Wednesday, January 17, 2007

Another case where the victims are not sure what was taken

http://media.www.dailylobo.com/media/storage/paper344/news/2007/01/16/News/Personal.Info.May.Be.At.Risk.After.Burglary-2634025.shtml?sourcedomain=www.dailylobo.com&MIIHost=media.collegepublisher.com

Personal info may be at risk after burglary

Campus computers stolen over break

Jeremy Hunt, Daily Lobo. Posted: 1/16/07

At least three computers and four monitors were stolen from the associate provost's office overnight between Jan. 2 and 3, said Lt. Pat Davis, UNM Police spokesman.

The computers may have contained faculty members' names and Social Security numbers, said Richard Holder, associate provost.

The alarm for the building had not been set up, so no one knew the burglary happened until staff went into the office on Jan. 3, he said.

... Caroline Smith, an associate professor of linguistics, said she is not worried about her information being used. Smith monitors her credit carefully, and the office doesn't even know what was on the computers, she said.

... "The University is bound to have that information somewhere. It doesn't get widely disseminated," [Stunning assumption. Bob] she said. "Computers get stolen."

The Faculty Contract and Services Office also had computers taken from it. Raquel Martinez, director of the office, said no one should worry about the computers taken from her office.

"We don't keep faculty information on computers," she said.



No doubt this will become required reading in DU's University College Computer Security Master's program...

http://news.com.com/2100-1028_3-6150676.html?part=rss&tag=2547-1_3-0-5&subj=news

Feds offer cybercrime tips to local cops

Because many police agencies may lack computer skills, the Justice Department created an investigator's manual.

By Declan McCullagh, Staff Writer, CNET News.com. Published: January 16, 2007, 7:55 PM PST

Police trying to learn how to use the Internet to investigate everything from cyberstalking to spam and illegal hacking have some new advice, thanks to the U.S. Department of Justice.

The department's Office of Justice Programs on Tuesday published what amounts to a manual for tech-challenged gumshoes, covering everything from how to track suspects through an Internet Relay Chat network to targeting copyright thieves on peer-to-peer networks.

Local and state law enforcement have bungled some high-tech investigations recently. The Pennsylvania Supreme Court rejected prosecutors' attempts to seize newspaper reporters' hard drives, and the 8th Circuit Court of Appeals ruled that police illegally seized a computer in a methamphetamine investigation. A federal judge permitted an Internet service provider to sue police after it was raided because of Usenet posts its employees knew nothing about.

The new 137-page manual appears to represent the Justice Department's attempt to offer at least some basic technical and legal tips to law enforcement agencies that may not have computer experts on the payroll.

"Criminals can trade and share information, mask their identity, identify and gather information on victims, and communicate with co-conspirators," the manual says. "Web sites, electronic mail, chat rooms, and file sharing networks can all yield evidence in an investigation of computer-related crime."

The manual warns of the perils of assuming that the owner of a computer--especially Windows PCs, which can be vulnerable to security breaches--is responsible for what's actually on it.

"Because investigations involving the Internet and computer networks mean that the suspect's computer communicated with other computers, investigators should be aware that the suspect may assert that the incriminating evidence was placed on the media by a Trojan program," it says. "A proper seizure and forensic examination of a suspect's hard drive may determine whether evidence exists of the presence and use of Trojan programs."

Defendants in criminal cases have been known to raise what's become known as the Trojan defense. In a dawn raid, Arizona police stormed into the house of a 16-year-old boy named Matthew Bandy and accused him of downloading child pornography--which carried a maximum penalty of 90 years in prison.

It turned out that, contrary to claims by police and Maricopa County District Attorney Andrew Thomas, Bandy's home computer was thoroughly infected by malware. After being contacted by reporters, the Maricopa County Attorney's Office offered the boy a plea bargain without jail time.

The Trojan defense was also tried by an eighth-grade math teacher in Georgia, but with less success. In November, the 11th U.S. Circuit Court of Appeals upheld the teacher's conviction on federal child pornography charges.


Related...

http://www.wired.com/news/columns/0,72510-0.html?tw=rss.index

Computer Privacy in Distress

By Jennifer Granick, 02:00 AM, Jan. 17, 2007

My laptop computer was purchased by Stanford, but my whole life is stored on it. I have e-mail dating back several years, my address book with the names of everyone I know, notes and musings for various work and personal projects, financial records, passwords to my blog, my web mail, project and information management data for various organizations I belong to, photos of my niece and nephew and my pets.

In short, my computer is my most private possession. I have other things that are more dear, but no one item could tell you more about me than this machine. [Probably more common than most people would think – but is it the right thing to do? Bob]

Yet, a rash of recent court decisions says the Constitution may not be enough to protect my laptop from arbitrary, suspicionless and warrantless examination by the police.

