Privacy and Information Security In the News -- Week of October 31, 2005

October 31, 2005

"Obscure" BlackBerry Bug Causes E-mail Security Breach

The Guardian Unlimited reported last week that the BBC had suspended the use of BlackBerries by the company's executives for security reasons. The BBC took the action after some of its executives reported that portions of other people's communications were appearing in messages sent by the executives. The BlackBerry's maker, Research in Motion, attributed the problem to an "obscure bug" in the system. "BBC suspends Blackberry use after email leaks," http://technology.guardian.co.uk/news/story/0,16559,1601197,00.html

Microsoft Sues Spammers

Microsoft announced last week that it has filed suit against 13 groups that use zombie computers to send spam. According to CSOOnline, Microsoft took action after it discovered that the use of zombies was more prevalent and more disruptive than it had understood. (Where has Microsoft been?) In a test, Microsoft infected a computer with malicious code used by spammers. In just three weeks, the computer sent 18 million e-mail messages from 5 million connections. "Microsoft Stalks Super Spammers," http://www2.csoonline.com/blog_view.html?ID=742

Hackers Use Bird Flu to Spread Virus

Computerworld is reporting that virus writers are preying on heightened interest in bird flu to distribute an e-mail attachment that includes a Trojan horse. Carried by messages bearing the subject line "Outbreak in North America" or "What is avian influenza (bird flu)?," the Trojan includes two programs. One allows the Trojan horse to create, delete and modify files. The other installs a virus that allows a hacker to run an infected computer by remote control. "Bird flu brings on PC virus," http://www.computerworld.com/securitytopics/security/story/0,10801,105777,00.html?source=x73

Banks Create List of Rogue Employees

A consortium of 100 large banks in the United States, known as Bits, is working to create a database of former employees who were terminated for compromising customer data or for knowingly causing financial losses. Bits says the database will be available in mid-2006. "Banks to blacklist rogue workers in fraud fight," http://news.com.com/Banks+to+blacklist+rogue+workers+in+fraud+fight/2100-1029_3-5915678.html

UK CIO Says Go Slow on Biometric ID

The British government's chief information officer has told the government that its plans to introduce a national ID card with biometric measures may have to be postponed or scaled back. According to The Independent, the officer warned that the program was too complex and ambitious to implement immediately. The officer has proposed testing the program among groups – such as scoutmasters and teachers – whose security has already been vetted. "ID card plans face delay over technology, ministers warned," http://news.independent.co.uk/business/news/article323280.ece

Easy Come, Easy Go

Police in Oregon have arrested a woman who bought a winning ticket worth $1 million in the state-run lottery using a credit card that belonged to her deceased mother-in-law. "Woman wins $1m with stolen credit card," http://www.theregister.co.uk/2005/10/31/lottery_winner/

November 1, 2005

Documents Headed for Shredding Spread Across City Streets in Toronto; Medical Clinic and Disposal Company Held to Violate New Canadian Privacy Law

Thousands of businesses rely upon third-party companies to destroy sensitive documents for them. Even after you satisfy yourself that the third-party company has proper procedures in place to ensure that your documents are destroyed, you have to trust that the company will do what it says it will do or verify that it does.

Mistakes happen. For example, a story in yesterday's National Post recounts how a Toronto paper disposal company that collects paper for recycling and for shredding made an embarrassing error. It confused documents from an X-ray and ultrasound clinic that were meant to be shredded with documents that were intended to be recycled. It subcontracted the pickup to a paper recycling company, which indeed recycled them – by strewing them across a Toronto street to serve as the backdrop for the filming of a movie about the 9/11 attacks on the World Trade Center. "Clinic, paper firm broke privacy rules," http://www.canada.com/national/nationalpost/news/toronto/story.html?id=4c7ef96a-8695-4393-a5be-aba3067272f1.

The Ontario Information and Privacy Commissioner found the clinic liable in the first case brought before the Commissioner under Ontario's new Personal Health Information Protection Act ("PHIPA"). Yesterday, the Commissioner issued Order HO-01 (http://www.ipc.on.ca/docs/ho-001.pdf) that concluded that both the clinic and the paper disposal company had violated PHIPA. According to the Commissioner, the clinic:

  • Failed to take all reasonable steps to secure the personal health information in its custody or control;

  • Failed to ensure that the personal health information was disposed of in a secure manner; and

  • Failed to comply with PHIPA's requirement to be responsible for the proper handling of personal health information by itself and its agents.

