Thursday, August 31, 2006


News Item 7170 Home Office admits to database breaches - ZDNet UK News

The Home Office has admitted that the security of its ID and passport service database has been compromised several times, but denied that remote hackers were responsible.

In a response to a parliamentary question at the end of last week, the Home Office said it had had five security breaches in five years, mostly caused by civil service staff.

"The security breaches didn't involve people hacking into the systems," a Home Office spokesperson told ZDNet UK on Thursday.

Four of the five incidents involved members of staff accessing the ID and Passport databases for unauthorised purposes. Three used their systems access privileges to conduct checks that were "not connected to their duties", according to an ID and Passport service spokesman, while in the other breach the staff member "misused data he was entitled to access".

In each of the cases "disciplinary action resulting in dismissal was undertaken", with one staff member "resigning before the proceedings came to an end" said the spokesman.

The fifth security breach occurred in a prison service legacy system, where a "technical failure" caused the system to crash. The system has since been replaced, according to the Home Office.

The ID and Passport Service (IPS) denied that the breaches bode ill for the ID card project, which will involve a massive database of personal and biometric data. Experts have raised questions about how secure a National Identity database linked to the Government's ID card scheme could be.


7:45:05 PM

News Item 7169 Medium-Size Financial Services Firms Targeted by SQL Injection Attacks.

Attacks account for up to 90 percent of monthly threats to medium-sized financial firms. [GT: Security and Privacy]
7:40:46 PM

News Item 7168 Dallas Morning News | Cornyn seeking the facts on RFID

Radio frequency identification technology will eventually be in the products you buy, the credit cards you buy them with, and the driver's license you carry while driving home from the store.

But the proliferation of RFID has raised concerns among privacy advocates who worry that consumers will be at greater risk of fraud and identity theft. State and federal lawmakers are starting to look at regulating the technology.

In July, U.S. Sen. John Cornyn of Texas co-founded the Senate RFID Caucus.

Wednesday, the senator was in Dallas to deliver the keynote speech at the Texas Competitiveness Summit at the University of Texas at Dallas.

He also sat down to discuss his interest in RFID technology, why he started the caucus, and his thoughts on the privacy concerns.

Here are excerpts from the interview.
7:36:55 PM

News Item 7167 Air chief: EU-U.S. discord over data sharing could ground passengers.

A failure by the U.S. and the European Union to reach a new agreement on passenger data could ground 105,000 people per week from September, IATA's chief warned in Tokyo. [Computerworld Privacy News]
7:29:32 PM

News Item 7166 EETimes.com - Survey says security issues can be fixed

A pair of security surveys released this week shows that protecting corporate and consumer data is sometimes easier than people might think, but the broader problem still is confounding far too many organizations.

The first study, entitled "Network Attacks: Analysis of Department of Justice Prosecutions 1999-2006," shows most network attacks tracked by the DOJ used stolen IDs and passwords. Those attacks resulted in far more extensive damages than what had been assumed -- an average of more than $1.5 million per incident, with $10 million being the most damage incurred in one incident. The study, commissioned by Phoenix Technologies and conducted by research and advisory firm Trusted Strategies, analyzed data from all cases prosecuted and publicly disclosed by the DOJ between March 1999 and February 2006.

The report also maintains that a whopping 84 percent of these attacks could have been thwarted if, after checking the user ID and password, the organization had simply verified the identity of the invasive computer connecting to its network and accounts via device authentication policies and solutions.

The failure to implement such technologies can kick the door open to attackers. In 88 percent of the cases in the DOJ report, the attacker accessed one or more privileged user accounts, obtaining IDs and passwords by network sniffing, using password-cracking programs or colluding with insiders and employees who later left the organizations. The full results of the report can be found at Phoenix Technologies https://www.phoenix.com/cybercrime.

Another study released this week shows that almost two-thirds of security executives are convinced they have no way to prevent a data breach. In addition, most of them believe their organizations lack the accountability and resources necessary to enforce data security policy compliance. The report, called the "National Survey on the Detection and Prevention of Data Breaches," was prepared by the Ponemon Institute, a privacy and security research firm, and PortAuthority Technologies, a developer of Information Leak Prevention (ILP) solutions.

