Boston Globe, Worcester Telegram and Gazette, CC#s printed on routing slips, 240,000 subscribers

Via MSNBC:

Two newspapers owned by The New York Times Co., the Boston Globe and Worcester (Massachusetts) Telegram & Gazette, said Tuesday they had mistakenly sent out slips of paper with credit card data of up to nearly a quarter million subscribers.
The credit card numbers were printed on routing slips attached to 9,000 bundles of newspapers sent to retailers and carriers last weekend, according to the newspapers.

I can see how this mess-up might get a carrier the credit-card info for subscribers on his or her route, but what credit card number(s) would be sent to a retailer?

January 20, Honeywell International, 19,000 current+former employees, SSNs and bank account info, published on web site

Long Island Newsday reports on Honeywell paying for credit monitoring for 19,000 current and former employees after their information somehow wound up on a web site:

The company notified employees about the breach within a day of learning of it Jan. 20, according to spokesman Robert C. Ferris.
“The company immediately contacted the relevant service provider, had the page removed from the Internet and is continuously monitoring the Internet to ensure that the Web page and any copies of it remain taken down,” said Ferris.
He said the company was working with federal and state investigators to determine who posted the data. Ferris said he didn’t know whether the posting was the work of a disgruntled employee or resulted from an administrative error or other cause.

The South Bend Tribune provides the important detail that the 19,000 worked for Honeywell in 2003.
Update 2/6/2006: Honeywell believes this to have been the work of a disgruntled insider, as reported here.

TSA Records

Back in August (“Demand Your records“) I mentioned the effort to request, under the Freedom of Information Act, records relating to the TSA’s illegal data grab on Americans. In December, I got a response, and share a redacted copy here. All redactions are mine. (The whole process of redaction is remarkably difficult, but that’s a separate post. Feel free to try to defeat my “scan a magic markered copy” technique.)

Since I redacted what I’m sharing, allow me to explain what I’m choosing not to share. The number starting:

  1. …218 is my Delta frequent flyer number.
  2. …617 is the phone number I tend to use for such things.
  3. …3823 is my Diner’s club card.

Some comments:

  1. I appreciate being addressed by our civil servants as “Dear Shostack.”
  2. I am utterly stymied by the 12/31/89 19:00:00 apparent date. I know why I might have called one year later, but not in 1989. John Gilmore pointed out that that’s localtime for midnight, GMT, in both Boston (where I was) and Atlanta (where Delta was, and mostly remains).

The records: tsa-redacted.PDF

[Update: Fixed spelling. Thanks Samablog!]

New Passports More Secure than Wet Paper Bags (Barely)

Remember the US Government plan to put a radio chip in your passport? The one whose security has never been seriously studied, whose justification seemed to boil down to a hope that it would speed processing, but even that was wrong? The one whose security gets worse every time anyone competent looks at it? Well, someone else just looked at it.

Bart Jacobs & Ronny Wichers Schreur of Radboud University Nijmegen, Netherlands have discovered that an eavesdropper can decrypt everything sent over the air under the latest scheme. In about two hours. They presented at a SafeNL workshop, and have a working demo. It turns out the error is really basic, as explained in this press release:

The secret key is made up of the passport expiry date, birth date and the passport number stored in the passport’s Machine Readable Zone. The Dutch passport numbering scheme proves to be sequential and has a relation with the passport expiry date. Further, the last digit of the number is a checksum introducing additional predictability. The selection of a new and unpredictable passport numbering scheme would considerably improve the security.

Now, why does that sound familiar? Oh yeah! It’s because that’s the same predictable key source attack I found on the SecurID client-server protocol a decade ago.

Is this fixable? This particular hole probably is, with a re-issued passport. The important questions are not about whether or not a new scheme can be designed and analyzed. That game of penetrate and patch doesn’t lead to secure systems, it leads to more penetrate and patch.

The important lessons are: First, the people doing this work are either incompetent, or working under such a compressed timeframe that they can’t get it right. Second, the chips should not have a radio. Let me say it again. The radio has no function, and introduces a plethora of security holes. It should be removed now, before the State Department needs to replace millions of passports.

(Research reports from Dave’s Bit Bucket, via Alec Muffet. “Seasoned vs. Newbie” photo by Antomic.)