The Commissioner found that the paper disposal company also violated the Act by forwarding the papers for recycling rather than shredding, even though it did not do so intentionally. See "Medical records found scattered across Toronto streets: Commissioner Cavoukian issues first Order under new law," http://www.ipc.on.ca/scripts/index_.asp?action=31&N_ID=1&P_ID=16559&U_ID=0

One Way to Avoid a Similar Error

One way to guard against the risk that your paper disposal company might unintentionally fail to destroy your sensitive discarded documents is to engage a company that shreds the documents on location. The Grand Rapids Business Journal this week has an article about just such a company, which brings a mobile shredder to its customer's location, where the customer can monitor the destruction of its documents. "'Information Destruction' Grows," http://www.grbj.com/GRBJ/ArticleArchive/Article+Archive.htm?Channel={A63AA209-FEDF-443C-B448-4B0D59FCA811} (subscription required)

Federal Legislative Update

The New York Times and American Banker both report that we will see a lot of committee action on information security bills in Congress in the coming weeks. A vote is scheduled in the Senate Judiciary Committee on Thursday on S. 1789, a broad bill sponsored jointly by Sen. Arlen Specter, its Chairman, and Sen. Patrick Leahy, its Ranking Member. Chairman Specter tabled the bill in October when committee members proposed 24 amendments to the bill. At that time, the Committee approved a much narrower bill, S. 1326, which was offered by Senator Sessions.

Meanwhile, Congress will consider at least six other information security bills. On Thursday, the House Energy and Commerce Committee will vote on H.R. 4127, and on November 9, the House Financial Services Subcommittee will consider H.R. 3997. And Senate Banking Committee Chair Richard Shelby is preparing to introduce yet another bill that would apply to financial institutions.

The sheer number of bills, the looming fight over Supreme Court nominee Samuel Alito, turf battles among committee chairs, and the shortness of time make passage of a bill this year uncertain. Yet Congress continues to feel pressure to act. The Times reports that 47 state attorneys general sent a letter to Congress last week pressing for a broad bill supported by consumer advocates. Industry groups have lined up behind the considerably narrower Sessions bill already voted out of the Senate Judiciary Committee.

For more information see, "Two Broad Data Bills Approach Critical Vote," http://www.americanbanker.com/article.html?id=20051028KV36ID24&from=technology (subscription required); "Data Security Laws Seem Likely, So Consumers and Businesses Vie to Shape Them," http://www.nytimes.com/2005/11/01/business/01theft.html?adxnnl=1&adxnnlx=1130818808-EfKcSnljQ4AAaASh+HGbVA

November 2, 2005

New Threats to New Technologies

As new technologies and new uses of old technologies are introduced, companies that employ them face an increasing burden to measure and control the risks posed by those technologies. Understanding the risks and establishing policies and procedures to address them is critical to a successful security program and requires continual review of changing threats. For example, on Monday we linked to an article about an "obscure" bug that caused messages sent by BBC executives using their popular BlackBerry devices to include parts of messages sent by other persons. The BBC quickly suspended use of the devices while it investigated. "'Obscure' BlackBerry Bug Causes E-mail Security Breach," In the News, October 31, 2005.

Continual risk reassessment is a requirement of any security program. As new technologies and uses become more popular, they catch the attention of hackers and cybercriminals who look for new ways to exploit security gaps. For example, SC Magazine UK reports that hackers have begun launching phishing attacks (called "mophophishing") on mobile phone users. The article notes that it is more difficult for a mobile phone user to protect himself against mophophishing than regular phishing because the domain name and path of links are concealed in a mobile phone phishing message. "New type of phishing could hit mobile phone users," http://www.scmagazine.com/uk/news/article/525582/new-type-phishing-hit-mobile-phone-users/

As instant messaging has become the preferred way for many to communicate, hackers have developed an increasing number of IM threats. InformationWeek quotes one report that the number of threats in October increased 30% over September 2005 and 1300% over October 2004. And the maliciousness of the threats is increasing as well, including malware that disables security software and loads spyware. According to the article, IM threats do not currently replicate on their own, but some foresee that they will soon. Symantec has reportedly run a simulation showing how a single IM worm could spread to up to 500,000 machines in less than 30 seconds. "Your Next IM Could Be Your Network's Last," http://www.informationweek.com/story/showArticle.jhtml?articleID=173401741&cid=RSSfeed_IWK_news

