Eight Million? Eight Million?!?!

Chris Soghoian, whom we’ve mentioned here extensively in the past, has posted some new research around just how much electronic surveillance is really going on here in the US.

Sprint Nextel provided law enforcement agencies with its customers’ (GPS) location information over 8 million times between September 2008 and October 2009. This massive disclosure of sensitive customer information was made possible due to the roll-out by Sprint of a new, special web portal for law enforcement officers.

And that’s just Sprint. (Who btw also keeps logs of all IP access for 24 months, including in many cases full URLs).
You really need to read the full article because he has so much data. As usual, Chris sums things up nicely:

As the information presented in this article has demonstrated, the publicly available law enforcement surveillance statistics are, at best, misleading, and at worst, deceptive. It is simply impossible to have a reasonable debate amongst academics, public policy makers, and members of the public interest community when the very scale of these surveillance programs is secret.

and

As for the millions of government requests for geo-location data, it is simply disgraceful that these are not currently being reported…but they should be.

Per Chris’s request the full data dump has been mirrored here as well.

Jail Time For ID Fraud

This past Friday, Baltimore resident Michelle Courtney Johnson was sentenced to 18 months in jail and a $200K fine for theft and use of PHI.

According to her plea agreement and court documents, from August 2005 to April 2007, Johnson provided a conspirator with names, Social Security numbers and other identifying information of more than 100 current and former patients of Johns Hopkins. That information was used to apply for credit.

It’s good to see more prosecutions and convictions for ID fraud. Hopefully this trend will continue.

Connecticut Attorney General On The March

It’s been a bad couple of weeks for residents of Connecticut and their personal health information. First, Blue Cross Blue Shield had a laptop stolen with enough PHI that over 800K doctors were notified that their patients were at risk, including almost 19K in Connecticut.

Connecticut’s attorney general said Monday that he’s investigating insurer Blue Cross Blue Shield’s loss of confidential information about health care providers, which was on an employee’s stolen laptop computer.
Richard Blumenthal said Monday that the company and its affiliates may have broken state law by losing the information and taking too long to notify doctors.

And if that wasn’t enough, Health Net lost information for 450,000 Connecticut residents.

Blumenthal said he’s “outraged” that the company never told customers or police and only told the AG on Wednesday.
Blumenthal is investigating and demanding that Health Net provide consumers with at least two years of identity theft protection, identity theft insurance, reimbursement for credit freezes and credit monitoring for at least two years for all 446,000 consumers.

I wonder how many other State AGs are investigating Health Net at this point. There were a total of 1.5 million records lost at last count.
At bare minimum Arizona’s AG is also investigating.

Health Net officials said they were not able to determine which information was on the disk, so they investigated and learned the information was saved in an image format that cannot be read without special software.

So does anyone have any clue what this supposed image format is? And what makes them think that someone who was smart enough to grab that drive wasn’t smart enough to grab a copy of the software? Assuming, of course, that it wasn’t just all in PDF…

FTC Delays Red Flags Enforcement Yet Again

I missed this when it hit the newswires two weeks ago, but the FTC has delayed enforcement of the Red Flags Rule. This change was in response to the American Bar Association successfully suing the FTC and being granted an injunction to prevent the Red Flags Rule from being applied to lawyers.
Similarly, the American Institute of CPAs (AICPA) is now suing the FTC as well, seeking injunctive relief from having to comply with the Red Flags Rule.

“We do not believe that there is any reasonably foreseeable risk of identity theft when CPA clients are billed for services rendered,” said AICPA president and CEO Barry Melancon in a statement. “As trusted advisors, CPAs are personally acquainted with their clients and already adhere to strict privacy requirements governing identifying information.”

The current AICPA requirements are pretty much in line with most of the security requirements of the Red Flags Rule already. So really what the AICPA is telling us is that they really care about our privacy, but they can’t be bothered to monitor their own systems for abuse or loss of our information. I guess they don’t really care after all.