On Disclosure

In comments on “Bank of America Customers Under Attack,” Options Scalper writes:

I’m uncertain of the “mandatory disclosure” that you discuss here. If by this you mean of data lost in transactions similar to what you mention above, I agree. But if you mean data from the call center to determine the level of theft/fraud or other crime, I’m not sure that I agree with mandatory disclosure. That data, while useful to the awareness of security provides information that cannot be made transparent to an entity’s competitors, i.e. the availability of this data may provide for means of advantage in key markets based on the data “surrounding” the security data. I’m a proponent of mandatory disclosure of “lost data”, but I just think that this topic needs a great deal more discussion.

I admit, I have been using “mandatory disclosure” in a somewhat slippery way. I use it to mean the mandatory disclosure of a loss of confidentiality of personal information, such as is mandated by California’s SB 1386, a host of other laws, and emerging new custom and expectation. I also use it in a somewhat tongue in cheek way to refer to the benefits that mandatory disclosure is bringing, despite the discomfort involved in the transition.

Beyond that, I note the utter paucity of good information about security breaches. This paucity hurts us deeply as a profession, as we talk about how über-hackers tromp undetected through networks. Compare and contrast the quality of data we have about computer security incidents to the quality of data about burglaries. Should we mandate disclosure of these things? We mandate lots of disclosure under laws like SarBox. It’s not clear if it does much good for the expense it entails.

There is, of course, the whole bloody “debate” over disclosure of vulnerabilities in software. Like all right-minded people, I believe in full disclosure and only practice it when left no choice.

As to the concern that competitors may start jumping on a lack of security as a way to poach customers, I can’t see that as justification for allowing a company to mislead the public. We demand lots of disclosures from companies, especially around the reporting of crimes. Why should online crime be different?

Musings on The Future of the State

I love the little corners of the law that are ancient rights and privileges. They illustrate ways in which our institutions have evolved, and from where they came, we can learn much about where they may go. That’s why I was delighted to read “Russian-Israeli who Left Newfoundland and Labrador Church Sanctuary Is Deported.” Church sanctuary! In 2006! What a great living fossil of the days when the Church in Rome was an important power, equal to or even superior to local Lords. That power was shattered by a series of wars (‘the thirty years war‘) for what was called freedom of conscience. More properly, it was freedom of Christian conscience: Jews were barely, if at all, tolerated, and Muslims, pagans, and infidels were still anathema.

Today, where those wars were won, even if there is a ‘state religion,’ contributions are optional–a right Thomas Jefferson had to argue for in Virginia. Heretics of all sorts, even atheists, are tolerated. Freedom of conscience has turned from a controversy that engulfed Europe into a settled tenet of modern liberalism. The role of the Church has been quite sharply curtailed.

Perhaps something similar is happening to the state. Since this isn’t my area of expertise, I hesitate to try to speak definitively, but I see a possibility that expansion of communication networks, re-globalization of economies, strong disagreements about the appropriate limits of power, catastrophic failures of response to events like hurricane Katrina, modern migratory trends, etc. will combine to transform the state to the point where its architects, from Cardinal Richelieu to Kaiser Wilhelm, would not recognize it.

(Oviedo Cathedral, photograph by R. Duran, “Torre de San Salvador,” on Flickr.)

Newspeak Alert

Dear San Jose Mercury News,

In re your article, “Date set for hearing on Google data-sharing.”

It’s not sharing when you’re holding a court hearing. It’s a demand. I share my toys with my friends. The man with a gun demanded my wallet. Please make a note of it.

PS: If you didn’t promulgate the use of the word “sharing” to mean the promiscuous trading of personal data, this never would have happened.

Langley, British Columbia, Canada, 1,000 medical records, courier firm

There are calls for tougher guidelines in the handling of private information after 1,000 medical files went missing when a courier car was stolen in Langley on Thursday.
The courier company says the driver left the car running for less than a minute.
When the car was stolen, so was a box of health records of patients from Langley, Aldergrove and Surrey. The files were later found dumped near a recycling bin in Surrey.

“It is an offence to leave a vehicle running unattended and the driver may face charges for that. The investigator is looking at that and he may follow up with that and charge this driver with an insecure vehicle,” says RCMP spokesperson Cpl. Diane Blain.

[Darrell Evans of the B.C. Freedom of Information and Privacy Association] calls the possibility of charges “over the top.”

Thanks, Darrell! Way to look out for our rights!

(From the CBC, “Medical records stolen in Langley.”)