Tuesday, June 07, 2011

Sony... Again...

Daily Sony Hacking Occurs On Schedule

"LulzSec was compromised and a member of the group, Robert Cavanaugh, was arrested by the FBI on June 6. Meanwhile, LulzSec hacked Sony again, this time leaking the Sony Developer Network source code through file sharing websites."


(Related) Sony users may be as bad at security as Sony!

http://www.pogowasright.org/?p=23280

A brief Sony password analysis

June 6, 2011 by Dissent

I usually post security breach analyses and commentaries over on DataBreaches.net, but an analysis by Troy Hunt of the hacked passwords used by millions of people on Sony and Gawker sites is worth a complete read if you’re concerned about your privacy. Read his analysis of the patterns of passwords and see if you fall into any of the problems he describes. Then start generating better passwords that are unique for each site or service you register for.



This is no surprise. Real loss of face for RSA as well as an expensive fix.

http://news.cnet.com/8301-1009_3-20069632-83/rsa-to-replace-securid-tokens-following-breaches/

RSA to replace SecurID tokens following breaches

Following recent cyberattacks against several defense contractors, in which hackers breached security using stolen SecurID keys, SecurID maker RSA is promising to replace the tokens for customers concerned about the vulnerabilty of their network data.

In an open letter to all SecurID customers, RSA Executive Chairman Art Coviello acknowledged that the likely motive behind the March theft of SecurID token information was to obtain defense secrets and related intellectual property. RSA specifically warned customers at the time that the theft could breach their security.



The next “Big Thing?” Personal information required for the charges, but not released? Apple's billing systems unreliable?

Has iTunes Been Hacked?

"Betanews has a series of articles talking about an apparent hack in iTunes that has resulted in fraudulent charges for some users involving Sega's Kingdom Conquest game. The reports start with a personal account from reporter Ed Oswald, who was a victim of the hack itself. The next story adds reports from readers, and the most recent story adds additional reports, with Oswald saying the number of reports received are in the 'dozens.' Apple has yet to confirm the existence of a hack, although reports have appeared on Sega's own support forums, Apple discussion boards, and through other news outlets."



“We're a bank. What do we know about protecting financial data?” Apparently they can't read regulations either.

http://www.databreaches.net/?p=18649

Scotiabank loses CDs with customer bank accounts, social insurance numbers

June 6, 2011 by admin

Mary Gazze of The Canadian Press reports:

Scotiabank says it will use digital locks [Interesting choice of words. Google 'digital locks' and you don't get encryption... Bob] on data discs after three CDs containing unencrypted information, such as customer social insurance and account numbers, were lost in its internal mail system.

The bank said a “small percentage” of customers are affected, but it is warning clients as a precaution so they can monitor accounts for any fraudulent activity.

[....]

The information on the discs was not encrypted, and was set to be transferred to the Canada Revenue Agency as part of the bank’s requirements to report the information.

The data included names, mailing addresses, social insurance numbers, account types, and numbers for registered accounts such as RRSPs, RESPs and RRIFs. It does not include savings or chequing account numbers, any account balances or employment information.

It is clear that there was non-compliance with the bank’s policy of encrypting portable storage devices that contain confidential personal information,” the bank said.

This appears to have been due to a belief that Canada Revenue Agency (CRA) would not accept encrypted files that, upon further examination, appears to be inaccurate.”

Read more on CanadianBusiness.com.

Okay, so the bank misunderstood. Not good, obviously. But assuming that this would not be the first time the bank was transferring required information to Canadian Revenue, why didn’t Canadian Revenue ever contact them and say, “Hey, you’re supposed to be sending this stuff encrypted?”



