Thursday, April 07, 2011

Looks like a day of questions. The first is the classic, what did they know and when did they know it?

http://www.databreaches.net/?p=17540

Epsilon breach used four-month-old attack

April 7, 2011 by admin

Brett Winterford writes:

… Today iTnews can reveal that Epsilon has been aware of the vulnerability behind this attack for some months.

In late November, Epsilon partner ReturnPath – which provides monitoring and authentication services to email service providers – warned customers about a series of coordinated phishing and hacking attacks levelled at the mailing list industry.

Neil Schwartzman, senior director of security strategy at Return Path’s ‘Email Intelligence Group’ warned its partners of “an organized, deliberate, and destructive attack clearly intent on gaining access to industry-grade email deployment systems”.

He said that the phishing attacks were targeted specifically at employees at email service providers that had specific access to email operations.

Read more on iTnews. I note that Epsilon has not actually stated or confirmed the cause of the breach. That said, I suspect Neil’s right and I’m definitely not surprised to read this.

As a reminder, a Walgreens spokesperson had told DataBreaches.net that after the December breach that led to its notifying customers:

After the incident last year, Walgreens requested that Epsilon put a number of additional security measures in place. Apparently, that expectation was not fully met.

Phishing attacks on ESPs like Epsilon are not new. There were breaches, and the threat was made publicly known. What did Epsilon do since they were made known? It seems evident that whatever they may have done, it wasn’t sufficient – assuming that this breach was of the same type as what we saw last year.

In 2008, we saw a rash of breaches in the hospitality sector when cybercriminals learned that many restaurants were using default configurations on their POS systems for customers’ credit or debit card payments. The industry spread the word – or tried to – about the need to disable remote desktop access unless absolutely necessary and to change their passwords and to limit access. There are still some breaches of this kind, but they have declined dramatically.

Now we have a rash of breaches involving ESPs. Will the Epsilon fiasco be the wakeup call for this industry? One would hope so, but before that happens, I fear we’re going to hear about more breaches – including some breaches that may have already occurred but not have been fully disclosed.


(Related) These questions seem to confirm my suspicions that the Epsilon breach is big enough to be a potential game changer.

http://www.databreaches.net/?p=17532

House Lawmakers Want Info About Data Breach – So Do I!

April 6, 2011 by admin

Earlier today, I noted that Senator Blumenthal had asked Attorney General Holder to open an investigation into the Epsilon breach.

Also today, some members of the House decided that they wanted some answers, too. Juliana Gruenwald reports:

In a letter Wednesday to Epsilon’s parent company, Alliance Data Systems, the leaders of the Subcommittee on Commerce, Manufacturing and Trade voiced concern that even access to limited data such as a name and e-mail address can lead to identity theft.

“In the simplest fashion, a criminal can easily create a phishing e-mail that could lead an unwitting consumer into financial disaster,” subcommittee Chairwoman Mary Bono Mack, R-Calif., and ranking member G.K. Butterfield, D-N.C., wrote. “With a reported 40 billion marketing e-mails sent a year, the Epsilon breach could potentially impact a historic number of consumers.”

In response, the lawmakers asked for more details by April 18 on the breach and how it might affect consumers.

Some of the information they are seeking includes: when Epsilon learned of the breach; when it notified authorities and its corporate customers about the breach; how many companies and consumers were affected; which companies were affected; what information was taken; how did the breach occur; and what steps the company is taking to prevent future intrusions.

Oh please, please, please, add a P.S. to that list of questions to include:

  • Was that Epsilon’s first breach, its second, third…?

And if there was a previous breach (as seems to be a reasonable hypothesis in light of Walgreens’ previous notice to customers):

  • Was this breach via the same means as the previous breach circa November 2010?

  • How many clients – and specifically which clients – did they notify of the 2010 breach?

  • What additional security steps did they take in response to Walgreens’ reported request in December 2010 that they add security protections to prevent a breach like the one Walgreens reported to its customers in December 2010?

  • Epsilon detected the breach on March 30, but when did it actually occur?

  • What other kinds of personal information were on the same server(s) that were compromised?

Read more on National Journal.