The report surveyed 853 U.S.-based information security professionals, finding that, despite increased attention and media and public scrutiny, data security still is flummoxing many U.S. corporations. Among the key findings: 59 percent of companies believe they can detect a data breach, but 63 percent believe they can't prevent one -- with high false-positive rates, ineffective policy enforcement and overly costly leak prevention technologies comprising a big part of the problem. Full results of the study are available upon request from the Ponemon Institute (http://www.ponemon.org) or Port Authority Technologies (www.portauthoritytech.com/breachsurvey).


7:26:07 PM

News Item 7165 wfsb.com - Education - Terrorist Hunters Sifted Student Data

For the past five years an office in the Education Department has scanned through its databases of millions of students' federal financial aid and college enrollment records in search of terrorist names supplied by the FBI.

The effort, dubbed "Project Strike Back," was created by the Education Department's Office of Inspector General after the terror attacks of Sept. 11, 2001, to expand the office's mission to include counterterrorism.

At the time, investigators believed some funding for the 9/11 attacks came from identity theft and fraud, criminal activity the Education Department had experience investigating, according to an internal memo obtained through a Freedom of Information Act request.

"This program was one of many around the country used by the FBI to identify people of potential interest," said FBI spokeswoman Cathy Milhoan.

The department's central database stores information on all of the roughly 14 million students who apply for financial aid each year, even after they have repaid the loans.

To search for "potential terrorist activity," the FBI gave the department fewer than 1,000 names that the bureau considered suspicious to run through its databases, said bureau spokeswoman Cathy Milhoan. The bureau made requests as recently as February 2006.

In response to the requests, department agents would look for "anomalies" in the data and share the information with the FBI and Justice Department attorneys, according to a letter from an Education Department Office of Inspector General special agent to the assistant inspector general for investigations.

They found and shared personal information including at least names, addresses, dates of birth, Social Security numbers and driver's license numbers, according to an agency document that was recounted by a government official familiar with the data-mining program.

The joint venture abruptly ended this summer, 10 days after Medill School of Journalism reporters interviewed the special agent who oversaw the data mining program.


7:19:45 PM

News Item 7164 Telegraph | News | Celebrity children will get database privacy

Children of celebrities will be given special safeguards in a new database that will store details of every child in England and Wales, it was disclosed yesterday.

Ministers said the contentious two-tier level of privacy will protect children of the rich and famous from intrusion.

Addresses and telephone numbers of celebrities will be removed from the database if, for example, their children are deemed at risk of kidnap.

But opponents of the £241 million Children's Index -- a supposedly confidential system intended as an early warning system for children at risk of abuse -- said the move underlined their concerns about its security.

In further embarrassment to the Government, an independent report commissioned by Parliament's Information Commissioner and due to be published next month, is understood to warn that the index is causing serious concern and is possibly unlawful.

There are fears that it does not comply with the European Convention on Human Rights and may contravene the Data Protection Act.


7:02:49 PM

News Item 7163 British Celeb Kids Get Posh Database Treatment.

England is set to create a database of all children in the country that will allow schools, doctors and social workers to centrally file warning flags -- such as poor exam scores and parental depression -- in order to trigger faster investigations of families.

While the system designers promise the system will be secure, evidently it's not secure enough for celebrities -- so details on their children will get special treatment in the database, according to this UK Telegraph story.

The database, to be introduced in 2008, follows the death of eight-year-old Victoria Climbie in 2000 as a result of abuse by her great aunt. Police, doctors and social workers had contact with Victoria as she suffered 128 injuries, but failed to discuss the case with one another.

Files are held by many bodies on the 11 million children in England and Wales, but the index will link this sensitive information in one database accessible to hundreds of thousands of officials.

Schools, doctors, the police and private-sector bodies will alert the system to such warning signals as low birth weight, poor exam results and a parent's depression or addiction. Two warning "flags" on a child's record may trigger an investigation.

Lord Adonis, the education minister, told the House of Lords: "Between 300,000 and 400,000 users will access the index. Children who have a reason for not being traced, for example where there is a threat of domestic violence or where the child has a celebrity status, will be able to have their details concealed."

