Privacy

Privacy & Security News Brief
November 17 – November 23, 2007
Vol. 1, No. 7

TABLE OF CONTENTS

BIOMETRICS
    Can biometrics secure the public's data?
    Cash, Credit or Fingerprints Please
    Souder Says Biometrics the Solution, but Others Curse the Cure
DATA BREACH
    Laptops Stolen From Doctor's Office
    Personal Information Found In McKinney Dumpster
    Deja vu all over again at Veterans Administration
    Montana State University reports three data breaches in single day
    11 laptop PCs stolen from Brussels embassy
    Security breach affects UConn Foundation donors
    Students' personal data stolen
    CDs containing state workers' information missing in Nevada
    Laptop theft concerns customers
    Laptop with personal data missing
E-COMMERCE
    Regulating e-commerce
EDITORIALS & OPINION
    Be your own personal privacy czar
    Privacy and security: There’s always a tradeoff (Commentary: Although security can help ensure privacy, the two are not the same thing)
    Protecting our privacy from federal bureaucrats
    The Picture Of Conformity
EDUCATION
EMPLOYEE
    Boeing bosses spy on workers
FINANCIAL
GOVERNMENT – U.S. FEDERAL
    MySpace, Facebook ad plans violate privacy, groups tell FTC
GOVERNMENT – U.S. STATES
HEALTH & MEDICAL
    AMA Recommends Routine HIV Testing While Protecting Patient Autonomy, Privacy
    Threats to Your Genetic Privacy
    Whose records? Does medical privacy law hinder privacy?
    Federal patient privacy rule makes it harder to conduct medical research
IDENTITY THEFT
    Used hard drives are ID theft paradise
    Don't Let Identity Thieves Enjoy a Holiday Shopping Spree on You
    ID Thief Admits Using Botnets to Steal Data
    ID theft can be a dead issue
INTERNATIONAL
    AFRICA
    ASIA/PACIFIC
        Flaws in Asia's Maturing IT Security Approach
    EUROPE
        AUSTRIA
            Austrian privacy laws 'used to gag media'
        GREECE
            Head of Greek privacy watchdog resigns over police use of cameras to monitor protests
        UNITED KINGDOM
            Government policies threaten data privacy, warns information commissioner
            Doctors may be prosecuted if their laptops are stolen
            Public concern grows over data protection
    MIDDLE EAST
    NORTH AMERICA
        CANADA
            Opinion: Survey Finds One In Five Execs Say Their Companies Don't Use Anti-Virus Software
            School boards lack privacy protection
    SOUTH AMERICA
LEGISLATION – FEDERAL
    Privacy concerns plague Senate health IT legislation
    House passes Restore Act with no telecom immunity provision
    Under bill, companies could face privacy suits
LEGISLATION – STATE
    NEW HAMPSHIRE
        Judge questions privacy argument of voter info law
LITIGATION & ENFORCEMENT ACTIONS
    Vets Can Sue VA Over Stolen Laptop
    Visa Gave TJX Until 2009 to Get PCI Compliant
MOBILE/WI-FI
    Expect a rocky road for mobile data security, experts say
    Many Retailers Open to Wireless Attacks
ODDS & ENDS
    The Picture Of Conformity: In a Watched Society, More Security Comes With Tempered Actions
    NYPIRG warns of travelers’ shopping privacy concerns
    Web Site Features Could Affect Trust in Candidates
ONLINE
    McAfee Sees Cybercriminals Targeting Web 2.0, Windows Vista, and Online Games
    Facebook Encounters Difficulty Deleting Account
    The Facebook betrayal - users revolt over advertising sell-out
    Thousands of Unprotected Databases Litter the Internet
RFID
    Enhanced driver's licence approval sparks privacy caution
    Public Trust of RFID
SECURITY
    DNS Servers in Harm's Way
    Thumb twiddling Mozilla promises fix for privacy-biting bug
    Password Security Do's and Don'ts Outlined by Security and Privacy Company
    Corporate data control policies are failing
    Looming Online Security Threats in 2008
    'LoJack' For Backup Tapes?
SEMINARS
PAPERS
    Cyber Security Threat Assessment
    Security Experts Report on Hazards of New Surveillance Architecture
ARTICLE SUMMARIES AND LINKS

BIOMETRICS

Can biometrics secure the public's data?
Ten years ago, it would have been unthinkable to have a society where bank cards had been replaced by iris identification, where passports were a thing of the past and school dinners were paid for using vein recognition. It would have seemed very Blade Runner or 1984. Well, that future has most definitely arrived with the burgeoning popularity of biometrics. And - surprisingly for IT take-up - the public sector seems to be the first in line.
http://management.silicon.com/itdirector/0,39024673,39169254,00.htm (Silicon.com – 11/23/07)

Cash, Credit or Fingerprints Please
A growing number of customers in Germany are paying for their bills by fingerprint these days. With the touch of a digit to a light-sensitive pad, customers pay for their items, provided they have an account in the store's system that can be debited. Piggly Wiggly, the U.S. grocery chain, launched its biometric program in early 2005. It was one of the retail industry's largest commitments to biometrics and it has been closely watched from the start. Initially, the pilot project worked extremely well. But there was resistance. Security experts worried that hackers could steal fingerprint data, unleashing a new version of identity theft. And privacy experts decried the Orwellian aspect of the technology.
http://www.abcnews.go.com/Technology/story?id=3902517&page=1 (ABC News – 11/22/07)

Souder Says Biometrics the Solution, but Others Curse the Cure
Rep. Mark Souder has become a crusader for biometrics ID cards, but admits the political environment is not yet ripe for making them a part of Americans’ everyday life. IDs encrypted with images of their holders’ fingerprints and irises would not only be the best tool to identify terrorists, says the Indiana Republican, but would go a long way toward helping people avoid the inconveniences associated with many homeland security initiatives. But despite worries about homeland security, even the strongest supporters of biometrics acknowledge that concerns about privacy and long-standing visceral objections to anything that could be considered a “national ID card” are likely to block progress on the issue.
http://www.cqpolitics.com/wmspage.cfm?parm1=5&docID=hsnews-000002632196 (CQ Politics – 11/21/07)

DATA BREACH

Laptops Stolen From Doctor's Office
Someone stole two laptop computers from a doctor's office in Murfreesboro. However, the doctor's office says patients should not worry. A representative of Family Practice Partners in Murfreesboro said patient information was not stored on those computers. That representative said all the information entered into the computers was sent to another server and not saved on the laptops. They also said anyone looking for the information would have to go through several password barriers.
http://www.newschannel5.com/Global/story.asp?S=7384004 (News Channel 5 – 11/19/07)

Personal Information Found In McKinney Dumpster
A North Texas business reacted quickly today after learning someone in its office had inadvertently thrown files with personal information in a McKinney trash dumpster. They contained Social Security Numbers, bank statements, real estate contracts and more. State law requires companies to properly dispose of their documents. If they don't, they could face up to $50,000 in fines. CVS Pharmacy, Radio Shack, E-Z Pawn, and Lifetime Fitness are just some of the companies that have gotten in trouble under the two-year-old law.
http://cbs11tv.com/local/mckinney.dumpster.texas.2.571626.html (CBS 11 TV – 11/19/07)
Deja vu all over again at Veterans Administration
In what's become a fairly familiar routine for them of late, the U.S. Department of Veterans Affairs is investigating a potential data breach -- the theft of three computers containing personal data on potentially 12,000 individuals. Two desktop PCs and one laptop containing that data were stolen from a VA medical facility in Indianapolis -- ironically enough, on Veterans Day. The records belong to patients who were treated at the hospital and include Social Security numbers and other personally identifiable information. "It appears from this most recent breach that there are still some in the VA, even some responsible for the security of such data, who don't realize the importance of the security of the names and data of our veterans," U.S. Rep. Steve Buyer (R-Ind.) said in a prepared statement. According to Buyer, the VA notified his office of the breach on Thursday and is working to ascertain the names and data of the people who might have been affected by the theft.
http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9047482 (Computer World – 11/16/07)
Also see:
  • 3 VA laptops with thousands of patient records stolen
    http://www.indystar.com/apps/pbcs.dll/article?AID=/20071115/LOCAL/711150543 (Indianapolis Star – 11/15/07)

Montana State University reports three data breaches in single day
On Nov. 2, the university sent out letters to 216 students informing them about the potential exposure of their Social Security numbers and other personal data after a removable storage device containing the data was stolen. That same day, an outside security analyst informed the university's data security staff that he had discovered an Excel spreadsheet containing the names and Social Security numbers of 42 people on the university's Web site. When investigating the Excel spreadsheet issue, the university's security staffers discovered another Excel spreadsheet was similarly exposed and contained the names and Social Security numbers of 14 individuals.
http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9047084 (ComputerWorld – 11/15/07)

11 laptop PCs stolen from Brussels embassy
Eleven laptop computers were stolen from the Japanese Embassy in central Brussels earlier this month, leading to fears that personal information on about 12,700 Japanese living in Belgium may have been exposed, the embassy said Wednesday. The robbery is believed to have taken place early Nov. 3. Security guards alerted by an alarm found the lock broken on the seventh-floor entrance to the embassy in an office building. Some of the stolen computers held electronic data on matters such as the expats' residence certification, overseas voting registration and passport information, according to the embassy. The residence certification contains details such as a person's name, birthdate, permanent address in Japan, occupation, family information and passport number.
http://www.yomiuri.co.jp/dy/world/20071115TDY02303.htm (Daily Yomiuri Online – 11/15/07)

Security breach affects UConn Foundation donors
Information about 10 online donors to the University of Connecticut Foundation - including their names, addresses, and the last four digits and expiration dates of their credit cards - was accessed through a vendor's security breach between Oct. 23 and Nov. 1. About 89,000 other people had only their e-mail addresses accessed without authorization, UConn Foundation spokesman John Sponauer said. The foundation was one of 92 clients of the vendor, Convio, affected by the breach, Sponauer said.
http://www.zwire.com/site/news.cfm?newsid=19018393&BRD=985&PAG=461&dept_id=161556&rfi=6 (Journal Inquirer – 11/13/07)
Students' personal data stolen
Parents of 560 students in Edmonton Catholic schools are shocked after a memory stick containing their personal information was stolen earlier this month. The names, addresses and phone numbers of the students were stored on a memory stick, a pocket-sized device used to store computer data that acted as a backup copy for R.L. Smith Transportation Inc. An employee took the memory stick home every night in her purse. Company president Gordon Mayes said they found out about the loss of the memory stick after the employee had quit and called in to ask for her last cheque. When asked about the return of the memory stick, she explained her car had been stolen, along with her purse, Mayes said.
http://www.canada.com/edmontonjournal/news/cityplus/story.html?id=6b127142-f6f6-4c76-94bc-8a066d05fb1c&k=94289 (Edmonton Journal – 11/13/07)

CDs containing state workers' information missing in Nevada
Hundreds of CDs containing payroll information about state employees, including Social Security numbers, have either been lost or stolen over the last three years, state Personnel Director Todd Rich said. Rich said his department sent a total of more than 13,000 CDs to 80 agencies for review every two-week pay period over the last three years. He said as many as 470 are still missing. "We haven't had any notification from anybody that, `Hey, my identity has been stolen,'" Rich told the Nevada Appeal. He said it would be up to Attorney General Catherine Cortez Masto whether to issue a breach notification. If so, he said, it would be done by agencies with missing discs. The system has been tightened to prevent unauthorized people from getting employee information, Rich added.
http://www.lasvegassun.com/sunbin/stories/nevada/2007/nov/11/111110005.html (Las Vegas Sun – 11/11/07)

Laptop theft concerns customers
Chico-based Butte Community Bank notified an undisclosed number of customers this week that a laptop computer probably containing their names, addresses, Social Security numbers and account numbers was stolen in mid-October. Bank officials refused to say how many customers were mailed the notice, which was dated Oct. 24. They said the laptop was stolen from a bank employee who carries it from branch to branch, but declined to say exactly where it went missing. Customers throughout Butte County appeared to get the notice. Some employees of the Enterprise-Record, the Paradise Post business account and a woman living in Stirling City are on the list. Butte currently operates 10 branches in Chico, Paradise, Magalia, Oroville and Gridley. The notice tells customers the computer database is protected by a password, which should keep the information from being accessed.
http://www.orovillemr.com/news/ci_7410591 (Oroville (CA) Mercury-Register – 11/08/07)

Laptop with personal data missing
Cabarrus County officials notified more than 28,000 people this week that their personal data, including Social Security numbers, are on a missing laptop computer owned by Cabarrus County Emergency Medical Services. The computer had accidentally been left on an ambulance's back bumper at 10 p.m. Oct. 28, while the vehicle was parked at Carolinas Medical Center-NorthEast in Concord. County officials said it is possible, but unlikely, that the information in the laptop could be breached. The county is offering a $500 reward for the safe return of the lost laptop, a silver Panasonic Toughbook 18 tablet PC version. It is encased with a hard black alloy. The laptop contained names, addresses, phone numbers and Social Security numbers of about 28,000 people who had been cared for by the county EMS over the past four years. It also contained medical information on about 58 people who received treatment from EMS Oct. 13-28.
http://www.charlotte.com/local/story/353337.html (Charlotte Observer – 11/08/07)
E-COMMERCE

Regulating e-commerce
There is a debate over whether governmental noninterference is applicable to e-commerce and international trade that is conducted over the Internet. Should e-commerce be regulated by governments or should it be allowed to be “self-regulated” by the forces of the free market? Economies work more efficiently when they are free from governmental interference. In this regard, the classical economist Adam Smith claimed that an individual pursuing his self-interest by engaging in commerce is “led by an invisible hand to promote an end which was no part of his intention.” This “invisible hand” is said to guide individuals to achieve greater collective wealth. Smith felt that the idea of the “invisible hand” applies to the realm of international commerce as well as to domestic commerce.
http://biz.thestar.com.my/news/story.asp?file=/2007/11/19/business/19336753&sec=business (The Star – 11/19/07)

EDITORIALS & OPINION

Be your own personal privacy czar
Like most journalists I know I'm very sloppy about keeping my online communications secure. I rarely encrypt e-mail messages, leaving them to be read by anyone in the electronic chain between me and the intended recipient. And I use public chat services like MSN Messenger and iChat, even though they send messages as plain text across the network. Partly this is because the tools needed to make communications secure can be cumbersome and complicated, even for someone with a technical background. But partly it is because I have not often been involved in researching stories that are going to bring me to the attention of those with the capabilities needed to tap even insecure online communications. But you never know.
http://news.bbc.co.uk/1/hi/technology/7101637.stm (BBC News – 11/19/07)

Privacy and security: There’s always a tradeoff (Commentary: Although security can help ensure privacy, the two are not the same thing)
Hugo Teufel III, chief privacy officer of the Homeland Security Department, said recently at a roundtable discussion on cyber security for the Congressional High Tech Caucus that there was no need to balance privacy and security. The two go hand in hand, he said. What a disturbing thing for a chief privacy officer to say. Although it is true that security can help ensure privacy, the two are not the same thing. Security often entails gathering sensitive information about individuals, and these collections raise plenty of concerns about privacy, no matter how well-intentioned.
http://www.gcn.com/online/vol1_no1/45454-1.html (Government Computer News – 11/19/07)

Protecting our privacy from federal bureaucrats
Privacy has always been important to Texans - from government officials' snooping to citizens choosing to be anonymous. Privacy is a fundamental right in our state's common law and in our state constitution. That means the government cannot trump or invade our privacy without a compelling state interest to do so - not just any reason, but a compelling reason - and the government has no other alternative available to get the information it claims to need. That is why both the Fourth Amendment to the U.S. Constitution and the Texas Constitution require probable cause and a warrant from a court, except in an emergency, to intrude upon our privacy. Since frontier times, Texans have cherished and insisted on their privacy and their anonymity. For Texans, not only was this part of rugged individualism and innate distrust of government, but it was part of their desire to start over in their lives and live the way they wanted.
http://media.www.dailytexanonline.com/media/storage/paper410/news/2007/11/16/Opinion/Protecting.Our.Privacy.From.Federal.Bureaucrats-3107109.shtml (Daily Texan Online – 11/16/07)
The Picture Of Conformity
It's been apparent for years that we're being watched and monitored as we traverse airports and train stations, as we drive, train, fly, surf the Web, e-mail, talk on the phone, get the morning coffee, visit the doctor, go to the bank, go to work, shop for groceries, shop for shoes, buy a TV, walk down the street. Cameras, electronic card readers and transponders are ubiquitous. And in that parallel virtual universe, data miners are busily and constantly culling our cyber selves. Is anywhere safe from the watchers, the trackers? Is it impossible to just be let alone?
http://www.washingtonpost.com/wp-dyn/content/article/2007/11/15/AR2007111502482.html (Washington Post – 11/16/07)

EDUCATION

EMPLOYEE

Boeing bosses spy on workers
Within its bowels, The Boeing Co. holds volumes of proprietary information deemed so valuable that the company has entire teams dedicated to making sure that private information stays private. One such team, dubbed "enterprise" investigators, has permission to read the private e-mails of employees, follow them and collect video footage or photos of them. Investigators can also secretly watch employee computer screens in real time and reproduce every keystroke a worker makes, the Seattle P-I has learned. For years, Boeing workers have held suspicions about being surveilled, according to a long history of P-I contact with sources, but at least three people familiar with investigation tactics have recently confirmed them. One company source said some employees have raised internal inquiries about whether their rights were violated. Sometimes, instead of going to court over a grievance on an investigation, Boeing and the employee reach a financial settlement. The settlement almost always requires people involved to sign non-disclosure agreements, the source said.
http://seattlepi.nwsource.com/business/339881_boeingsurveillance16.html (Seattle PI – 11/16/07)

FINANCIAL

GOVERNMENT – U.S. FEDERAL

MySpace, Facebook ad plans violate privacy, groups tell FTC
Two consumer advocacy groups have asked the Federal Trade Commission to investigate whether new advertising initiatives announced last week by social networking sites MySpace and Facebook adequately protect consumer privacy. In a Nov. 12 letter to FTC Chairman Deborah Platt Majoras, the Center for Digital Democracy and the U.S. Public Interest Research Group claimed that the "ambitious new targeted advertising schemes" launched by MySpace.com and Facebook Inc. "make clear the advertising industry's intentions to move full-speed ahead without regard to ensuring consumers are protected." Jeffrey Chester, founder and executive director of the Center for Digital Democracy, said that by launching the advertising plans, MySpace and Facebook are "thumbing their noses at the FTC and consumer privacy rights" by allowing marketers to customize advertisements based on data provided by users in their profiles on the social networking sites.
http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9046738&source=NLT_SEC&nlid=38 (Computer World – 11/13/07)

GOVERNMENT – U.S. STATES
HEALTH & MEDICAL

AMA Recommends Routine HIV Testing While Protecting Patient Autonomy, Privacy
The American Medical Association recently updated its HIV testing policy to include guidelines supporting routine HIV testing, while continuing to advocate for the protection of patient privacy and autonomy, the AP/Google.com reports (AP/Google.com, 5/14). "Understanding and treatment of HIV has grown substantially over the past few decades," Ardis Hoven, an AMA board member, said, adding, "new policy calls on physicians to routinely test consenting adult patients for HIV and reflects the reality that if HIV is detected early patients can lead full and productive lives" (AMA release, 11/13).
http://www.kaisernetwork.org/daily_reports/rep_index.cfm?DR_ID=48905 (Kaiser Network – 11/16/07)

Threats to Your Genetic Privacy
In a season of political divisiveness, the overwhelming majority of Americans agree on one thing: Your genes are your own business and should not be tapped by employers or health insurers deciding whether you or your family are fit for their company. Yet the long-awaited GINA, the Genetic Information Nondiscrimination Act, languishes in lawmaker limbo. The bill, with near-unanimous support of both House and Senate and a president solidly behind it, has been prevented from sailing through by one senator, physician Tom Coburn of Oklahoma, also known as "Dr. No," who makes serious sport of placing on hold bills he thinks need fixing.
http://health.usnews.com/articles/health/2007/11/16/threats-to-your-genetic-privacy.html (US News & World Report – 11/16/07)

Whose records? Does medical privacy law hinder privacy?
A Journal Times editor went to the dentist, and when she picked her medical records folder off a reception desk to look at it, the office manager publicly and loudly rebuked her. Perhaps the manager was incensed over a violation of procedure, or was venting anger from something else, but the editor was confused about her rights to look at her own health records. More than 10 years after it was passed, the Health Insurance Portability and Accountability Act (referred to by everyone as HIPAA) is still causing confusion, in part because people who have to apply it don't necessarily understand it. Beyond the application of rules lies the broader issue of whether people have lost privacy.
http://www.journaltimes.com/articles/2007/11/14/life/doc473a2f9ec1c96741856824.txt (Journal Times Online – 11/14/07)

Federal patient privacy rule makes it harder to conduct medical research
A federal patient privacy rule is being blamed for stagnating medical research, making it tougher than ever to recruit patients and use their health records. That's what a national survey suggests. Two-thirds of the more than 1,500 epidemiologists surveyed say the Health Insurance Portability and Accountability Act, known as HIPAA, has made their research more difficult. The doctor who led the survey says one in nine researchers surveyed say they had abandoned a research idea because they thought it wouldn't be approved because of HIPAA. Another doctor says medical professionals are waiting to see if HIPAA becomes more clear in reassuring hospital staff that they're not going to jail if they work with researchers.
http://www.ktvz.com/Global/story.asp?S=7355518 (KTVZ TV – 11/13/07)

IDENTITY THEFT

Used hard drives are ID theft paradise
Irish people may have improved their record on recycling electronic waste, but it seems security concerns have fallen by the wayside. According to a study, personal information including credit card numbers, customer data and client files is being left on hard drives that are being sold into the second-hand market. The drives examined by Rits were sourced openly on the internet and online auctions. The survey looked at the information remaining on the disks, unveiling some alarming results. Data found on the drives included client files from insurance brokers and mobile phone firms, and electrical design data for academic institutions and civic offices.
http://www.enn.ie/article/10123430.html (ENN – 11/14/07)
Don't Let Identity Thieves Enjoy a Holiday Shopping Spree on You
The Identity Theft Resource Center® gets more calls about lost and stolen wallets between November and January than any other time of the year. The time between Thanksgiving and Christmas is the biggest shopping season of the year. As we enter the holiday season, we would like to remind everyone to be aware and take the following precautions against identity theft. After all, 'tis the season to enjoy, not be stressed as an identity theft victim. Identity theft is not just something you read about in the paper. About 15 million people fall victim to this crime every year. Because of the distractions of the holidays and crowded shopping environments, conditions are ripe for identity thieves and pickpockets to take advantage of the situation.
http://www.earthtimes.org/articles/show/news_press_release,221703.shtml (Earth Times – 11/12/07)

ID Thief Admits Using Botnets to Steal Data
In the first U.S. prosecution of its kind, a well-known member of the "botnet underground" was charged Friday with using botnets to steal the identities of victims across the country by extracting information from their personal computers and wiretapping their communications. John Schiefer, 26, of Los Angeles, has agreed to plead guilty to four felony counts: accessing protected computers to conduct fraud, disclosing illegally intercepted electronic communications, wire fraud, and bank fraud. Schiefer faces a maximum sentence of 60 years in federal prison and a fine of $1.75 million. The criminal information and plea agreement filed Friday in U.S. District Court in Los Angeles outlines a series of schemes in which Schiefer and several associates developed malicious computer code and distributed that code to vulnerable computers. Schiefer and the others used the illicitly installed code to assemble armies of up to 250,000 infected computers, which they used to engage in a variety of identity theft schemes. Schiefer also used the compromised computers to defraud a Dutch advertising company.
http://www.darkreading.com/document.asp?doc_id=138856 (Dark Reading – 11/12/07)

ID theft can be a dead issue
Apparently it's not that hard for a dead person to open a bank account. About 400,000 bank accounts were opened last year in the names of dead people, James D. McCartney told an audience last week at Germanna Community College's Fredericksburg-area campus. The people opening the accounts had stolen the identities of the deceased by buying their Social Security numbers and credit records. It's part of a growing problem of identity theft. More than 90 million American identities have been reported lost or stolen in the past 18 months, said McCartney, an identity theft expert and author who works for Bearing Point Management and Technology Consultants.
http://fredericksburg.com/News/FLS/2007/112007/11112007/331416 (Fredericksburg Free Lance Star – 11/11/07)

INTERNATIONAL

AFRICA

ASIA/PACIFIC

Flaws in Asia's Maturing IT Security Approach
In the latest Global State of Information Security 2007 (GSIS), employees past and present have taken over the top spot from hackers as the most likely source of an information security event. Representing a 10 per cent increase since 2005, 47 per cent of Asian respondents believe that their employees are now the most likely source of security risk. They now have more fear of the 'enemy within' than of exterior attackers.
http://cio-asia.com/ShowPage.aspx?pagetype=2&articleid=6906&pubid=5&issueid=126 (CIO-Asia – 11/18/07)
EUROPE

AUSTRIA

Austrian privacy laws 'used to gag media'
Austrian childcare officials have been accused of using privacy laws in an attempt to stop newspapers and TV stations from exposing their failure to protect children. Officials in the Linz-Urfahr region are demanding substantial damages from all the media organisations that reported on the case of a mentally disturbed lawyer who kept her three daughters locked up for seven years. Austrian state broadcaster ORF was fined €22,000 for teletext and online reports about the case. Gert Edlinger, the managing director of newspaper Österreich, which also faces legal action, said the case was an "unbelievable scandal".
http://www.guardian.co.uk/media/2007/nov/16/pressandpublishing.television?gusrc=rss&feed=media (UK Guardian – 11/16/07)

GREECE

Head of Greek privacy watchdog resigns over police use of cameras to monitor protests
The head of Greece's privacy watchdog resigned Monday over the government's use of traffic cameras to monitor demonstrations, raising the stakes in a heated dispute over civil liberties. Dimitris Gourgourakis said police "directly breached" his powerful Data Protection Authority's regulations by using closed-circuit cameras for surveillance at a central Athens protest Saturday, despite a ban. "I believe this constitutes a blow to the authority's independence," said Gourgourakis, a former senior judge. The authority's deputy head and another two members also stepped down in protest. Opposition parties accused the conservative government of trying to weaken the authority. The resignations follow a long-running dispute between the government and the authority over police use of surveillance cameras installed in 2004 for the Athens Olympic Games, which has sparked a broad debate on privacy rights in Greece.
http://www.iht.com/articles/ap/2007/11/19/europe/EU-GEN-Greece-Cameras-Resignation.php (International Herald Tribune – 11/19/07)

UNITED KINGDOM

Government policies threaten data privacy, warns information commissioner
Information commissioner Richard Thomas has listed a string of government policies that he feels threaten data protection rights. The data protection watchdog provided the list to the House of Lords constitution committee as part of its inquiry into the impact of surveillance and data collection. He highlighted policies including the national identity database that will underpin the controversial ID cards scheme – "an area of particular concern" – the e-borders passenger checking policy, and the full electronic health records being rolled out as part of the NHS's £12.4bn computer overhaul. Thomas also warned over plans to share road-charging data with police and sections of the Serious Crimes Act that authorised public sector agencies to access information held on private company databases. The information commissioner said he questioned why "so much transactional data is going to be collected" on the national identity database, which would hold a record of every occasion an individual swiped their ID card through a reader.
http://www.computerworlduk.com/management/government-law/legislation/news/index.cfm?newsid=6271 (Computer World UK – 11/19/07)

Doctors may be prosecuted if their laptops are stolen
Doctors who have laptops containing patients' records stolen from their cars could end up in court. Richard Thomas, the Information Commissioner, said a "blatant breach of fundamental observation" should attract criminal penalties. He told the Lords' Constitution Committee that this was a new criminal offence being sought to enforce compliance with data protection laws. The offence would be for knowingly or recklessly flouting data protection principles. Offenders could be fined up to £5,000 in a magistrates' court or unlimited sums in the Crown Court.
http://business.timesonline.co.uk/tol/business/law/article2873186.ece (Times Online – 11/15/07)
Public concern grows over data protection
The public are increasingly aware of data protection issues, according to research from the Information Commissioner's Office (ICO). People now consider protecting their personal information as the second most socially important issue, above the NHS, national security and environmental issues. Information Commissioner Richard Thomas said the results of the research were encouraging. "While the majority of organisations process personal information appropriately, this research highlights the need for all organisations, large and small, to process customers' information securely," he said. The nationwide survey also found that 90 per cent of individuals know that they have a right to see information that an organisation holds about them, compared with 74 per cent three years ago.
http://www.computing.co.uk/computing/news/2203452/public-concern-grows-protection (Computing – 11/14/07)

MIDDLE EAST

NORTH AMERICA

CANADA

Opinion: Survey Finds One In Five Execs Say Their Companies Don't Use Anti-Virus Software
Just 37 percent of Canadian executives who participated in a survey said they are confident that data in their companies is protected against attacks, according to this column in The London Free Press. The survey also found that one in five executives reported that their companies don't use anti-virus software, and 25 percent operate without a firewall, according to Ledger Marketing, which conducted the survey for Fusepoint Managed Services. Columnist David Canton said that he is surprised that "more attention is not being placed on security and privacy and the boardroom or executive level, especially in light of highly publicized incidents such as the TJX Cos. security breach." Canton said that companies should elevate data security to the top of the executive or board agenda because "doing nothing, or ignoring the issue, is not an option."
http://lfpress.ca/newsstand/Business/Columnists/Canton_David/2007/11/19/4667152-sun.html (London Free Press – 11/16/07)

School boards lack privacy protection
Parents should be concerned about the privacy of their children's personal educational records, experts say, following news that a memory stick containing the names, addresses and phone numbers of more than 500 Alberta students was stolen this month. At most schools across the country, everything from attendance records to grades to psychological assessments is now kept in electronic files. And while individual boards of education are regulated by provincial privacy guidelines, teachers, administrators, school psychologists and guidance counsellors often transport the information on memory sticks, which are easily lost or stolen. "It really is very efficient, but if backup copies are going home without password protection, that's a real concern," said Lori Nagy, spokeswoman for the Edmonton Catholic School District.
http://www.theglobeandmail.com/servlet/story/RTGAM.20071114.wlmemory14/BNStory/Technology/home (Globe and Mail – 11/14/07)

SOUTH AMERICA
LEGISLATION – FEDERAL

Privacy concerns plague Senate health IT legislation
The Senate's eagerness to mandate incentives for modernizing healthcare through information technology has prompted concerns about enacting a law without adequate privacy protections. Psychiatrist Deborah Peel, founder of the Patient Privacy Rights Foundation, has alerted her coalition of nearly 40 organizations, including the American Academy of Family Physicians and the American Medical Association, to call the sponsors of a pending bill, S. 1693, about adding a privacy amendment proposed by Patrick Leahy, D-Vt. She said the bill relies too heavily on privacy standards promulgated under a flawed 1996 law, the Health Insurance Portability and Accountability Act, in covering non-medical entities like data aggregators.
http://www.govexec.com/dailyfed/1107/111607tdpm1.htm (Government Executive – 11/16/07)

House passes Restore Act with no telecom immunity provision
The House of Representatives has passed the Restore Act, which facilitates broad surveillance of foreign terror groups while restoring the Foreign Intelligence Surveillance Act Court's oversight of communications between foreign and domestic surveillance targets. The Restore Act controversially does not include a provision granting telecom companies retroactive legal immunity for their involvement in the NSA wiretap program. The major telecom companies that cooperated with the NSA are accused by privacy advocates of violating federal laws that restrict disclosure of phone records. The companies face costly and embarrassing litigation as several cases wind their way through the courts. The telecoms have been lobbying heavily for retroactive immunity grants that would excuse them of any wrongdoing.
http://arstechnica.com/news.ars/post/20071116-house-passes-restore-act-with-no-telecom-immunity-provision.html (Ars Technica – 11/16/07)

Also see:
• No immunity for telecoms
http://www.registerguard.com/csp/cms/sites/dt.cms.support.viewStory.cls?cid=24248&sid=1&fid=1 (Register Guard – 11/19/07)
• Carriers Try To Avoid The Warrantless Eavesdropping Spotlight
http://www.informationweek.com/security/showArticle.jhtml?articleID=203103309 (Information Week – 11/17/07)

Under bill, companies could face privacy suits
Congress appeared headed toward a confrontation with President Bush on Thursday over House and Senate plans to require that telecommunication firms that aided the administration's warrantless surveillance program be subject to lawsuits from American customers. The House of Representatives approved Thursday night a Democrat-sponsored foreign surveillance bill that would block retroactive immunity from lawsuits for telecoms that facilitated wiretapping or shared customer information with the federal government from the Sept. 11 attacks until this past January. The bill passed 227-189. Bush has promised to veto any measure that does not include such immunity.
http://www.usatoday.com/news/washington/2007-11-15-fisa_N.htm (USA Today – 11/16/07)

LEGISLATION – STATE

NEW HAMPSHIRE

Judge questions privacy argument of voter info law
The New Hampshire Democratic Party has agreed to stop selling voter information data while a judge considers whether a law allowing political parties to do so is unconstitutional. The Libertarian Party is challenging the law, passed earlier this year, which only allows major parties to purchase previously unavailable voter information from the state. Under the law, only parties which received more than 4% of the vote qualify, meaning only Democrats and Republicans. The state Republican Party has said it is not selling the voter list. The state Democratic Party has sold updated lists, containing voter history and birth years, to several presidential candidates at $65,000 each.
http://www.wcax.com/Global/story.asp?S=7370893&nav=menu183_7_2_1 (AP – 11/16/07)
Also see:
• Judge doubts basis of voter data law
http://www.concordmonitor.com/apps/pbcs.dll/article?AID=/20071116/FRONTPAGE/711160303 (Concord Monitor – 11/16/07)

LITIGATION & ENFORCEMENT ACTIONS

Vets Can Sue VA Over Stolen Laptop
A federal judge questioned the Veterans Affairs Department's computer security and ruled Friday that lawsuits can go forward over the theft of computer equipment containing data on 26.5 million veterans. U.S. District Judge James Robertson dismissed several aspects of the case but said the three lawsuits sufficiently made the claim that the agency failed to safeguard personal information, as required by the Privacy Act. "The government's own evidence raises serious questions about the VA's computer safeguards," Robertson wrote, citing government reports that faulted the agency's computer security years before the theft. A laptop and hard drive were stolen last year during a burglary at the home of a Veterans Affairs employee. The equipment contained the names, Social Security numbers and birth dates of veterans discharged since 1975. It was the worst-ever breach of government data.
http://ap.google.com/article/ALeqM5gqGfy6HNMsTyAGUesRe43dQCGsDgD8SV20PO2 (AP – 11/17/07)

Visa Gave TJX Until 2009 to Get PCI Compliant
Credit card company Visa knew in late 2005 of the extensive security problems at TJX, but decided to give the retailer permission to remain non-compliant through Dec. 31, 2008, according to documents filed in federal court on Nov. 8. The Dec. 29, 2005, letter from Joseph Majka, a fraud control vice president for Visa, was written months after cyber-thieves had already secretly infiltrated TJX's systems, starting the work that would ultimately become the worst data breach in credit card history. Majka wrote the letter to Diana Greenshaw, an official with TJX's credit card processor, Fifth Third Bank. "Visa will suspend fines until Dec. 31, 2008, provided your merchant continues to diligently pursue remediation efforts. This suspension hinges upon Visa's receipt of an update by June 30, 2006, confirming completion of stated milestones."
http://www.eweek.com/article2/0,1895,2215022,00.asp (eWeek – 11/10/07)

MOBILE/WI-FI

Expect a rocky road for mobile data security, experts say
You're in for a nasty surprise if you think mobile broadband devices will be free of the security problems that long have plagued PCs, said a panel of security experts at the Mobile Internet World conference. The panel, which discussed how companies could protect their data in the era of iPhones and open source Android platforms, generally agreed that most handsets that provide high-speed Internet access are vulnerable to the same kinds of security problems that PCs experienced before the advent of firewalls, VPNs and other security systems. The reason that many of these devices lack stringent security measures, they said, is that companies don't want to invest heavily in security protocols for mobile devices that they aren't certain will be profitable.
http://www.networkworld.com/news/2007/111507-mobile-data-security-problems.html?fsrc=rss-security (NetworkWorld – 11/15/07)
Many Retailers Open to Wireless Attacks
"Today's retailer faces a greater threat from data breaches than from simple theft," says Amit Sinha, CTO of AirDefense. During the study, company staffers used wireless antennas to test the wireless "perimeters" of some 3,000 stores in major malls across the globe. The company discovered some 2,500 laptops, hand-helds, and barcode scanners and approximately 5,000 access points -- and about 85 percent of them would have been relatively easy to hack, Sinha says. "Twenty-five percent of them were completely open -- they weren't secured at all," Sinha reports. "Another 25 percent were protected only by [Wired Equivalent Privacy]," a security technology that has been widely proven to be vulnerable. Twelve percent of the wireless LANs tested were configured with the name of the store as the Service Set Identifier (SSID), "which is like giving the thief a map to your store," Sinha says. Many other wireless devices were still configured with out-of-the-box default passwords, most of which can be found in widely-published lists on the Web.
http://www.darkreading.com/document.asp?doc_id=139291&WT.svl=news1_2 (Dark Reading – 11/15/07)

ODDS & ENDS

The Picture Of Conformity: In a Watched Society, More Security Comes With Tempered Actions
This Washington Post article looks at the cultural and individual impacts of constant surveillance. Experts say that surveillance strips people of their public anonymity and forces conformity at the expense of individual creativity and expression. Author Jeffrey Rosen tells the Post that it is important for individuals to have a "sphere of immunity from surveillance to be yourself and do things that people in a free society take for granted." He added that the loss of autonomy is one of the "amorphous costs of having a world where there's no immunity from surveillance." The constant evolution of technology makes it difficult to immediately notice the impacts. Paul Saffo, a technology futurist, says that "it's a little bit like locked doors," adding that today "nobody has any concept of what it's like to have a house without a locked door or a security system." The story also looks at surveys that indicate mixed reactions to government surveillance post-Sept. 11.
http://www.washingtonpost.com/wp-dyn/content/article/2007/11/15/AR2007111502482.html (Washington Post – 11/16/07)

NYPIRG warns of travelers' shopping privacy concerns
As we enter the holiday travel season, the New York Public Interest Research Group has updated their consumer Web site, www.CyberStreetSmart.org, with a new report to help travelers shop around for better privacy policies and protect their identities. "You have to share a lot of personal information to book a flight or a hotel online," said Amanda Hanley, a SUNY New Paltz student with NYPIRG. "If that information isn't treated carefully, you could be at risk for ID theft." Since 63 percent of Internet users plan trips on the Web and ID theft is the most commonly reported Internet crime, NYPIRG contends that street-smart consumers should know how businesses plan to use, share and safeguard their information.
http://www.midhudsonnews.com/News/online_shop_priv-16Nov07.html (Mid-Hudson News – 11/16/07)

Web Site Features Could Affect Trust in Candidates
If voters judge presidential candidates on Web site privacy and other features, some campaigns may want to revisit their site design. A new report measuring the prominence of privacy policies and other criteria found campaign sites for Hillary Clinton, John Edwards, Rudy Giuliani, Barack Obama, Mitt Romney and Fred Thompson each failed at least one test, while Clinton's site was the only one to fail all three tests applied. When Forrester Research evaluated the candidates' Web sites last month to measure how prominently privacy policies were presented when users took critical actions, all six sites flunked. Specifically, the research firm looked at whether privacy policies were displayed in context when users were asked for personal data, particularly when registering for e-mail alerts or making a donation.
http://www.clickz.com/3627618 (ClickZ – 11/16/07)
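Returning to the AirDefense retail survey in the MOBILE/WI-FI section above: the four weaknesses it counted (open networks, WEP-only encryption, SSIDs that name the store, factory-default admin passwords) are exactly the checks a store's own security team can run against a site-survey export before an outsider does. The script below is an added example, not code from the article or from AirDefense; the survey records, the store name and the default-password list are all constructed placeholders, not real vendor data.

```python
"""Audit a wireless site survey for the weak access-point settings the
AirDefense retail study called out. Added example; the survey data below is
constructed and DEFAULT_PASSWORDS is a placeholder, not a real vendor list.
"""
from collections import Counter

# Constructed survey records, the shape a site-survey tool might export.
SURVEY = [
    {"ssid": "ACME-Mart-1042", "encryption": "NONE", "admin_password": "admin"},
    {"ssid": "posnet",         "encryption": "WEP",  "admin_password": "Xr7!k2pQ"},
    {"ssid": "ACME-Mart-POS",  "encryption": "WPA2", "admin_password": "Xr7!k2pQ"},
    {"ssid": "guest",          "encryption": "WPA",  "admin_password": "password"},
    {"ssid": "scanner-net",    "encryption": "WPA2", "admin_password": "L0ng-Random-Pass"},
]
STORE_NAME = "ACME Mart"  # constructed
DEFAULT_PASSWORDS = {"admin", "password", "1234", ""}  # placeholder list


def ssid_names_store(ssid, store_name):
    """True if the SSID contains the store name, ignoring case and punctuation,
    so 'ACME-Mart-1042' still matches 'ACME Mart'."""
    def norm(s):
        return "".join(ch for ch in s.lower() if ch.isalnum())
    return norm(store_name) in norm(ssid)


def audit_access_point(ap, store_name, default_passwords=DEFAULT_PASSWORDS):
    """Return the list of weak-setting findings for one access point."""
    findings = []
    enc = ap["encryption"].upper()
    if enc == "NONE":
        findings.append("open")
    elif enc == "WEP":
        findings.append("wep_only")
    if ssid_names_store(ap["ssid"], store_name):
        findings.append("ssid_names_store")
    if ap.get("admin_password", "") in default_passwords:
        findings.append("default_admin_password")
    return findings


def audit_survey(survey, store_name, default_passwords=DEFAULT_PASSWORDS):
    """Return (findings per SSID, counts per finding type, number of APs with
    at least one finding), i.e. the 'how many would be easy to hack' figure."""
    per_ap = {ap["ssid"]: audit_access_point(ap, store_name, default_passwords)
              for ap in survey}
    counts = Counter(f for fs in per_ap.values() for f in fs)
    at_risk = sum(1 for fs in per_ap.values() if fs)
    return per_ap, counts, at_risk


def summarize(survey, store_name):
    """Human-readable report for the survey."""
    per_ap, counts, at_risk = audit_survey(survey, store_name)
    lines = [f"{at_risk}/{len(survey)} access points have at least one weak setting"]
    for name, n in sorted(counts.items()):
        lines.append(f"  {name}: {n}")
    for ssid, fs in per_ap.items():
        lines.append(f"  {ssid}: {', '.join(fs) if fs else 'ok'}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(summarize(SURVEY, STORE_NAME))
```

Run against real survey output, the only change needed is the loader that produces the `SURVEY` records; the store-name match is deliberately punctuation-insensitive because the SSIDs in the article's finding are rarely the store name verbatim.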
ONLINE

McAfee Sees Cybercriminals Targeting Web 2.0, Windows Vista, and Online Games
Threats to Web 2.0 sites, Windows Vista, and online games are expected to increase in 2008, along with attacks on IM, virtualization, and VoIP software, according to security firm McAfee.
http://www.informationweek.com/news/showArticle.jhtml?articleID=203100959 (InformationWeek – 11/15/07)

Facebook Encounters Difficulty Deleting Account
Channel 4 aired a story based on a UK user's discovery that he was unable to remove his Facebook account. Facebook allows users to deactivate their accounts, but according to this report, the information stays indefinitely on the company's servers. The deactivation approach allows users to easily rejoin, according to this report. Facebook told the television station that it complies with the country's Data Protection Act. The Information Commissioner's Office told Channel 4 that it plans to investigate the viewer's complaint, and added in a statement that Web sites should "ensure that personal information is not retained for longer than necessary especially when the informant relates to a person who no longer uses the site."
http://www.channel4.com/news/articles/science_technology/facebook%20data%20protection%20row/1060467 (Channel [UK] 4 – 11/17/07)

Also see:
• Facebook May Face U.K. Privacy Probe
http://blog.wired.com/business/2007/11/facebook-faces.html (Wired.com – 11/19/07)

The Facebook betrayal - users revolt over advertising sell-out
It used to be a great way to swap student party drinking stories. Office workers embraced it as a chance for a quick escape from the daily drudgery – until their bosses banned it. And 50-something parents marvelled at a virtual window on what their children were up to. That is the appeal of Facebook, which in little more than a year has exploded from an elite student-only club into a global social networking phenomenon with more than 54 million users. But with Facebook's latest attempt to turn those users into dollars, the site that was started in 2004 as a way for one Harvard student, Mark Zuckerberg, to stay in touch with his classmates has grown up faster than a child who has just found out the truth about Father Christmas. Like that kid on Christmas Eve, the innocence of Facebook's users, including almost 11 million in the UK, has been shattered by the site's decision to fall into the clutches of the corporate world.
http://news.independent.co.uk/sci_tech/article3172153.ece (The Independent – 11/18/07)

Thousands of Unprotected Databases Litter the Internet
After checking 1,160,000 random IP addresses, a security firm found nearly half a million database servers on the Internet not protected by firewalls—most of them were running Microsoft SQL Server, but a healthy portion of them were Oracle databases. Next Generation Security Software released on Nov. 12 a report saying the company found 368,000 Microsoft SQL Server databases and around 124,000 Oracle database servers, all directly accessible on the Internet. Between the two vendors, there were 492,000 unprotected database servers out on the Internet without firewalls.
http://www.eweek.com/article2/0,1759,2217123,00.asp (eWeek – 11/14/07)
RFID

Enhanced driver's licence approval sparks privacy caution
Recent news from the U.S. Department of Homeland Security (DHS) about allowing enhanced driver's licences to be used as an alternative to passports for U.S.-Canada border crossing renewed talks around the privacy issues surrounding the use of radio frequency identification (RFID) technology. RFID enables the wireless transmission of data over short distances, through the use of an RFID tag that transmits data, and a reader that receives the data from the tag. This technology is being eyed by Canadian provincial governments as a means to implement high-tech and highly secured driver's licences.
http://www.intergovworld.com/article/567312d80a010408008b33e86bd7c189/pg1.htm (InterGovWorld – 11/19/07)

Public Trust of RFID
In October, California Governor Arnold Schwarzenegger signed a law banning the forced implantation of radio-frequency identification (RFID) tags in humans by an employer. RFID tags are basically a microchip attached to an antenna which transmits information with radio waves. A scanner picks up these radio signals and sends the information to a computer system, thus identifying the item the chip is attached to. RFIDs are used today to track inventory, in library books, passports, automatic toll bridge systems and even credit cards. According to the study "RFID Reports: 'Public Policy: Understanding Public Opinion,'" by Auto-ID Labs, University of Cambridge, U.K., the main concern of people "is that they do not have a choice as to when or where the technology is used or as to how it will impact them." They are also concerned that the technology will be abused, creating a negative effect on their privacy. State Senator Joe Simitian -- sponsor of a California bill banning forced RFID implantation in humans -- admits that RFID is not necessarily a bad thing. "RFID technology is not in and of itself the issue. RFID is a minor miracle, with all sorts of good uses," said Simitian. "But we cannot and should not condone forced 'tagging' of humans. It's the ultimate invasion of privacy."
http://www.govtech.com/gt/185756?topic=117676 (Government Technology – 11/14/07)

SECURITY

DNS Servers in Harm's Way
"There are many organizations who are still in the dark about managing their external DNS," says David Ulevitch, CEO of OpenDNS. "Just as people run firewalls and anti-spam systems, it's important for them to manage the DNS coming into, and leaving, their network. Many organizations today manage their internal DNS, but leave their Internet-facing DNS wide open to abuse their network and act as a vector for malicious activity," he says.
http://www.darkreading.com/document.asp?doc_id=139525&f_src=darkreading_informationweek (Dark Reading – 11/19/07)

Thumb twiddling Mozilla promises fix for privacy-biting bug
Mozilla's head of security has promised a patch for a dangerous vulnerability that's been lurking in the popular Firefox browser for more than eight months. The new urgency in fixing the jar: protocol handler comes after bloggers in recent weeks demonstrated how the vulnerability could wreak real-world havoc, including allowing attackers to steal a victim's Gmail contacts. Short for Java Archive, the jar: protocol is used to compress Java classes and other types of files into a single file. Problem is, the protocol will open any zip-formatted file without first validating the MIME type of the archived contents. Malicious content is then run in the context of a trusted site. "An attacker can use this to evade filtering on sites that allow users to upload content and use this [to] initiate a cross site scripting attack," Window Snyder, Mozilla's security chief, wrote in this post on the Mozilla Security blog. "This may allow the attacker to access information stored on the trusted site without the victim's knowledge."
http://www.channelregister.co.uk/2007/11/19/upcoming_firefox_patch/ (Channel Register – 11/19/07)
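The jar: item above turns on one detail: the handler opened any file that was structurally a zip archive, regardless of what type the hosting site believed it was serving. Until the browser patch shipped, the mitigation on the hosting side was to refuse uploads that are both a valid image and a valid archive. The check below is an added example written for this brief; it is not Mozilla's code or anything from the article. It assumes a hypothetical upload endpoint that accepts only GIF, PNG and JPEG, and it builds its own constructed sample files (a plain GIF and the same GIF with a harmless zip appended) so it runs offline.

```python
"""Reject uploads that are image/zip polyglots. Added example, not Mozilla's
or the article's code. Samples built by build_samples() are constructed.
"""
import io
import zipfile

# Magic-byte prefixes for the image types this hypothetical endpoint accepts.
IMAGE_MAGIC = {
    "image/gif": (b"GIF87a", b"GIF89a"),
    "image/png": (b"\x89PNG\r\n\x1a\n",),
    "image/jpeg": (b"\xff\xd8\xff",),
}


def matches_declared_type(data: bytes, content_type: str) -> bool:
    """Leading bytes must match the type the client declared."""
    return any(data.startswith(m) for m in IMAGE_MAGIC.get(content_type, ()))


def contains_zip_archive(data: bytes) -> bool:
    """zipfile.is_zipfile() looks for the end-of-central-directory record, which
    sits at the END of the data; a zip reader accepts the archive even when an
    image's bytes precede it. That is exactly what the jar: handler did."""
    return zipfile.is_zipfile(io.BytesIO(data))


def check_upload(data: bytes, content_type: str):
    """Return (accepted, reason). Both checks must pass: correct leading
    bytes for the declared type, and no embedded archive structure."""
    if not matches_declared_type(data, content_type):
        return False, "leading bytes do not match declared type"
    if contains_zip_archive(data):
        return False, "file is also a valid zip archive (jar: polyglot)"
    return True, "ok"


def build_samples():
    """Constructed inputs: a minimal GIF and the same GIF with a zip appended.
    The zip holds an inert HTML marker, no script, purely to exercise the check."""
    plain_gif = b"GIF89a" + b"\x01\x00\x01\x00\x80\x00\x00" + b"\x00" * 16 + b";"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("marker.html", "<html>constructed marker, no script</html>")
    polyglot = plain_gif + buf.getvalue()
    return plain_gif, polyglot


if __name__ == "__main__":
    plain, poly = build_samples()
    for label, blob in (("plain gif", plain), ("gif+zip polyglot", poly)):
        print(f"{label}: {check_upload(blob, 'image/gif')}")
```

The magic-byte check alone would pass the polyglot, because the file really does begin with a GIF header; the archive check is the part that addresses the jar: problem, and it is cheap enough to run on every upload.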
Password Security Do's and Don'ts Outlined by Security and Privacy Company
Online hackers don't need high-tech tools to guess the passwords of many online account holders today. Once they have access to a computer, stored files and family photos can give hackers all the clues they need. With some time, guesswork and the use of trial and error, it doesn't take some hackers long to virtually take over an online account holder's financial life.
One of the problems with passwords is that users forget them. Hackers know that many online account holders use simple, easy to remember people, places or things for their passwords. In a Nov. 15 press release, Adaptive Marketing's security and privacy membership program, Privacy Matters, urges all consumers to create and maintain safe passwords for their online accounts. Taking some time to review the company's do's and don'ts of password security may be time well-spent.
http://www.associatedcontent.com/article/449909/password_security_dos_and_donts_outlined.html (Associated Content – 11/16/07)

Corporate data control policies are failing
More than a fifth of employees stores corporate files on memory sticks, despite the risk to security, new research has found. A survey of 300 employees across the UK and Ireland found that nearly half – 49% – stored work material "in multiple locations", with 21% holding it on portable USB memory sticks. Another 14% of employees said they stored corporate material on a laptop hard drive, with 9% admitting that they kept work-related material on non-work-owned personal devices, the research by Dynamic Market for enterprise content management company Tower Software found.
Lost and stolen laptops have been at the heart of a string of recent corporate data security breaches. Last month, HM Revenue and Customs became the latest high profile organisation to lose customer data after the theft of a laptop from an employee's car.
http://www.computerworlduk.com/management/security/data-control/news/index.cfm?newsid=6177 (Computer World – 11/14/07)

Looming Online Security Threats in 2008
It's nearly enough to make you long for the days of typo-ridden e-mails pretending to come from your bank. As Internet users display more of their personal information on social networking Web sites, and office workers upload more sensitive data to online software programs, computer hackers are employing increasingly sophisticated methods to pry that information loose. In many cases, they're devising small attacks that can fly under the radar of traditional security software, while exploiting the trust users place in popular business and consumer Web sites.
In September, the names and contact information for tens of thousands of customers of Automatic Data Processing (ADP) and SunTrust Banks (STI) were stolen from Salesforce.com (CRM), which provides online customer management software for those two companies. The incident occurred after a hacker tricked a Salesforce employee into disclosing a password.
http://www.businessweek.com/technology/content/nov2007/tc2007119_234494.htm?chan=technology_technology+index+page_top+stories (Business Week – 11/12/07)

'LoJack' For Backup Tapes?
A new spin on tape storage management could be near with Fujifilm testing technology to help its large corporate customers use GPS to keep track of their backup tapes -- whether they're in storage or in transit. The imaging and media giant is beta testing a tape-sized device that can help companies pinpoint their backup tapes to within meters.
"The genesis of this product was we were watching the news reports just like everybody else in this industry," Rich Gadomski, vice president of marketing for Fujifilm, told InternetNews.com. "So we wondered why there wouldn't be a tracking device to help keep track of these assets. And that's what we eventually developed, and are testing right now in the Tape Tracker."
http://www.internetnews.com/ent-news/article.php/3710516 (Internet News – 11/12/07)
SEMINARS

Internet Identity Workshop
December 3-5, 2007, Mountain View, CA
http://www.windley.com/events/iiw2007b/register.shtml

Seattle Technology Law Conference
December 13-14, 2007, Seattle, WA
http://www.lawseminars.com/seminars/07COMWA.php

US Department of Homeland Security Privacy Office Public Workshop: CCTV Developing Privacy Best Practices
December 17-18, 2007, Arlington, VA
privacyworkshop@dhs.gov

ACI's 7th National Symposium on Privacy & Security of Consumer and Employee Information
January 23-24, 2008, Philadelphia, PA
http://www.americanconference.com/privacy

Computer Professionals for Social Responsibility: Technology in Wartime Conference
January 26, 2008, Stanford University
http://cpsr.org/news/compiler/2007/Compiler200707#twc

IAPP Privacy Summit
March 26-28, 2008, Washington, D.C.
http://www.privacysummit.org/

Future of the Internet Economy - OECD Ministerial Meeting
June 17-18, 2008, Seoul, Korea
http://www.oecd.org/document/19/0,2340,en_2649_37441_38051667_1_1_1_37441,00.html

Conference on Ethics, Technology and Identity
June 18-20, 2008, The Hague
http://www.ethicsandtechnology.eu/ETI

_____________________________________________________________________

PAPERS

Cyber Security Threat Assessment
About This Compilation: Congressional staff have indicated to Internet Caucus Advisory Committee staff that succinct Internet policy position papers from a variety of perspectives would be helpful in their Congressional work. Based on that suggestion, the ICAC has requested of all its 200 member organizations one-pager issue briefs on the topic of Assessing the Nature of our Cyber Security Vulnerabilities. The position papers herein reflect only the perspective of the organization that submitted them. The ICAC hopes that the scope of submissions reflects a balanced and diverse perspective on this issue. This one-pager compilation serves to augment the Internet Caucus Advisory Committee event providing a Cyber Security Threat Assessment.
http://www.netcaucus.org/events/2007/threatassessment/one-pagers/

Security Experts Report on Hazards of New Surveillance Architecture
This summer's Protect America Act (PAA) temporarily authorized warrantless surveillance of communications that Americans have with individuals abroad. The use of this authority will require the deployment of new interception technologies. These new technologies raise several significant security risks. The report identified the three most serious security risks. The experts pointed to the danger that the system could be exploited by unauthorized users. Another risk is the misuse by a trusted insider. The third major risk is misuse by the US government.
http://www.crypto.com/papers/paa-comsec-draft.pdf