Two Quickies on Credit

“The spread of the credit check as civil rights issue,” in the Christian Science Monitor:

Bailey, with her lawyer, has lodged a complaint against Harvard charging racial discrimination. The reason: Studies show that minorities are more likely to have bad credit, but credit problems have not been shown to negatively affect job performance.

and “Insurers Don’t Always Tell you of bad Credit,” in the Seattle Post-Intelligencer:

During an hour of argument, several justices seemed taken aback at the magnitude of a federal appeals court ruling. Under that ruling, Geico Corp. and Safeco Insurance Co. would have to notify nearly all their customers that they aren’t getting the best rates because their credit scores aren’t the highest.

“Oh, sorry, we can’t obey the law…it would be expensive!”

CSM story via Pogo Was Right.

Information Security Needs

The NYT reports, “Rough Treatment for 2 Journalists in Pakistan” and indeed reporting is dangerous in countries where they do not respect the sort of basic rights we in the civilized world have championed for nigh 800 years.

However, a computer was seized, sources were roughed up and possibly jailed or killed:

Since then it has become clear that intelligence agents copied data from our computers, notebooks and cellphones and have tracked down contacts and acquaintances in Quetta.

All the people I interviewed were subsequently visited by intelligence agents, and local journalists who helped me were later questioned by Pakistan’s intelligence service, the Inter-Services Intelligence.

Come on. You don’t have crypto? You’ve never heard of PGP (to name the obvious famous one)? That’s so easy to find I won’t even paste in the link.
I hope when you get a new laptop you’ll consider protecting your sources.

Everything Old is New Again

“They are a handful of miserable resuscitators of a degenerate dead religion who wish to return to the monstrous dark delusions of the past,” said Father Efstathios Kollas, the President of Greek Clergymen.

Hundreds of followers of Zeus, Hera, Poseidon, Artemis, Aphrodite and Hermes stood in a circle, a mile from the Acropolis, in what was the first official religious service allowed in the grounds of an Ancient Greek temple.

See “Ancient Greek gods’ new believers” at the BBC, who, for once, don’t ‘misuse’ quotes.

Habeas Corpus? What Habeas Corpus?

On January 18th, Attorney General Alberto Gonzales testified in front of the Senate Judiciary Committee. As part of the hearings, there was a discussion of habeas corpus. As part of that discussion, Gonzales said:

There is no express grant of habeas in the Constitution.

Yes that’s right, our own Attorney General thinks that there is no guaranteed right in the U.S. to habeas corpus. He even got more explicit when he said:

the Constitution doesn’t say, ‘Every individual in the United States or every citizen is hereby granted or assured the right to habeas.’ It doesn’t say that. It simply says the right of habeas corpus shall not be suspended . . .

Think Progress has the full transcript and video from C-SPAN2, including where Senator Specter appropriately takes Gonzales to task. The video in particular is a must see if only for the goofy expressions on Gonzales’s face.
Via Balkinization, who as usual has an excellent analysis.

A compromising position

Does Pete Lindstrom need to buy a dictionary? You make the call.
In a recent post at Spire Security Viewpoint, he suggests that the folks at Privacyrights.org might be liars:

I am starting to see (and hear) this “100 million records lost since February, 2005” figure referenced in a number of places such that it has somehow gained credibility. What I wonder is if the Privacy Rights Clearinghouse is blatantly lying by listing the CardSystems’ 40 million records (I am not a statistician, but I think that is a full 40% of the total ;-)), or is just shoddy in its tracking (wink, wink, nudge, nudge).

I may have missed it, but I don’t see Privacyrights.org claiming that any records were lost, by Cardsystems or anyone else.
What they do say on the widely-cited breach chronology page is:

The running total we maintain at the end of the Chronology represents the approximate number of *records* that have been compromised due to security breaches….

(my bold)
“Lose” and “compromise” have different meanings. Sure, there may only have been a confirmed loss of 260K records. However, “compromise” (according to the good folks at www.dictionary.com) means:

[T]o expose or make vulnerable to danger, suspicion, scandal, etc.; jeopardize

Is this not precisely what is said to have happened in the CardSystems instance?
Consider for example these words from the FTC complaint against CardSystems:

Since 1998, respondent has stored authorization responses for up to thirty (30) days in one or more databases on its computer network. Each day, these databases contain as many as several million authorization responses.

[…]

In September 2004, a hacker exploited the failures set forth in Paragraph 6 by using an SQL injection attack on respondent’s web application and website to install common hacking programs on computers on respondent’s computer network. The programs were set up to collect and transmit magnetic stripe data stored on the network to computers located outside the network every four days, beginning in November 2004. As a result, the hacker obtained unauthorized access to magnetic stripe data for tens of millions of credit and debit cards.