Call it Big Mother, call it what you will, but you got to love the prospect of having Child Protective Services show up at your door because your kid could only label 20 out of 54 countries in Africa and you told your doctor that you were in the dumps recently because your company might be going out of business.

I, for one, am glad someone is thinking of the children, and even more glad they are thinking about David Beckham's children.

[27B Stroke 6]
6:58:28 PM

News Item 7162 The End of PiggyBacking? Wi-Fi Routers Get a Warning.

Wireless routers sold in California will soon come with warning stickers that advise buyers to password protect their home networks, according to this article in Dark Reading.

The law, passed by California legislators and sent to Governor Schwarzenegger for his signature, will apply to wireless routers sold in California that were manufactured post-October 2007. One of the interesting things about California law is that since it's tough to know where your product is going to be sold or where your customer lives, California law ends up being de facto national law.

Does this mean the end of piggybacking free Wi-Fi, as Dark Reading suggests it does?

I think no.

There will still be plenty of free Wi-Fi to be found, but it might not be long before some legislator gets it in his head to pass a law banning the use of an open wireless network unless you have some sort of permission.

Maybe it will happen after some guy gets busted downloading mp3s or child pr0n from a neighbor's open connection.

But it's still legally unclear whether borrowing some unsecured bandwidth is stealing (technically trespass to chattels) or fine and dandy.

So if you do occasionally jump on an open wireless network, remember to play nice, be subtle and don't send any passwords in the clear (ideally, not any passwords unless you are on a VPN).

[27B Stroke 6]
6:51:37 PM

News Item 7161 MS preps DRM hack fix.

Papering over the cracks

Microsoft is working on closing a loophole that creates a means to strip usage restriction from music files wrapped in its DRM technology. A program called FairUse4WM, recently posted on the internet, allows users to bypass Microsoft's Digital Rights Management (DRM) system.

[The Register - Internet and Law: Digital Rights/Digital Wrongs]
6:05:44 PM

News Item 7160 eBay accused of privacy breach.

ICO to investigate

The Information Commissioner's Office (ICO) is to investigate eBay after Privacy International lodged an official complaint about the company's data retention practices.

[The Register - Internet and Law: Digital Rights/Digital Wrongs]
5:54:24 PM

News Item 7159 Slashdot | Comcast Blocks Yet Another ISPs E-Mail

Nom du Keyboard writes, "Last week Comcast shut down e-mail forwarding from NameZero entirely. People who have bought private domain names (i.e. yourname@yourdomain.com) and have e-mail forwarding to their current Comcast e-mail account through NameZero aren't receiving it any longer. No warnings -- no e-mail. Now, again without warning, they've blocked out The Well, one of the oldest ISPs on the net. And nobody can get through to the Comcast people in charge of this to discuss the issue with them. Not the ISPs being blocked. Not the customers who pay Comcast to deliver e-mail to them. Comcast says they're protecting 10M customers from spam. I am a current Comcast broadband customer and I feel I should have the right to whitelist and receive e-mail from whomever I designate. I don't want as much protection as Comcast is giving me. Is it a basic right to be allowed to receive e-mail from whomever I desire, or does Comcast have the right to censor as they wish?" --- Last week Comcast was also blocking mail from alum.mit.edu. I (probably among many others) left a complaint on the phone line identified in bounce messages; the block was eventually lifted.
4:59:11 PM

News Item 7158 FBI Shows Off Counterterrorism Database

The FBI has built a database with more than 659 million records -- including terrorist watch lists, intelligence cables and financial transactions -- culled from more than 50 FBI and other government agency sources. The system is one of the most powerful data analysis tools available to law enforcement and counterterrorism agents, FBI officials said yesterday.

The FBI demonstrated the database to reporters yesterday in part to address criticism that its technology was failing and outdated as the fifth anniversary of the Sept. 11, 2001, terrorist attacks nears.

Privacy advocates said the Investigative Data Warehouse, launched in January 2004, raises concerns about how long the government stores such information and about the right of citizens to know what records are kept and correct information that is wrong.

