Privacy & Security News Brief
July 13-July 19, 2008
Vol. 1, No. 39

TABLE OF CONTENTS

BIOMETRICS
DATA BREACH
  Vets Home server held personal data
  Laptop with patient files stolen
  MoD admits loss of secret files
  University releases social security numbers
  Identity Theft News: 2008 Data Breach count is 69% greater than 2007
  Bristol-Myers: Tape With Workers' Personal Data Was Stolen
  Facebook bug leaks members' birthday data
  Security breach affects patients
  Potential jurors' IDs put at risk in breach
  Stolen computer contains Guard data
  Personal records from Houston attorney's office found in trash dumpster
  SSN Numbers breached at UT
  ISU: Laptop with students' info stolen
  Metro releases employees' Social Security numbers
E-COMMERCE
EDITORIALS & OPINION
EDUCATION
  Data security and higher education
EMPLOYEE
  What's behind rash of employee cybersnooping?
GOVERNMENT – U.S. FEDERAL
  NebuAd Faces More Congressional Scrutiny
  Congress explores Yahoo-Google antitrust questions
  File sharing's threat to agency data is growing, analysts say
GOVERNMENT – U.S. STATES
  TEXAS
    Texas Attorney General Helps Protect Texans From Identity Theft
HEALTH & MEDICAL
  Privacy Advocates Worried, Wary About E-Rx Merger
  Millions Believe Personal Medical Records Have Been Compromised, Survey Says
IDENTITY THEFT
  Online Games Can Lead to Identity Theft
INTERNATIONAL
  AFRICA
  ASIA/PACIFIC
    NEW ZEALAND
      Autistic hacker's talents to be used for good
  EUROPE
    Ixquick Earns Europrise's First European Privacy Seal
    EU
      Privacy watchdogs try to ease data sharing compliance for multinationals
    GERMANY
      Germany monitoring 'problematic' Google Earth street scanning
    ITALY
      Fingerprints: Privacy Watchdog Says No to Discrimination
      Privacy: Pizzeti, Year Zero in Judicial Offices
    UK
      Privacy watchdog may get powers to raid
      'No decision' on giant database
      A decade of data confusion
      eBay UK pimps users' privacy for targeted ads
      UK companies fall behind on data leakage policies
  MIDDLE EAST
  NORTH AMERICA
    CANADA
      Privacy chief seeking input on new ID plan
      Top court upholds solicitor-client privilege
      Bell denies it invades privacy of Internet users
  SOUTH AMERICA
LEGISLATION – FEDERAL
  Bill would require more privacy officers
LEGISLATION – STATE
  MASSACHUSETTS
    Prosecution vs. privacy
LITIGATION & ENFORCEMENT ACTIONS
  Student admits living large on stolen IDs
  San Francisco IT workers in hijacking of city network
MOBILE/WIRELESS
  MMA Issues Mobile Privacy Guidelines
  The Loopt app: A loopy privacy dilemma
ODDS & ENDS
  Library confrontation points up privacy dilemma
  Only Eight Percent of Americans are 'Very Confident' Their Personal Data is Safe
  Ex-prosecutor on terrorism list: Fix mistake
  Printer dots raise privacy concerns
  FTC enforces do-not-call rules, fines cos. $95,000
  Will the Profit Motive Undermine Trust in Truste?
  Software Helps Developers Get Started with PIV Cards
ONLINE
  Firefox 3.0.1 patches Mac-only bug
  Internet Expert Scott Cleland Recommends Comprehensive Approach to Privacy Law to Protect Consumers
  Lawyers in YouTube lawsuit reach user privacy deal
RFID
  Next-generation search to mine our RFID trail
  Rhode Island governor vetoes RFID ban
SECURITY
  Network Managers Fear Security Threats From Within
  Wormlike malware transcodes MP3s to try to infect PCs
  U.S. Fears Threat of Cyberspying at Olympics
  Report: cybercrime groups to operate like the Mafia
  Unpatched Windows PCs fall to hackers in under 5 minutes, says ISC
  New service tracks missing laptops for free
  Botnets winning spam wars
  Hidden endpoints: Mitigating the threat of non-traditional network devices
SEMINARS
PAPERS
  The Online Shadow Economy: A Billion Dollar Market for Malware Authors
  Strengthening Data Privacy in PeopleSoft
ARTICLE SUMMARIES AND LINKS

BIOMETRICS

DATA BREACH

Vets Home server held personal data
A backup computer server stolen from the Minneapolis Veterans Home contained telephone numbers, addresses, next-of-kin information, dates of birth, Social Security numbers, and some medical information of the home's 336 residents. Burglars broke into the home and stole the server, a tool kit, a laptop, a guitar, and a computer game. Information on the computer was password protected. Password protection at the operating-system login does not protect data on a stolen disk, which can be read from another machine; only encryption of the stored data does. Authorities do not suspect the thieves intend to use the personal information, but residents, family members, and credit bureaus have been notified of the theft.
http://www.startribune.com/local/25652209.html?location_refer=Error (Star Tribune – 7/19/08)

Laptop with patient files stolen
A laptop stolen from the audiology department of Falkirk and District Royal Infirmary (Scotland) contained names, addresses, and audiology details of patients. The laptop was stored in a locked cabinet and was password protected. It has not yet been recovered, but authorities believe the risk that the information will be accessed by the thieves is very low.
http://news.bbc.co.uk/2/hi/uk_news/scotland/tayside_and_central/7513602.stm (BBC – 7/18/08)

MoD admits loss of secret files
The Ministry of Defence has admitted to the loss of more than 650 laptops and more than 100 USB memory sticks since 2004: 658 laptops have been stolen and another 89 lost, and 121 memory sticks have been taken or misplaced. The MoD does not know when, where, or how the memory sticks were lost. Three of the lost memory sticks contained information classified "secret" and 19 contained "restricted" information.
http://news.bbc.co.uk/2/hi/uk_news/7514281.stm (BBC – 7/18/08)

University releases social security numbers
The Social Security numbers of approximately 24,000 University of Maryland students were inadvertently printed on mailing labels for a parking brochure. When a Department of Transportation Services employee ran a search to collect names and addresses for the brochure, the results also included Social Security numbers and email addresses. The employee removed the email addresses from the labels but did not recognize the Social Security numbers because they were printed without the usual two dashes. The university is not aware of any misuse of the numbers.
http://media.www.diamondbackonline.com/media/storage/paper873/news/2008/07/17/News/Breaking.News.University.Releases.Social.Security.Numbers-3392208.shtml (Diamondback – 7/17/08)

Identity Theft News: 2008 Data Breach count is 69% greater than 2007
The Identity Theft Resource Center recorded 342 data breaches between January 1 and June 27, 2008, more than 69% greater than the same period in 2007. The actual number is likely higher because of underreporting. 80.7% of the breaches involved electronic data; paper breaches accounted for the remaining 19.3%.
http://www.identitytheftdaily.com/index.php/20080716371/Latest/Identity-Theft-News-2008-Data-Breach-count-is-69-greater-than-2007.html (Identity Theft Daily – 7/17/08)
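The University of Maryland item above turns on a detail worth a check before any bulk export goes to print or to a vendor: the Social Security numbers slipped through because they were printed without dashes, so an eye (or a naive pattern) looking for NNN-NN-NNNN misses them. The following is an added example, not code from this newsletter or from any organization it describes, of a pre-export scan that catches both the dashed and the undashed form and uses the Social Security Administration's structural rules (area numbers 000, 666 and 900-999, group 00 and serial 0000 are never issued) to discard 9-digit strings that cannot be SSNs. The sample export lines, their field layout and the names in them are constructed for the example.

```python
import re

# Constructed sample export: one mailing label per line, in the shape such an
# extract might take. Not data from the article.
SAMPLE_EXPORT = """\
Jane Doe, 1234 Campus Dr, College Park MD 20742, jdoe@example.edu, 123-45-6789
John Roe, 56 Elm St, Hyattsville MD 20782, jroe@example.edu, 234567890
Acme Parking Services, 100 Lot Rd, College Park MD 20740, (301) 555-0100
Order 20080717, invoice 000123456, ticket 666001234, ref 900123456
"""

# Dashed form 123-45-6789 and undashed form 123456789. Lookarounds exclude a
# neighbouring digit or dash so that part of a longer number, or one half of a
# dashed SSN, is not reported as a separate hit.
DASHED = re.compile(r"(?<![\d-])(\d{3})-(\d{2})-(\d{4})(?![\d-])")
UNDASHED = re.compile(r"(?<![\d-])(\d{3})(\d{2})(\d{4})(?![\d-])")


def structurally_valid(area: str, group: str, serial: str) -> bool:
    """SSA structural rules: area 000, 666 and 900-999 are never issued,
    and neither are group 00 or serial 0000."""
    a = int(area)
    if a == 0 or a == 666 or a >= 900:
        return False
    return group != "00" and serial != "0000"


def find_ssns(text: str) -> list:
    """Return every candidate SSN in text with its line number, form and
    whether it passes the structural rules."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for pattern, form in ((DASHED, "dashed"), (UNDASHED, "undashed")):
            for m in pattern.finditer(line):
                area, group, serial = m.groups()
                hits.append({
                    "line": lineno,
                    "form": form,
                    "value": m.group(0),
                    "plausible": structurally_valid(area, group, serial),
                })
    return hits


def flagged_lines(text: str) -> set:
    """Line numbers that must be reviewed before the export is released."""
    return {h["line"] for h in find_ssns(text) if h["plausible"]}


if __name__ == "__main__":
    for hit in find_ssns(SAMPLE_EXPORT):
        print(hit)
    print("review lines:", sorted(flagged_lines(SAMPLE_EXPORT)))
```

Undashed 9-digit runs collide with phone numbers, account and invoice numbers, so a hit marked plausible is a prompt to review that export column, not proof of an SSN; the structural check only removes the impossible ones, which is why the fourth sample line produces three hits and no review flag.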
Bristol-Myers: Tape With Workers' Personal Data Was Stolen
A backup tape containing personal information on Bristol-Myers Squibb Co. employees was stolen while being transported from a storage facility. The company declined to say how many employees were affected; it had about 42,000 employees as of December 31. The tape included names, addresses, dates of birth, Social Security numbers, marital status, and in some cases bank account information. Bristol-Myers says it has "no reason to believe that any of the personal information on the data tape has been inappropriately accessed by any unauthorized party, or that any identity theft, fraud or misuse of information has occurred."
http://money.cnn.com/news/newsfeeds/articles/djf500/200807171514DOWJONESDJONLINE000844_FORTUNE5.htm (CNN – 7/17/08)

Facebook bug leaks members' birthday data
A test version of Facebook's website exposed the birthdays of Facebook's 80 million users. The new design ignored the privacy settings of users who had restricted access to their birth dates. The company could not say how long the data was exposed or how many people viewed the test site. The bug was patched within hours of its discovery.
http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9110241 (Computerworld – 7/17/08)

Security breach affects patients
Personal information of patients of Greensboro Gynecology Associates was compromised by the theft of a backup tape of the office's computer database. The tape was stolen from an employee who was delivering it to an offsite storage facility. The stolen data includes patients' names, addresses, Social Security numbers, employers, insurance companies, policy numbers, and family members, although no specific medical data was stored on the tape. Personal information of physicians and other staff members was also on the tape.
http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9110241 (News & Record – 7/16/08)

Potential jurors' IDs put at risk in breach
The District Court in Clark County inadvertently put tens of thousands of people at risk of identity theft over the past three years. Court administrators said the court's computer software allowed prospective jurors' confidential personal information to be released to a private contractor.
http://www.lasvegassun.com/news/2008/jul/16/potential-jurors-ids-put-risk-breach/ (Las Vegas Sun – 7/16/08)

Stolen computer contains Guard data
The theft of a laptop and other computer equipment potentially compromised the personal information of 2,000 Missouri National Guard members. The equipment held a list of names, Social Security numbers, and the military units to which the soldiers are assigned.
http://www.stltoday.com/stltoday/news/stories.nsf/news/stlouiscitycounty/story/20edd49f7e0113388625748800136c90?OpenDocument (St. Louis Post-Dispatch – 7/16/08)

Personal records from Houston attorney's office found in trash dumpster
Hundreds of files from a Houston law office were discarded in a public dumpster. The files contained personal financial records, documents with Social Security numbers, medical files, and more. The sheriff's office contacted the law offices of William Weber and asked that Weber pick up and properly dispose of the files. Although Weber described the discarded records as "no big deal," he eventually did remove the boxes. Weber said his wife had made a mistake by putting the records in the dumpster after he asked her to dispose of them.
http://www.khou.com/business/stories/khou080711_tj_recordsfound.57f842ba.html (KHOU.com – 7/15/08)
SSN Numbers breached at UT
Personal information of 2,500 University of Texas students and faculty was exposed online. Files containing confidential graduate applications, test scores, and Social Security numbers were inadvertently posted by at least four UT professors to a file server for the School of Biological Sciences. The files were discovered in January, at which time university officials restricted access to them. The university does not believe anyone other than the person who made the initial discovery ever accessed the files.
http://www.kxan.com/Global/story.asp?S=8676383&nav=0s3d (KXAN.com – 7/15/08)

ISU: Laptop with students' info stolen
A laptop containing personal information of 2,500 current and former Indiana State University students was stolen from a professor travelling in southern Indiana. It held names, grades, email addresses, and student identification numbers of students who took economics classes from 1997 through the Spring 2008 semester; Social Security numbers were used as student identification numbers until 2003. The laptop was password-protected, encrypted, and used a fingerprint reader to grant access. There is no evidence the laptop's security was breached.
http://www.tribstar.com/news/local_story_197221932.html (The Tribune Star – 7/15/08)

Metro releases employees' Social Security numbers
Metro, the Washington-area transit system, accidentally published a document containing the Social Security numbers of 4,675 current and former employees. The document was posted online between June 9 and June 25 as part of a solicitation to companies wanting to provide workers' compensation services.
http://www.forbes.com/feeds/ap/2008/07/14/ap5213364.html (Forbes – 7/14/08)

E-COMMERCE

EDITORIALS & OPINION

EDUCATION

Data security and higher education
Although colleges and universities face the same data security issues as major corporations, they are not organized to respond to those threats the way businesses do. A few basic steps let institutions of higher education reduce risk and develop an effective database security strategy:
(1) Establish a baseline.
(2) Understand the vulnerabilities and exploitation methodologies.
(3) Prioritize vulnerability remediation.
(4) Continuously monitor and maintain systems.
(5) Automate activities.
(6) Stay patched.
(7) Audit systems regularly.
(8) Apply real-time intrusion detection to critical systems.
(9) Extend protection to the database application layer.
(10) Trust but verify.
http://www.scmagazineus.com/Data-security-and-higher-education/article/112517/ (SC Magazine – 7/16/08)
EMPLOYEE

What's behind rash of employee cybersnooping?
The increasing number of reported incidents of employees snooping on the personal data of celebrities is an example of the "Facebook factor": browsing the personal details of friends and even complete strangers on social-networking sites has made it seem no longer unethical to do the same with confidential records at work. Employers can take a few steps to counter it, including flagging VIPs in a database and limiting access to those records, setting tighter parameters for how often those accounts can be accessed, and performing regular spot checks of account access.
http://computerworld.com/action/article.do?command=viewArticleBasic&articleId=9110280&pageNumber=2 (Computerworld – 7/17/08)

GOVERNMENT – U.S. FEDERAL

NebuAd Faces More Congressional Scrutiny
Less than one week after NebuAd CEO Bob Dykes appeared before the Senate Commerce Committee, lawmakers are asking new questions about the company's practices. A letter sent to Internet service provider Embarq questioned whether customers received adequate notice of a recent test of NebuAd's targeted advertising program. Lawmakers also asked how consumers were notified, whether they were able to opt out of the test, and what information was gathered during it.
http://www.mediapost.com/publications/?fa=Articles.san&s=86668&Nid=45085&p=955354 (Media Post Publications – 7/16/08)

Congress explores Yahoo-Google antitrust questions
Both the House and Senate Judiciary Committees held hearings on whether Yahoo's advertising partnership with Google raises antitrust concerns. A Microsoft attorney testified at the Senate hearing that the deal would reduce competition and raise prices. Yahoo and Google representatives said consumers would benefit from better-targeted advertising.
http://www.siliconvalley.com/news/ci_9887992?nclick_check=1 (SiliconValley.com – 7/15/08)

File sharing's threat to agency data is growing, analysts say
Peer-to-peer file-sharing programs such as LimeWire are increasingly compromising data and systems at federal agencies. These programs let users download files, usually music or movies, directly from another user's hard drive. Without realizing it, employees running one of these programs may be sharing documents and files on their own computers, and the programs can also be used to exploit another user's system. Employees should be informed of the risks these programs pose to networks, and agencies should monitor for peer-to-peer traffic and for unusually high traffic to sensitive data.
http://www.nextgov.com/nextgov/ng_20080710_3088.php (nextgov – 7/10/08)

GOVERNMENT – U.S. STATES

TEXAS

Texas Attorney General Helps Protect Texans From Identity Theft
Settlement agreements reached between Texas Attorney General Greg Abbott and Select Medical Corp. and RadioShack are intended to prevent future incidents of identity theft. The state will receive almost $1.5 million to fund future identity theft investigations and prosecutions. Both companies were charged with violating state laws governing the disposal of customer records containing personal information.
http://www.govtech.com/gt/articles/377760 (Government Technology – 7/16/08)
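The EMPLOYEE item above lists three controls against record snooping: flag VIP records, restrict and rate-limit access to them, and spot-check who has been opening them. As an added example (not code from this newsletter or from the employers it describes), the following runs those three checks over a constructed record-access log: every view of a flagged record by a user who is not assigned to it is reported, a user whose VIP views exceed a threshold inside a sliding window is reported, and a repeatable sample of VIP views is drawn for manual review. The log format, field names, the VIP record set, the assignment table and the thresholds are all assumptions for the example.

```python
import random
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed access log, one record view per line. Format and field names
# are assumptions for this example, not from any real system.
SAMPLE_LOG = """\
2008-07-15T09:12:03 user=clerk1 action=view record=1001
2008-07-15T09:13:10 user=clerk1 action=view record=1002
2008-07-15T10:02:45 user=clerk2 action=view record=7001
2008-07-15T10:03:01 user=clerk2 action=view record=7001
2008-07-15T10:03:20 user=clerk2 action=view record=7002
2008-07-15T10:04:05 user=clerk2 action=view record=7003
2008-07-15T16:40:00 user=clerk3 action=view record=7002
2008-07-16T08:00:00 user=clerk2 action=view record=7001
"""

# Records flagged as VIP, and the (assumed) assignment of VIP records to the
# staff who have a business reason to open them. Anyone else is a snooper
# until proven otherwise.
VIP_RECORDS = {"7001", "7002", "7003"}
ASSIGNED = {"clerk3": {"7002"}}


def parse_log(text):
    """Parse 'timestamp key=value ...' lines into dicts with a datetime 'ts'."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts_str, *kv = line.split()
        fields = dict(pair.split("=", 1) for pair in kv)
        fields["ts"] = datetime.fromisoformat(ts_str)
        events.append(fields)
    return events


def vip_alerts(events, max_vip_views=2, window=timedelta(hours=24)):
    """Return (ts, user, kind, detail) alerts for (a) any view of a VIP
    record by a user not assigned to it, and (b) the moment a user's VIP
    views inside the window first exceed max_vip_views."""
    alerts = []
    per_user = defaultdict(list)  # user -> timestamps of VIP views
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev.get("action") != "view" or ev["record"] not in VIP_RECORDS:
            continue
        user = ev["user"]
        if ev["record"] not in ASSIGNED.get(user, set()):
            alerts.append((ev["ts"], user, "unassigned_vip_access", ev["record"]))
        per_user[user].append(ev["ts"])
        recent = [t for t in per_user[user] if ev["ts"] - t <= window]
        if len(recent) == max_vip_views + 1:  # fire once, on crossing
            alerts.append((ev["ts"], user, "vip_access_rate", str(len(recent))))
    return alerts


def spot_check_sample(events, n=2, seed=0):
    """Repeatable random sample of VIP views for a human to review; the fixed
    seed is only so the sample is reproducible in this example."""
    vip_views = [e for e in events
                 if e.get("action") == "view" and e["record"] in VIP_RECORDS]
    return random.Random(seed).sample(vip_views, min(n, len(vip_views)))


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for alert in vip_alerts(evs):
        print(*alert)
    print("spot check:", spot_check_sample(evs))
```

In the constructed log, clerk3 opens the one VIP record assigned to them and produces nothing, while clerk2 trips both the assignment check and the rate check within two minutes; the assignment table is the least-privilege control, the rate check catches a legitimately assigned user who browses far more than their work requires, and the spot check covers whatever the first two miss.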
HEALTH & MEDICAL

Privacy Advocates Worried, Wary About E-Rx Merger
The merger of SureScripts and RxHub, two major proponents of e-prescribing, is expected to accelerate wider adoption of e-prescriptions and of electronic personal health records. Privacy advocates worry that the new company will not do enough to protect the personal information now shared between the two companies, or the personal information submitted electronically through an e-prescription.
http://www.ihealthbeat.org/articles/2008/7/18/Privacy-Advocates-Worried-Wary-About-ERx-Merger.aspx?a=1 (iHealthBeat – 7/18/08)

Millions Believe Personal Medical Records Have Been Compromised, Survey Says
A new poll indicates that a significant number of Americans believe their personal medical information has been compromised by the organizations handling it. About 69% of adults have read or heard about medical records containing personal health information being lost or stolen from hospitals, doctors' offices, health insurers, employers, or government agencies. 7% of those believe that their own medical records, or those of a family member, have been lost or stolen. Just over half believe computerized records are lost more often than paper records.
http://www.govtech.com/gt/377526?topic=117671 (Government Technology – 7/16/08)

IDENTITY THEFT

Online Games Can Lead to Identity Theft
Social-networking sites are becoming valuable sources of personal information for identity thieves. One Baltimore teenager was tricked into providing the information for seven car loan applications by a Facebook game that offered extra points in exchange for it. Suggestions for avoiding identity theft through Facebook and other social-networking sites:
(1) Profile picture: make sure it contains nothing that could identify you, where you live, or where you work.
(2) Quizzes: answers to questions such as "how much did you drink last weekend" can be sold to and used by marketers; be wary of answering personal questions.
(3) Friend requests: do not accept requests from people you do not know.
(4) Phone number: do not post one; it can be used in a reverse lookup to find your address.
http://www.abcnews.go.com/GMA/Parenting/Story?id=5382302&page=2 (ABC – 7/16/08)

INTERNATIONAL

AFRICA

ASIA/PACIFIC

NEW ZEALAND

Autistic hacker's talents to be used for good
A New Zealand teenager who, as the mastermind behind a botnet coding group, infected a million computers and caused millions of dollars in damage was discharged without conviction. Owen Thor Walker must pay $9,526 to a university that his adware scheme damaged and $5,000 in other costs, and was ordered to hand over his computer-related assets to the police. New Zealand police and international companies are interested in hiring Walker so that his skills can be put to good use.
http://www.stuff.co.nz/4619629a10.html (stuff.co.nz – 7/16/08)
EUROPE

Ixquick Earns Europrise's First European Privacy Seal
Ixquick, a meta search engine, has been awarded Europrise's first European Privacy Seal. Europrise, a consortium of nine European privacy organizations, certifies IT products and services that comply with EU laws and privacy regulations. Ixquick deletes data that could tie searches back to a user, including IP addresses, within 24 hours, and does not use cookies that would let websites track user activity.
http://www.marketingvox.com/ixquick-earns-europrises-first-european-privacy-seal-039839/ (Marketing VOX – 7/15/08)

EU

Privacy watchdogs try to ease data sharing compliance for multinationals
A committee of data protection regulators from EU member states has developed a toolkit to help global companies comply with EU rules on transferring data overseas within their own organizations. The Data Protection Directive prohibits the transfer of personal data to countries outside the European Economic Area unless adequate data protection exists. Binding Corporate Rules (BCRs) are one way companies can ensure adequate protection.
http://www.out-law.com/page-9268 (Out-Law.com – 7/16/08)

GERMANY

Germany monitoring 'problematic' Google Earth street scanning
Although German data protection agencies can find no legal grounds for challenging Google's filming of German streets for its Google Earth application, they are keeping a close watch on the project. The Federal Commissioner for Data Protection has described the practice as "problematic," adding that, although it may not be unlawful, "From a privacy viewpoint, we don't welcome this activity."
http://www.siliconvalley.com/news/ci_9895987?nclick_check=1 (siliconvalley.com – 7/16/08)

ITALY

Fingerprints: Privacy Watchdog Says No to Discrimination
In his annual report to Parliament, the chairman of the Italian Privacy Watchdog, Francesco Pizzeti, addressed concerns about the creation of DNA and fingerprint databases, stressing the need to prevent such databases from being used in a discriminatory manner. He also called for clear legislation defining when samples may be collected, how long they may be stored, and so on.
http://www.agi.it/italy/news/200807161212-cro-ren0023-art.html (AGI – 7/16/08)

Privacy: Pizzeti, Year Zero in Judicial Offices
Francesco Pizzeti, chairman of the Privacy Watchdog, criticized the protection of personal information in judicial offices in his annual report to Parliament and urged the courts to raise the level of protection of sensitive information. A recent investigation of the Rome Courts resulted in measures against the Court after repeated instructions to improve privacy were not complied with.
http://www.agi.it/italy/news/200807161233-cro-ren0027-art.html (AGI – 7/16/08)

UK

Privacy watchdog may get powers to raid
The UK government is examining what additional powers and resources would help the Information Commissioner's Office enforce the Data Protection Act. The Data Sharing Review recommended that the ICO be given more money and the authority to fine organizations for "reckless" data breaches, in the hope that greater enforcement powers will make it a more effective regulator.
http://www.agi.it/italy/news/200807161233-cro-ren0027-art.html (ZDNet – 7/18/08)
  • 10. ‘No decision’ on giant database
No decision has been made about whether a database should be created to store details of all phone calls, emails, and Internet use in the United Kingdom. Information Commissioner Richard Thomas has called for a full public debate about the database before Parliament votes on its creation. Police and intelligence agencies can currently ask telecommunication providers for information on phone calls made, texts sent, and Internet sites visited. Under the current system, a privacy watchdog can review the request.
http://news.bbc.co.uk/2/hi/uk_news/politics/7511671.stm (BBC – 7/17/08)

A decade of data confusion
The Information Commissioner’s Office has called for a review of the ten-year-old Data Protection Act, saying that the law is quickly becoming out of date. The UK’s law is based on the European Data Protection Directive. Both the European Commission and the ICO have commissioned research into the law. The Information Commissioner, Richard Thomas, has said that the Act fails to meet new privacy challenges, such as the transfer of personal information across international borders and the growth of personal information online.
http://www.computing.co.uk/computing/analysis/2221679/decade-confusion-4125448 (Computing – 7/17/08)

eBay UK pimps users’ privacy for targeted ads
eBay UK users will begin to see targeted advertisements based on the items they view and bid on. The program, AdChoice, allows users to opt out if they do not wish to receive targeted advertising. AdChoice already targets advertising to U.S. eBay users.
http://www.theregister.co.uk/2008/07/16/ebay_targeted_advertising/ (The Register – 7/16/08)

UK companies fall behind on data leakage policies
According to a Trend Micro report, fewer UK companies have policies to prevent data leaks than do companies in the US and Germany. 48% of UK companies have prevention policies, compared with 57% of German companies and 54% of US companies. Only 57% of UK respondents received training on data policies, compared with 69% of respondents in the US and 66% in Germany.
http://www.computerweekly.com/Articles/2008/07/14/231466/uk-companies-fall-behind-on-data-leakage-policies.htm (Computer Weekly – 7/14/08)

MIDDLE EAST

NORTH AMERICA

CANADA

Privacy chief seeking input on new ID plan
A new Enhanced Driver’s License (EDL) will be equipped with an RFID chip containing citizenship information. The EDL will be used in place of a passport by those traveling between Canada and the U.S. As a cardholder approaches the border, antennas will be able to read the EDL from 10 meters away. This concerns privacy advocates, who fear that EDL information will be accessed by unauthorized persons without the cardholder’s knowledge. Ontario’s Privacy Commissioner Ann Cavoukian urged concerned citizens to make their concerns known to lawmakers.
http://www.thestar.com/article/461792 (The Star – 7/17/08)
10
  • 11. Top court upholds solicitor-client privilege
The Supreme Court of Canada refused to allow the federal privacy commissioner to view confidential communications between a lawyer and a client as part of an investigation into whether a fired employee’s privacy rights had been violated. The fired employee, Annette Soup, had requested documents related to her firing from her employer, the Blood Tribe Department of Health. Her employer refused to hand over the documents, claiming attorney-client privilege. The privacy commissioner had requested the documents only to verify that the privilege had been properly claimed. The Court held that reviewing such documents to verify that the privilege was properly invoked is a role reserved for the courts.
http://www.canada.com/topics/news/story.html?id=43811591-f0b0-42a8-a98f-dccc952eec8d (Canada.com – 7/17/08)

Bell denies it invades privacy of Internet users
Bell Canada denies that it violates the privacy of Internet customers through its use of deep packet inspection technology. Bell claims that it does not view the content of the data being transmitted when it uses the technology; instead, the company only determines what type of data is being transmitted. Bell uses deep packet inspection to throttle peer-to-peer file sharing that the company says is clogging its network. Privacy advocates worry that deep packet inspection can, in fact, be used to view the content of the data being transmitted.
http://www.canada.com/montrealgazette/news/business/story.html?id=0af90bc4-e8bf-4adc-be41-e92b90ec85d6 (The Gazette – 7/15/08)

SOUTH AMERICA

LEGISLATION – FEDERAL

Bill would require more privacy officers
A new bill before the House of Representatives would require a privacy officer in each of the Homeland Security Department’s components. DHS has nine components, four of which have full-time privacy officers. Although the Department has a chief privacy officer, the components with a full-time privacy officer generate more Privacy Impact Assessments. A privacy officer in each component would ensure that privacy considerations are integrated into DHS decision-making processes.
http://www.fcw.com/online/news/153141-1.html (FCW.com – 7/15/08)

LEGISLATION – STATE

MASSACHUSETTS

Prosecution vs. privacy
A bill that would lengthen sentences for sex offenders in Massachusetts would also give law enforcement officials expanded access to citizens’ telephone, e-mail, and Internet records. Prosecutors have been able to obtain telephone records without warrants since 1966. The new bill allows prosecutors to claim that they have “reasonable grounds to believe” that the records are “relevant and material to an ongoing criminal investigation.” Telecommunications companies will have blanket immunity for their involvement. A warrant will still be needed to access the content of telephone, e-mail, and Internet records.
http://www.boston.com/bostonglobe/editorial_opinion/editorials/articles/2008/07/19/prosecution_vs_privacy/ (The Boston Globe – 7/19/08)
11
  • 12. LITIGATION & ENFORCEMENT ACTIONS

Student admits living large on stolen IDs
22-year-old Jocelyn Kirsch faces six years in prison after admitting that she and her boyfriend ran an identity theft scheme that financed the couple’s lavish lifestyle. The couple obtained $116,000 in goods and services by stealing the identities of friends and neighbors in the Philadelphia area from 2006 to 2007. The couple tried to claim at least another $122,000 in goods and services before they were caught when a $2,250 check for salon services bounced.
http://www.cnn.com/2008/CRIME/07/15/couple.fraud.ap/index.html (CNN – 7/15/08)

San Francisco IT worker held in hijacking of city network
Terry Childs, a 43-year-old network administrator for the city of San Francisco, has been arrested for taking control of the city’s computer network and locking out city administrators. Childs is in jail on $5 million bail. He is accused of tampering with the new Fiber Wide Area Network after being disciplined for poor performance, and of electronically spying on his supervisors and on their attempts to fire him. Administrators still have no access to the network, although it remains up and running.
http://news.cnet.com/8301-1009_3-9991769-83.html?tag=nefd.top (CNet – 7/15/08)

MOBILE/WIRELESS

MMA Issues Mobile Privacy Guidelines
The Mobile Marketing Association has released a set of global privacy guidelines for mobile marketers. The code consists of voluntary guidelines in five categories: notice; choice and consent; customization and constraint; security; and enforcement and accountability. Until a third party is found to enforce the code, marketers are expected to evaluate their own practices and to certify compliance with the code. Privacy advocates believe the Federal Trade Commission should proactively enforce privacy standards rather than leaving compliance in the hands of advertisers.
http://www.mediapost.com/publications/?fa=Articles.san&s=86663&Nid=45085&p=289294 (Media Post Publications – 7/16/08)

The Loopt app: A loopy privacy dilemma
The iPhone 3G’s Loopt application allows users to track their friends on a graphic map. The application was originally designed to allow a store to send an SMS text bulletin or coupon when you are in close proximity to it. For now, Loopt updates your location only when you log in to the application. Some are concerned that Loopt might eventually allow others to track a person’s location at all times.
http://news.cnet.com/8301-13544_3-9990088-35.html (CNet – 7/13/08)

ODDS & ENDS

Library confrontation points up privacy dilemma
A children’s librarian at the Kimball Public Library in Vermont refused to allow police to search the library’s public access computers without a search warrant. Police were looking for information on a missing 12-year-old girl; they were acting on a tip that the girl sometimes used the computers to communicate on her MySpace account. Because the investigation was not a Patriot Act case, librarians were firm in their conviction that police must first obtain a warrant before being allowed to search the library’s computers. The computers were shut down until police obtained a warrant.
http://www.sfgate.com/cgi-bin/article.cgi?f=/n/a/2008/07/19/national/a104017D48.DTL (San Francisco Chronicle – 7/19/08)
12
  • 13. Only Eight Percent of Americans are ‘Very Confident’ Their Personal Data is Safe
A new survey reveals that only 8% of Americans are “very confident” in the ability of U.S. governments, retailers, and banks to secure their personal data. 79% of American consumers cited loss of trust and confidence, damage to reputation, and reduced customer satisfaction as consequences of security and privacy breaches experienced by organizations they deal with. A significant majority of consumers also believe that organizations are not spending enough money on improvements to online security and privacy.
http://www.govtech.com/gt/377806?topic=117671 (Government Technology – 7/16/08)

Ex-prosecutor on terrorism list: Fix mistake
Jim Robinson, a former assistant attorney general and a former U.S. attorney in Michigan, is on the U.S. anti-terrorism watch list. Robinson does not know why he was put on the list in the first place and has been trying to get removed from it since 2005. While the Transportation Security Administration says that inconveniences like Robinson’s are inevitable in the fight against terrorism, the ACLU worries that no one knows how the list is compiled or how it is being used.
http://www.cnn.com/2008/US/07/16/watch.list/index.html (CNN – 7/16/08)

Printer dots raise privacy concerns
Microscopic yellow dots printed on each page run through a color laser printer are causing concern for privacy advocates. The dots encode a printer’s serial number and in some cases can even reveal the time and date a page was printed. The dots can be read under a blue LED light and are used primarily by the Secret Service to identify counterfeiters. Although the use of the dots is limited, some worry that the dots may eventually be used to identify political dissidents or whistle-blowers.
http://www.usatoday.com/tech/news/surveillance/2008-07-13-printer_N.htm (USA Today – 7/15/08)

FTC enforces do-not-call rules, fines cos. $95,000
Two telemarketing companies have been ordered to pay a total of $95,000 in fines for ignoring the federal do-not-call list and for hanging up on customers. Planet Earth Satellite Inc. must pay $20,000 for calling consumers whose phone numbers were on the National Do Not Call Registry. Star Satellite LLC was ordered to pay $75,000 for calling consumers and failing to connect them to a live telemarketer within two seconds of their answering the call.
http://news.yahoo.com/s/ap/20080715/ap_on_hi_te/ftc_dish_telemarketers;_ylt=AqZyqpDtTuijOIKeG4NsT64jtBAF (Yahoo News – 7/15/08)

Will the Profit Motive Undermine Trust in Truste?
Truste, a ten-year-old nonprofit organization that certifies that websites meet some minimum standards to protect the privacy of their users, is converting to for-profit status. The group will use its money to develop more automated ways to help smaller websites develop privacy policies. The company also hopes to expand into newer areas of privacy, such as targeted advertising and the use of cellphone locations in marketing.
http://bits.blogs.nytimes.com/2008/07/15/will-profit-motive-undermine-trust-in-truste/index.html (New York Times – 7/15/08)

Software Helps Developers Get Started with PIV Cards
The National Institute of Standards and Technology (NIST) has developed two demonstration software packages that show how Personal Identity Verification (PIV) cards can be used with Windows and Linux systems for logon and for digital signing and verification. The demonstration is meant to assist software developers responsible for developing products in response to Homeland Security Presidential Directive 12, which requires government employees and contractors to use secure identity credentials to access federal facilities and computers.
http://www.nist.gov/public_affairs/techbeat/tb2008_0709.htm#piv (NIST – 7/9/08)
13
  • 14. ONLINE

Firefox 3.0.1 patches Mac-only bug
Three critical vulnerabilities in Firefox 3.0 were patched this week, including a Mac-specific bug. Firefox 3.0.1 addressed a bug in the Ruby object-oriented scripting language, a bug in how Firefox processes GIF images, a problem with the anti-phishing/anti-malware blacklist, and a printing problem.
http://www.computerworld.com/action/article.do?command=viewArticleBasic&taxonomyName=security&articleId=9110318&taxonomyId=17&intsrc=kc_top (Computerworld – 7/18/08)

Internet Expert Scott Cleland Recommends Comprehensive Approach to Privacy Law to Protect Consumers
Precursor President Scott Cleland testified before the House Energy and Commerce Internet Subcommittee on broadband regulation and privacy. He focused on the need for a comprehensive approach to Internet privacy. Primarily, he was concerned that Internet application providers, like Google and Yahoo, are not subject to the same privacy laws and regulations as broadband providers. He stated, “Americans’ privacy should not be an unrestricted commodity to sell to the highest bidder.”
http://www.prweb.com/releases/Scott-Cleland-Privacy/72008/prweb1119024.htm (PR Web – 7/17/08)

Lawyers in YouTube lawsuit reach user privacy deal
Viacom and Google have reached a deal to protect the privacy of YouTube viewers in the copyright infringement lawsuit against the video-sharing site. Google will provide Viacom with a viewership database that blanks out the YouTube usernames and IP addresses that could be used to identify individual video watchers. The two parties are still determining how to handle the YouTube viewership data of YouTube and Google employees.
http://www.reuters.com/article/rbssTechMediaTelecomNews/idUSSP28516420080715 (Reuters – 7/15/08)

RFID

Next-generation search to mine our RFID trail
The Information Grand Voyage Project is developing new search techniques that will be able to analyze data held on RFID chips in phones and cards. What exactly this information will be used for is still unclear, but it could be used to search anything from an electronic travel pass to details of a chip’s e-cash functions.
http://www.techradar.com/news/world-of-tech/future-tech/next-generation-search-to-mine-our-rfid-trail-425771 (techradar.com – 7/17/08)

Rhode Island governor vetoes RFID ban
Rhode Island Governor Donald Carcieri vetoed a bill that would have banned the use of RFID to track students in the state’s schools. The governor believes that these sorts of decisions should be left to school districts and parents.
http://www.secureidnews.com/news/2008/07/16/rhode-island-governor-vetoes-rfid-ban/ (Secure ID News – 7/16/08)

SECURITY

Network Managers Fear Security Threats From Within
A recent survey conducted by The Strategic Counsel and commissioned by management and security software vendor CA showed that a majority of CIOs, CSOs, CTOs, and other senior IT security executives consider security threats from within an organization a bigger threat to the business than external attacks. The results revealed that 44% of respondents identified internal breaches as a key security challenge over the past 12 months, compared with 42% in 2006 and 15% in 2003.
http://www.pcworld.com/businesscenter/article/148653/network_managers_fear_security_threats_from_within.html (PC World – 7/19/08)
14
  • 15. Wormlike malware transcodes MP3s to try to infect PCs
Malicious software poses a threat to Windows users who download music files on peer-to-peer networks. The malware inserts links to dangerous web pages within ASF (Advanced Systems Format) media files. When a user plays an infected file, it launches Internet Explorer and loads a malicious web page. The page then asks the user to download a codec, a trick to get someone to install malware.
http://www.computerworld.com/action/article.do?command=viewArticleBasic&taxonomyName=security&articleId=9110324&taxonomyId=17&intsrc=kc_top (Computerworld – 7/18/08)

U.S. Fears Threat of Cyberspying at Olympics
Some members of the U.S. government are concerned about potential threats to U.S. laptops and cellphones during the Beijing Olympics. Intelligence agencies would like to warn business people and other travelers about the threat posed by Chinese hackers. The State and Commerce Departments, however, are concerned that such a warning would offend the Chinese.
http://online.wsj.com/article/SB121625646058760485.html (The Wall Street Journal – 7/17/08)

Report: cybercrime groups to operate like the Mafia
While computer hackers used to work alone, stealing and reselling credit card numbers, the new breed of hacker is attempting to build a business with repeat customers. Cybercrime companies, which operate like legitimate companies, are growing. These businesses adopt a hierarchical structure, much like the Mafia. This structure makes these businesses very successful and leaves any business using the Internet vulnerable.
http://arstechnica.com/news.ars/post/20080716-report-cybercrime-groups-starting-to-operate-like-the-mafia.html (ars technica – 7/16/08)

Unpatched Windows PCs fall to hackers in under 5 minutes, says ISC
The SANS Institute’s Internet Storm Center estimates that a hacker will find and compromise an unpatched Windows PC less than five minutes after it is connected to the Internet. The German Honeypot Project, another security researcher, estimates a PC’s survival time at 16 hours rather than just five minutes. Whichever figure is correct, researchers emphasize how quickly hackers locate an unpatched PC and remind PC users of the importance of patching their machines.
http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9109938&source=rss_topic17 (Computerworld – 7/14/08)

New service tracks missing laptops for free
Researchers at the University of Washington and the University of California, San Diego have developed free software to be downloaded onto a laptop. The software sends encrypted notes about the computer’s whereabouts to Internet servers. If the laptop goes missing, the user downloads another program that retrieves this information from the servers. The software, Adeona, provides the IP address the computer last used and data about the routers it used to connect to the Internet. This information can help law enforcement track down the criminal.
http://www.computerworld.com/action/article.do?command=viewArticleBasic&taxonomyName=security&articleId=9110128&taxonomyId=17&intsrc=kc_top (Computerworld – 7/14/08)

Botnets winning spam wars
New research indicates that anti-spam systems are losing their battle against botnet spam. By the time the systems have identified a compromised PC or server responsible for sending the spam, most botnets will have moved on to a new machine. Given the massive volume of botnet spam, the only way to stem the tide is to filter it out with costly technologies at the ISP level.
http://www.infoworld.com/article/08/07/09/Botnets_winning_spam_wars_1.html?source=rss&url=http://www.infoworld.com/article/08/07/09/Botnets_winning_spam_wars_1.html (InfoWorld – 7/9/08)
15
  • 16. Hidden endpoints: Mitigating the threat of non-traditional network devices
Non-traditional network devices, such as printers, physical access devices, web-based security cameras, and vending machines, pose a security threat to the networks they are connected to. Five key steps will help secure non-traditional network devices:
(1) Modify the network security policy to address the problem.
(2) Monitor the organization’s purchasing requests.
(3) Conduct regular scans of the network and compare them to past history.
(4) Properly configure any network-connected device.
(5) Interrogate non-traditional device vendors about their security testing process.
http://searchsecurity.techtarget.com/tip/0,289483,sid14_gci1319144,00.html (SearchSecurity.com – 7/3/08)
16
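Steps (3) and (4) above only pay off if someone actually compares this week’s scan with last week’s and notices the printer that now answers on telnet or the camera nobody purchased. The script below is an added example, not code from the brief or from the SearchSecurity article: it diffs two inventory snapshots keyed by MAC address, flags devices that appear, disappear or change their exposed ports, and tags newcomers that look like non-traditional endpoints. The snapshot layout (IP, MAC, vendor string, open TCP ports) and the port/vendor hints are assumptions for the example; in practice the snapshots would be exported from whatever scanner already runs on the segment, and the hints tuned to the organization’s own device fleet.

```python
"""Diff two network inventory snapshots and flag non-traditional endpoints.

Added example for steps (3) and (4) of the hidden-endpoints guidance; it is
not code from the original brief or from SearchSecurity. The snapshot
format (one Host per discovered device: IP, MAC, vendor string, open TCP
ports) is an assumption; in practice it would be exported from whatever
scanner already runs on the segment.
"""
from dataclasses import dataclass

# Hints used to classify a device as a non-traditional endpoint.
# Constructed for this example; a real deployment would tune them to its
# own printer, camera and building-automation fleet.
NON_TRADITIONAL_PORTS = {
    9100: "raw printing (JetDirect)",
    631: "IPP printing",
    554: "RTSP video stream",
    1900: "SSDP/UPnP discovery",
}
NON_TRADITIONAL_VENDOR_HINTS = ("printer", "camera", "vending", "access control")


@dataclass(frozen=True)
class Host:
    ip: str
    mac: str          # stable identity across scans; IPs may change with DHCP
    vendor: str       # vendor string from the OUI lookup, "Unknown" if none
    ports: frozenset  # open TCP ports seen in this scan


def classify(host):
    """Return the reasons a host looks like a non-traditional endpoint.

    An empty list means nothing in the port set or vendor string stood out.
    """
    reasons = []
    for port in sorted(host.ports):
        if port in NON_TRADITIONAL_PORTS:
            reasons.append(f"port {port}: {NON_TRADITIONAL_PORTS[port]}")
    if any(hint in host.vendor.lower() for hint in NON_TRADITIONAL_VENDOR_HINTS):
        reasons.append(f"vendor string '{host.vendor}'")
    return reasons


def diff_scans(previous, current):
    """Compare two scans, keyed by MAC, and report what changed.

    Returns a dict with:
      new      - (host, classification reasons) for devices not seen before
      missing  - hosts from the previous scan that have disappeared
      changed  - (host, ports opened, ports closed, previous ip) for
                 devices whose exposure or address changed
    """
    prev = {h.mac: h for h in previous}
    cur = {h.mac: h for h in current}
    report = {"new": [], "missing": [], "changed": []}
    for mac, host in cur.items():
        if mac not in prev:
            report["new"].append((host, classify(host)))
            continue
        old = prev[mac]
        opened = sorted(host.ports - old.ports)
        closed = sorted(old.ports - host.ports)
        if opened or closed or old.ip != host.ip:
            report["changed"].append((host, opened, closed, old.ip))
    for mac, host in prev.items():
        if mac not in cur:
            report["missing"].append(host)
    return report


def render(report):
    """Turn a diff report into one review line per finding."""
    lines = []
    for host, reasons in report["new"]:
        tag = "NON-TRADITIONAL" if reasons else "new host"
        lines.append(f"NEW     {host.ip} {host.mac} {host.vendor} [{tag}] "
                     + "; ".join(reasons))
    for host, opened, closed, old_ip in report["changed"]:
        lines.append(f"CHANGED {host.ip} {host.mac} opened={opened} "
                     f"closed={closed} previous_ip={old_ip}")
    for host in report["missing"]:
        lines.append(f"MISSING {host.ip} {host.mac} {host.vendor}")
    return lines


# Constructed sample snapshots: fictional addresses and vendor strings.
LAST_WEEK = [
    Host("10.0.5.10", "00:11:22:33:44:01", "Dell Inc.", frozenset({22, 443})),
    Host("10.0.5.20", "00:11:22:33:44:02", "Acme Printer Co.", frozenset({9100})),
    Host("10.0.5.30", "00:11:22:33:44:03", "Dell Inc.", frozenset({3389})),
]
THIS_WEEK = [
    Host("10.0.5.10", "00:11:22:33:44:01", "Dell Inc.", frozenset({22, 443})),
    # the printer now also answers on telnet: a configuration regression
    Host("10.0.5.20", "00:11:22:33:44:02", "Acme Printer Co.", frozenset({9100, 23})),
    # unknown vendor, but streaming video: likely a camera someone plugged in
    Host("10.0.5.40", "00:11:22:33:44:04", "Unknown", frozenset({80, 554})),
    Host("10.0.5.50", "00:11:22:33:44:05", "Vending Systems Ltd", frozenset({80})),
]

if __name__ == "__main__":
    for line in render(diff_scans(LAST_WEEK, THIS_WEEK)):
        print(line)
```

Keying on MAC rather than IP matters because DHCP leases move around between scans; an IP change on a known device is reported as a change rather than as a new device plus a missing one. The MISSING bucket is worth reviewing too, since a device that has vanished may simply be powered off, or may have been moved to a segment the scanner does not cover.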
  • 17. SEMINARS

The Privacy Symposium
August 18-21, 2008
Harvard University, Cambridge, MA
http://www.privacysummersymposium.com/

Navigate 2008
August 18-20, 2008
New Castle, New Hampshire
http://navigateprivacy.org/index.php?option=com_content&task=view&id=9&Itemid=

Youth Privacy Online: Take Control, Make It Your Choice!
September 4, 2008
Toronto, Canada
http://www.ipc.on.ca/index.asp?navid=56&fid1=26

Access to Information: Twenty-Five Years On
September 8, 2008
Ottawa, Canada
http://www.ipc.on.ca/index.asp?navid=56&fid1=26

The 2008 IAPP Privacy Academy
September 22-24, 2008
Orlando, Florida
http://www.privacyacademy.org/index.php?option=com_content&task=view&id=12&Itemid=26

International Symposium on Data Protection in Social Networks
October 15-17, 2008
Strasbourg, France
http://www.privacyconference2008.org/

Privacy in Social Networking Sites Conference
October 23-24, 2008
Delft University of Technology, The Netherlands
http://www.ethicsandtechnology.eu

PIPA Conference 2008: Privacy 2.0
November 17-18, 2008
Calgary, Canada
http://www.verney.ca/pipa2008/

_____________________________________________________________________

PAPERS

The Online Shadow Economy: A Billion Dollar Market for Malware Authors
http://searchsecurity.bitpipe.com/detail/RES/1210960402_338.html?li=136045&src=KA_RES_20080723&asrc=EM_KAR_4088088&uid=5509471
17
  • 18. Strengthening Data Privacy in PeopleSoft
http://searchsecurity.bitpipe.com/detail/RES/1210361737_919.html?li=135945&src=KA_RES_20080723&asrc=EM_KAR_4088273&uid=5509471
18
