Shostack + Friends Blog Archive

 

Choicepoint Roundup, June 30

We open with two articles from News.com: “ChoicePoint overhaul falls behind,” (June 24) and “ChoicePoint overhaul completed, company says” (June 30). From the latter: “In fact, we’ve gone beyond our announced commitments to make substantial changes in the past 90 days,” ChoicePoint spokesman Dan McGinn said in an e-mail late Tuesday. The Alpharetta, Ga.-based data […]

 

Chase Manhattan and Textual Interpretation

Ray Everett Church picks up on a story, “Shouldn’t The CardSystems Victims Be Notified?” from Ed Foster, showing that Chase Manhattan bank has failed to read the text of California’s SB 1386. Ed writes: “Even the strictest of laws, like the one in California, require more identifying information like the individual’s social security number or […]

 

Cardsystems Auditor

I can’t find the blog that discussed the irony of a Visa spokesperson claiming that PCI worked because of the auditor’s need to put their reputation on the line, but then refused to name the auditor. According to the New York Times, in “Weakness in the Data Chain,” it was Cable and Wireless: In December […]

 

The Funeral of an American Soldier

I don’t care what you think of the conduct of a war, or what you think of the reasons we’re involved in that war. The funeral of a soldier is no place for political protest, except, perhaps, maybe, if that soldier is a direct family member. The behavior of a dozen assholes from Kansas at the […]

 

Iran's New President a "Moderate"

“After all, he didn’t kill his hostages…” London, Jun. 29 – Iran Focus has learnt that the photograph of Iran’s newly-elected president, Mahmoud Ahmadinejad, holding the arm of a blindfolded American hostage on the premises of the United States embassy in Tehran was taken by an Associated Press photographer in November 1979. Prior to the […]

 

The FTC and BJs Wholesale

The FTC has recently issued a consent order to BJ’s Wholesale club in response to this complaint. The FTC, unfortunately, is the body charged with protecting consumers from ID theft. They are failing to rise to the challenge. This is obvious from the continued growth of ID theft. It is obvious from FTC Chair Deborah […]

 

Equifax CEO: ID Theft is an epidemic

But [Equifax CEO] Chapman acknowledges Equifax has “no silver bullet” when it comes to thwarting fraud. One popular belief is that checking a credit report once a year is a defense. That doesn’t protect consumers, Chapman said. “It’s not going to help and the public is starting to learn that,” Chapman said. He decried the […]

 

Fingerprint Privacy

There have been a slew of stories lately about fingerprint readers being tied into payment mechanisms. I don’t particularly like the idea, but if you do, feel free. At least until your lack of care about privacy starts displaying externalities. Many of these vendors are making claims like it is not possible to recreate the […]

 

UK ID Cards, Choicepoint, and Privacy

Usually, government ministers wait until a new program has been rolled out before they start reneging on their promises of how it will work. But in the brave new world of UK ID cards, they’re being honest. As the Independent reports in “Ministers plan to sell your ID card details to raise cash“: Personal details […]

 

A Privacy-Openness Tradeoff

In “Adoptees File Human Rights Complaint Against Canadian Privacy Commissioner,” Privacy.org reports on a dispute between the parents and children, mediated by the state: A group of Ontario adoptees has filed a human rights complaint against Privacy Commissioner Ann Cavoukian after she lobbied the province to amend its proposed adoption disclosure law with a clause […]

 

Choicepoint, Two Minutes Hate

This was going to be a roundup, but heck, there’s a backlog of hate, and I must post. Under the headline, “Who let Jeb Bush and ChoicePoint into the UK?” ‘Brother Rail Gun of Desirable Mindfulness’ points to a BBC story, “Hundreds wiped off vote register.” An oldy-but-I-hadn’t-linked, Adrift at Sea comments in “Bleeding Edge […]

 

U Connecticut, 72,000 SSNs, Hacker

A computer containing personal information such as Social Security number and name was breached by an unauthorized intruder. Although there is no evidence indicating that this personal data was accessed or extracted, the University of Connecticut is contacting everyone whose identity may have been put at risk. … The breach occurred on October 26, 2003. […]