The data warehouse is an effort to "connect the dots" that the FBI was accused of missing in the months before the 2001 attacks, bureau officials said. About a quarter of the information comes from the FBI's records and criminal case files. The rest -- including suspicious financial activity reports, no-fly lists, and lost and stolen passport data -- comes from the Treasury, State and Homeland Security departments and the Federal Bureau of Prisons.

"That's where the real knowledge comes from . . . sharing information," said Gurvais Grigg, acting director of the FBI's Foreign Terrorist Tracking Task Force, who helped develop the system.


4:54:57 PM

News Item 7157 Feds Show Off Massive Database.

Feeling a little burnt from stories about its technological incompetence, the Justice Department wooed reporters Tuesday with its massive anti-terrorism database that contains some 659 million records comprising no-fly list data, airline records, driver's license numbers, social security numbers and suspicious financial activity reports, according to this story from Ellen Nakashima in the Washington Post.

Privacy advocates said the Investigative Data Warehouse, launched in January 2004, raises concerns about how long the government stores such information and about the right of citizens to know what records are kept and correct information that is wrong.

The data warehouse is an effort to "connect the dots" that the FBI was accused of missing in the months before the 2001 attacks, bureau officials said. About a quarter of the information comes from the FBI's records and criminal case files. The rest -- including suspicious financial activity reports, no-fly lists, and lost and stolen passport data -- comes from the Treasury, State and Homeland Security departments and the Federal Bureau of Prisons.

One assumes that the database includes such things as the hundreds of thousands of records agents culled in 2003 from Las Vegas hotels and casinos, rental car agencies and airlines as part of their response to increased intelligence chatter.

This system is not totally unknown -- Washington Post journalist Robert O'Harrow, Jr. covered it in his book No Place to Hide.

Kenneth Ritchhart, the man who headed the project, made his aims clear to O'Harrow: John Poindexter's Total Information Awareness project.

"The technology that he's looking at," Ritchhart told O'Harrow, "is right up our alley."

Is it legal?

Depends on who you talk to.

It's not clear the agency has ever disclosed the database in the Federal Registry or published Privacy Impact Assessments as required by law.

You might also remember that the Justice Department exempted its criminal databases in 2003 from the requirement that they be accurate.

It's now not their problem, it's yours.

[27B Stroke 6]
2:52:59 PM

News Item 7156 (IN)SECURE Magazine Issue 8.

Payment Card Industry demystified, Skype: how safe is it?, Computer forensics vs. electronic evidence, Review: Acunetix Web Vulnerability Scanner, SSH port forwarding - security from two perspectives, part two, Log management in PCI compliance, Airscanner vulnerability summary: Windows Mobile security software fails the test, Proactive protection: a panacea for viruses?, Introducing the MySQL Sandbox and Continuous protection of enterprise data: a comprehensive approach [(IN)SECURE Magazine Notifications RSS]
2:50:33 PM

News Item 7155 EFF - miniLinks for 2006-08-30.

[EFF: Deep Links]
2:49:38 PM

News Item 7154 California Lawmakers Pass Safeguards for Privacy-Leaking RFID Chips.

The California State Senate passed tough new privacy safeguards yesterday for use of "tag and track" devices known as Radio Frequency Identification (RFID) chips embedded in state identification cards. The bill, SB 768, helps ensure that Californians can control the personal information contained on their drivers' licenses, library cards and other important ID documents.

EFF worked with a diverse range of concerned groups to get this bill passed, and now it just needs to clear one last hurdle -- the governor's signature -- before becoming law. If you live in California, follow this link and call the governor's office immediately to voice your support for S.B. 768.

Regardless, forward that link to friends and family who live in California and urge their support.

[EFF: Deep Links]
2:48:25 PM

News Item 7153 How Not To Secure Your Search Privacy.

Yesterday, the AP reported on a tool called TrackMeNot, which promises to protect "web-searchers against surveillance and data-profiling." While we certainly appreciate the intentions of TrackMeNot's developers, it is wholly ineffective at serving its stated purpose. EFF recommends you follow these tips to keep your search history private.

Computer security expert Bruce Schneier explains just some of the reasons why TrackMeNot doesn't work here.