You can read the Representatives’ letter to Alliance here.


(Related) Many of Epsilon's clients have a global customer base...

http://www.databreaches.net/?p=17549

AU: Privacy czar to investigate Epsilon email breach


(Related) France makes it much more difficult to protect users (much more attractive for hackers looking for passwords) Question: If you have access to all the data in a user's account, why do you need the password?

http://yro.slashdot.org/story/11/04/07/0212222/France-Outlaws-Hashed-Passwords?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+Slashdot%2Fslashdot+%28Slashdot%29

France Outlaws Hashed Passwords

"Storing passwords as hashes instead of plain text is now illegal in France, according to a draconian new data retention law. According to the BBC, '[t]he law obliges a range of e-commerce sites, video and music services and webmail providers to keep a host of data on customers. This includes users' full names, postal addresses, telephone numbers and passwords. The data must be handed over to the authorities if demanded.' If the law survives a pending legal challenge by Google, Ebay and others, it may well keep some major services out of the country entirely."



Questions for the Cloud Computing industry?

http://www.pogowasright.org/?p=22265

Does Government Own Your Remotely Backed Up Computer Files, Your Emails, or Your Cell Phone GPS Info?

April 6, 2011 by Dissent

Warner Todd Huston writes:

Did you know that there are no laws to prevent government agencies from raiding your computer’s remotely hosted back up files, your third party emails, your cloud computing files, or your cell phone GPS location records? Well, there aren’t. As the law stands today government can go into your private computer files or trace your cell phone location without a warrant.

As a result of this lapse in protection from unlawful search and seizure, a new group of concerned parties intends to change the law with the Digital Fourth Amendment campaign.

Read more on Publius Forum


(Related) I can see their interest in published writing (your Facebook page) but does the unpublished (background) stuff have any bearing on job performance?

http://www.pogowasright.org/?p=22268

ACLU Responds To Maryland Division Of Corrections’ Revision Of Invasive Social Media Policy

April 6, 2011 by Dissent

Today, the Maryland Department of Corrections released a letter describing a revised social media policy, in response to a complaint from the American Civil Liberties Union of Maryland asking DOC to rescind their blanket policy demanding personal social media passwords from corrections officers and applicants as part of the employment certification process.

The ACLU’s January 25 letter to Public Safety Secretary Gary Maynard details the experience of Officer Robert Collins, who was ordered to supply his Facebook login information during a recertification interview – giving the DOC access to his private electronic communications, and leaving his friends vulnerable to governmental cyber-snooping.

There was a public outcry when the case was reported in the media in February, and within days after the case was publicized, the department suspended the practice. Of concern, however, the state’s Attorney General held that the practice could be appropriate and legal under some circumstances. The Department of Corrections has not yet provided the written policy itself, although the ACLU has requested a copy.

Deborah Jeon, Legal Director for the ACLU of Maryland, said:

“The government should not ask people to “volunteer” access to their private, personal communications. If the term “chilling effect” describes anything, it describes this. Few job applicants, eager to please a prospective employer, are going to feel genuinely free to decline to give up their information. Under the DOC’s reasoning, it would be equally permissible (and logical) for them to ask that job applicants volunteer to have the DOC monitor all of their calls, read all of their e-mail, look at all of their letters, and search their houses on demand. The fact that no employer in the country would think of “asking” that strongly indicates how improper it is, and how improper this is.

According to a statement released by the ACLU, although the government promises not to refuse to hire someone because the applicant does not turn over their password, it will be virtually impossible for an applicant who suspects the government is not living up to its word to prove that. Moreover, if the policy is truly voluntary, and if it is true that no negative inferences will be drawn, then it serves no useful purpose. [I doubt they'll buy the “logic” of this argument. Bob]

Equally significant, the revised policy does not address the privacy rights of the Facebook “friends” of those who apply for positions and agree to grant the government access to their social media sites, whose privacy rights are invaded by the government without their consent.

In a separate press statement regarding the policy change, the Department of Correction claims that, according to their own figures, 94 percent of those hired by the DOC during the past year shared their social media information. Because most people would not want to share their social network posts with a future employer, the staggeringly high rate of “volunteering to share” suggests that this was not really perceived as voluntary if one wants to get a job. The DOC statement is ambiguous as to whether anyone actually refused, saying only that five of those hired “chose not to, or were unable to” supply their login information.