 

TSA Lies, Could Face Time Fines

Homeland Security officials who defied Congress and misled the public by creating secret files on American citizens while testing a new passenger screening program may have engaged in multiple counts of criminal conduct, and at least one employee has already lied to cover-up the misdeed. Read “TSA Lies, Could Face Fines” at Secondary Screening. Pictured […]

 

FinCen (IRS), Potentially tens of thousands, Complacent Bureaucrats

The U.S. tax agency — whose databases include suspicious activity reports from banks about possible terrorist or criminal transactions — launched the probe after the Government Accountability Office said in April that the IRS “routinely permitted excessive access” to the computer files. The GAO team was able to tap into the data without authorization, and […]

 

CVE Content Decisions

The fine folks at MITRE have published “CVE Abstraction Content Decisions: Rationale and Application:” This document is intended for use by Candidate Numbering Authorities (CNAs) and may be of interest to vulnerability researchers, maintainers of vulnerability databases and other CVE-compatible products and services, and technical consumers of vulnerability information on a large scale. Via OSVDB Blog, […]

 

Two There Are Always (Plus a Freebie)

Gizmodo asks “Am I the only one extremely disappointed by the fact that these upcoming Lucas-approved USB keys don’t offer a Han model?” No, you’re not. I’d get me Han in Carbonite to protect my data any day. I bet Wil Shipley would too. Anyone who can explain why Anakin went to the dark side […]

 

Dear Gmail

Thank you so much for your recent letter, telling me that We’ve noticed that you haven’t used your Gmail account, account.management@gmail.com, for quite some time. In order to make Gmail better for our users, we’ve added a lot of things in the last few months and we hope you’ll want to start using your account […]

 

Identity Thieves Drain Unemployment

But the most underpublicized identity theft crime is one in which thieves defraud state governments of payroll taxes by filing fraudulent unemployment claims. It can be a fairly lucrative scheme, too. File a false unemployment claim and you can receive $400 per week for 26 weeks. Do it for 100 Social Security numbers and you’ve […]

 

Suntrust, 75? SSNs, Employee Jonathan Bryan Adair

This post updated to replace the Suntrust logo with “You can’t shut me up” by Jennifer Moo, after a bunch of bozos called “Internet Identity” sent vaguely scary letters that chilled my web hosting company. The Atlanta Journal Constitution reports that “Ex-SunTrust employee charged in check scam.” (Use Bugmenot for a login.): The U.S. attorney’s […]

 

Equifax Canada, 600 credit histories, hacker

CBC is reporting “Hacker accesses files at Equifax:” A computer hacker has accessed the files of about 600 consumers at Equifax Canada, one of Canada’s major credit bureaus. Most of the files are for consumers from British Columbia. Better Business Bureau spokesperson Sheila Chernesky said personal financial information is being gathered all the time, and […]

 

Florida Hospitals, "40 pages" of medical histories, mis-dialed fax

ALTAMONTE SPRINGS, Fla. — The private medical information for hundreds of people ended up at a Seminole County airplane parts business. The information was about patients at Florida Hospital East and Florida Hospital Altamonte. It included hundreds of names, birth dates, social security numbers and medical diagnosis information. … The 40-page fax included appointment information […]

 

Ed Moyle on "MasterCard Lays Down the Law"

In a bold move, MasterCard lays down the law on CardSystems. And by “lay down the law”, I mean they upped the ante from recommending they comply with security procedures to “putting them on notice” to comply. Um…. Is it me, or does that sound like the same thing to you? If the only ramifications […]

 

Stupid Privacy Invasion Fatigue

This morning, Liz sent me a pointer to “Pentagon Creating Student Database” in the Washington Post. I said “Not blogging it. I have stupid privacy invasion fatigue.” Apparently, I’m not alone. In “ID theft concerns grow, tools lacking,” Bob Sullivan of MSNBC reports: Among the report’s most interesting findings: only 14 percent of consumers who […]