On the other hand...

http://www.databreaches.net/?p=18654

Important Information about a Ravelry Security Breach

June 6, 2011 by admin

Via DataLossDB.org:

From: “Ravelry”
Date: Jun 6, 2011 2:41 AM
Subject: Important information about a security breach at Ravelry.com

(Wondering if this email is real? You can also see a similar notice by logging in to Ravelry.com)

*Important Information about a Ravelry Security Breach*

Dear Ravelry member,

An attacker recently managed to break in to one of Ravelry’s secondary servers. Once inside, they were able to access user names, *encrypted*passwords, and possibly email addresses. Your passwords could not be seen and no financial or other sensitive information was accessed as we do not collect or store this type of data.

We think that it is important to be overly cautious and we need you to change your password on Ravelry and on any other sites where you’ve used the same or similar password, even if you used different usernames. Because passwords were encrypted, we do not think that your password has been exposed but it is important to change your passwords just to be safe. There is a chance that some passwords could be decrypted given enough time and computer power and we don’t want to put anyone at risk.

...

*More information regarding the security breach,* including the steps we are taking to make Ravelry more secure, can be found in our full notice at http://www.ravelry.com/?showletter=1. Additionally, we are listing answers to Frequently Asked Questions and fielding further questions in our forums . You are also welcome to reply to this message if you have any questions or concerns.

We are deeply sorry that this has happened. We care very much about everyone on Ravelry and we’re taking steps to make sure that we are all more safe from this sort of attack.

We are also very sorry that some people who are not active members may have been affected. If you’d like to delete your Ravelry account, please use the information above to do so.

Casey, Jess, Mary-Heather and Sarah

Nice. A bunch of knitters and crocheters knew to encrypt passwords when Sony didn’t?



Even volunteer organizations aren't safe. http://librivox.org/ creates public domain audio books...

http://www.databreaches.net/?p=18647

LibriVox Forum Hacked

June 6, 2011 by admin

Via DataLoss-Discuss mail list:

From: Date: May 26, 2011 11:37:21 PM CDT

To: undisclosed-recipients:;

Subject: URGENT: LibriVox Forum Hacked

The following is an e-mail sent to you by an administrator of “Librivox Forum”. If this message is spam, contains abusive or other comments you find offensive please contact the webmaster of the board at the following address:

LibrivoxPasswordReset@librivox.org

Message sent to you follows:
Dear Librivoxer,

This is Hugh, the founder of LibriVox, writing to let you know that, unfortunately, a hacker broke into the LibriVox forum, caused a bit of damage (now fixed), but more worryingly, got access to our complete database including emails and encrypted passwords. We have locked them out of the system, and we’ve fixed the vandalism, but they still have our database.

So, in order to protect our users & the LibriVox accounts:

* we have RESET ALL USER PASSWORDS (including yours)
* the next time you login your password will be invalid
* you will have to reset your password, using this link: http://forum.librivox.org/ucp.php?mode=sendpassword

NOTE1: PLEASE DO NOT USE THE SAME PASSWORD YOU USED BEFORE!

NOTE2: IF YOU USE THE SAME PASSWORD ON OTHER INTERNET SERVICES, WE RECOMMEND YOU CHANGE THOSE PASSWORDS TOO.

In the interests of full disclosure, here is some extra information:
(1) The database contained every piece of communications sent through the forum, including all private messages. This information is now in the possession of the hacker.

(2) All forum passwords in the database are encrypted. However, if your password was very simple, it will be trivial for the hacker to break the encryption using “brute-force” techniques. They will likely attempt exactly this, so if you use the same password on any other Internet service, you should immediately change your password at those services.

We are very sorry that this happened, and once this is sorted out as best as it can be, we?ll be doing a more thorough security review.

If you have questions, please don?t hesitate to contact me.

Sincerely,

Hugh McGuire Founder, Librivox



Broader application. Well worth a read.

http://www.phiprivacy.net/?p=6810

12 Steps for Surviving an HHS/OCR Privacy Breach Investigation



Implications for Cloud computing and off-shoring in general?

http://www.pogowasright.org/?p=23291

American Express’s call centers put customer data at risk of warrantless search and seizure – complaint

June 7, 2011 by Dissent

Seen at Courthouse News:

A federal class action claims that American Express routes customers’ calls to foreign call centers without their permission or knowledge, subjecting them to intrusive, warrantless snooping by the U.S. government.