Of significant interest is the omission from the DOC press statement of any statement as to how many of those who were not hired declined to provide the DOC with social media information.


(Related) Change is frightening. When you have a process that works and everyone understands, it is very difficult to unlearn that process and learn a new one. Likewise, it is easier to oppose change than to support it.

http://www.pogowasright.org/?p=22274

Justice Department opposes digital privacy reforms

April 6, 2011 by Dissent

Declan McCullagh reports:

The U.S. Justice Department today offered what amounts to a frontal attack on proposals to amend federal law to better protect Americans’ privacy.

James Baker, the associate deputy attorney general, warned that rewriting a 1986 privacy law to grant cloud computing users more privacy protections and to require court approval before tracking Americans’ cell phones would hinder police investigations.

This appears the first time that the Justice Department has publicly responded to a set of digital privacy proposals unveiled last year by a coalition of businesses and advocacy groups including AT&T, Google, Microsoft, eBay, the American Civil Liberties Union, and Americans for Tax Reform.

Read more on cnet.

[From the article:

The question at hand is rewriting the Electronic Communications Privacy Act, or ECPA, which was enacted in the pre-Internet era of telephone modems and is so notoriously convoluted, it's difficult even for judges to follow.

[An interesting graphic illustrating how email is protected (or not):

http://www.scribd.com/doc/51761318/Email-Privacy-Protection



This has further implications for Data Mining. If you have millions of records, can you determine who is a terrorist and who is a completely innocent Blogger? (I really need to know!)

http://www.pogowasright.org/?p=22251

Applying the Mosaic Theory of the Fourth Amendment to Disclosure of Stored Records

April 6, 2011 by Dissent

Orin Kerr writes:

I’ve blogged a few times about United States v. Maynard, the controversial D.C. Circuit case holding that over time, GPS surveillance begins to be a search that requires a warrant. Maynard introduced a novel mosaic theory of the Fourth Amendment: Although individual moments of surveillance were not searches, when you added up the surveillance over time, all the non-searches taken together amounted to a search. The obvious question is, just how much is enough to trigger a search? At what point does the Constitution require the police to get a warrant?

This issue recently came up in a court order application before Magistrate Judge James Orenstein in Brooklyn seeking historical cell-site location for two cell phones used by a particular suspect.

Read more on The Volokh Conspiracy.

Julian Sanchez responds to Orin’s commentary in, “Blurry Lines, Discrete Acts, and Government Searches.” Julian writes, in part:

Orin’s point about the seeming arbitrariness of these determinations—and the difficulties it presents to police officers who need a rule to rely on—is certainly well taken. The problem is, the government is always going to have substantial control over how any particular effort at information gathering is broken into “acts” that the courts are bound to view “discretely.” If technology makes it easy to synthesize distinct pieces of information, and Fourth Amendment scrutiny is concerned exclusively with whether each particular “act” of information acquisition constitutes a search, the government ends up with substantial ability to game the system by structuring its information gathering as a series of acquisitions, each individually below the threshold.



Behavioral Advertising may be too aggressive?

http://www.pogowasright.org/?p=22259

Do certain mobile apps violate the Computer Fraud and Abuse Act?

April 6, 2011 by Dissent

Caroline Belich writes:

According to the Wall Street Journal and other sources, federal prosecutors in New Jersey are investigating whether certain mobile applications for smartphones have illegally obtained or transmitted information about their users. Part of the criminal investigation is to determine whether these app makers made appropriate disclosures to users about how and why their personal information is being used. The app makers subpoenaed include the popular online music service Pandora.

Examples of information disclosed by these app makers may include a user’s age, gender, location, and also unique identifiers for the phone. The information may then be passed on to third parties and advertising networks. The problem is that users may be unaware that their information is being accessed by a smartphone app because a maker failed to notify them.

As a result, this failure to notify may violate the Computer Fraud and Abuse Act (18 USC 1030).

Read more on Internet Cases.