Visual Notetaking

I’m a big fan of the book “Back of the Napkin,” which is all about using pictures to help with problem solving. Yesterday, I was introduced to a related concept, “visual notetaking,” where you use images to support other notes you are taking during a meeting. I’m at a two day workshop and we have a professional notetaker who is using this. It really makes the notes much more powerful and useful than just text. Imagine having notes with visual cues (including but not limited to network diagrams) to help you remember what happened. I’m sitting here looking at the posters the notetaker made in real time with our discussions, and it’s amazing how much more useful they are.

Detecting Malice

I just finished reading RSnake’s new book Detecting Malice and I can say without a doubt that it is one of the best technical books I have ever read. Furthermore, I can tell you that it is, without a doubt, the best web security book I have ever had the pleasure to read. Imagine a book that is as engaging as RSnake’s or Jeremiah’s blog, but even more so.
This is not a book on how to build secure websites; there are plenty of those already. This is a book for security practitioners who get to deal with the site after it’s been built and deployed. It is full of great advice and information about not just how to detect attacks, but also how to distinguish between human attackers, regular users, bots and spiders.
This book should be on the purchase list of every security geek and if Rob hadn’t graciously given me a copy, I’d have already sent him my $40. Send him your money and make him a rich man.

Another Long Time Fugitive Arrested

Yesterday, Luis Armando Peña Soltren was arrested after forty years on the run for hijacking a plane to Cuba.

Soltren “will finally face the American justice system that he has been evading for more than four decades,” said U.S. Attorney Preet Bharara.

I understand that Woody Allen, Martin Scorsese and David Lynch are already circulating a petition around Hollywood demanding Mr Soltren’s release.

Punditry: Better Security Through Diversity Of Thinking

I am honored that the kind folks at Threatpost have asked me to write for them occasionally. My first post is about better security through diversity of thinking, which was inspired by pastry chef Shuna Fish Lydon.
From her post (which I quoted in mine as well):

It is my experience that unless you push yourself really hard to stay away from your sweet spot comfort zone of I-Know-All-I-Need-To-Know-And-I-Feel-Very-Comfy-In-This-Job/Kitchen-Thank-You-Very-Much, and move kitchens or chefs or hire people who are much closer to your level than you feel comfortable having them, you will become stagnant in your baking skill and knowledge.

True for security as well. See my post for more.

MA/NY: Using GPS To Track Cars Requires A Warrant

Jennifer Granick reports that in Massachusetts, Cops Can’t Convert Car Into Tracking Device Without Court’s OK.

Connolly decided that the installation of the GPS device was a seizure of the suspect’s vehicle. “When an electronic surveillance device is installed in a motor vehicle, be it a beeper, radio transmitter, or GPS device, the government’s control and use of the defendant’s vehicle to track its movements interferes with the defendant’s interest in the vehicle notwithstanding that he maintains possession of it.” Thus, the court held this interference with the owner’s possessory interest requires a warrant.

She also links to a similar case in NY with effectively the same results.
It’s great to see the courts addressing how relatively new technology can and has impacted our personal liberties and law enforcement. It is definitely going to be interesting to see how US v Jones (a federal appeals case addressing this same question) turns out.

Gates Was Hardly An Exception

There was a lot of news when Henry Louis Gates was arrested back in July, essentially for mouthing off to a cop. What happened was a shame, but what is more of a shame is that this sort of thing isn’t that rare. Time magazine had a recent article about this, Do You Have the Right to Flip Off a Cop?, which you should read. One of my best friends from high school, Jeff Miller, linked to this article from his own blog and summed up the issue as only he can:

You can be rude to Taylor Swift, you can be rude to a tennis line judge, you can even be rude to the President … none of these things will get you arrested. But if you’re rude to a cop, get ready for some handcuffs.
This is a problem, no?

You said it Jeff!