At issue is the Fourth Amendment, which protects individuals from unreasonable searches and seizures by government agents. As a primary safeguard against arbitrary and capricious searches, property seizures and arrests, the founding fathers required the government to first seek a warrant from a judge or magistrate.

The warrant has to specifically describe the place to be searched and the items to be seized.

Searches and seizures without such a warrant are presumed to be unconstitutional. There are times, of course, when it would be unreasonable, burdensome, ineffective or just plain silly to require police to get a warrant before searching, so courts have carved out many, many exceptions to the warrant requirement. The fundamental thread in these decisions is a subtle and case-specific determination of what is "reasonable" conduct by law enforcement.

Because reasonable minds can differ on reasonable courses of action, the resulting Fourth Amendment law is complicated, sometimes contradictory and very fact-dependent.

Computers pose special Fourth Amendment search problems because they pack so much information in such a small, monolithic physical form. [Not a strong argument... Bob] As a result, courts are grappling with how to protect privacy rights during searches of computers.

Three digital search topics in particular are converging in interesting, and foreboding, ways.

First, there are several new cases that suggest that agents can search computers at the border (including international airports) without reasonable suspicion or a warrant, under the routine border search exception to the warrant requirement.

Second, a recent case in the 9th U.S. Circuit Court of Appeals has held that private employees have no reasonable expectation of privacy, and thus no Fourth Amendment rights, in their workplace computers (gulp!).

Third and finally, the 9th Circuit is struggling, and failing, to define ways to judicially supervise police searches of computers to ensure that law enforcement gets the information it needs, while leaving undisturbed any private information on unrelated matters that may be on the same disk drive.

Together the computer search cases can paint a scary picture. But if you read the decisions carefully, there is ample room for courts to follow up with more nuanced opinions that protect computer privacy and allow reasonable government access.

For example, the border search exception allows "routine" searches without reasonable suspicion or a warrant. "Non-routine" searches still require reasonable suspicion. Is the examination of computers at the border a routine or non-routine search? The cases so far don't answer this question head on. Future cases will have to.

The Supreme Court has said that the definition depends on the "dignity and privacy interests" implicated by a search. Thus, strip searches and cavity searches are non-routine, but searches of vehicles and baggage are routine.

Given the sensitivity of information stored on a computer, the way people tend to archive everything, how long a comprehensive search takes and the likelihood of discovering contraband with such a search, courts may well find that computer searches are allowed at the border only based on reasonable suspicion, not as a baseless fishing expedition.

I hope for the best, as I do in United States v. Ziegler, the case that found private employees have no reasonable expectation of privacy in their workplace computers. Defense attorneys have asked for a rehearing, and the court may do better next time.

Ziegler is important, because if employees have no protected privacy rights, then the government can enter a private workplace, without cause, without a warrant, with or without the employer's consent and search employee computers. The business might try to sue, but the employee would not have the right either to challenge the government's actions in court, or to suppress any discovered evidence.

Similarly, defense attorneys in United States v. Comprehensive Drug Testing have asked the 9th Circuit for a new hearing, and the court has an opportunity to issue a more careful opinion in that case, which arose from the Balco doping scandal.

The government is investigating whether 10 professional baseball players were illegally taking steroids. In the course of its probe, it obtained multiple warrants for the results of drug tests taken by the players. But it didn't just seize the results for the players under scrutiny -- it grabbed the entire database, with samples from hundreds of other athletes.

Lower courts ordered the government to return the information that was not related to the Balco-linked players, but the government appealed and the 9th Circuit ruled in its favor.

The facts of the case are complicated, but the proper result is clear: In every computer or database search case, information responsive to the warrant is going to be intermingled with information about other matters. Warrants should not only state whether the computers will be removed from the premises, and how the search will be done, but should also establish a way agents will try to segregate private information from the data they are entitled to obtain pursuant to the warrant.

Otherwise, we will find that the government can use a smaller investigation as a stalking horse to obtain information about a vast number of other people.

These Fourth Amendment trends should be closely followed.

Of course, there's a chance that the courts will not recognize the different scope of privacy interests at stake in computer searches, or will not be adept at crafting a rule that gives enough leeway and guidance to law enforcement, while also protecting privacy. At that point, the Constitution may fail us, and we will have to turn to Congress to create rules that are better adapted for the information age.