Voice over Internet Protocol ("VoIP") is another new technology that is increasing in popularity. Last week, two critical flaws in Skype's VoIP software were disclosed. "Skype Flaws Prompt Warnings," http://www.computerworld.com/securitytopics/security/story/0,10801,105796,00.html. The Voice over IP Security Alliance has released a 36-page report on the potential security problems faced by VoIP. "VoIP Security and Privacy Threat Taxonomy," http://www.voipsa.org/Activities/VOIPSA_Threat_Taxonomy_0.1.pdf. In introducing the report, the alliance stated that "While some early press accounts have focused on the potential for VoIP spam and VoIP call hijacking, the consensus of learning from this project is that there are many other threats inherited from traditional data networks (worms, DDoS, etc.) that are more likely to occur today." "Threat Taxonomy," http://www.voipsa.org/Activities/taxonomy.php

Concern that Spyware Is Increasing

Computerworld conducted a survey of 577 of its subscribers to explore their concerns about spyware. The subscribers were selected for inclusion in the study because they had IT management job titles or they had indicated they had responsibilities in planning or purchasing security products or technologies. A little more than half of the participants worked in companies with 1,000 or more employees.

Seventy-nine percent reported that their organizations had had problems with spyware in the last 12 months that required significant attention. These problems overwhelmingly (83%) involved desktop support or performance issues. But 22% indicated that spyware had allowed someone to break into their systems using a Trojan or other malware, and 14% reported that spyware led to the destruction of data or programs. Sixty-nine percent of respondents were "concerned" or "very concerned" that spyware might be used for industrial espionage. Eighty-four percent see the spyware threat as increasing.

"The Computerworld Spyware Survey," http://www.computerworld.com/securitytopics/security/story/0,10801,105730,00.html

November 3, 2005

Global Security Survey Finds Gaps Between Growing Risk and Information Security Programs

Businesses around the world are not doing enough to keep up with the changing threat to information security. That is the conclusion of the eighth annual global information security survey conducted by Ernst & Young and published yesterday. "Global Information Security Survey 2005: Report on the Widening Gap," http://www.ey.com/global/download.nsf/International/Global_Information_Security_Survey_2005/$file/EY_Global_Information_Security_survey_2005.pdf. From its survey of 1,300 organizations in 55 countries, E&Y concluded that "The gap continues to widen between the growing risks and what information security is actually doing to address them."

E&Y grouped its findings around four significant observations:

  • For the first time in the survey's history, information security programs are driven primarily by the need to comply with regulations and less by the threat of worms and viruses. Nearly 90% of those who are driven by legal compliance focus their efforts on creating and updating policies and procedures. E&Y found that fewer than half were modifying their information security architecture or functions to address the threat. E&Y argues that, by viewing compliance as a distraction rather than a catalyst for change, businesses "are missing the rare investment opportunities to promote information security as an integral part of their business."
  • While business is growing increasingly dependent on sharing information among business partners and suppliers, many businesses are not paying sufficient attention to vendor risk management. Only 42% of respondents said they had formal procedures to address vendor risk management. Twenty-one percent said they had not addressed the issue at all. Only 17% of the respondents said that an independent third party had reviewed their vendor's information security practices against best practices. Less than half said their vendors had information security policies and procedures in place.
  • Seeking to become more efficient and competitive, businesses are willing to adopt emerging technologies -- such as mobile technologies, wireless networks, voice over IP telephony, open source, and server virtualization – that pose special risks that are often not fully addressed. The survey found that only half of the respondents identified mobile technologies as a significant security concern. Less than half of the respondents indicated that they offered any training to general users to make them aware of information security issues or procedures for responding to security incidents.
  • Companies continue to focus their security efforts on "operational and tactical issues at the expense of addressing strategic concerns." Fewer than half reported that information security personnel are proactively involved in such strategic efforts as enhancing service and the customer experience, protecting the company's intellectual property, or facilitating mergers and acquisitions. The study concludes that for many companies information security occurs in silos that are not integrated into the overall risk management process. Forty percent of survey respondents reported that they had met with the board of directors less than once a year or not at all. Over half of the respondents said they provide reports to the board of directors on incidents and compliance less than once a year or not at all. Forty-four percent said they had met with the legal department less than once a year or not at all.