The case is Pickman v. American Express Travel Services and was filed in Superior Court of California in Alameda on June 3.

If I understand the complaint, Pickman argues that on “information and belief,” the federal government is scooping up all data transferred to American Express’s non-U.S. call center personnel during customer interactions, that under U.S. law, there is nothing to stop this widespread surveillance, and that customers are not notified that their data are being sent outside of the U.S., that the data are seized and searched by the federal government or at the very least, are at risk of being searched without Fourth Amendment or constitutional protections. The complaint alleges various violations of California state law.

Is our government scooping up all of our data as it is transferred to outsourced call centers?



I'd look for people who want political power – like MP's. Clearly they have that “Big Brother is Good” attitude...

UK: Doctors asked to identify potential terrorists under government plans

By Dissent, June 6, 2011

Alan Travis reports:

Doctors and other health professionals will be asked to identify people who are “vulnerable to being drawn into terrorism” as part of the government’s redrawn counter-terrorism programme to be detailed on Tuesday.

[...]

One “key message” of the document is that it is not a programme to spy on Muslim communities, but doctors will be asked to identify people who may be “vulnerable” to recruitment by terrorist groups.

The British Medical Association said doctors were allowed to breach patient confidentiality in the public interest – for example, if they thought someone was going to blow up a bus.

But a spokeswoman said the plan “goes a lot further and we would have an issue with that”.

She said: “Doctors cannot look into the future and say how someone might behave. This would threaten the trust of the doctor and patient relationship. A doctor’s role is to treat the patient in front of them, not predict how the patient will behave in future.”

Read more in The Guardian.

I’ve blogged in the past on Chronicles of Dissent about not putting tin stars on doctors. Not only does the plan put doctors in the position of breaching confidentiality, but it asks them to make forensic predictions when there is no clear empirical basis to think that general practitioners or others who are not specially trained in this specialized area can make accurate predictions like this.



It will be interesting to see where this goes...

http://www.pogowasright.org/?p=23277

Google remedial measures address privacy deficiencies, Privacy Commissioner say (updated)

June 6, 2011 by Dissent

Privacy Commissioner satisfied with Google’s response to her Office’s investigation into the company’s inappropriate collection of personal information from unsecured wireless networks across Canada, but plans further follow-up.

OTTAWA, June 6, 2011 – An investigation that revealed Google Inc. lacked proper controls to protect personal information has led to a commitment by the company to implement remedial measures that will reduce the risk of future privacy violations, says Privacy Commissioner of Canada Jennifer Stoddart.

“Google appears to be well on the way to resolving serious shortcomings in the way in which it addresses privacy issues,” says Commissioner Stoddart. “However, given the significance of the problems we found during our investigation, we will continue to monitor how Google implements our recommendations.”

The Privacy Commissioner has requested that Google undergo an independent, third-party audit of its privacy programs within a year and share the results with her Office. An audit will help measure the effectiveness of Google’s proposed measures vis-à-vis its overall privacy compliance regime.

This is the first time the Commissioner has asked a company to undergo an independent audit. In order to strengthen accountability going forward, organizations may, in appropriate cases, be asked to file independent, third-party reports attesting to the fact that they have lived up to their commitments and have complied with the Commissioner’s recommendations.

“Google is a world leader in innovation and, by its own admission, it pursues ideas which push the limits of social norms and technologies. As such, the company has an added responsibility to ensure that privacy protection gets the attention it deserves. Unfortunately, past history suggests that has not been the case until now,” she says.

The Privacy Commissioner initiated an investigation under the federal private-sector privacy law, the Personal Information Protection and Electronic Documents Act, or PIPEDA, after Google admitted that its cars – which were photographing neighbourhoods for its Street View map service – had collected data transmitted over unprotected wireless networks installed in homes and businesses around the globe. It’s likely that thousands of Canadians were affected.

