peer-to-peer applications. The new bill seeks to amend the Telecommunications Act and “prohibit network operators from engaging in network management practices that favour, degrade or prioritize any content, application or service transmitted over a broadband network based on its source, ownership or destination.”
http://www.cbc.ca/technology/story/2008/05/28/tech-netbill.html
(CBC – 5/28/08)

SOUTH AMERICA

LEGISLATION – FEDERAL

Attorneys Slam ‘Bailout Plan’ for Businesses
Congress has passed a retroactive bill amending the Fair and Accurate Credit Transactions Act of 2003, a law that prohibited the printing of expiration dates and all but the last five digits of a person’s credit card number on a receipt. Under the bill, printing expiration dates on a receipt does not amount to a willful violation of the law, if the printing occurred between December 4, 2004 and May 20, 2008. To pursue a lawsuit under the new bill, an attorney would have to show that his client was the victim of identity fraud due to the printing of the expiration date. Some attorneys are angered that the law effectively kills certain lawsuits. Some attorneys believe that the amendment curtails efforts to fine businesses that are not more protective of their customers’ personal information. Others believe that the amendment will protect businesses who did not willfully violate the law and whose actions led to no actual harm.
http://www.law.com/jsp/article.jsp?id=1202421752973
(Law.com – 5/29/08)

LEGISLATION – STATE

TENNESSEE

New Law Aims To Stop Online Predators
A new law will require sex offenders in Tennessee to register their e-mail addresses, user names, and screen names with Tennessee’s Sex Offender Registry. Police believe the new requirement will make it easier to identify sex offenders “trolling for prey online.” Offenders who are caught lying about their internet information will be sent back to jail.
http://www.myeyewitnessnews.com/news/local/story.aspx?content_id=d4264931-9d50-4e95-a0cd-4e1c10c75197
(Eyewitness News Everywhere – 5/28/08)

LITIGATION & ENFORCEMENT ACTIONS

Google Seeks Dismissal Of Street View Lawsuit
In an effort to obtain images for Google Maps Street View, Google allegedly drove down a private road, took pictures of Aaron and Christine Boring’s residence, and turned around in the couple’s driveway. Google made these pictures available through its Google Maps Street View program. In a motion to dismiss the invasion of privacy lawsuit filed by the Borings, Google said that the Borings "live in a residential community in the twenty-first century United States, where every step upon private property is not deemed by law to be an actionable trespass." While Google’s assessment of the law may be correct, this view of privacy contrasts starkly with a previous statement by Joe Kraus, director of product management, that "Google lives and dies on protecting users’ privacy."
http://www.informationweek.com/news/internet/google/showArticle.jhtml?articleID=208401206&subSection=Management
(InformationWeek – 5/30/08)

MOBILE/WIRELESS

RIM’s double-edged encryption sword
The data encryption technology of the BlackBerry, made by Research in Motion Ltd (RIM), has made it the preferred smart phone for the North American business world. Unfortunately, this technology has government officials in several countries worried that terrorists are using the devices to communicate. Others do not like that sensitive data is being routed abroad through RIM’s Canadian Network Operating Centres. The company is left trying to pacify the fears of foreign governments on the one hand, while attempting on the other to assure customers and shareholders that it will not cave to pressures to release encryption keys.
http://www.theglobeandmail.com/servlet/story/LAC.20080528.RRIM28/TPStory/Business
(ReportonBusiness.com – 5/28/08)

New Harris Interactive Study: During Economic Downturn, Mobile Advertising Seen as Key to Reaching On-the-Go Consumers
A Harris Interactive study on people’s attitudes towards the economy and technology reveals that even in a time of economic downturn, people have no intention of buying fewer cell phones or of using their cell phones less frequently. 41% of consumers do not intend to stop or cut back on the purchase of cell phones. This trend offers businesses an important medium for advertising. The study reveals that by offering the right incentives, mobile advertising can be an effective tool in a slowing economy. Most teens and adults involved in the study said they would be receptive to mobile advertising if incentives such as cash, coupons, free minutes, and music downloads were offered.
http://www.businesswire.com/portal/site/google/?ndmViewId=news_view&newsId=20080528005912&newsLang=en
(Business Wire – 5/28/08)

