Sunday, February 12, 2006


News Item 5217 Security Fix - Brian Krebs on Computer and Internet Security - (washingtonpost.com)

Microsoft's Anti-Spyware program is causing troubles for people who also use  Symantec's Norton Anti-Virus software; apparently, a recent update to Microsoft's anti-spyware application flags Norton as a password-stealing program and prompts users to remove it.

According to several different support threads over at Microsoft's user groups forum, the latest definitions file from Microsoft "(version 5805, 5807) detects Symantec Antivirus files as PWS.Bancos.A (Password Stealer)."

When Microsoft Anti-Spyware users remove the flagged Norton file as prompted, Symantec's product gets corrupted and no longer protects the user's machine. The Norton user then has to go through the Windows registry and delete multiple entries (registry editing is always a dicey affair that can quickly hose a system if the user doesn't know what he or she is doing) so that the program can be completely removed and re-installed.


8:08:09 PM

News Item 5216 Microsoft Anti-Spyware Removes Norton Anti-Virus.

An anonymous reader writes "According to a story over at Washingtonpost.com, the latest definitions file for Microsoft's Anti-Spyware beta flags Symantec's Norton Antivirus products as a password-stealing trojan and prompts users to delete portions of the program. Users who follow the instructions hose their installation of Norton, requiring delicate Windows registry edits and a complete removal/reinstall of Norton. Microsoft's support forum is quickly filling up with complaints about this problem, many from businesses that have been pretty hard hit. This should be a cautionary tale about deploying beta products in production environments." [Slashdot]
8:04:53 PM

News Item 5215 UK.gov in partial ID card climbdown.

Bill before compulsion concession

The UK government is reportedly poised to accept key concessions in an effort to ease the passage of its controversial ID card plans through parliament. Amendments to the legislation, due to be tabled by a home office minister, would mean a new bill would have to be enacted in order to make it compulsory for Britons to carry biometric identity cards, following a defeat in the House of Lords over the issue.

[The Register - Security]
7:54:27 PM

News Item 5214 Security Specialists At Demo Paint Bleak Picture (TechWeb).

TechWeb - Computer security specialists gather at this week's Demo conference in Phoenix to examine the escalating threat scene. [Yahoo! News: Computer Security & Viruses]
7:52:39 PM

News Item 5213 Spyware Barely Touches Firefox (TechWeb).

TechWeb - There's more ammunition for Firefox fans. New academic research says Internet Explorer users can be up to 21 times more likely to end up with a spyware-infected PC than Firefox users. [Yahoo! News: Computer Security & Viruses]
7:50:39 PM

News Item 5212 TSA criticized for delay, mismanagement of Secure Flight program.

The GAO says the TSA has not fully explained how it will protect passenger data once the program becomes operational. [Computerworld Security News]
7:47:11 PM

News Item 5211 Bank Card Reissues May Be Linked to Wal-Mart Breach.

Banks are reissuing credit and debit cards after a potential security breach at a U.S. retailer, which some speculate is Wal-Mart. [eWEEK Security]
7:44:09 PM

News Item 5210 Feds Deem Operation Cyber Storm a Success.

Private sector representatives and government officials join to test U.S. preparedness for a combined physical and Internet-based attack. [eWEEK Security]
7:40:37 PM

News Item 5209 uComics - New TSA search rules

Cartoon - New TSA search rules
7:37:29 PM

News Item 5208 Report Card on the War on Terror. Daniel Benjamin, Steven Simon (MIT World)

Gary Hart wields his national security expertise to query these two authors in detail on their latest collaboration. Benjamin summarizes the book this way: "By pursuing the policies we have, we are hastening the next attack. I'm not talking about a run of the mill attack, the kind society could learn to live with, but a really big attack, which will endanger our institutions, confidence and society." The authors believe the U.S. intervention in Iraq has spawned a new Iraqi insurgency and energized the greater Islamic jihad. Hart asks if it's solely U.S. policy that's creating an increasingly virulent movement, or whether homegrown "Islamic brutality" and belief must share some blame. Simon responds that our actions in the Middle East and elsewhere make it very difficult for Islamic moderates to counter "the observed experience of Muslims in many parts of the world." A lot of energy that went into Arab nationalism, says Benjamin, now enters a violent movement "to embrace justice, freedom and fairness." He continues, "The sense of imposition by the West will remain there, and grievances won't go away even if we pull up stakes tomorrow."