(My emphasis)
Now, CardSystems never admitted any wrongdoing, and its successor company entered into a consent agreement with the FTC, but if you are a person of ill intent (as I think we can say the hacker was), and you have unauthorized access to tens of millions of credit and debit cards’ mag stripes, have you not “jeopardized” those records, exposed them, or made them vulnerable to danger? If not, what the heck does it take?
As an aside, I think “compromise” is an excellent word choice. Tying back to the notification trigger discussion in the CIPPIC report, I may prefer it to both “access” and “acquire”. I will probably address this question in an extremely tedious and narrowly-focused post in a few days.

BenL on OpenID and Phishing

Ben Laurie (of Apache-SSL fame) posted a great analysis of a major design problem with OpenID, calling it a “Phishing Heaven”.

So, I can steal login credentials on a massive basis without any tailoring or pretence at all! All I need is good photos of kittens.
I had hoped that by constantly bringing this up the OpenID people might take some step to deal with the issue, but they continue to insist on punting on it entirely:

Looks like yet another open project that doesn’t actually care about security.

More on the CIPPIC Report

A few days ago, Chris covered the release of a report from the Canadian Internet Policy and Public Interest Clinic, “Approaches to Security Breach Notification” (PDF). This is a highly readable and important analysis. If you care about breaches, read it. I’d like to add some notes from my reading of it.

  • First, the report talks about the moral aspects of breach reporting in terms which resonate with me. For example:

    These investigation reports suggest that the Alberta Commissioner considers breach notification to be an important moral responsibility, if not a legal duty, under the Alberta private sector data protection legislation.

    and

    The Privacy Commissioner for the State of Victoria, [Australia] in his investigation of inappropriate disclosure of personal information by the Office of Police Integrity (a civilian oversight body for police conduct) stated that the Privacy Act contains a “presumption … that privacy breaches ought to be notified to those whom they potentially affect”.

  • The report points to a Perkins Coie “Data Breach Notification Chart” (pdf). Mmmm, 34 pages of analysis which isn’t legal advice.
  • It points to the seven government actions and eight class action (or attempted class action) suits.
  • I do have one small nit. The advice given is to “Amend PIPEDA to include an explicit security breach notification requirement.” That is a great recommendation, but (my understanding of PIPEDA is that) PIPEDA is a private sector law, and this leaves the Canadian Government in an unclear legal state. I suggest that both the Canadian Privacy Act and PIPEDA be amended in the same ways.
  • Finally, it contains this stunningly clear summary:

    Breach notification laws clearly provide organizations with an incentive to improve security. Organizations will surely take greater care to prevent security breaches if they know that such breaches will carry significant costs in terms of reporting and negative publicity. Conversely, “the ability to cover up data security breaches simply encourages complacency and rewards incompetence.”

(Image: Philippa Lawson, one of the report’s authors. Photo from the University of Ottawa Gazette.)

CIBC, 470,000 Canadians, lost tape

I’d attribute our knowledge that “CIBC loses info on 470,000 Canadians” (reported in the Globe and Mail) to the new transparency imperative, but as the CIPPIC survey makes clear, privacy regulators are finding notice requirements in extant laws. (More on that excellent survey soon.) Also note that the Globe and Mail seems to think that Canadians have SSNs.

Also note that 470,000 Canadians is roughly 1/60th of the population. An equivalent US breach would be 5 million people.

Via Pogo was right.

It’s Amazing What A Little Oversight Can Do

Two in the Washington Post today: “Secret [FISA] Court to Govern Warrantless Taps” and “Vast Data Collection Plan Faces Big Delay”:

In a report to Congress to be released today, the Treasury Department concluded that the program was technologically feasible and has value, but said it needs to determine whether the counterterrorism benefit outweighs banks’ costs of compliance and to address privacy concerns.

Lemme help you, Treasury: it doesn’t, and you won’t. Please stop wasting our money.

“Not Having a Discussion About What I’m Buying? Priceless.”

There’s a fascinating article in Sunday’s New York Times, “Money Doesn’t Talk.” The money quote:

Through her store, Pesca, Ms. Azizian has earned her financial independence, but to avoid the disapproval of her husband of 27 years, she adopts a low profile by using cash. “His tastes aren’t as expensive as mine, and he doesn’t understand the need to have so many pricey things,” Ms. Azizian, 50, said. “Even though I have my own income, paying for my shopping in cash is so much easier than having a discussion about what I’m buying.”

[Update: comments are closed early on this post due to a spam surge.]

Security Through Obscurity, The Next Big Thing

PCMesh, a Canadian company, has something Better Than Encryption.

Encrypted files are still visible on the hard drive. This makes them vulnerable to attack from anyone who is interested enough in the content of the files to spend time trying to decipher them. And with more and more hackers intent on defeating modern encryption algorithms, a need exists for a better type of protection.