T-Mobile’s Parent Company in Trouble For Spying
The owner of T-Mobile, Deutsche Telekom, is being accused of hiring investigators to track phone conversations between members of its supervisory board and reporters. The company was attempting to discover internal media leaks. Deutsche Telekom has willingly handed the case over to prosecutors. Company spokesman Mark Nierwetberg described the company’s willingness to cooperate in the investigation: "By handing over information to the prosecutor, we’re using the sharpest knife we have to solve the problem. . . We’re not in any way trying to hide anything."
http://www.switched.com/2008/05/28/t-mobiles-parent-company-in-trouble-for-spying/
(Switched – 5/28/08)

Do Hackers Pose a Threat To Smart Phones?
Smart phones, phones equipped with Internet, e-mail, multimedia programs, and even word-processing and spreadsheet capabilities, are vulnerable to malicious viruses and software. The risk to a smart phone is relatively low, mainly because it is inefficient to write a virus for phones. However, there are 300 to 500 known versions of malicious software written for phones. Other threats include third-party applications such as games and ringtones. Consumers can protect themselves by being mindful of what they download and through security programs from companies like Symantec and McAfee. Because most smart phones are used for business purposes, the real burden falls on IT departments to take measures to protect smart phones and the information they transmit.
http://online.wsj.com/article/SB121184343416921215.html?mod=googlenews_wsj
(The Wall Street Journal – 5/27/08)

ODDS & ENDS

Billboards That Look Back
Quividi, a two-year-old company based in Paris, designs billboards with tiny cameras to gather details about passers-by. Details, including a person’s gender, approximate age, and how long someone looks at a billboard, are collected and transmitted to a central database. This information allows the company to tailor a digital display to the person standing in front of the billboard. The company says that it is not storing the information. The cameras use software to determine that a person is standing in front of the camera. Then, the camera analyzes facial features to judge the person’s gender and age. Although these billboards have been available in Europe and Asia, the company is hoping to break into the U.S. market and recently installed a billboard in New York City. Although the company says it has no plans to store the information, privacy advocates worry that Quividi and other companies could potentially store the information.
http://www.nytimes.com/2008/05/31/business/media/31billboard.html?_r=1&pagewanted=2&hp&oref=slogin
(The New York Times – 5/31/08)

New York to Issue Enhanced Drivers Licenses
An agreement between New York State and the Department of Homeland Security will permit the state to issue an Enhanced Drivers License (EDL). A resident can use EDL in place of a passport when crossing into the U.S. from Canada, Mexico, the Caribbean, and Bermuda beginning June 1, 2009. New York will be the second state in the country to offer EDL. Participation in the EDL project will be voluntary. An EDL will cost New Yorkers $30 more than a regular license. It is hoped that EDL will boost the upstate New York economy by expediting commerce flowing across the New York-Canada border.
http://www.govtech.com/gt/articles/325331?utm_source=newsletter&utm_medium=email&utm_campaign=GTSN_2008_5_27
(Government Technology – 5/27/08)

TJX Fires Employee for Disclosing Security Problems
A TJX employee was fired after disclosing to an online forum that the company has not improved security since discovering a massive data breach in January 2007. After suffering the data breach, TJX changed its company log-in policies requiring employees to use stronger passwords. The employee reports that the TJ Maxx store he worked at failed to comply with the new policies. The store set the log-in protocol to accept blank passwords and also ran the store server in administrator mode, making it more susceptible to hackers. When the employee reported the problems to his manager and no action was taken, he posted anonymously to a computer security site called Sla.ckers.org reporting the problems. He was later fired for disclosing confidential information about the company.
http://blog.wired.com/27bstroke6/2008/05/tjx-fires-emplo.html
(Wired – 5/27/08)

Critics cite privacy concerns over D.C. surveillance plan
D.C. is expected to spend $9.6 million on a centralized security camera surveillance system. Many fear that this effort will not only lead to privacy abuses, but that CCTV systems are largely just examples of “feel-good technology” that have little impact on curbing crime. A similar system in London has been described as an “utter fiasco.” New York and London, both of which have CCTV systems, have had numerous complaints of bored police officers becoming Peeping Toms eavesdropping on citizens’ private behavior. Other complaints show that police will often focus on dark-skinned youth when watching for crime.
http://www.examiner.com/a-1409968~Critics_cite_privacy_concerns_over_D_C__surveillance_plan.html?cid=temp-popular
(examiner.com – 5/27/08)