A data breach as a labor negotiation tactic? Lots of unanswered questions here, and I'm too ignorant to see how this aids negotiations in any way.

http://www.databreaches.net/?p=17512

US Airways Pilots Express Outrage over Data Theft

April 6, 2011 by admin

A press release from the U.S. Airlines Pilots Association reminds us yet again how labor disputes may increase the risk of a privacy breach or data breach:

The pilots of US Airways, represented by the US Airline Pilots Association (USAPA), today expressed their outrage at the airline’s acknowledgement that its management personnel aided in unauthorized distribution of the highly confidential personal data of thousands of pilots. USAPA is currently cooperating with a criminal investigation into this matter.

US Airways recently admitted that a management pilot accessed and transferred a confidential database containing the personal information of thousands of US Airways pilots, including names, addresses and Social Security numbers. The transferred database may also have included pilot passport information. The data was given to a third party pilot group, which has acted to disrupt the ongoing negotiations between USAPA and US Airways currently under the auspices of the National Mediation Board and undermine USAPA’s bargaining objectives.

“US Airways pilots are infuriated at the data breach perpetuated by a management official of the company for which they work,” stated Mike Cleary, president of USAPA. “Thousands of us have been exposed to identity theft that could impact us for the rest of our lives. Further, as the Federal Bureau of Investigation has yet to determine the extent of the breach, we are concerned about the security of ALL information provided to US Airways – including our families’ personal information. US Airways collects personal information on US Airways employees’ family members and information from passengers, such as credit card data.”

USAPA has been working with the FBI since November 2010 in an attempt to determine the exact scope of the data breach. In his letter alerting the FBI, the Transportation Security Administration and the Federal Aviation Administration to USAPA’s concerns, President Cleary said,

“We believe the unauthorized access to this confidential information may pose a direct threat to national security, our represented pilots’ safety, and their professional standing.

“The exact scope of the breach is unknown, but unauthorized access to airline pilot passport numbers coupled with pilot residential addresses could potentially be used to forge U.S. commercial airline pilot passports, or identities, in order to gain access to international or domestic commercial aircraft or flights – thereby posing a direct threat to our nation’s security.”

“In light of this breach, USAPA has concluded that US Airways cannot be trusted with confidential or sensitive information,” President Cleary said today. “The union is also extremely disappointed by the Company’s lack of aggressive action to address this issue, first denying that a significant breach had even occurred, then equivocating concerning the extent of that breach, all the while taking no remedial action against the Company personnel involved in the breach. Significantly, the Company has also failed to take steps to provide lifelong protection to the pilots directly affected and adequately address the potential national security issues for all of our pilots and passengers.”

USAPA is committed to spending the time and resources necessary to protect its members, while it believes that US Airways sits on the sideline. US Airways management has informed USAPA that it is relying on the “assurances” of the very parties responsible for the data breach that the confidential information will not be misused.

“This is, of course, ludicrous,” President Cleary responded. “It’s analogous to a bank robber promising he will not spend the stolen loot. We are demanding swift and aggressive action as we simultaneously take significant steps to hold both US Airways and the specific responsible parties liable for the damage caused.



For my Disaster Recovery students. How easy would it be to disrupt the Internet in your neighborhood? The Internet was designed to re-route data around links taken out in a nuclear war – but you have to have more than one link for that to work.

http://tech.slashdot.org/story/11/04/07/0234214/Elderly-Georgian-Woman-Cuts-Armenian-Internet?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+Slashdot%2Fslashdot+%28Slashdot%29

Elderly Georgian Woman Cuts Armenian Internet

"An elderly Georgian woman was scavenging for copper with a spade when she accidentally sliced through an underground cable and cut off internet services to nearly all of neighboring Armenia. The fibre-optic cable near Tbilisi, Georgia, supplies about 90% of Armenia's internet so the woman's unwitting sabotage had catastrophic consequences. Web users in the nation of 3.2 million people were left twiddling their thumbs for up to five hours. Large parts of Georgia and some areas of Azerbaijan were also affected. Dubbed 'the spade-hacker' by local media, the woman is being investigated on suspicion of damaging property. She faces up to three years in prison if charged and convicted."