 

China's Internet Blocking and Ethics

Rebecca MacKinnon has a post about US companies which are selling internet censorship technologies to China, “Confirmed: All Typepad blogs blocked in China:” It’s a complicated issue. We need greater scrutiny of U.S. tech companies in China by bloggers, journalists, human rights activists, and anybody who cares about free speech and corporate accountability. We need […]

 

Uncle Sam's Privacy Polices (TSA, SSA)

Daniel Solove has posts on “If It’s Against Your Privacy Policy, Just Change It” (Social Security Administration): This feeds distrust about the government’s law enforcement activities as well as makes people unsure that they are ever being given the complete story about what the government is doing with their personal data. And what good is […]

 

Trial By Fire

Tom Ptacek and Jeremy Rauch are offering a course on analyzing products, taking them from black boxes to open books. Cool! From the ad: This class offers a behind-the-scenes tour of the product evaluation process. Renowned security experts Jeremy Rauch and Thomas Ptacek offer a crash course on the most important aspects of validating – […]

 

Kaiser Permanente, 150 patients, $200,000 fine

Computerworld reports that “Kaiser Permanente division fined $200k for patient data breach:” The California Department of Managed Health Care (DMHC) has fined Kaiser Foundation Health Plan, a division of Kaiser Permanente, $200,000 for exposing the confidential health information of about 150 people. The DMHC said the information had been available on a publicly accessible Web […]

 

"Dear Mastercard,"

Effective May 1, 2005, any compromise of my data will result in a $50 liability for you, the card issuer, owed to me, the card holder. Cashing the payment check I sent you last month (which you did) shall constitute your acceptance of this agreement. Subsequent security breaches will compound the fee. I will spell […]

 

Small Bits of Privacy

CSO has a “Do it Yourself Disclosure.” Hey, you skimped on security, you might as well skimp on the PR. Wired News comes out in favor of a data protection and privacy law for the US in “Congress Must Deal with ID Theft.” The Financial Times has an article on [UK] “Regulator urges tougher laws […]

 

CardSystems and Choicepoint

Choicepoint, please call your trademark attorneys. You’re in danger of becoming a generic term for “massive security breach,” and a band-aid isn’t going to fix that. That was the lead (and about all I’d written) of a long post on Choicepoint and some bank breach. I think it was the New Jersey case. The point […]

 

CardSystems Cards Being Exploited

The Denver Channel reports that “Stolen Credit Card Data Now Being Sold On Internet:” CardSystems Solutions Inc. is admitting it made a huge mistake after some 40 million credit card accounts ended up in the wrong hands. Some of those account numbers are already being sold on a Russian Web site, and some consumers are […]

 

Schneier, Solove on Medical Privacy

In U.S. Medical Privacy Law Gutted, Bruce Schneier analyzes the new rules on who gets prosecuted for violating your medical privacy. Answer: fewer people than you’d think or hope: I’ve been to my share of HIPAA security conferences. To the extent that big health is following the HIPAA law — and to a large extent, […]

 

FDIC, 6,000 employee SSNs, "security failure"

Thousands of current and former employees at the Federal Deposit Insurance Corp. are being warned that their sensitive personal information was breached, leading to an unspecified number of fraud cases. In letters dated last Friday, the agency told roughly 6,000 people to be “vigilant over the next 12 to 24 months” in monitoring their financial […]

 

Why I Blog

Inspired in part by Daniel Solove’s “How Blogging Changed My Life,” in part by a number of emails I’ve just sent saying “Sorry, I’ve been heads down with product release,” and the contrasting reality that I’ve found energy to write twelve blog posts in that time, I thought I’d talk about the muses. I started […]

 

Spaceman Bicycle Flask Holster

Because no one’s ever said “Is that a hip flask in your bike shorts, or are you happy to see me?” Available from Aherne Cycles.