ONLINE

Privacy concerns could hurt online ad biz
Growing discomfort with the tracking of a consumer’s online behavior by Google, Yahoo, and other internet companies could slow the growth of internet advertising. Evidence that targeted advertising will face increasing regulation can be seen at the state and federal level: both the New York and Connecticut state legislatures are working to pass consumer privacy bills and the Federal Trade Commission has called for industry self-regulation. 42% of internet users have said that they would opt out of online tracking if they had the option.
http://www.reuters.com/article/marketsNews/idUSN2843537620080528
(Reuters – 5/28/08)

Google Fights for the Right to Hide Its Privacy Policy
Google is the only one of the major internet companies that does not provide a link to its privacy policy on its home page. Google believes that it is important to maintain the style of its homepage, which is relatively free of links and any information besides its search box, and does not want to place an extra link on the page. After buying DoubleClick, Google applied to join the Network Advertising Initiative, a trade group that sets standards for companies that collect internet data for targeted advertising. The group requires that members provide “clear and conspicuous notice” of how a site uses and collects data. This requirement has been interpreted to mean that a link will be placed on a company’s home page.
http://bits.blogs.nytimes.com/2008/05/27/google-fights-for-the-right-to-hide-its-privacy-policy/?ref=technology
(The New York Times – 5/27/08)

RFID

Concern about privacy, identity theft with microchipped Olympics tickets
RFID chips are embedded in all Beijing Olympics tickets. Tickets for the opening and closing ceremonies, however, are embedded with a chip containing the bearer’s photograph, passport details, address, e-mail, and telephone numbers. China hopes the tickets will keep troublemakers, such as terrorists or protestors with Tibetan flags and anti-China banners, away from the high-profile ceremonies. The tickets raise privacy concerns, as well as concerns over potential identity theft. Many also fear that the process of matching tickets to the correct ticket holder will cause chaos and delay at the entrance gates. Minister of Science and Technology Wan Gang has said, “We’re fully prepared and we are confident we can overcome all the difficulties.” Even if this is true, security professionals fear that the process of matching ticket to ticket-holder will distract from other security procedures, such as frisks and bag searches, that might actually discover weapons or banners.
http://sportsillustrated.cnn.com/2008/olympics/wires/05/28/2080.ap.as.spt.oly.china.ticket.security.1021/
(Sports Illustrated – 5/28/08)

Batronics bring wristband to U.S.
A new RFID-enabled wristband system automates the administration of a patient’s pain medication. The wristband system was used in clinical trials for cancer patients at the Halifax Health Medical Center in Daytona Beach, Florida. 84% of nurses involved in the study said that the new system saved them time. 95% of the patients involved in the study found the device easy to use and felt that they were better able to manage their pain. The system works with a locked Medication on Demand (MoD) device. Nurses use an RFID identification card to fill the MoD with the appropriate medications. A patient’s wristband is programmed with the appropriate dosage and frequency. When a patient approaches the MoD, he selects a number between 1 and 10 on a dial to indicate his pain level. The MoD reads the wristband to administer the appropriate medication.
http://www.rfidnews.org/news/2008/05/27/batronics-brings-wristband-to-us/
(RFID News – 5/27/08)

SECURITY

Update: New Adobe flaw being used in attacks, says Symantec
An unpatched bug in Adobe Systems’ Flash Player software has allowed criminals to hack into about 220,000 websites. Hackers added scripts to these pages, redirecting victims to one of at least 57 servers which install attack code. Once a computer has been compromised, the hackers install several malicious programs designed to steal World of Warcraft usernames and passwords. Hacked websites include web pages for small towns, business and nonprofit organizations. The flaw affects Flash Player versions 9.0.124.0 and 9.0.115.0. The attack is targeted towards the Windows platform. Although anti-virus products can block the malicious code and the software it downloads, McAfee Security Research Manager David Marcus has said that this sort of widespread attack on an unpatched flaw is likely to be pretty successful.
http://www.infoworld.com/article/08/05/27/New-Adobe-flaw-being-used-in-attacks-says-Symantec_1.html
(InfoWorld – 5/27/08)