Sony Uses Hacker Tool to Hide Rights Management Tools

CNET News.com reports that Sony BMG has included special software on music CDs to hide digital rights management tools that prevent unauthorized copies of the CD from being made. The special software uses a rootkit, a tool used by hackers to hide any trace of viruses left on computers. The rootkit continues to run in the background, theoretically available for hackers to tap into. "Sony CD protection sparks security concerns," http://news.com.com/2100-7355_3-5926657.html

Smile, You're on Candid Camera

A Canadian performance artist uses surveillance video in her act. "The Art of Privacy Invasion," http://www.wired.com/news/technology/0,1282,69445,00.html. Michelle Teran, whom Wired Magazine has dubbed "the pied piper of wireless networks," wanders city streets with a wireless-enabled computer, looking for wireless feeds from surveillance cameras in adjacent buildings. She then displays the video to her audience. "People are feeling insecure, but their security equipment gives only an illusion of protection," Teran says. Teran describes her projects on her web site, "Life: a user's manual," http://www.ubermatic.org/life/.

More Debate on RFID Chips in Passports

Cybersecurity consultant Bruce Schneier writes in Wired Magazine that the State Department has generally done a good job addressing privacy concerns with the new radio frequency ID ("RFID") chips that will begin appearing in U.S. passports in October 2006. But, he says, the department has left open a "fatal flaw" that will enable third parties to uniquely identify passport holders. In response to privacy concerns, the State Department included a radio shield to prevent the passport from being read when the cover is closed. Data on the RFID chip will also be encrypted. But Schneier faults the Department for failing to require chipmakers to delete the "collision ID," a low frequency radio signal designed to uniquely identify each chip. Schneier says the failure to delete the collision ID demonstrates the Department's lack of technical expertise. He argues that the Department's decision to implement RFID chips is "precipitous and risky," and should be subject to "serious quality assurance and testing." "Fatal Flaw Weakens RFID Passports," http://www.wired.com/news/privacy/0,1848,69453,00.html?tw=wn_story_page_prev2

November 4, 2005

Microsoft Supports Strong Privacy Legislation

Microsoft has announced its support for comprehensive federal privacy legislation. In a press release and in a statement by Microsoft's general counsel issued on Capitol Hill, Microsoft said it was motivated by "an increasingly complex patchwork of state, federal and even international laws related to data privacy and security; the potential for consumer fears about identity theft and other online dangers to dampen online commerce; and the increasing consumer desire for more control over the collection and use of online and offline personal information." Microsoft said any federal legislation should be grounded on four "core principles":

  • Create a baseline standard across all organizations and industries for offline and online data collection and storage. This federal standard should preempt state laws and, as much as possible, be consistent with privacy laws around the world.
  • Increase transparency regarding the collection, use and disclosure of personal information. This would include a range of notification and access functions, such as simplified, consumer-friendly privacy notices and features that permit individuals to access and manage their personal information collected online.
  • Provide meaningful levels of control over the use and disclosure of personal information. This approach should balance a requirement for organizations to obtain individuals' consent before using and disclosing information with the need to make the requirements flexible for businesses, while avoiding bombarding consumers with excessive and unnecessary levels of choice.
  • Ensure a minimum level of security for personal information in storage and transit. A federal standard should require organizations to take reasonable steps to secure and protect critical data against unauthorized access, use, disclosure, modification and loss of personal information.

Brian Krebs in his Security Fix blog at The Washington Post notes that this is quite a transformation for Microsoft. "Just five or six years ago," he writes, Microsoft "was a strong and vocal advocate of industry self-regulation on privacy. Now, it has effectively embraced the very principles espoused by groups as diverse as the Center for Democracy and Technology (CDT), American Civil Liberties Union (ACLU) and Electronic Privacy Information Center (EPIC)." Krebs's blog includes initial reactions from these groups. "Microsoft Advocates Comprehensive Federal Privacy Legislation," http://biz.yahoo.com/prnews/051103/sfth044.html?.v=34

Federal Legislative Update: House Subcommittee Approves Data Security Bill

Microsoft's announcement occurred on the same day that a subcommittee of the House Committee on Energy and Commerce considered and approved the Data Accountability and Trust Act (H.R. 4127). The bill would require companies that hold consumer information to keep it secure and to notify consumers in the event of a breach of security if there is "a reasonable basis to conclude that there is a significant risk of" identity theft, fraud, or unlawful conduct. "House Panel Approves Data Breach Law," http://www.internetnews.com/bus-news/article.php/3561601. At yesterday's markup, the subcommittee voted to remove a provision that would have required data brokers to allow a consumer, at least once a year, to review the broker's data about him or her and to require the broker to flag any information that the consumer says is inaccurate. American Banker reports that "financial services industry officials worried that it could have been interpreted to let consumers also access information held in databases maintained by bank holding companies." See "Data Bill Gets Partisan OK; Panel Vows Privacy Next," http://www.americanbanker.com/article.html?id=20051103ZV7RR5WC&from=home (subscription required).