[EFF: Deep Links]
2:46:55 PM

News Item 7152 Slashdot | US Government Restricting Research Libraries

An anonymous reader writes:  "In a move that has been termed 'positively Orwellian' by Public Employees for Environmental Responsibility Executive Director Jeff Ruch, George W. Bush is ending public access to research materials at EPA regional libraries without Congressional consent. This all-out effort to impede research and public access is a [loosely] covert operation to close down 26 technical libraries under the guise of budgetary constraint. Scientists are protesting, but at least 15 of the libraries will be closed by Sept. 30, 2006."
2:44:23 PM

News Item 7151 Slashdot | iTunes v6 FairPlay DRM Cracked

luaine writes with an Engadget article claiming the cracking of iTunes v6 FairPlay DRM. From the article: "[A] new app called QTFairUse6 looks like it can now be used (with some amount of difficulty) to dump iTunes version 6.0.4 - 6.0.5 files of their chastely protection." At present this is a Windows-only tool for those who are "not afraid to get [their] hands dirty with a little python." Engadget does not provide a link to QTFairUse6, and neither will we. We've run several DRM stories recently, but it's been 19 months since Cracking iTunes' DRM with JHymn.
2:39:05 PM

News Item 7150 Slashdot | Cell Phone Secrets Die Hard

duplo1 writes "According to an article on CNN, "Selling your old phone once you upgrade to a fancier model can be like handing over your diaries. All sorts of sensitive information pile[s] up inside our cell phones, and deleting it may be more difficult than you think." It seems that corporate security policies need to extend their disposal standards to mobile devices; but what is there to educate consumers regarding such a potential breach of privacy?"
2:37:11 PM

News Item 7149 Browzar | Your private window on the Web

With Browzar you can search and surf the web without leaving any visible trace on the computer you are using.

Browzar is free, it only takes seconds to download and you don't even need to install it, so you can download Browzar time and time again, whenever and wherever you need it to protect your privacy.
2:35:12 PM

News Item 7148 Web browser leaves no footprints | InfoWorld | News | 2006-08-30 | By China Martens, IDG News Service

The latest entrant to the crowded Internet browser market is the appropriately named Browzar, a tool specifically designed to protect users' privacy by not retaining details of the Web sites they've searched.

Most Web browsers like Microsoft Corp.'s Internet Explorer automatically save users' searches in Internet caches and histories. Users do have the option of deleting the history folder and emptying the Internet cache, but many people either don't know how to do that or tend not to, leaving a trail of where they've been online behind them in the browser.

Browzar is being officially launched Thursday but can already be run or downloaded from its Web site. Users don't have to register to use the free browser.

Browzar automatically deletes Internet caches, histories, cookies and auto-complete forms. Auto-complete is the feature that anticipates the search term or Web address a user might enter by relying on information previously entered into the browser.


2:32:25 PM

News Item 7147 Slashdot | New Web Browser Leaves No Footprints

eastbayted writes "InfoWorld reports a new web browser designed to protect users' privacy is available for download. Called Browzar, it 'automatically deletes Internet caches, histories, cookies and auto-complete forms.' It also boasts a search engine, which the company will use to generate income. The 264KB application is the brainchild of Ajaz Ahmed, known for creating the U.K.'s first ISP Freeserve. The forthcoming version is for Windows only, but Mac and Linux versions will be available eventually."
2:27:59 PM

News Item 7146 Security Engineering - A Guide to Building Dependable Distributed Systems

Security Engineering - The Book

"If you're even thinking of doing any security engineering, you need to read this book."
Bruce Schneier

"Even after two years on the shelf, Security Engineering remains the most important security text published in the last several years."
Information Security Magazine

Wiley has finally agreed to let me put my book online! You can now download it by chapters:
2:24:35 PM

News Item 7145 Slashdot | "Security Engineering" Is Now Online

An anonymous reader writes "Ross Anderson, author of 'Security Engineering', notifies in a message to comp.risks that he just got permission from Wiley to let anyone download the full content of his book for free. This is one of the best books on computer security and it is used as a textbook in many University courses (I teach two of them)."
2:22:21 PM