 

CardSystem Solutions, 40,000,000 CC, hacker

The New York Times (and probably everyone else) is reporting that “MasterCard Says 40 Million Files Are Put at Risk.” MasterCard said its investigation found that CardSystems, in violation of MasterCard’s rules, was storing cardholders’ account numbers and security codes on its computer systems. That information, MasterCard said, was supposed to be transferred to the […]

 

Thanks, but…

The Open Mind kindly writes: Adam Shostack who is in the computer security side of business always has informed and interesting news on the security vs privacy front. (Another great blog via Harry’s world of interesting links. ) If you read anything vaguely connected to security or privacy in the mainstream media, Adam has probably […]

 

More on North Korean Online Warfare

I wrote about this in “North Korean Hacking Story,” and more detail emerges from a mail (or perhaps it’s a website? Hard to tell.) which was eventually forwarded to Dave Farber’s IP list. Anyway, Brooks Isoldi, editor of Intellnet, writes: North Korea has trained a small army of computer hackers whose capability is equal […]

 

Minnesota, 2,000 medical records, hacker

The Duluth News Tribune is carrying a story, “State’s Web systems bogged down:” [Monicq] Feider, [manager of the Health Professionals Services Program] disclosed the problem in a March 31 letter sent to nearly 2,000 health professionals. “The case management system database includes private and public information about you,” she wrote. “The security company believes that […]

 

On Real ID, and Hearings

Privacy Law has a post, “Senate to Hold Security Breach and ID Theft Hearings” about a June 16 2005, Senate Committee on Commerce, Science and Transportation hearing on identity theft. The DailyBulletin editorializes against the Real ID act, “

 

Motorola, 34,000 Employee SSNs, Outsourcer ACS

In an article titled “Stolen PCs contain Motorola HR data“, Reuters is reporting that: In the latest example of hardware theft putting data security at risk, two computers containing personal information on Motorola employees were stolen from the mobile phone maker’s human resources services provider, Affiliated Computer Services (ACS). The data on the stolen computers […]

 

Star Wars Posts

Lileks bleats: When you switch to the Dark Side, do you have to go to Sith HR to fill a bunch of forms? If the Jedi Council finds out you’re looking to switch sides, they send guards to make you empty out your desk and escort you out – or at least they used to. […]

 

2005 Underhanded C Contest

Inspired by Daniel Horn’s Obfuscated V contest in the fall of 2004, we hereby announce an annual contest to write innocent-looking C code implementing malicious behavior. In many ways this is the exact opposite of the Obfuscated C Code Contest: in this contest you must write code that is as readable, clear, innocent and straightforward […]

 

More Terrorist Slander Against Heroic Prison Guards

Except this time, the “terrorists” are American veterans working for a private company in Iraq: “I never in my career have treated anybody so inhumane,” one of the contractors, Rick Blanchard, a former Florida state trooper, wrote in an email quoted in the Los Angeles Times. “They treated us like insurgents, roughed us up, took […]

 

Small Bits: Soviet Realism at DHS and in China, Going Public, Lameness, and Curves

Artiloop reports on a security poster on the Marc commuter trains. It’s clearly the work of a thoughtcriminal, encouraging ironic responses. I want to heroically help plan the tractor factory. I’ve been meaning to discuss the Chinese blog crackdown, but instead I’ll just juxtapose it with Soviet Realism. The Supreme Court of Canada has ruled […]

 

Emerging From Chaos

The server that Emergent Chaos lives on is at Server Beach, who have had serious problems with power. If you saw the Most Significant Bit home page, that’s Dwight Ernest, who kindly provides the space for me. Thanks Dwight!

