(2005-12-22) [Datatilsynet] [Norwegian] Datatilsynet has already, together with Fornyingsdepartementet (the Ministry of Government Administration and Reform) and Justisdepartementet (the Ministry of Justice), begun work on drawing up clearer and more detailed rules for the use of e-mail. Datatilsynet hopes that a proposal can be sent out for consultation before Easter.
The existing regulations are, in our view, probably adequate, says Georg Apenes, director of Datatilsynet, but over the course of the autumn we have seen a need to clarify and detail the rules, in the interests of both employees and employers.
[source: Nyheter]
(2005-12-14) [Pinsent Masons] The Database Directive is not meeting its objectives and causes too much confusion, according to evidence published by the European Commission this week. Repealing the legislation is proposed as an option for reform.
The Directive was passed in 1996 with the intention of protecting the investment involved in making a database. While copyright law protects databases if they are sufficiently creative and original, there are many other databases -- especially compilations of information or commonplace data, such as telephone directories, music charts or football match listings -- that are not covered by copyright law.
[source: OUT-LAW.com]
(2005-12-15) [Pinsent Masons] The European Parliament yesterday approved a draft Directive on data retention that will see ISPs and telcos retain phone and internet records for up to two years for use in investigation of criminal and terrorist offences.
MEPs had been under pressure to approve the proposals, which have formed a key part of the agenda of the UK Presidency. The UK Presidency comes to an end in the New Year, and Home Secretary Charles Clarke had made it a priority to reach agreement on the Directive before the handover.
[source: OUT-LAW.com]
(2005-12-31) [Netcraft] The volume of URLs increased throughout the year, from about 3,000 per month in June to 5,000-plus in September and more than 8,000 in October and November.
With a year's worth of data in hand, an analysis of attacks illustrates common patterns and practices in the operation of phishing scams. (Posted by Rich Miller)
[source: News]
(2005-12-29) [CMP Media LLC] Fraudsters will be busy in the post-holiday weeks, a security firm warned Thursday, and consumers should be especially watchful for bogus "get out of debt" phishing pitches.
"Every year during the holidays, a high percentage of consumers find themselves spending a little more than anticipated, and then begin to panic," said Jordan Ritter, chief technology officer of Cloudmark, in a statement. "A phishing offer posing as your bank and offering to consolidate your credit card debt under one easy, low-rate card might be especially tempting now." (Excerpt from news story by Gregg Keizer)
[source: InformationWeek]
(2005-12-22) [The Independent] Britain is to become the first country in the world where the movements of all vehicles on the roads are recorded. A new national surveillance system will hold the records for at least two years.
Using a network of cameras that can automatically read every passing number plate, the plan is to build a huge database of vehicle movements so that the police and security services can analyse any journey a driver has made over several years. (Excerpt from news story by Steve Connor)
[source: Online]
(2005-12-20) [BBC] Surveys show internet users are becoming more tolerant of spam. The number of unsolicited e-mails received in the US appears to be falling thanks to new laws and better technology, a government report says.
The Federal Trade Commission (FTC) said internet users still disliked spam - but most got less than two years ago. Spam filters and a 2003 US law allowing people to opt out of future mailings were helping cut the problem, it said.
[source: News]
(2005-12-28) [IDG] In 2004, owners of Nokia 702 phones suddenly found their batteries running out of power after just 30 minutes due to extensive Bluetooth activity; the culprit turned out to be the Cabir worm, which uses Bluetooth to transmit itself from phone to phone in the form of a Symbian SIS package.
As the 702 model was also available from Vodafone in Japan, it was the first time that Japanese users experienced mobile worms on a large scale. In light of this, what steps are domestic carriers taking to prevent phones from becoming infected? (Excerpt from news story by Arjen van Blokland)
[source: ComputerWorld]
(2005-12-28) [BBC] There were few large scale virus outbreaks in 2005. At first glance 2005 looks like it was a quiet year for computer security because there were far fewer serious Windows virus outbreaks than in 2004.
According to figures gathered by security firm Symantec, there were 33 serious outbreaks in 2004. These are incidents measured by the number of people a virus infects or the severity of the damage they inflict. In 2005, there were only six such incidents. (Excerpt from news story by Mark Ward)
[source: News]
(2005-12-27) [wirelessIQ] A new Trojan, Nabload.U, which is distributing itself through Messenger, has appeared a few hours ago. This Trojan downloads another Trojan, called Banker.bsx, which is currently the number one detected piece of malware from Panda's ActiveScan.