- - - Jennifer Granick is executive director of the Stanford Law School Center for Internet and Society, and teaches the Cyberlaw Clinic.



http://news.com.com/2100-1028_3-6150572.html?part=rss&tag=2547-1_3-0-5&subj=news

President signs pretexting bill into law

By Anne Broache. Story last modified Wed Jan 17 06:03:16 PST 2007

It's official: "pretexting" to buy, sell or obtain personal phone records--except when conducted by law enforcement or intelligence agencies--is now a federal crime that could yield prison time.

President Bush on Friday affixed his signature to the Telephone Records and Privacy Protection Act of 2006. The measure threatens up to 10 years behind bars to anyone who pretends to be someone else, or otherwise employs fraudulent tactics, to persuade phone companies to hand over what is supposed to be confidential data about customers' calling habits.

Even before Bush's move, federal law banned pretexting to obtain someone's financial records. Some states, such as California, have already outlawed telephone pretexting. But many politicians and consumer advocacy groups urged passage of a federal law to clarify that the practice is illegal.



Pass this to anyone with an Acer laptop.

http://blog.washingtonpost.com/securityfix/2007/01/a_warning_to_acer_laptop_users.html

A Warning to Windows Users on Acer Laptops

Update, Jan. 16, 12:57 p.m.: Acer has released an update that automates the deactivation of the culprit file, as described in this blog. The patch can be downloaded from this link here. Also, U.S. CERT has issued an advisory about this threat.



Toward a complete medical database? Security issues to follow?

http://www.infoworld.com/article/07/01/16/HNfreeeprescribing_1.html?source=rss&url=http://www.infoworld.com/article/07/01/16/HNfreeeprescribing_1.html

U.S. doctors to get free e-prescribing software

Initiative aims to get all U.S. doctors, pharmacies to use e-prescribing and eliminate prescription errors

By Grant Gross, IDG News Service, January 16, 2007

Doctors in the U.S. will have access to free, Web-based electronic medicine prescribing software within a month, a group of health-care providers and technology vendors announced Tuesday.

The goals of the National ePrescribing Patient Safety Initiative (NEPSI) are to get every U.S. doctor and pharmacy to use e-prescribing software and to eliminate thousands of injuries and deaths in the U.S. each year caused by prescription errors, supporters said at a press conference in Washington, D.C.

... "Paper kills," added Newt Gingrich, a former U.S. representative and founder of the Center for Health Transformation. "It is a clear fact that a paper prescription is dangerous."

... Allscripts and other technology partners will not make money from NEPSI, but the vendors see business opportunities down the road, when full-featured e-health records are in place, Tullman said. Allscripts sells e-health record software, and putting an e-prescribing system in place is the first step toward full e-health records, he said.



I have stated repeatedly that this has always been possible – in any database, this application merely automates existing techniques... If you have personal data, can you ignore this control?

http://www.eweek.com/article2/0,1759,2084658,00.asp?kc=EWRSS03119TX1K0000594

Ntirety, Tizor Partner to Offer Database Monitoring Service

By Brian Prince January 16, 2007

Tizor Systems has agreed to allow its intelligent data auditing and protection product, Mantra, to be used by database administration company Ntirety in a new managed security service package.

The new product, dubbed Remote DAS (Data Auditing Service), will provide Ntirety customers with compliance assurance, data monitoring and information theft detection by monitoring, auditing and reporting on all critical database activity, including privileged user activity, in real time.



Oh, how tragic!

http://hosted.ap.org/dynamic/stories/S/SHOE_SCANNER?SITE=VALYD&SECTION=HOME&TEMPLATE=DEFAULT

Some Unhappy With Airport Shoe Scanners

By TRAVIS REED, Associated Press Writer. Jan 16, 11:07 PM EST

ORLANDO, Fla. (AP) -- New airport screening technology that was trotted out Tuesday was supposed to let passengers keep their footwear on while passing through security.

But several travelers complained they had to kick loafers or heels off anyway, even after standing in a kiosk that reads their biometric information and uses radio waves to test for explosives and metal. The scanners are part of a new program at Orlando International Airport that promises shorter screening lines for those who pass a federal background check and pay a $100 annual fee.

But all shoes with metal must still be removed for additional screening because the agency has not approved the devices' ability to distinguish between safe and unsafe metals, said Shawn Dagg, Verified Identity Pass senior vice president.

... Dagg said he hopes customers will learn to wear shoes without metal.



