Update on HP "pretexting": E-mails scanned; legality questioned
September 19, 2006 12:19 AM PDT
Hewlett-Packard reportedly deployed covert surveillance teams and analyzed thousands of e-mails and phone records during its probe of leaks to the media.
The San Francisco Chronicle reported late Monday that a source close to the scandal said that HP's investigators carefully compared the speaking patterns of board members suspected of talking to the press with the quotations in news articles.
It's unclear how HP's investigators -- the trail has led back to a Boston-area firm -- obtained "thousands" of e-mail messages, and the Chronicle divulged no details. Breaking into a computer or a Web-based e-mail account would be a violation of state and federal criminal law.
The newspaper's report comes amidst a burgeoning scandal involving Hewlett-Packard's use of pretexting against its own board, a handful of its employees, and journalists, including three reporters from CNET News.com.
In the last few days, news reports have speculated about e-mail that HP's outside investigators allegedly sent to Dawn Kawamoto, a reporter for CNET News.com. While details are still unclear, the ploy could have been done by using a so-called "Web bug" or graphical image that would be loaded from (and tracked by) a remote site, or by sending an infected PDF or Microsoft Word file via e-mail.
In other news:
- California Attorney General Bill Lockyer may decide as early as this week whether to indict anyone in the HP scandal, Bloomberg reported. Charges could include the use of "pretexting," using fraudulent means to obtain someone else's telephone records.
- Fred Adler, an official in HP's global security office in Roseville, Calif., had warned his superiors in e-mail that pretexting could be illegal, the Wall Street Journal reported in Tuesday's editions.
- Boston-area private investigator Ronald R. DeLia is cooperating with prosecutors' investigations, the Boston Globe reported on Monday. DeLia, a former prosecutor, apparently was hired by HP or an HP contractor.
- HP on Monday turned over some documents to a House subcommittee that requested them. Hearings are planned for Sept. 28.
- The Wall Street Journal reported on Monday that HP's investigation continued after a board member was fingered as leaking to the press.
- HP investigators accessed phone records of its then-chief executive, Carly Fiorina, during an earlier 2005 investigation, the San Jose Mercury News reported.
HP may have spied on e-mail, too, but legally
By Hiawatha Bray, Globe Staff September 19, 2006
Hewlett-Packard Co., already in hot water for using private investigators to obtain journalists' phone records under false pretenses, may have been spying on their e-mail habits, as well. But it's possible the e-mail snooping was legal.
Computer security experts say there are legitimate ways to track electronic mail exchanges. Indeed, they say the techniques are routinely used by many Internet advertising firms to track which customers have seen their ads. [So that makes it legal? Bob]
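The tracking technique the two articles above refer to (a remotely loaded image, or "Web bug", whose fetch reveals that and when a message was opened) is easy to spot on the receiving side. The Python below is an added example, not code from either article or from HP's investigators: it scans an HTML message body for remote images that are tiny, hidden, or carry a per-recipient query token. The sample message and the domain tracker.example are constructed.

```python
"""Flag likely e-mail 'web bugs' (tracking images) in an HTML message body.

Added example; the sample message below is constructed and the domain
tracker.example is a placeholder.
"""
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlparse


class ImageCollector(HTMLParser):
    """Collect the attributes of every <img> tag in an HTML body."""

    def __init__(self):
        super().__init__()
        self.images = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "img":
            self.images.append(dict(attrs))


def _is_tiny(value):
    """True for a width/height of 0 or 1 pixel (the classic 1x1 beacon)."""
    try:
        return int(str(value).rstrip("px")) <= 1
    except ValueError:
        return False


def find_web_bugs(html_body):
    """Return [(src, reasons)] for remote images that look like beacons.

    Only http/https images can phone home; inline (cid:) images are skipped.
    A remote image is flagged when it is tiny, hidden by CSS, or carries a
    query string, since a per-recipient token in the URL tells the sender
    who opened the mail, when, and from which IP address."""
    parser = ImageCollector()
    parser.feed(html_body)
    findings = []
    for attrs in parser.images:
        src = attrs.get("src") or ""
        url = urlparse(src)
        if url.scheme not in ("http", "https"):
            continue
        reasons = []
        if _is_tiny(attrs.get("width")) or _is_tiny(attrs.get("height")):
            reasons.append("tiny dimensions")
        style = (attrs.get("style") or "").replace(" ", "").lower()
        if "display:none" in style or "visibility:hidden" in style:
            reasons.append("hidden by CSS")
        if parse_qs(url.query):
            reasons.append("query-string token")
        if reasons:
            findings.append((src, reasons))
    return findings


# Constructed sample: a normal logo, an inline image, a 1x1 beacon with a
# recipient token, and a hidden image.
SAMPLE_BODY = """<html><body>
<img src="https://newsroom.example/logo.png" width="200" height="60">
<img src="cid:part1.attachment">
<p>Please see the attached statement.</p>
<img src="https://tracker.example/open.gif?id=r-1234" width="1" height="1">
<img src="https://tracker.example/pixel.gif" style="display: none">
</body></html>"""

if __name__ == "__main__":
    for src, reasons in find_web_bugs(SAMPLE_BODY):
        print(src, "->", ", ".join(reasons))
```

The practical mitigation is the one mail clients now offer by default: do not fetch remote images until the reader explicitly asks for them.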
Private data easy to buy on Internet
San Jose Mercury News Monday, September 18, 2006
Hewlett-Packard is hardly alone in hiring investigators who use questionable methods to find out information.
State and federal law enforcement agents, corporate law firms, big banks and major media companies have all enlisted unscrupulous information vendors, according to a congressional investigation and interviews with industry sources.
The type of misrepresentation that a private investigator used to obtain the phone records of at least two HP board members and as many as nine journalists is not explicitly illegal. Indeed, private investigators told the Mercury News that pretexting -- making up a cover story to get information -- is a basic investigative technique.
One private investigator based in San Francisco who asked to remain anonymous because the HP investigation has become so controversial said obtaining phone records was a routine tactic. "In the normal course of corporate America, this goes on day in and day out," the investigator said.
... A legitimate background search, conducted by a licensed professional, takes about four hours at hourly rates that range from $60 to $100. In contrast, an online data broker provides similar information for $49.95 or less.
... Attorneys can request telephone records through a subpoena if they are relevant to a court case, but private investigators say they are frequently hired to check phone records using alternative methods first. "Then they know what they are looking for if they want to subpoena the records down the road, because the subpoena process takes forever," the San Francisco investigator said.
... If [California Attorney General Bill] Lockyer presses forward, California could be the first state to prosecute customers of data brokers -- and that could spell as much trouble for upright citizens and police officers as it does for frauds.
... Eleven data brokers who were asked to testify before the committee invoked their Fifth Amendment right not to incriminate themselves.
Among them was Jim Welker, a Colorado state representative, who owns Universal Communications, described by congressional staff as a data broker.
... David Carter, assistant chief of the Austin Police Department, told Congress that it appeared detectives in his department who used Internet data brokers believed "they were getting open-record, public-data type information."
Patricia Dunn, the HP chair who ordered the leak investigation, has said she didn't think pretexting could be considered illegal and she didn't know that the investigation firm HP hired would enlist an investigator who would use pretexting.
Get a copy of this form, fill it out except for the signature, leave it on your boss' desk! (Keep the defibrillator handy)
27B Stroke 6
by Ryan Singel and Kevin Poulsen Monday, 18 September 2006
Consent Form for NSA Surveillance
Posted by Kevin Poulsen at 12:15 PM PDT
It turns out the NSA has a consent form you can fill out to give the agency permission to monitor your overseas phone calls and e-mail.
The form (.pdf) comes from a procedures manual (.pdf) FOIAed by John Young at Cryptome. It looks like it was crafted for government employees who want to go the extra mile for Uncle Sam. But there's no reason you can't volunteer -- unless, of course, you have something to hide.
Top Five Causes of Data Compromise
Posted by kdawson on Monday September 18, @05:18PM from the it's-the-data-stripe-stupid dept. Security
Steve writes, "In a key step to help businesses better understand and protect themselves against the risks of fraud, Visa USA and the U.S. Chamber of Commerce announced the five leading causes of data breaches and offered specific prevention strategies. The report states that the most common cause of data compromise is a merchant's or a service provider's encoding of sensitive information on the card's magnetic stripe in violation of the PCI Data Security Standard. The other four are related to IT security, which can be improved simply by following common-sense guidelines."
Here is the report on the U.S. Chamber of Commerce site (PDF).
Know anyone this might impact?
Update: Toshiba offers to exchange 340,000 notebook batteries
Defective batteries could unexpectedly cut power, causing users to lose unsaved work
By Peter Sayer, IDG News Service September 19, 2006
Toshiba has offered to exchange 340,000 notebook computer batteries, but said they do not pose a fire hazard. Instead, defective batteries could unexpectedly cut power to the notebooks, causing users to lose unsaved work.
The batteries, made by Sony, may fail to charge correctly, causing the power to cut off suddenly if the notebook is not connected to a mains outlet, said Toshiba spokesman Keisuke Ohmori.
... Toshiba's batteries are not at risk of starting a fire, Ohmori said. "There is no such hazardous or related issue," he said.
Instead, Toshiba's problems stem from a defect in the interface circuitry between the battery cells and the computer.
That defect is caused by corrosion, said a spokesman for Sony, the manufacturer of the batteries. An ingredient used in the insulating paper of batteries manufactured between March and May can corrode components in the batteries' charging circuits, causing them to fail, said Sony spokesman Takashia Uehara. The supplier changed the composition of the insulating paper without notice, he said.
Batteries made for other notebook manufacturers also contained the paper, and Sony is working with those companies to see whether there is a problem, Uehara said. He declined to say how many batteries were affected overall.
Toshiba's free battery exchange program covers 11 notebook models sold in Japan, five sold in the U.S. and 12 sold in Europe, including the Tecra A7, Satellite A100, Satellite M50 and Satellite pro M70, Ohmori said. European customers can consult a list of affected computers on Toshiba's Web site.
White House Selects Cybersecurity Chief
By LARA JAKES JORDAN, Associated Press Writer Monday, September 18, 2006 (09-18) 18:05 PDT WASHINGTON (AP) --
The Homeland Security Department picked an industry information security specialist [Actually a lobbyist, but why quibble... Bob] Monday as its cybersecurity chief, filling a job that has had no permanent director for a year.
... The cybersecurity job was created in July 2005, but department officials have struggled to find candidates willing to take significant pay cuts from industry jobs to fill it.
Part of Garcia's job will be to oversee the department's National Cyber Security Division. For the last two years, that office has been run by Donald "Andy" Purdy Jr., who is a two-year contract employee on loan from Carnegie Mellon University in Pittsburgh. Carnegie Mellon has received $19 million in contracts from Homeland Security's cybersecurity office under Purdy's management. [“Terrorism been berry berry good to me!” Bob]
September 18, 2006
Free Access to Supreme Court Records On-Line Library Now Available
As a follow-up to the July 11, 2006 posting, New York Courts to Make "Virtual" Case Files Available on the Internet, the link for the Supreme Court Records On-Line Library is now available.
Users may search either CCIS (all cases assigned to a Judge from 1986 to date) or CCOP (all cases filed with the County Clerk since 1972; this search may take several minutes to execute).
I think they should put a notice on their home page: “This site is illegal in Belgium” and leave it at that.
September 18, 2006
Belgian Court Rules Against Google in Copyright Dispute
Belgium Orders Google to Remove News Items or Pay Huge Fine: "A Brussels court has ordered internet giant Google to pay 1 million euro a day if it does not remove all news articles and pictures from French and German language newspapers on its news site, Belgian media reported on Monday."
Belgian court brings Google bad news: "Google has vowed to appeal against a Belgian court ruling that represents the first legal blow against its controversial Google News service which has provoked the ire of European publishers."
WSJ free feature: Belgian Court Orders Google To Stop Publishing News Content
Would this impact any prosecutions by these agencies? Can their data be trusted?
September 18, 2006
New GAO Report Analyzes Implementation of the Data Quality Act
Information Quality Act (IQA): Expanded Oversight and Clearer Guidance by the Office of Management and Budget Could Improve Agencies' Implementation of the Act, Full-text GAO-06-765, and Highlights, August 23, 2006.
"The Department of Homeland Security (DHS) does not have department-level guidelines covering its 22 component agencies. Also, although the Environmental Protection Agency and 4 other independent agencies posted IQA guidelines and other information to their Web sites, 44 of 86 additional independent agencies that GAO examined have not posted their guidelines and may not have them in place. As a result, users of information from these agencies may not know whether agencies have guidelines or know how to request correction of agency information. OMB also has not clarified guidance to agencies about posting IQA-related information, including guidelines, to make that information more accessible...Also, of the 80 substantive requests that agencies received during the 2-year period--over 50 percent of which came from businesses, trade groups, or other profit-oriented organizations--almost half (39) of the initial agency decisions of these 80 were appealed, with 8 appeals resulting in changes."
September 18, 2006
Economic Freedom of the World: 2006 Annual Report
Press release: "Economic freedom has a greater impact than foreign aid in helping people in poor nations escape poverty, according to the Economic Freedom of the World: 2006 Annual Report...Economic Freedom of the World measures the degree to which the policies and institutions of countries are supportive of economic freedom. The cornerstones of economic freedom are personal choice, voluntary exchange, freedom to compete, and security of privately owned property."
Economic Freedom of the World: 2006 Annual Report, By James Gwartney and Robert Lawson with William Easterly.
Executive Summary [PDF]
Chapter 1 [PDF]
Chapter 2 [PDF]
Appendix 1 [PDF]
Appendix 2 [PDF]
A Denver website worth a quick look!
September 18, 2006
NCSL 50-State Legislative Tracking Web Resources
National Conference of State Legislatures 50-State Legislative Tracking Web Resources, updated September 2006. The 15 covered topics include: Agriculture & Rural Development; Elections, Campaigns & Redistricting; Ethics; Health issues; and Transportation.
If their procedures are inadequate, this may cause them to upgrade... But I doubt it.
Target Targets Blogger Who Posted Anti-Theft Procedures
from the trade-secrets-or-freedom-of-speech dept
Target is the latest big company to be bit by bloggers, and they're apparently not happy about it. The company is trying to find out the identity of an anonymous anti-Target blogger who posted details of Target's anti-shoplifting procedures, which they claim are confidential. [Security through obscurity Bob] It appears that an ex-employee forwarded the procedures to the site, and the person behind the site notes that he never signed any confidentiality agreement, so the information is fair game. Target, on the other hand, claims that this info is a trade secret, and publishing it is breaking the law. There are some similarities here to the case where Apple sued a blogger for revealing product info which they claimed was a "trade secret." In that case, the courts chalked it up to a "freedom of the press" issue -- but it's not clear if the same reasoning would apply here. Either way, perhaps a more important issue is that this information is out there now, and it's not going to disappear (especially as the lawsuit gives it more attention). It says something about Target's anti-shoplifting procedures that they seem afraid they won't work if people know about them. Perhaps that suggests Target needs better security procedures in place -- where it doesn't matter whether or not anyone knows about them. Of course, this isn't the first time Target has run into trouble with people posting information online about it. A few years back it was involved in a lawsuit with a site that posted sale prices before they were officially published. It certainly is natural for a company to worry about all this information getting out there, but at some point it needs to realize there are better ways to deal with it than to go to court.
Attention election hijackers!
Diebold e-Voting Machines Can Be Opened With Standard Hotel Key Available Online
from the great-security dept
As Diebold continues to try (weakly) to defend itself from yet another batch of evidence that their security isn't particularly secure, Ed Felten points out another weakness in Diebold's defense. The company likes to claim that on top of the computer security aspect (which study after study has found is lacking) they have "physical" security. Avi Rubin's report from the field last week showed that the "security tape" and "security tags" on the machines aren't particularly secure at all (removing them and replacing them without anyone noticing is easy -- and apparently done quite often). However, a colleague of Felten has also noticed that the "lock" on the box uses an off-the-shelf standard key seen for things like hotel minibars. Apparently, it's quite easy to buy an identical key online or at an office furniture shop. In other words, the physical security isn't so secure. It's just designed to look secure, so they can say it's secure.
Yeah, but their website is labeled “Government Dunderheads” so who ya gonna believe?
Justice Department Says Free Speech Not Stifled By Web Labeling Bill
from the first-amendment-interpretations dept
Earlier this year, when politicians were shoving each other aside to introduce legislation "for the children," a popular bill was the one that would require websites with sexually explicit content to label themselves as such in some form or another. This idea is apparently so popular that, rather than a separate piece of legislation, it's found itself as an amendment tacked on to various other laws, including the big telecom bill and a spending bill (the type no one ever votes down). Now, the Justice Department has weighed in on the issue -- because requiring content providers to label themselves can be seen as a First Amendment violation. Not so, according to the Justice Department, which says "this is not censorship." Why not? Well, because they feel: "it's not a major break with First Amendment principles." Of course, they don't really explain why -- and just saying it doesn't make it so. Plenty of others disagree, and note that this kind of legislation is quite problematic. The problem is pretty straightforward. Where is the line? What needs to be considered sexually explicit? What if it's considered sexually explicit in the bible belt, but not on a coast? Who gets to decide? Considering how much difficulty people have agreeing on what is and is not objectionable content, this kind of law just opens up a huge potential mess of problems (not even getting into the fact that any borderline content will likely move to offshore servers). It's one of these laws that will let politicians claim they're doing something, while actually creating an even bigger mess.
Think this is illegal? The Blog claims it merely implements a Microsoft script! (Comments on Digg are interesting though...)
How to Change Windows XP Product Key or Serial and Registration Information
Submitted by shivaranjan18 (via http://www.shivaranjan.com/2006/09/18/how-to-find-and-change-windows-product-key-and-registration-information/ )
The Magical Jelly Bean Keyfinder is a freeware utility that retrieves from your registry the Product Key (CD key) used to install Windows and allows you to change the Windows product key or serial and registration information.
In a sane world, this would be humor...
Why Paris Hilton Is Famous (Or Understanding Value In A Post-Madonna World)