NSA Spying on Americans Without Warrants

“Bush Secretly Lifted Some Limits on Spying in U.S. After 9/11, Officials Say.” A 10-page story in the New York Times opens:

Months after the Sept. 11 attacks, President Bush secretly authorized the National Security Agency to eavesdrop on Americans and others inside the United States to search for evidence of terrorist activity without the court-approved warrants ordinarily required for domestic spying, according to government officials.

No good deed goes unpunished

The folks at the Alabama Credit Union were informed that 500 of their customers were among those whose payment card information was stolen in the Sam’s Club breach. They took a conservative approach and reissued the cards for all 500 customers, and also informed them of the breach.
As we’ve commented on previously, information concerning the size of this breach, and notifications to its victims, have been slow in coming.
Today’s American Banker continues the story, showing how the openness of the Alabama Credit Union, in conjunction with the silence of others involved, has led to false impressions about ACU’s security:

Alabama Credit Union’s policy is to err on the side of disclosure – and following that policy after the recent breach at Sam’s Club brought unwelcome consequences.
Executives say they have not wavered in their conviction, but attention the credit union got in the local press after sending notification letters to everyone potentially affected, and other issuers’ refusal to do so, left them frustrated.
“I find it strange that you haven’t heard from anyone else,” said Steve Swafford, the president of the $220 million-asset credit union, which is based in Tuscaloosa. “This information should become public quickly, so that people can act. That is consumer-spirited.

(emphasis added)
Indeed, because rumors swirl in an information vacuum, the credit union has chosen to publicly release information about what it learned, when it learned it, and (quite tellingly) information concerning the number of accounts put in jeopardy at another institution.
There’s a new equilibrium being established here, and this skirmish is happening where old meets new.

White Wolf, Unknown number of Passwords, Hackers

The game company White Wolf is going offline because of internet attacks. This is a blending of several trends: fuller disclosure of incidents, attackers who are only in it for the money, and the economic impact of attacks.

Dear White Wolf Users,

Like many other well-known companies of the last few years, White Wolf was the target of an attack by international hackers this weekend. These hackers are now attempting to extort money from us with the threat of posting user data to the internet. We have no intention of paying this money, and are in contact with the FBI in an attempt to bring these criminals to justice.

We are choosing to make this public so that our users and fans can take any precautions needed to protect themselves. We are recommending that if you have used your White Wolf user password as the password for any other services you use on the internet, that you change them immediately.

The first trend I’d like to talk about is disclosure. Since February, there has been a dramatic shift in the willingness of companies to admit to security faults. This is very important, because without data, we can’t even begin to measure our defensive activities. (And it shows.) White Wolf isn’t even worried about credit cards or social security numbers. This would have been unlikely to be talked about even a year ago.

The second trend is that the attackers are extorting money, and lots of it. Ten years ago, hackers were called criminals, and there was lots of sound and fury. The truth was the people onstage at Defcon might have been punks and vandals, but they were in it for fun, not money. When Erik Bloodaxe said “I only hack for money,” it was made into a t-shirt, and Erik wasn’t happy about it. Today, there are entire criminal organizations that really only hack for money.

The ways they work are pretty simple: They steal. They blackmail. They commit fraud (often by impersonation). These are not new crimes. They are new methods of committing very old crimes. They are also made scalable by the internet.

There are three main components to the cost of these attacks. They are the direct costs of response (security consultants, code changes, etc), the lost revenue from being offline, and the brand damage of having their site exposed. That last is very hard to calculate.

(Thanks to Les for the pointer.)

Insurance Claims and Privacy

One of the biggest issues I have with the gossip industry is how behavior that seems normal and expected is entered into databases and is used to judge us in unexpected ways. As the Tampa Tribune reports in “Insurers’ Road Service Could Prove Costly:”

TAMPA – Andrea Davis can’t understand what two flat tires and leaving the keys in her car have to do with being rejected for auto insurance.
The answer lies in the optional emergency road service coverage the Lutz resident was persuaded to buy from her insurer, Geico, for $12 a year. The bargain rate, one-fifth the cost of emergency road service from AAA, turned out to be no bargain at all.

“They said I had too many claims,” said Davis, a public relations manager with a perfect driving record. “I didn’t meet their eligibility requirements.”

Insurance companies use a centralized database with tens of millions of records on U.S. motorists called Comprehensive Loss Underwriting Exchange. The data are maintained by Atlanta-area-based ChoicePoint, one of the country’s biggest compilers of consumer data.

Firm breached in Scottrade incident to sell business unit

From the press release:

SALT LAKE CITY, Dec. 13 /PRNewswire-FirstCall/ — silex technology america, Inc. and TROY Group, Inc. signed a definitive agreement effective today stating that silex technology america will acquire the Wireless & Connectivity Solution Business of TROY Group, Inc.

“We are pleased to announce this transaction as we believe that the synergies Silex will be able to accomplish will be good for the customers and employees of Wireless and Connectivity Solutions,” stated Patrick Dirk CEO and President of TROY Group, Inc. “The transaction will allow TROY to focus on its largest business Secure Payment Systems

(Emphasis added)
I have no idea whether the portion of the business they are selling is losing money for Troy Group, but apparently silex thinks it will, in their hands, make money. So, we have a firm which revealed account-level information on 140,000 customers of another company deciding to rely more heavily on the business unit involved in the breach for the return shareholders expect. That is noteworthy and unexpected.

Fake Fingerprints


Fingerprint scanning devices often use basic technology, such as an optical camera that takes pictures of fingerprints which are then “read” by a computer. In order to assess how vulnerable the scanners are to spoofing, Schuckers and her research team made casts from live fingers using dental materials and used Play-Doh to create molds. They also assembled a collection of cadaver fingers.

In the laboratory, the researchers then systematically tested more than 60 of the faked samples. The results were a 90 percent false verification rate.

“The machines could not distinguish between a live sample and a fake one,” Schuckers explained. “Since liveness detection is based on the recognition of physiological activities as signs of life, we hypothesized that fingerprint images from live fingers would show a specific changing moisture pattern due to perspiration but cadaver and spoof fingerprint images would not.”


Previous fingerprint stories have included “Fingerprint Privacy” and “Fingerprints at Disney: The Desensitization Imperative,” which contained a link to the classic gummy finger paper, “How to fake fingerprints.”

Torturing People

Last week, Secretary of State Condoleezza Rice made a speech in which she made apparently definitive statements about our policies towards torture. See Jack Balkin, “Rice: ‘U.S. Personnel’ Don’t Engage in Cruel, Inhuman and Degrading Treatment ‘Wherever They Are.’” Then be sure to see Marty Lederman’s follow-up, “Condi Rice’s ‘No Torture’ Pledge: Don’t Believe the Hype!.” The Economist also has a good article on this, “So, what’s all the fuss?.”

To close, Michael Froomkin writes “CIA Getting Cold Feet on Rendition/Torture?:”

Now comes a suggestion in the UK’s Observer — sadly, not an utterly reliable source — that CIA officers are getting cold feet about carrying on with these ‘renditions’. But not because they produce false intelligence. No, it’s the fear of law suits.