Its objective is to obtain the passwords of certain banks that it has stored in its code primarily from Spanish-speaking users.
[source: News]
(2005-12-23) [EFF] On Tuesday, Magistrate Judge Gorenstein of the federal court for the Southern District of New York issued an opinion permitting the government to use cell site data to track a cell phone's physical location, without the government having to obtain a search warrant based on probable cause.
Judge Gorenstein's flawed legal analysis is in sharp contrast to three other federal court opinions strongly rejecting the government's legal arguments, including a decision by Magistrate Judge Orenstein in the Eastern District of New York.
[source: EFFector]
(2005-12-22) [SecurityFocus] We know that technology can be used to track people's location via a cellphone, but how difficult is it for law enforcement to get a court order and do this legally?
Recent court cases in the United States raise the question of the standard required when the police want to know exactly where you are, using your cell phone to track you down. The issue again raises the question of how new technologies can invade privacy rights, and how quantitative changes in the type and amounts of data collected and stored result in qualitative changes in privacy rights. These require a reexamination of even established laws of privacy and of probable cause. These precedents also apply to entities like ISPs and telephone companies that routinely collect massive amounts of data about individuals which may be subject to eventual discovery or disclosure. It is important that we establish and apply the correct legal standard for obtaining this information now. (Excerpt from news story by Mark Rasch)
[source: News]
(2005-12-21) [CNet] Sweaty hands might make you unpopular as a dance partner, but they could someday prevent hackers from getting into your bank account.
Researchers at Clarkson University have found that fingerprint readers can be spoofed by fingerprint images lifted with Play-doh or gelatin or a model of a finger molded out of dental plaster. The group even assembled a collection of fingers cut from the hands of cadavers. (Excerpt from news story by Michael Kanellos)
[source: News.com]
(2005-12-21) [Datainspektionen] [Swedish] Issue 4 (2005) of the magazine Magazin Direkt has now been published.
It contains articles on camera surveillance, retention of traffic data, privacy and genealogy, and more.
[source: Nyheter]
(2005-12-21) [Reed Business Information Limited] European telecoms companies and ISPs will have to keep their data stored for two years to meet security regulations after EU politicians and legislators voted for the increase in data retention....
Members of the European Parliament voted overwhelmingly for the new rules that will require companies to keep traffic and location information for a minimum of six months and a maximum of two years. Law enforcement authorities in the country where data is collected will have automatic rights of access. The new rules will take effect in about 18 months for telephone data, and three years for internet data.
[source: ComputerWeekly.com]
(2005-12-20) [IDG] Computer users are seeing fewer unsolicited commercial e-mail messages in their inboxes two years after the U.S. Congress passed an antispam law, the U.S. Federal Trade Commission (FTC) said Tuesday.
The antispam law, called the CAN-SPAM Act, has provided the FTC and law enforcement agencies a new weapon to fight spam, but much of the reason computer users are seeing less spam is because they're using blocking software and services, said the FTC in a 116-page report to Congress. The volume of spam seems to be leveling off, and blocking technologies are keeping most spam messages away from inboxes, the FTC said. (Excerpt from news story by Grant Gross)
[source: InfoWorld]
(2005-12-20) [ElectricNews.net] McAfee Avert Labs' latest security alert pinpoints smartphones as a prime target for malware writers in the coming year, and warns that it may cause more extensive damage than similar threats posed to PCs.
The figures are frightening; according to McAfee a mobile threat targeting several operating systems could possibly infect up to 200 million connected smartphones simultaneously. (Excerpt from news story by Ciara O'Brien)
[source: News]
(2005-12-20) [Davis Wright Tremaine LLP] The federal bank and thrift regulatory agencies recently announced the publication of a compliance guide for the Interagency Guidelines Establishing Information Security Standards (the "Security Guidelines").
The Security Guidelines (i) implement section 501(b) of the Gramm-Leach-Bliley Act (GLB Act) and section 216 of the Fair and Accurate Credit Transactions Act of 2003 (FACT Act) and (ii) establish standards relating to administrative, technical, and physical safeguards to ensure the security, confidentiality, integrity and the proper disposal of customer information. (Posted by Peter Mucklestone and Stuart Louie)
[source: Privacy and Security Law Blog]
(2005-12-19) [CNet] Mobile security threats are expected to triple next year as smart phones and other mobile devices become more prevalent, according to a study released Monday by McAfee Avert Labs.