The personal information collected included complete e-mails, e-mail addresses, usernames and passwords, names, home telephone numbers and addresses, and even the names of people suffering from certain medical conditions.

The investigation concluded that the incident was largely a result of Google’s lack of proper privacy policies and procedures.

The Office of the Privacy Commissioner issued its findings and recommendations in October 2010 and asked for a response by February 2011. Google responded and subsequently provided clarification of certain issues at the request of the Office of the Privacy Commissioner.

The Privacy Commissioner is now satisfied with the measures that Google has agreed to implement, including:

  • Significantly augmenting privacy and security training provided to all employees;

  • Implementing a system for tracking all projects that collect, use or store personal information and for holding the engineers and managers responsible for those projects accountable for privacy;

  • Requiring engineering project leaders to draft, maintain, submit and update Privacy Design Documents for all projects in order to help ensure engineering and product teams assess the privacy impact of their products and services from inception through launch;

  • Assigning an internal audit team to conduct periodic audits to verify the completion of selected Privacy Design Documents and their review by the appropriate managers; and

  • Piloting a review process whereby members of Google’s Privacy Engineering, Product Counsel and Privacy Counsel teams review proposals involving location-based data, as well as the software programs that are to be used for the collection of data.

Additionally, Google has advised that it has begun to delete the data it collected in Canada. This process has been complicated by various rules and regulations that the company is subject to under Canadian and U.S. Laws. The company has stated that, until such time as the data can be fully destroyed, it will remain secured and will not be used.

The Office of the Privacy Commissioner will follow up with Google next year to gauge full implementation of its recommendations. At that time, the Privacy Commissioner will determine whether and how best to pursue the matter in accordance with her authorities under the Act.

The Report of Findings and a Backgrounder on the Google investigation is available on the Privacy Commissioner’s website, www.priv.gc.ca.

The Privacy Commissioner of Canada is mandated by Parliament to act as an ombudsman and guardian of privacy in Canada. The Commissioner enforces two pieces of federal legislation: the Privacy Act, which applies to the federal public sector; and the Personal Information Protection and Electronic Documents Act(PIPEDA), which applies to commercial activities in all provinces, except British Columbia, Alberta and Quebec, which have enacted substantially similar legislation.

Source: Office of the Privacy Commissioner of Canada.

I’m trying to find out if Google has actually agreed to undergo the independent third-party audit. Will update this post when I find out.

Update 1: The Privacy Commissioner’s Office didn’t give me a yes or no and referred me to one of Google’s attorneys. I’ve emailed her to ask. More when I have it….

Update 2: I received a response from a Google spokesperson:

As we have said before, we are sorry for having mistakenly collected payload data from unencrypted networks. We have worked with the Office of the Privacy Commissioner throughout their investigation. We are pleased that the OPC has determined that our proposed measures will meet their requirements.

We have received the recommendation for third party assessment and look forward to discussing with the Office of the Privacy Commissioner.

So it appears that they haven’t agreed to the request – at least, not yet.



Non-combatants held hostage in Cyber war?

Chinese Paper Warns Google May Pay Price For Hacking Claims

"Google has become a 'political tool' vilifying the Chinese government, an official Beijing newspaper said on Monday, warning that the US internet giant's statements about hacking attacks traced to China could hurt its business. The tough warning appeared in the overseas edition of the People's Daily, the leading newspaper of China's ruling Communist Party, indicating that political tensions between the United States and China over Internet security could linger. Last week, Google said it had broken up an effort to steal the passwords of hundreds of Google email account holders, including US government officials, Chinese human rights advocates and journalists. It said the attacks appeared to come from China."



A tricky legal area? Somewhat like a “sting” but with the potential to send real information to criminals... Could be amusing, if true.