Another argument for free software? An excuse to charge more? Bad contract language (Future upgrades, if available, are included in the license fee)

http://techdirt.com/articles/20070115/163130.shtml

Is Sarbanes-Oxley Forcing Apple To Charge You To Upgrade Your WiFi?

from the say-what-now? dept

Well, here's a weird one. It's no secret that Sarbanes-Oxley is a law with lots of problems. It's become a huge pain for businesses, forcing all sorts of useless, but expensive, procedures to be put in place that have little (if anything) to do with protecting investors from being taken in by unscrupulous companies. It's been a huge net loss to the economy, and has scared away plenty of companies from the public markets. While that may have held some "bubble euphoria" in check by keeping investment opportunities away from the public, the net result is bad for the overall economy. Last week, there was lots of talk about Jim Clark's decision to quit Shutterfly while blaming Sarbanes-Oxley for limiting what he could do at the company. Now comes the latest odd SOX complaint. Apparently Apple is forcing Mac owners to pay an extra $5 to unlock next generation features of WiFi that were bundled with recent machines. In order to unlock the pre-standard 802.11n features, you have to pay $5, with Apple saying that they cannot be seen as "giving away an unadvertised new feature of an already sold product without enduring some onerous accounting measures." The thinking, basically, is that they would be unfairly recognizing the revenue early, since they hadn't completely delivered the product. The alternative would be to not recognize all the revenue ahead of time, but that presents other problems, and could even be more costly. Thus, consumers get the fun of having to pay extra to upgrade. [Could be argued for all commercial software, right? Bob] Yet another fun unexpected consequence from excessive meddling from politicians.



Free is good, and I figure it can't make me any dumber...

http://digg.com/general_sciences/UC_Berkeley_Webcasts_Video_and_Podcasts_Spring_2007_Courses

UC Berkeley Webcasts - Video and Podcasts: Spring 2007 Courses

"Webcast.berkeley is piloting a new podcasting system. Building on the success of our pilot last Spring 2006..." Some great free courses.

http://webcast.berkeley.edu/courses.php



http://www.darkreading.com/document.asp?doc_id=114703

The Trouble With Customers and Their Data

Courtesy of Wall Street & Technology, JANUARY 16, 2007

The financial services industry certainly is aware of threats to customer data privacy. Firms are well informed about previous data breaches at nonprofit and for-profit entities alike. These events are grabbing headlines globally and are foremost on the minds of existing and potential clients, so financial institutions must be attentive to consumers' concerns, mustn't they? Yet, time and again, reports surface of hackers, dishonest insiders, careless data handling and lost laptops leading to the exposure of customer information.

Recently, E-Trade Financial Corp. (New York) and TD Ameritrade Holding Corp. (Bellevue, Neb.), two fixtures of the online brokerage industry, reported in October losses of $18 million and $4 million respectively as the result of customer account breaches. Overseas hackers used keylogging software installed in public computing facilities to capture users' account information and passwords, and then used those accounts to execute a pump-and-dump market-manipulation scheme, according to TD Ameritrade. E-Trade declined to comment on the breach for this story.

... According to an annual data breach study from Elk-Rapids, Mich.-based think tank the Ponemon Institute, which studied 31 organizations that suffered data breaches, the average total cost of lost customer records is $182 per record, a 30 percent increase from 2005. The study calculated costs in terms of direct incremental costs, indirect productivity costs and customer opportunity costs. The latter is perhaps the most damaging.

... Historically, explains Bill Edwards, chief security officer at TD Ameritrade, "My job has been to protect the company that I was at. What's changed in the past couple of years is that now my hands and my arms are being wrapped around our clients as well," he says. "Oh, we've cared about the clients, but now the threats have morphed onto the clients' desktops, so now we have to settle that problem. ... The game is changing a little bit, so you have to look at the entire transaction -- where it initiates to where it ends."

... Both TD Ameritrade and E-Trade feature online security centers that offer educational materials, security software and self-defense best practices that are user-friendly and, as Edwards says, "written for my mother."

... Most firms are willing to admit the inevitability of customer data exposure. And no firm is foolish enough to claim invulnerability, for fear that such a claim paints a bright red bull's-eye on the heart of its security infrastructure, targeted by hackers across the globe, according to William Yeh, CEO of Genesis Securities, which owns discount brokerage Sogo Invest (New York). "No one wants to say that because we all know that's not true," he says, adding hesitantly that his firm has not fallen victim to a data breach. "Not yet."

... "I can build a ten-ton firewall, but if customers give their password to somebody, my ten-ton firewall is not going to do anything," says Genesis' Yeh.

"The largest threat, frankly, is that darn Post-It on somebody's computer," adds TradeKing's Montanaro, referring to the often thoughtless actions of clients who leave passwords exposed.

The most formidable vehicle for customer data protection is the customers themselves.



Today's Dilbert pretty much sums up the password security issue... Don't send this to the security geeks, send it to your pointy headed boss.

http://www.unitedmedia.com/comics/dilbert/