The authors warn that Islamic fighters in Iraq are getting valuable experience in military operations in urban terrain, which they will likely apply to Western cities. They call for a new policy in the Middle East and South Asia, involving functioning alliances to counter terrorism, as well as creating incentives for hostile leaders to change their behaviors. Benjamin says, "Don't conduct foreign policy adventures," because these inevitably give "the bin Laden argument a powerful leg up. We've got to stop doing that. We need people to go back to believing in America as the upholder of ideals it was not too long ago." -- [October 17, 2005 4:30PM] [MIT World » Recent Updates]
7:30:38 PM

News Item 5207 Steve Gibson: Internet Privacy. [ITC: All Programs]

Recently, the news has reported that the US Department of Justice has requested user information from some major internet search engines and service providers. In this conversation, Larry Magid talks with internet security expert Steve Gibson about the ramifications of these requests. They talk about what is possible and, more importantly, what is likely to be learned about an individual's surfing habits. [ITC: All Programs]
7:24:06 PM

News Item 5206 Botnet Attack Shuts Down Hospital Network.

aricusmaximus writes "A California student is now facing felony conspiracy charges after unleashing a botnet attack that shut down the network of a Seattle hospital intensive care unit. This indictment comes a few weeks after another California man pled guilty to similar charges. Both attacks were attempts to make money off of adware affiliate programs. So who's really at fault here? The students? The hospital for not securing their computers and network? Or the adware companies for providing the incentive?" [Slashdot: Your Rights Online]
4:00:20 PM

News Item 5205 U.S. Cell-Phone Tracking Clipped.

Judges reject Bush administration arguments that law enforcement should be able to use cell phone signals to track users' movements, ruling that the feds first need "probable cause" to believe someone's committed a crime. By Ryan Singel. [Wired News: Security Blanket]
3:40:47 PM

News Item 5204 SSRN-A Model Regime of Privacy Protection (Version 3.0) by Daniel Solove, Chris Hoofnagle

Abstract:
A series of major security breaches at companies with sensitive personal information has sparked significant attention to the problems with privacy protection in the United States. Currently, the privacy protections in the United States are riddled with gaps and weak spots. Although most industrialized nations have comprehensive data protection laws, the United States has maintained a sectoral approach where certain industries are covered and others are not. In particular, emerging companies known as "commercial data brokers" have frequently slipped through the cracks of U.S. privacy law. In this article, the authors propose a Model Privacy Regime to address the problems in the privacy protection in the United States, with a particular focus on commercial data brokers. Since the United States is unlikely to shift radically from its sectoral approach to a comprehensive data protection regime, the Model Regime aims to patch up the holes in existing privacy regulation and improve and extend it. In other words, the goal of the Model Regime is to build upon the existing foundation of U.S. privacy law, not to propose an alternative foundation. The authors believe that the sectoral approach in the United States can be improved by applying the Fair Information Practices - principles that require the entities that collect personal data to extend certain rights to data subjects. The Fair Information Practices are very general principles, and they are often spoken about in a rather abstract manner. In contrast, the Model Regime demonstrates specific ways that they can be incorporated into privacy regulation in the United States.

3:37:29 PM

News Item 5203 Schneier on Security: A Model Regime of Privacy Protection

Last year I blogged about an article by Daniel J. Solove and Chris Hoofnagle titled "A Model Regime of Privacy Protection."

The paper has been revised a few times based on comments -- some of them from readers of this blog and Crypto-Gram -- and the final version has been published.


3:34:59 PM

News Item 5202 Movie Firewall dramatizes dangers of ID theft.