Largest Public Power Grid at Cyber Risk, Feds Say
In a report titled “TVA Needs to Address Weaknesses in Control Systems and Networks,” the Government Accountability Office reports that the network controlling the nation’s largest public electric company is vulnerable to cyber-hackers because it fails to take basic best-practice security measures. The Tennessee Valley Authority delivers electricity to most of Tennessee and parts of Alabama, Georgia, Kentucky, Mississippi, North Carolina, and Virginia. According to the report, TVA needs to complete security plans, prioritize its patch management, test its supervisory control and data acquisition (SCADA) network for security, and execute security training. While the report focuses on TVA, the problems exist throughout the power industry and fixing TVA alone will not address widespread security issues.
http://www.cio.com/article/368963/Largest_Public_Power_Grid_at_Cyber_Risk_Feds_Say./2
(CIO – 5/27/08)

Countering cyber terrorism in third-world countries
The SANS Institute has committed $1 million in time and services for a joint project with the International Multilateral Partnership Against Cyber-Terrorism (IMPACT). The project will help to increase the cybersecurity of developing countries. The project will provide high-quality security for national cyberinfrastructure and government websites and will train instructors so member governments can maintain high-capacity cyberdefenses. SANS will also work with IMPACT to create a shared internet early warning system to detect and combat attacks in their early stages and provide information as the attacks potentially spread around the world.
http://www.securecomputing.net.au/news/76825,countering-cyber-terrorism-in-thirdworld-countries.aspx
(Secure Computing Magazine – 5/26/08)

Tired of waiting on Apple, researchers disclose iCal bug
Core Security Technologies has disclosed three vulnerabilities in Apple’s iCal calendar program. Core stated in its disclosure that the three bugs “may allow unauthenticated attackers to execute arbitrary code on vulnerable systems with (and potentially without) the assistance from the end user of the application or to repeatedly execute a denial of service attack to crash the iCal application.” Core first reported the bugs to Apple on January 30, 2008. The company spent the next four months asking Apple when the company would patch the bugs and delaying the deadline for releasing its findings at the request of Apple. When Apple had neither patched the vulnerabilities nor informed users of the vulnerabilities by May 21, 2008, Core released the information on its own website, in a bulletin posted on Bugtraq, and in Full Disclosure mailing lists.
http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9087898&source=rss_topic17
(Computerworld – 5/22/08)

Why data-loss prevention tools scare the hell out of some
Chief security officers caution that while data-loss prevention (DLP) gear might improve corporate security, it may also be disruptive to a company’s business practices. DLP content-monitoring equipment offers security managers a view of their business’s daily communications. This equipment can highlight internal data-management practices which violate regulations. Despite the disruption caused by finding internal business practices that need to be fixed (one company found that its CEO’s salary and Social Security number were being inadvertently transmitted), most that have implemented DLP content monitoring find that it should still be implemented as an important component of a company’s corporate security.
http://www.networkworld.com/news/2008/052208-dlp.html?fsrc=netflash-rss
(NetworkWorld – 5/22/08)

SEMINARS

Making the Future of the Internet Economy Work for Citizens, Consumers and Workers
June 16, 2008
Seoul, Korea
http://thepublicvoice.org/events/seoul08/

The Practical Privacy Series
June 16-17, 2008
City University of New York, New York, NY
https://www.privacyassociation.org/index.php?option=com_content&task=view&id=1464&Itemid=138

Cyberlaw: Expanding the Horizons
June 18-20, 2008
Washington, D.C.
http://www.abanet.org/cle/programs/n08ceh1.html

Ethics, Technology and Identity
June 18-20, 2008
The Hague
http://www.ethicsandtechnology.eu/index.php/news/comments/ethics_technology_and_identity/

Future of Trust in Computing
June 30-July 2, 2008
Berlin, Germany
http://www.tc-conference.com/

Value Privacy, Secure Your Reputation, Reduce Risk
July 7-9, 2008
St. John’s College, Cambridge, UK
http://www.privacylaws.com/templates/AnnualConferences.aspx?id=641

The Privacy Symposium
August 18-21, 2008
Harvard University, Cambridge, MA
http://www.privacysummersymposium.com/

_____________________________________________________________________

PAPERS

Privacy in the Clouds
http://www.ipc.on.ca/images/Resources/privacyintheclouds.pdf
(Ontario Information Privacy Commissioner)

Data Breaches: What the Underground World of “Carding” Reveals
http://www.cybercrime.gov/DataBreachesArticle.pdf
(U.S. Department of Justice)