In addition to rapidly becoming obsolete, current encryption programs are slow. It takes as long as 10 minutes per 200 MB to encrypt or decrypt a file, while PCMesh Hide Files and Folders executes instantly regardless of the file size or number of files/folders being protected. Just one click is all it takes to render any file or directory invisible.

Yes, that will stop all those data breaches: we’ll just hide our files, and when the machine is stolen, the identity thieves will simply not be able to find the files. I feel better already, don’t you?

via El Reg, photo courtesy of killermonkeys

New Year’s Resolution Dept. — Protecting Against Identity Theft

It’s the MLK Day holiday weekend. That means that one’s headache has subsided to the point that one can no longer hear one’s nose hair growing, and the cat is padding rather than stomping. It also means that it’s time for New Year’s Resolutions!

If yours is to get better control over your information privacy, particularly as it relates to identity theft, here are some effective steps you can take:

  1. Buy a shredder. Ninety percent of information theft is still low-tech and comes from dumpster-diving, etc. When we infosec people go on and on about break-ins and disclosures, we are the equivalent of transportation safety wonks talking about airline safety. It’s an exciting spectator sport, but for real safety, just internalize that when that traffic light turns green, it means that someone in a hurry has floored it and is about to enter the intersection.
  2. Drop off your outgoing mail at the post office, not in your home mailbox. The reason is the same. The best way for someone to get valuable information about how to pretend to be you is to rob your outgoing bills.
  3. Consider on-line bill-paying. As I said above, worrying about on-line security as opposed to paper security is like worrying about aviation security as opposed to automotive security. On-line bill paying moves you to a lower risk activity that is perhaps scarier because it’s less in your control, but it is genuinely safer.
  4. Get rid of extra credit cards. It lowers your vulnerable profile.
  5. Don’t perform financial transactions on your mobile phone in a public place. I have never been fond of mobile phones, but I’ve adapted. I travel a lot and often hear what people say loudly into their phones. Don’t recite your credit card number loudly, or your brokerage account number. Keep an eye on who can see your laptop screen, too. As a wise man once said, there are vultures everywhere.
  6. Lastly, there’s the whole issue of password security. While this could start a whole debate by itself, don’t use the same password for junk sites as for financial ones.

Photo courtesy of motoed.

Report: Approaches to Security Breach Notification

The Canadian Internet Policy and Public Interest Clinic at the University of Ottawa has published a report entitled “Approaches to Security Breach Notification” [pdf].

From the Introduction:

This White Paper considers the need for an explicit obligation in Canadian privacy law to notify affected individuals of a breach in an organization’s security that places those individuals’ personal information at risk. The Paper begins its analysis with a review of the existing Canadian legislative framework relating to security breach notification. It then analyzes security breach legislation in the United States, where over half the states have enacted a mandatory security breach disclosure requirement and where several federal bills are currently pending. The Paper then considers justifications for, and objections to, such legislation, before concluding with a series of recommendations for enacting an effective statutory obligation of security breach notification in Canada.

I have only skimmed this report (for reasons I will get to momentarily). Nonetheless, I feel it is a must read for anyone interested in this topic. Although the authors are writing to a Canadian audience, their review of existing legislation and much of their analysis is of broader interest.

This report covers all the right stuff. Here’s an excerpt from the table of contents.

Relevant United States Law
Federal Legislation
State Legislation
Trigger for Notification
Responsibility for Determining need for Notification
Responsibility for Notifying
Notification Method
Notification to other agencies
Notification Timelines
Security Freezes
Private Rights of Action
Proposed U.S. Federal Legislation
U.S. Caselaw
Relevant Australian Law
The Case for a Legal Duty to Notify
Recommendations for a Canadian Breach Notification Law
[...]
Appendix: Security Breach Notification Laws (as of Dec. 31, 2006)

We’ve blogged about every single item under “State Legislation”, and much of the rest, and I can assure you it would have been easier if this report had been written a year ago.

Just as an example, this is the only source I have come across that discusses Nevada’s unique definition of “encryption”, other than Cryptogram and myself. If these folks are fastidious enough to note something about crypto that only Schneier had written about prior to 2006, I’d say they’re worth paying attention to.

As I said, I did not fully read this document. The reasons are two. First, it is so logically arranged I can immediately know what is in it without doing an exhaustive search. Second, I can feel myself being “sucked in”, and I don’t have the time right now. Hopefully, that will soon change.

New York Times on DRM

“Want an iPhone? Beware the iHandcuffs” says The New York Times in today’s edition of “Your Money”. Unfortunately it doesn’t really say much about the iPhone and crippleware beyond noting that its music playback will be limited in effect to what the iPod allows. However, the article does a very nice job of covering the state of the downloadable music scene and has some good comparisons to Microsoft’s DRM solutions and eMusic’s decision not to use DRM. Well worth a read if you haven’t been following the debate of late.