Identity theft goes Hollywood in the movie thriller Firewall, and the use of a credit-monitoring service has an important role. [Computerworld Privacy News]
3:33:13 PM

News Item 5201 My Left Nutmeg :: Nancy Johnson Wants To Destroy Your Medical Privacy

Nancy Johnson has introduced a bill that would let the Feds get control over your medical records, regardless of what state law might have to say on the matter.

Not surprisingly, it has some folks madder 'n heck.

[...]

The American Association of Physicians and Surgeons isn't any too happy either.

"We call for restraint in passing a law that would fast track the creation of a national health information system," said Jane Orient, M.D., head of AAPS, in a letter to lawmakers.

"The only parties who will benefit by forcing technology on medicine by top-down central planning that actually risks an end to the advancement in information technology will be the government, certain third party payers, lawyers and information technology companies," she said. "Patients will definitely not benefit from this type of program because they do not control who has access to their sensitive identifiable medical records in any meaningful way."


3:30:33 PM

News Item 5200 US Congress To Gut State Medical Privacy Laws?

Saint Paul, Minnesota--Congress has latched onto legislation to create a national health information system: the Health Information Technology Promotion Act of 2005 (HR 4157). However, Citizens' Council on Health Care (CCHC) says the legislation -- and the plan -- is not the good idea it's portrayed to be.

CCHC has published a chart, including analysis of the bill language and implications for the public if HR 4157 passes.

"This bill gives the federal government complete control over private medical data. It advances a national health surveillance system - a system where the patient's data is shared, assessed, analyzed, collected, and used without the patient's consent or knowledge," said Twila Brase, president of CCHC.

She clarified, "If this bill passes, there will be virtually no escape for the public. The so-called federal medical privacy rule (HIPAA) eliminated patient consent requirements. This bill allows the federal government to gut stronger state privacy laws. Together they will lead to the end of personal and medical privacy for all American citizens."

"This legislation is not supported by citizens," argued Brase. "It's not supported by patients. No doubt, the only ones who will support it are those who want free and easy access to patient data -- without any worry about being sued."

3:27:31 PM


News Item 5199 Passenger screening programs come under fire (FCW)

The Government Accountability Office and the airline industry slammed the Transportation Security Administration in a congressional hearing on the agency's two main passenger-screening programs.

TSA has made progress on Secure Flight, which is designed to screen out terrorists from airline passengers, but management problems persist, said Cathleen Berrick, director of homeland security and justice at GAO.

In its rush to push out Secure Flight, TSA has neglected to define systems requirements for Secure Flight or follow its own or industry best practices for information technology systems development, Berrick said.

"It's not clear what Secure Flight capabilities will be delivered and at what cost," she said. Berrick spoke on one of two panels that discussed Secure Flight and Registered Traveler, TSA's voluntary credentialing program, with the Senate Commerce, Science and Transportation Committee.

TSA has not developed a cost-benefit analysis or passenger privacy notices for Secure Flight, so it is impossible to know how cost-effective the program is or how well it will protect travelers' privacy, Berrick said. Likewise, the agency must develop a redress process for people erroneously tagged as threats, Berrick said.

Registered Traveler drew similarly harsh criticism.


3:23:52 PM

News Item 5198 Congress Addresses Brokering of Cell Phone Records.

To protect consumer privacy [GT: Privacy]
3:19:54 PM

News Item 5197 Missouri Rolls Out Tools to Fight Consumer Fraud and Identity Theft.

"Right now, many victims of identity theft don't report the problem to the authorities" [GT: Privacy]
3:18:35 PM

News Item 5196 Sue Companies, Not Coders.

A former U.S. cybersecurity czar now advocates holding programmers liable for the security holes in their code. He's soooo close to getting it right. Commentary by Bruce Schneier. [Wired News: Security Blanket]
3:17:09 PM

News Item 5195 Skip Airport Security Lines?

Registered Traveler program, which will expedite screening of certain passengers, is set to begin in June. [PCWorld.com - Latest News Stories]
3:00:22 PM

News Item 5194 Give Me Convenience or Give Me Death.