 

The Open Society Paradox: Companies Have Privacy, You Don't

For those who, during the ChoicePoint outcry (see Secondary Screening), were critical of me for not supporting a notification law for companies who maintain databases of personal information, I point you to a couple of facts. First, today’s news that tapes with the sensitive data of 4 million Americans are missing is just the latest […]

 

ACM Computer & Communications Security

Industry and Government Track of CCS ’05 is now accepting submissions: The track aims to foster tighter interplay between the demands of real-world security systems and the efforts of the research community. Audience members would like to learn about pressing security vulnerabilities and deficiencies in existing products and Internet-facing systems, and how these should motivate […]

 

Telang and Wattal on Insecurity and Stock Price

At the Workshop on Information Security Economics, Rahul Telang and Sunil Wattal presented “Impact of Software Vulnerability Announcements on the Market Value of Software Vendors – an Empirical Investigation.” I’m pretty busy, so I’ll point to comments by Ed Moyle, and hefty analysis by Tom Ptacek. [Private to DM: If I say its a workship, […]

 

"Well, umm, He Had Valid ID"

AP is reporting “Man With Chain Saw, Sword Is Let Into U.S.:” On April 25, Gregory Despres arrived at the U.S.-Canadian border crossing at Calais, Maine, carrying a homemade sword, a hatchet, a knife, brass knuckles and a chain saw stained with what appeared to be blood. U.S. customs agents confiscated the weapons and fingerprinted […]

 

Markets in Social Security Numbers

Social security numbers used to be just for social security. But the government is the only actor in the marketplace who can produce something, and also mandate demand for it. In the case of SSNs, they’ve created a large demand by declaring that Uncle Sam gets to decide who you may hire. (The gossip-mongers credit […]

 

Terminal Futility

I think I had also noticed that there are not enough plastic bins or tables to line them up on, and that “X-ray machines that examine carry-on baggage sit idle as much as 30 per cent of the time.” The time elapsed between Sept. 11, 2001, and today’s writing (1,364 days) is only slightly less […]

 

Madison, The Bill of Rights, Raich

The Supreme Court today handed down a decision in “Gonzales vs. Raich.” Larry Solum has done outstanding work blogging it. The essence of the case was the limits of the commerce clause, and the case was decided that the commerce clause places, essentially, no limits on what Congress may legislate. Respondents nonetheless insist that the […]

 

Citibank, 3,900,000 SSNs, unencrypted tape

[Update: Bruce Schneier has an important update in “E-Hijacking.” Thanks to Chris for pointing this out.] CNN is reporting that Info on 3.9M Citigroup customers lost. Citigroup said Monday that personal information on 3.9 million consumer lending customers of its CitiFinancial subsidiary was lost by UPS while in transit to a credit bureau — the […]

 

Polk Community College, 3 SSNs, Professor Bradley Neil Slosberg

Professor Bradley Neil Slosberg asked students in his anatomy and physiology class to sign in with their name and social security numbers. They did. CNN quotes student Amanda Bracewell: “We all signed it. We figured, ‘He’s a teacher, what is he going to do with it?’” TBO.com news has the only non-AP story, at Professor […]

 

New Law Protects You, Shredder Makers

At MSNBC, Bob Sullivan reports “Got a nanny? You need a shredder:” Even if you ordered a background check on your kid’s coach, or nanny, or — as is the latest trend in online dating — on a prospective blind date, the law applies to you. Transgressions — such as tossing paperwork containing personal information […]

 

Cakeeater on Tiananmen

CakeEater has a beautiful post on the man in front of the tanks: Then the tank tried to get around him. And he moved in concert with it, shifting to stay directly in its path. I remember being stunned when this happened. I remember saying, “Holy Shit!” to no one in particular in the family […]

 

Duke, 9,000 partial SSNs, Hacker. (With Commentary.)

In Hacker hits Duke system, the (Charlotte? Raleigh [thanks, Neil!]) News and Observer reports on a breach at Duke University School of Medicine. The school’s “Security Incident at Duke” page states: On Thursday, May 26, 2005 a security breach allowed an unauthorized user to gain access to data stored on several web sites at Duke […]

 

Moxie CrimeFighter Jillette

It’s all over the web that Penn Jillette and his wife Emily have named their new baby Moxie CrimeFighter. I’m sorta disappointed that they didn’t go all the way, and name her “Moxie CrimeFighter™ Jillette, a member of the Jillette family of people.”