Congressional Quarterly reports that Democrats on the subcommittee offered several amendments, including one that would have required a company to notify consumers if it ships data offshore to countries with weaker data protection laws. Democrats also criticized the bill for giving sole enforcement power to the Federal Trade Commission rather than allowing state attorneys general to enforce the law, and for preempting state laws. "House Panel Endorses Bill Aimed at Protecting Consumers From Identity Theft," http://www.cq.com/ (subscription required).

Meanwhile, Reuters reports that the Senate Judiciary Committee has postponed action on data security legislation for several months to allow staffers to attempt to reach a compromise and to permit the committee to hold hearings on Supreme Court nominee Alito. "Data-protection bill advances on party-line vote," http://today.reuters.com/investing/financeArticle.aspx?type=bondsNews&storyID=URI:urn:newsml:reuters.com:20051103:MTFH08544_2005-11-03_22-30-21_N03118488:1

SEC Warns Against Online Dangers

The Securities and Exchange Commission, on Thursday, warned online investors of the need to take precautions against identity theft. In a press release, the SEC said, "Regulators believe that some identity thieves are targeting online brokerage accounts for intrusion. Over the past few months, the SEC has become aware of numerous situations in which unauthorized individuals have gained access to other people's online brokerage accounts." "SEC Urges Investors to Protect Their Online Brokerage Accounts from Identity Thieves," http://www.sec.gov/news/press/2005-158.htm. To help online investors protect themselves, the SEC has published a booklet, "Online Brokerage Accounts: What You Can Do to Safeguard Your Money and Your Personal Information," http://www.sec.gov/investor/pubs/onlinebrokerage.htm.

Biometric Cards to Be Used to Speed Airport Security Checks

The Transportation Security Administration will begin allowing air travelers to use a biometric identification card, beginning June 20, 2006, to avoid detailed security checks at airports. Cardholders will still pass through metal detectors and run their carry-on luggage through the X-ray machine. The program has been tested at five airports and, according to the TSA, is ready to be rolled out to the nation. Someone interested in obtaining the card will be subjected to a criminal background check and will be cross-checked against lists of known terrorists. The card will contain an electronic record of the person's fingerprint and an eye scan. Privacy groups oppose the creation of government databases that contain a person's "most private and personal information." "Starting in June, some fliers can skip long security lines," http://www.usatoday.com/travel/news/2005-11-03-security_x.htm?POE=NEWISVA; "U.S. Plans 'Registered Traveler' Program," http://www.nytimes.com/aponline/national/AP-Passenger-Screening.html.

Update: Sony to Offer Patch to Remove Hidden Software

Responding to a storm of criticism, Sony announced it was making available a patch that would reveal the hidden rootkit software that is automatically installed on a user's computer by certain Sony music CDs. "Sony to distribute software patch," http://www.globetechnology.com/servlet/story/RTGAM.20051103.gtsonynov3/BNStory/Technology/

This message is provided by the Privacy and Information Security Task Force at Warner Norcross & Judd LLP to advise you of recent developments in the law affecting privacy and data security. Because each business situation is different, this information is intended for general information purposes only and is not intended to provide legal advice on any specific facts and circumstances.

Warner Norcross & Judd LLP (www.wnj.com) is a full-service law firm with four offices in Michigan. Our Privacy and Information Security Task Force includes lawyers from across the Firm's practice areas who work together to help businesses ensure the security of their information systems and electronic data and to assist businesses who have experienced a data breach to limit their liabilities and prosecute hackers and data thieves. For information about the Privacy and Information Security Task Force at Warner Norcross & Judd LLP, e-mail Rodney Martin at rmartin@wnj.com or write him at Warner Norcross & Judd LLP, 111 Lyon Street NW, Grand Rapids, MI 49506.

"Privacy and Information Security In the News" is a free publication of Warner Norcross & Judd LLP and its Privacy and Information Security Task Force. You can choose to receive it either daily (usually by 9 a.m. each weekday) or weekly (usually by 9 a.m. on Friday morning). If you would like to receive this publication, please respond to this e-mail and let us know the frequency at which you would like to receive it. If there are others in your organization who should receive "In the News," either include their names and e-mail addresses in your message or forward this message to them so they can respond.

Should you ever wish to stop receiving "In the News," simply click here to send us an e-mail message and we will remove your name from the subscription list. Rest assured that we will not sell your contact information or share it with anyone outside our firm.