Google Vice President Marissa Mayer: "With everything, you trade privacy for a value-add." This has long been true, and sometimes the only surprise is how little some people ask in return for their private information.... [Privacy and Security Law Blog]
2:57:13 PM

News Item 5193 Does the GPL need Linux more than Linux needs the GPL?

You seem to think so

Letters If you're looking for clear-cut heroes and villains in the raging debate about Linux and GPL version 3.0, don't read on. Things get really messy from here on in.

[The Register - Internet and Law: Digital Rights/Digital Wrongs]
2:55:44 PM

News Item 5192 EFF - Nominate a Pioneer for EFF's Pioneer Awards.

Awards Recognize Leaders on the Electronic Frontier

San Francisco - The Electronic Frontier Foundation (EFF) is calling for nominations for its 2006 Pioneer Awards -- the annual celebration of leaders on the electronic frontier who extend freedom and innovation in the realm of information technology. Past winners have included Tim Berners-Lee, Linus Torvalds, and Ed Felten.

Pioneer Awards nominations are open to individuals or organizations from any country. Nominations are reviewed by a panel of judges chosen for their knowledge of the technical, legal, and social issues associated with information technology.

This year's award ceremony will be held in Washington, DC, in conjunction with the Computers, Freedom and Privacy conference (CFP), which takes place in early May. Persons or representatives of organizations receiving an EFF Pioneer Award will be invited to attend the ceremony at EFF's expense.

How to Nominate Someone for a 2006 Pioneer Award:

You may send as many nominations as you wish by email to pioneer@eff.org, but please use one email per nomination. We will accept nominations until March 1, 2006.

Simply tell us:
1. The name of the nominee;
2. The phone number or email address or website by which the nominee can be reached, and, most importantly;
3. Why you feel the nominee deserves the award.

Nominee Criteria:

There are no specific categories for the EFF Pioneer Awards, but the following guidelines apply:
1. The nominees must have contributed substantially to the health, growth, accessibility, or freedom of computer-based communications.
2. To be valid, all nominations must contain your reason, however brief, for nominating the individual or organization and a means of contacting the nominee. In addition, while anonymous nominations will be accepted, ideally we'd like to contact the nominating parties in case we need further information.
3. The contribution may be technical, social, economic, or cultural.
4. Nominations may be of individuals, systems, or organizations in the private or public sectors.
5. Nominations are open to all (other than current members of EFF's staff and executive board or this year's award judges), and you may nominate more than one recipient. You may also nominate yourself or your organization.

More on the EFF Pioneer Awards:
http://www.eff.org/awards/pioneer/

Contact:

Katina Bishop
Projects Coordinator
Electronic Frontier Foundation
katina@eff.org

[EFF: Breaking News]
2:52:09 PM

News Item 5191 WHITEPAPER: Simplifying the Implementation and Management of Application Data Security.

Public incidents where consumers' personal information was exposed have made many companies take notice of the problems and damage to a public image that can occur from violating customers' trust. Unauthorized access and theft of data is costing companies over $60 billion per year. These incidents show that current levels of security controls are not enough: they need to be complemented with deeper, more formidable controls.

[Computerworld Data Mining News]
2:50:05 PM

News Item 5190 U.S. Government to Survey Businesses on Cyber-Crime

WASHINGTON--The U.S. government said Feb. 9 it will launch its first national survey to estimate how much cyber-crime is costing American businesses.

The Justice Department and the Department of Homeland Security will try to measure the number of cyber-attacks, frauds and thefts of information and the resulting losses during 2005, officials said in a statement.

The survey, to be completed by year-end, will collect information about the nature and extent of computer security violations, the monetary costs, types of offenders and computer security measures now used by companies.

[...]

A smaller pilot survey by the government found nearly three-fourths of business respondents said they were victimized by cybercrime in 2001. The respondents said the most common form of attack was computer viruses, followed by denial of service, the government said.

More information about the planned survey was posted on the Internet at www.ojp.usdoj.gov/bjs/survey/ncss/ncss.htm.

2:47:07 PM