25% of US Hackers Are FBI/CIA Informers

"The Guardian reports that the FBI and CIA have 'persuaded' up to 25% of US hackers to 'work' for them. 'In some cases, popular illegal forums used by cyber criminals as marketplaces for stolen identities and credit card numbers have been run by hacker turncoats acting as FBI moles. In others, undercover FBI agents posing as "carders" – hackers specialising in ID theft – have themselves taken over the management of crime forums, using the intelligence gathered to put dozens of people behind bars. ... The best-known example of the phenomenon is Adrian Lamo, a convicted hacker who turned informant on Bradley Manning, who is suspected of passing secret documents to WikiLeaks.' What implications does this hold for privacy? Or is it just good work by the authorities?"

As you may have guessed, the estimate appears to be based only on the number of black hats, rather than all hackers.



Would this extend to cell phones?

http://www.pogowasright.org/?p=23293

Sixth Circuit agrees with the Third, Seventh, and Tenth Circuits: a computer is not a file cabinet under the Fourth Amendment

June 7, 2011 by Dissent

Alain Leibman comments:

An earlier post considered the wide array of analyses employed by the courts of appeal in assessing under the Fourth Amendment the constitutionality of searches of computers and other electronic storage devices. (An article by the author, expanding substantially on the short-form blog entry, may be found at “Computer Search and Seizure Under the Fourth Amendment: The Dilemma of Applying Old-Age Principles to New-Age Technology,” Criminal Law Reporter (March 2, 2011)). The differences among the courts turn on the degree to which they view the search of an electronic storage medium as like, or as unlike, a traditional search of a file drawer or other container of papers. A plurality of circuit courts have required law enforcement agents to proceed cautiously in searching through computers, cognizant both of the quantity of private data housed in a computer and the potentially corrosive effect on expectations of privacy when the “plain view” doctrine is used to justify a close review of data far afield from the original object of the search.

Read more on Lexology.

[Full article here:

http://www.jdsupra.com/post/documentViewer.aspx?fid=e39a69d8-73e7-4e6c-961b-dfccf8f2ad19


(Related)

http://www.pogowasright.org/?p=23288

Do GPS Tracking Devices Violate the Fourth Amendment?

June 7, 2011 by Dissent

Law professor Laurie L. Levenson writes:

…Now it appears that the issue may be headed to the U.S. Supreme Court. On April 15, acting Solicitor General Neal Katyal petitioned the Supreme Court for review of U.S. v. Maynard, 615 F.3d 544 (D.C. Cir. 2010), petition sub nom, U.S. v. Jones, No. 1259 (April 15, 2011), a landmark decision striking down the warrantless use of GPS devices to conduct round-the-clock surveillance of suspects’ vehicles.

Read her summary of the history of judicial decisions and analysis of cases that have led to this point in The National Law Journal. Via FourthAmendment.com.



This should amuse the IP Lawyers...

Russian President: Time To Reform Copyright

"While most of the rest of the world keeps ratcheting up copyright laws by increasing enforcement and terms, Russian President Dmitry Medvedev appears to be going in the other direction. He's now proposing that Russia build Creative Commons-style open and free licenses directly into Russian copyright law. This comes just a few days after he also chided other G8 leaders for their antiquated views on copyright."



How the (I won't call it) Extortion works...

The Anatomy of a BitTorrent Piracy Settlement



Don't read too much into this. It looks more like budget cuts that a position on TSA searches.

http://www.bespacific.com/mt/archives/027438.html

June 06, 2011

EPIC: House Passes Budget for TSA, Cuts Funding for Body Scanners

Follow up to previous postings on government implementation of whole body scanning technology at airports, via EPIC: "The House has approved the 2012 budget for the Transportation Security Administration, cutting $270 million from the amount originally requested by the Agency. The cuts include $76 million that had been designated for the purchase of 275 airport body scanners. Leading lawmakers and activists have called attention to the health risks associated with the scanners, as well as their invasiveness. Representative Jason Chaffetz (R-UT) criticized the machines as “slow” and “ineffective.”


No comments: