Security
Security issues, software and reports.

  Monday, February 26, 2007


Paul Feldman resigned on Feb. 21 as co-chairman of the American Health Information Community's Confidentiality, Privacy and Security (CPS) Workgroup, citing in a letter to Interim National Coordinator for Health Information Technology Robert Kolodner the panel's lack of "substantial progress toward the development of comprehensive privacy and security policies that must be at the core of a nationwide health information network."
7:10:39 PM    

U.S. authorities in Phoenix on Friday began testing a controversial new X-ray machine to screen air passengers for weapons, a process that critics likened to a "virtual strip search."

The U.S. Transportation Security Administration rolled out an X-ray machine that uses so-called "backscatter" technology at one checkpoint at Phoenix Sky Harbor International Airport. The machine peers beneath passengers' clothes to search for hidden explosives and weapons.

The TSA will test the machine in Phoenix for 60 to 90 days before deploying machines in Los Angeles and New York's John F. Kennedy Airport for additional testing this year.

"Every day the bad guys are working and improving their tools. We need to continue working to improve ours, and introducing this technology is part of that work," TSA regional spokesman Nico Melendez told Reuters.

Privacy groups and the American Civil Liberties Union have labeled the new screening a "virtual strip search" that could be abused.

But TSA officials said Friday they had worked with industry specialists to blur any images of body parts generated by the scan, and likened the resulting picture to a "chalk outline" of a person.


7:05:45 PM    

Firewalls, intrusion detection systems, authorization and authentication all have their place in securing the enterprise, but these technologies rarely plug a hole that has leaked millions of records with sensitive information since the well-publicized ChoicePoint breach about two years ago, according to the Privacy Rights Clearing House. Data inside a database that is protected by all of the above is still easy plunder for a legitimate user or a hacker successfully masquerading as one.

"The database isn't smart enough to care that you execute the same type of SQL query over one thousand times in a matter of seconds and walk away with a list of social security numbers," explains Noel Yuhanna, analyst with Forrester Research. "And the network doesn't care either; it just looks at packets, which may or may not contain the personal information of all your customers." What is lacking, according to Yuhanna, is an end-to-end security solution. Such a solution would be impressive, as it would have to address security concerns from the network stack layer all the way up to the application layer. Nothing like that exists currently, and IT managers would be ill advised to wait for it to materialize.


6:48:06 PM    

TSA to Supply Information on Possible Web Security Oversight. House Committee on Oversight and Government Reform requests documentation by March 9th. [GT: Security and Privacy]
6:43:05 PM    

Privacy Concerns a Major Roadblock for Location-based Services Says Survey. "Providers must give users control over location-based features to allay privacy concerns." [GT: Security and Privacy]
6:40:51 PM    

Look around - You might not be the only one watching. The never-blinking surveillance cameras, rapidly becoming a part of daily life in public and even private places, may be sizing you up as well. And they may soon get a lot smarter.

Researchers and security companies are developing cameras that not only watch the world but also interpret what they see. Soon, some cameras may be able to find unattended bags at airports, guess your height or analyze the way you walk to see if you are hiding something.

Most of the cameras widely used today are used as forensic tools to identify crooks after the fact. (Think grainy video on local TV news of convenience store robberies gone wrong.) But the latest breed, known as "intelligent video," could transform cameras from passive observers to eyes with brains, able to detect suspicious behavior and potentially prevent crime before it occurs.

6:16:37 PM    

Tor Open To Attack. An anonymous reader writes "A group of researchers have written a paper that lays out an attack against Tor (PDF) in enough detail to cause Roger Dingledine a fair amount of heartburn. The essential avenue of attack is that Tor doesn't verify claims of uptime or bandwidth, allowing an attacker to advertise more than it need deliver, and thus draw traffic. If the attacker controls the entry and exit node and has decent clocks, then the attacker can link these together and trace someone through the network." [Slashdot: Your Rights Online]
6:00:19 PM    

The Importance of Securing AJAX Web Applications. This paper, submitted by Acunetix, reviews AJAX technologies with specific reference to JavaScript and briefly documents the kinds of vulnerability classes that should raise security concerns among developers, website owners and the respective visitors. By Acunetix. [Infosec Writers Latest Security Papers]
5:42:53 PM    

Three Minutes With Sun's Security Guru. Privacy laws could hurt the little guy, warns cryptographer Whitfield Diffie. [PC World: Latest Technology News]
5:35:39 PM    

Mozilla Plugs Firefox Security Holes.

Mozilla on Friday published software updates to fix a baker's dozen security and compatibility problems with its Firefox Web browser. The new version includes fixes for serious security flaws along with updates designed to make Firefox play nicer with Vista, Microsoft's new Windows operating system.

Users of supported versions 2.x and 1.5.x already should have received an alert that updates have been installed. If you haven't received one, you may be running an older, unsupported (and insecure) version of Firefox such as version 1.0.x. To check your version, click "Help" and then "About Firefox."

[Security Fix]
5:33:13 PM    

Fool Me Once, Shame On You But Fool Me Twice....

In aiming to settle a class action suit, a group of companies is throwing a proverbial pie in the face of affected consumers.

A Security Fix reader forwarded an e-mail about a benefit he allegedly was eligible to collect as a result of a class-action settlement over services offered by a subsidiary of Experian, one of the three major credit reporting bureaus.

I immediately sensed a phishing scam after reviewing the e-mail and the third-party site touted in the message, which asks the visitor to enter a Social Security number and birth date. But it turns out that the site is legitimate, although extremely insensitive to consumers.

The class-action case referenced in the e-mail is the latest in a series of lawsuits against Consumerinfo.com. The firm promised free credit reports but allegedly failed to clarify that it would charge a customer's credit card $79.95 for a "credit monitoring service."

In yet another insult for affected consumers, the Web site providing more information about the settlement encourages affected individuals to further expose their personal data online.

Consumerinfo.com agreed last week to pay $300,000 to settle charges brought by the Federal Trade Commission that it violated the terms of a previous settlement with the agency over the misleading "free credit reports." It was originally fined $950,000.

The impersonal e-mail was sent to consumers from browningnotice@gardencitygroup.com. It begins: "NOTICE FROM FEDERAL COURT. PLEASE READ. Records show that you entered into an agreement over the Internet with Consumerinfo.com or an Experian entity to purchase any Credit Check or Credit Check Monitoring (which were formerly known as CreditCheck Monitoring Service), Credit Manager (including Yahoo! Credit Manager), Triple Alert, or Triple Advantage credit-monitoring product, or you paid for a credit score sold on a Web site that also sold one of these credit-monitoring products, between June 17, 1998 and December 27, 2006. If so, you may be eligible to receive a benefit under the proposed settlement."

So, exactly what is this perk? It's 60 days of free credit monitoring service from Experian. If you don't cancel this "benefit," Experian will bill you $9.95 per month after the initial 60 days.

The e-mail details the terms of the settlement:

"If you choose credit monitoring, and you don't cancel your credit-monitoring membership after using your code to obtain the credit monitoring benefit but prior to the expiration of the 60 day, settlement benefit period, you will be billed at the then-applicable rate, which is currently $9.95, for each month that you continue your membership."

If you were an individual burned by this bogus "free credit report" offer who wasn't already insulted enough, go to browningsettlement.com, the site erected by Melville, N.Y.-based Garden City Group, a company that administers class action settlements.

The Web site includes a link to "update your contact information," where it asks visitors to enter a Social Security number and birth date. Phishing scams almost always try to dupe people into entering personal data at fake bank and e-commerce sites by blasting out e-mails telling people they need to "update" their information. I spoke with the contact who registered the site, Frank Dmuchowski, but he referred me without comment to Garden City's public relations staff. That person in turn referred me to a woman at Experian, with whom I'm currently playing phone tag.

How else does this whole operation resemble a phishing scam? The e-mail does not address the recipient by name. It contains some very elaborate explanations and legalese that is somewhat akin to a Nigerian scheme. There is also the element of urgency. Recipients are told that if they do not respond within a given period of time, they will give up their rights to sue the company as part of a class in any other lawsuit. Maybe that's one reason why we have seen phishing scams disguised as settlement offers succeed so well: settlement companies are conditioning consumers to respond to them, and the federal courts are encouraging this practice.

But wait, there's more. While a federal court has deemed it acceptable for companies like the Garden City Group to communicate with people this way via e-mail, anyone who wants to object or exclude themselves from the settlement terms must do so by snail mail by May 15. Anyone who wants to accept the dubious settlement benefit, however, is free to do so by e-mail.

Please do not let this May 15 deadline slip away. Write to the Browning Settlement Administrator to tell the court why you think the settlement stinks:

Objections-Browning Settlement Administrator
P.O. Box 91141
Seattle, WA 98111-9241

In addition, you can request to speak in court about the fairness of the settlement at a hearing on July 31.

Under federal law, all U.S. citizens are eligible for a free copy of their credit report from each of the three major credit reporting bureaus: Experian, Equifax and Trans Union. Consumers should take advantage of this benefit, but only by visiting http://www.annualcreditreport.com or calling a toll-free number: 1-877-322-8228. You will get the most mileage out of your free reports if you scatter them across the entire calendar year by contacting a different credit bureau every four months.

Update, 3:50 p.m.: I heard from Experian spokesperson Heather Greer, who said that all communications were reviewed and approved by the court in accordance with the settlement. "With regard to this settlement, we felt that this was the best way to inform consumers as soon as possible as to the products they were entitled to as part of the class," Green said. She added that the settlement site also includes a toll-free number (1-800-399-4322) that consumers also can use to either opt-out or accept the terms of the settlement.

[Security Fix]
5:27:39 PM    


© Copyright 2007 Paul Hardwick.
Last update: 3/4/07; 10:44:24 AM.