More info, thoughts on Troy Group breach

In an interesting article, the St. Louis Post-Dispatch reports new information about the recent breach of the “eCheck Secure” system run by Troy Group.
According to the article, the number of potential Scottrade victims is 140,000. Troy Group published a news release revealing they got hacked, and notified their financial sector customers, including Scottrade, the same day. Scottrade isn’t using Troy Group’s service any more, and probably won’t use it in the future.
Questions:
Given that “the hack” was a matter of public record on October 25, and Scottrade knew about it, why did it take them a month to let their customers know what happened?
Given that Troy Group has other financial sector customers, has any of them sent notices to their customers? Which have, and which haven’t? Why? This issue was raised in a comment by Roy to an earlier blog entry.
Why isn’t Troy Group talking? Maybe it’s because the mainstream press hasn’t latched onto this one yet. I suspect that may change.
Am I the only one who sees potential parallels to CardSystems here? Troy Group’s market cap is $26,000,000.
Finally, a confession. Remember the Simpsons episode where the Comic Book Guy is totally into everything having to do with the Radioactive Man movie? Well, if security breaches are Radioactive Man, I am the Comic Book Guy, and I can’t believe I missed the Troy Group press release. This is exactly why mandatory reporting to governmental agencies (as New York’s law requires) is a good idea.

EFF: Why Bother With DMCA comments?

The EFF has decided that the DMCA “rulemaking process is simply too broken” for them to bother commenting on it any further. See “DMCA Triennial Rulemaking: Failing Consumers Completely:”

EFF has participated in each of the two prior rulemakings (in 2000 and 2003), each time asking the Copyright Office to create exemptions for perfectly lawful consumer uses for digital media that are encumbered by DRM restrictions. For example, we asked that DVD owners be allowed to skip those “unskippable” ads at the beginning of DVDs. We asked that people who bought copy-protected CDs be allowed to get them to play on their computer. We asked that consumers be allowed to bypass region coding to play a DVD purchased in another part of the world. The Copyright Office rejected all of these proposals.

This year, we are not submitting any proposals. Where consumer interests are concerned, the rulemaking process is simply too broken. For example:

(Well, see the full post for examples.)

Netgear WGPS606 and Mac Printing

I recently bought a Netgear WGPS606 ‘print server.’ It’s a nifty little device with a 4-port 100 Mbps Ethernet switch, a wireless bridge, and an LPD print service. I needed each of those as part of reconfiguring my office space, and here it was in one little package.

It turned out to be something of a bear to configure, and tech support has not been very helpful. I finally got it all working. A bunch of technical details and gripes are after the break.

NJ’s Strong Privacy Law

Apparently, I woke up on the right side of the bed, and am just handing out kudos left and right today.

Consumers will gain strong new protections when New Jersey’s Identity Theft Prevention Act takes effect Jan. 1, but businesses and institutions are facing headaches and added expenses.

Social Security numbers will be out as all-purpose identification numbers, forcing businesses, colleges, unions, insurance companies, police departments and other public agencies to purge files and shred documents.

Those maintaining computer databases will be required to act quickly and publicly in case of security breaches under the new law – among the strongest in the nation.

See “Shredding identity theft” in the North Jersey News. The article does a fairly good job of addressing the costs. I’d like to see more about how this is transferring costs back from consumers to the businesses that put them at risk, but I’m happy to see improvements.

Via Chris Hoofnagle, who also points to a great table of security freeze and notification laws at New Jersey PIRG.

UNC Addresses Risk Systemically, Rather than Piecemeal

Students are currently recognized by their Social Security Number in many University systems and applications. With the growing threat of identity theft, an alternative method has been desired for identifying students and faculty. The opportunity to execute this change has surfaced through the implementation of an updated University [of North Carolina] computer system.

Kudos to UNC for getting this right, and taking the opportunity to fix a major problem before it struck. From “Social security number removed as student id.”

TSA to Revise Rules

[Updated with data from NYT]

A new plan by the Transportation Security Administration would allow airline passengers to bring scissors and other sharp objects in their carry-on bags because the items no longer pose the greatest threat to airline security, according to sources familiar with the plans.

The TSA’s internal studies show that carry-on-item screeners spend half of their screening time searching for cigarette lighters, a recently banned item, and that they open 1 out of every 4 bags to remove a pair of scissors, according to sources briefed by the agency. Officials believe that other security measures now in place, such as hardened cockpit doors, would prevent a terrorist from commandeering an aircraft with box cutters or scissors.

From “TSA Would Allow Sharp Objects on Airliners” (Washington Post). I’m very pleased to hear this. I’m curious: Will I be allowed to bring my Swiss Army knife again? [Update: No!] (When I flew back and forth to Tel Aviv, the last question Israeli airport security always asked was “Do you have anything that could be considered a weapon?” I always carried a Swiss Army knife as a carry-on, and told them. They, properly, never cared.)

[The New York Times has an article with more details, “Significant Changes in Air Passenger Screening Lie Ahead.” More focus on finding explosives, more random searches, still no knives.]

(Photo from Burningwell.org.)

Centers for Disease Control Want To Track All Travel

In “CDC plans flight e-tracking,” Bob Brewin of Government Health IT writes:

Battling a pandemic disease such as avian flu requires the ability to quickly track sick people and anyone they have contacted.

In response, Centers for Disease Control and Prevention officials have proposed new federal regulations to electronically track more than 600 million U.S. airline passengers a year traveling on more than 7 million flights through 67 hub airports.

There are more quotes from the article after the break.

The transcribed press conference is online. I don’t think I’ll have a chance to analyze the 8 parts of the proposed rules at Control of Communicable Disease Proposed 42 CFR Parts 70 and 71. My expectations are that:

  1. The travel industry, already half-bankrupt, can’t afford $160 million in additional costs. That will kill this, unless the CDC steps in to fund the effort to invade all of our privacy.
  2. The data collection will be mandatory, with penalties for lying, but no penalties for re-use of the data. Acceptable uses will include updating the airline’s marketing databases. The marketing value of the data will fall far short of that $160 million.
  3. The discussion of the data in the proposed rules and the media analysis will assume the use of ‘PNR’ data. The analysis will completely ignore the reality that PNRs contain lots of non-passenger information. This is well documented by Ed Hasbrouck, and routinely ignored because acknowledging it would drive the cost of these implementations through the roof.

Web Browser Developers Work Together on Security

Adam’s post earlier today on efforts to improve browser security reminded me about this post on KDE.news. George Staikos hosted a meeting of developers from Opera, IE, Mozilla/Firefox and Konqueror with an aim towards improving browser security across the board. Of particular interest to me, in light of my intro post, were these two lines:
1) “Prompted by Opera, we are moving towards the removal of SSLv2 from our browsers. IE will disable SSLv2 in version 7 and it has been completely removed in the KDE 4 source tree already.”
2) “KDE will furthermore look to remove 40 and 56 bit ciphers, and we will continually work toward preferring and enforcing stronger ciphers as testing shows that site compatibility is not adversely affected.”
Kudos to all involved. It’s great to see some serious effort being made in this direction.

Meet The New Browser Security, Same as the Old Browser Security?

There’s a thread developing in several blogs about web browser security, and I think it is dangerously mis-framed, and may involve lots of effort going down some wrong paths. At the IE Blog, Franco writes about “Better Website Identification and Extended Validation Certificates in IE7 and Other Browsers.” It’s a long, well-thought-out post, which starts from the wrong place:

Today I want to tell you about both our established plan to highlight secure sites in IE7 but also to tell you about some early thinking in the industry about creating stronger standards for identity on the internet.

I think that defining the issue as stronger identity standards is likely to worsen the problems of phishing and pharming. A higher bar to jump over will simply mean that when phishers jump that bar, they’ll be more successful, because more indicators will act to reassure users. That higher bar will be operated by ‘Certification Authorities’ (CAs), whose focus will be keeping costs down. This is not helpful to the consumer whose identity is being stolen. The value of that identity (and the credit granted) is more than any business would like to spend on a digital certificate. So we need to move security, in a usable way, to the control of the consumer who is at risk. To do that, we need better persistence of identity information.

That is, we want the bank we visit tomorrow to be the same bank we visited yesterday. More validation by the CA doesn’t achieve that. It achieves a tighter bond between the name on the certificate, and the name on the server. Frank Hecker has a long post, “CAs, certificates, and the SSL/TLS UI” in which he outlines what the extended validation system might be. He also refers to Tyler Close’s “Petname,” which I wasn’t aware of. The idea is that you nickname a site. I think that’s awesome, and a better direction than more reliance on CA processes.

Persistence of identity can be hard, because the identity of a website is often made complex. But that doesn’t mean it’s the wrong solution, only that businesses will have to put effort into helping customers make it work. The import of this effort is less open to question when your customers are threatening to go back to the more reliable brick store fronts. As Tyler Close demonstrates, it’s possible to build something that works in the consumer’s model of the world. “That’s right, I’ve been to this site.”

This is a user-centered, rather than a CA-centered approach. The user-centric approach means that the security target is distributed. Further, local names means that the user is drawn into making security persistence decisions. (Whether that’s a good idea is open to question.) But the user could be encouraged to name sites, and then bookmark them. (I discuss the value of bookmarks as a persistence tool in “Preserving the Internet Channel Against Phishers.”) Will this work better than the CA model? It’s hard to say without actually observing users in testing.
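To make the user-centric idea concrete, here is a small petname store written as an added example for this post; it is not Tyler Close’s Petname code and not anything the IE or Mozilla teams shipped. The user gives a site a nickname on first visit, and the nickname is bound to both the hostname and a fingerprint of the certificate the site presented. On later visits the store answers one of three things: the site is the one you named before, the site you named is presenting a different certificate (a rotation the user should confirm, or something worse), or you have never named this host at all, which is where a lookalike domain lands no matter how valid its CA-issued certificate is. The certificate bytes and hostnames below are constructed placeholders, not real certificates.

```python
"""Petname store: user-chosen nicknames bound to (host, certificate fingerprint).

Added example for the blog post above; not the Petname toolbar's own code.
Certificates are represented by their DER bytes; here they are constructed
placeholder byte strings, not real X.509 certificates.
"""
import hashlib
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

# Outcomes a browser UI would turn into indicators for the user.
KNOWN = "known"        # host and certificate match a site the user named before
CHANGED = "changed"    # host was named before, but now presents a different certificate
UNKNOWN = "unknown"    # the user has never named this host (lookalikes land here)


def cert_fingerprint(cert_der: bytes) -> str:
    """SHA-256 over the DER-encoded certificate, hex-encoded."""
    return hashlib.sha256(cert_der).hexdigest()


@dataclass
class PetnameStore:
    # petname -> (host, certificate fingerprint)
    by_petname: Dict[str, Tuple[str, str]] = field(default_factory=dict)
    # host -> petname
    by_host: Dict[str, str] = field(default_factory=dict)

    def assign(self, petname: str, host: str, cert_der: bytes) -> None:
        """Bind a nickname to the site the user is looking at right now.

        Petnames are unique per user: refusing a duplicate is what stops
        a second site from borrowing the name of one the user already trusts.
        """
        if petname in self.by_petname:
            raise ValueError(f"petname {petname!r} already names {self.by_petname[petname][0]}")
        if host in self.by_host:
            raise ValueError(f"host {host!r} already has petname {self.by_host[host]!r}")
        self.by_petname[petname] = (host, cert_fingerprint(cert_der))
        self.by_host[host] = petname

    def rebind(self, petname: str, cert_der: bytes) -> None:
        """Accept a new certificate for an already-named site.

        Called only after the user has looked at a CHANGED result and decided
        the rotation is legitimate; the store never does this silently.
        """
        host, _ = self.by_petname[petname]
        self.by_petname[petname] = (host, cert_fingerprint(cert_der))

    def check(self, host: str, cert_der: bytes) -> Tuple[str, Optional[str]]:
        """Classify a visit as KNOWN, CHANGED or UNKNOWN, with the petname if any."""
        petname = self.by_host.get(host)
        if petname is None:
            return UNKNOWN, None
        _, remembered_fp = self.by_petname[petname]
        if remembered_fp == cert_fingerprint(cert_der):
            return KNOWN, petname
        return CHANGED, petname


def demo() -> Dict[str, Tuple[str, Optional[str]]]:
    """Walk through the three cases on constructed data."""
    store = PetnameStore()
    bank_cert = b"CONSTRUCTED DER placeholder for bank.example"  # not a real certificate
    store.assign("my bank", "bank.example", bank_cert)
    return {
        # Same host, same certificate: the site I named yesterday.
        "same": store.check("bank.example", bank_cert),
        # Same host, different certificate: ask the user before trusting it.
        "rotated": store.check("bank.example", b"CONSTRUCTED DER placeholder, renewed cert"),
        # Lookalike host with a perfectly valid-looking certificate: never named, so unknown.
        "lookalike": store.check("bank-example.test", b"CONSTRUCTED DER placeholder, CA-valid"),
    }


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case:10s} -> {outcome}")
```

The point of the split between `check` and `rebind` is that a certificate change is surfaced as a decision for the user rather than resolved by the CA chain: more validation by the CA would make the lookalike’s certificate look more trustworthy, while the petname store simply reports that it has never seen that host before.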

The “trusted certificate authority” model has had a decade or so to demonstrate its value. It’s time we tried something else.