 

Breach Laws

The Washington Post reports: States Keep Watchful Eye on Personal-Data Firms: Critics of the multi-state approach say that due to the potential monetary, logistical and public-relations headaches that could come from establishing different requirements and penalties in each state, companies will soon be forced to set their overall policies to satisfy the state with the […]

 

The Voting-Industrial Complex

The fine folks over at Black Box Voting demonstrate that Diebold can’t even build an optical scan voting machine without screwing it up in “Optical scan system hacked (3 ways).” If we existed in a reality-driven world, these people would be permanently disqualified from participating in the vote counting process. Vote counting is, as Stalin […]

 

June 4th, 1989

At our best, the United States inspires people around the world to reach for freedom and democracy. In the student led rallies in Tiananmen Square, the students built a statue of liberty as one of the centerpieces of their protest. I remember watching the protests on TV, being thrilled by the power of people to […]

 

North Korean Hacking Story

The Korea Herald has done an awful job of reporting in “N.K. hacking ability matches that of CIA, analyst says.” Normally, I ignore awful reporting as roughly par for the course, but this is egregious. “Our electronic warfare simulation indicates that North Korea’s capability has reached a substantial level, unlike what is generally known to […]

 

Small Bits: Wives Vs. The Dark Side, Diamonds, FRCA, Brill & Lexis-Nexis

VikingZen posts her Two Cents about Revenge of The Sith, and closes with: My big question: Why didn’t Padme just release a can of whoop-ass on her husband? I mean, they’re secretly married, the guy’s off in some outer galaxy playing space cowboy while she’s lugging around a pregnant belly full of twins? How about […]

 

More on Deep Throat

The Telegraph has a roundup story, “FBI Deep Throat branded a traitor by Nixon aides:” Charles Colson, Nixon’s chief counsel who served seven months in jail for his role in the Watergate scandal, confessed to understanding the dilemma Mr Felt faced. But he added: “When any president has to worry whether the deputy director of […]

 

University of Cincinnati, 7,000 SSN, Hacker

Cincinnati’s Channel Cincinnati reports that “Hacker Steals Personal Data From UC System:” UC Vice President of Information Technology, Fred Siff, said the hacker knew how to avoid intruder alerts on the system. “This was obviously a serious breach,” Siff said. “This is a very sophisticated hack. I hope that goes without question. It wasn’t just […]

 

Omega World Travel, 80,000 CCs, Laptop

The Washington Post reports, “FBI Probes Theft of Justice Dept. Data” The FBI is investigating the theft of a laptop computer containing travel account information for as many as 80,000 Justice Department employees, but it is unclear how much personal data are at risk of falling into the wrong hands. Authorities think the computer was […]

 

SEC on Internal Controls

Pete Spire Lindstrom* points to a press release from the SEC on “Commission Statement on Implementation of Internal Control Reporting Requirements:” “Registered public accounting firms should recognize that there is a zone of reasonable conduct by companies that should be recognized as acceptable in the implementation of Section 404.” “A one-size fits all, bottom-up, check-the-box […]

 

Reporters without…Mathematics

DM pointed me to this Register story, “Fraud expert becomes victim of credit card crime.” It’s a nice bit of irony, but my favorite bit is the very end: CNP (Cardholder Not Present) fraud in the UK has grown nearly 50 times between 1994 and 2003 to £116.4 million. Goodwill wants the government to recognise […]

 

W. Mark Felt aka Deep Throat

For more than 30 years, W. Mark Felt and three co-conspirators have protected his privacy after one of the most spectacular whistleblowing acts in history. He’s admitted to being Deep Throat in this Vanity Fair article. The Washington Post has coverage in “FBI’s No. 2 Was ‘Deep Throat’“, and “Conflicted and Mum For Decades.” I’ve […]

 

Breach Disclosure Laws

The National Conference of State Legislatures has a “2005 Breach of Information Legislation” summary page: Summary: Legislation was introduced in at least 34 states as of May 18, 2005. Legislation enacted in at least six states in 2005: Arkansas, Georgia, Indiana, Montana, North Dakota and Washington. Thank you, masked man Choicepoint. (Via The HIPAA blog.)