The number of malicious software programs created for mobile devices is expected to reach 726 by the end of 2006, up from an estimated 226 at the end of 2005, according to McAfee. (Excerpt from news story by Dawn Kawamoto)
[source: News.com]
(2005-12-16) [Post-Newsweek Media, Inc.] After nearly a year in the making, the National Institute of Standards and Technology has been convinced that minutia is an acceptable way to store fingerprint biometric data on smart cards.
Amid pressure from industry, agencies and the administration, NIST yesterday released the biometric specification for Federal Information Processing Standard 201, Personal Identity Verification under Homeland Security Presidential Directive 12, calling for agencies to store two index fingerprints on the smart card using the InterNational Committee for Information Technology Standard 358 for minutia. (Excerpt from news story by Jason Miller)
[source: Government Computer News]
(2005-12-16) [Datainspektionen] [Swedish] An inquiry proposes that criminal investigators be given the ability to examine all information on individuals' computers. Either a program (a trojan) is secretly planted on the computer over the network, or hardware or software is installed directly in the computer through covert entry into a home or workplace. Datainspektionen opposes the proposal.
The inquiry SOU 2005:38, Tillgång till elektronisk kommunikation i brottsutredningar m.m. (Access to electronic communication in criminal investigations, etc.), proposes a new coercive measure, hemlig dataavläsning (covert data reading). The idea is that when law enforcement authorities conduct preliminary investigations into serious crimes, they would, following a court decision, be able to examine all information on individuals' computers. Either software (for example a so-called trojan) is secretly placed on the computer over the network, or hardware or software is installed directly in the computer through covert entry into a home or workplace.
[source: Nyheter]
(2005-12-16) [EPIC] With 10 million new victims a year, there is a vast need for people to have legal help at a reasonable price. As a lawyer and former victim herself, who has helped thousands of victims, Ms. Frank coaches and guides you through every step, to lead you out of the nightmare. Mari Frank had created the first self-help recovery tool for victims of identity theft back in 1998, and this new edition with CD includes the new federal laws and regulations in an easy to understand format.
See book description: http://www.powells.com/partner/24075/biblio/17-1892126044-1
(2005-12-16) [EPIC] Journalist Robert O'Harrow's first book, No Place to Hide, is a Washington insider's exposé of how the fast-developing data collection, analysis, and identification technologies first developed for the marketing industry are increasingly used for law enforcement purposes since 9/11.
See book description.
(2005-12-16) [EPIC] At least 30,000 air passengers have been improperly matched to names on federal watch lists since last November, according to Jim Kennedy, head of the Transportation Security Administration redress office. Each of the 30,000 individuals submitted personal information and identification documents to the agency in hopes of resolving their misidentification problems, and were issued letters to help them clear security more quickly.
A few dozen more people were unable to benefit from this redress process. Kennedy provided the information at a meeting of the Department of Homeland Security's Data Privacy and Integrity Advisory Committee in Washington last week. In related news, a Swedish newspaper cited European airline sources as saying that 80,000 names were on the watch list provided by the U.S. government to airlines for passenger screening.
(2005-12-16) [EPIC] On December 14, the European Parliament approved a proposal that requires service providers to store customers' records for law enforcement for two years. The data retention proposal, billed as a crime and terrorism measure, mandates the storage of phone location data, time and duration of calls, details of Internet connections, and the details--but not the content--of email and Internet telephony calls.
The measures must still be formally approved by member states. Privacy groups such as European Digital Rights and EPIC have continually opposed the measures as treating all European citizens as criminals. Privacy advocates also say that the measures do little to stem actual crime and terror. Telecoms have also opposed the measures on the grounds that the two-year storage is very costly, and governments have not committed to paying any part of the costs required by the measure.
(2005-12-16) [EPIC] The House Judiciary Committee has approved immigration reform bill, sponsored by REAL ID Act architect Rep. James Sensenbrenner, which would require a study on creating a machine-readable Social Security card and a Homeland Security database containing information on the employment eligibility of all citizens and non-citizens.
EPIC testified earlier this year against the far-reaching plans. EPIC said that the machine-readable card would become a de facto identification card if, as the bill suggests, employers were forced to use the machine-readable SSN card for employment verification. The SSN was never intended to be a national identifier, and should not be used as such, EPIC said.
(2005-12-16) [EPIC] According to documents obtained by EPIC under the Freedom of Information Act, the Department of Homeland Security has found significant problems with new hi-tech passports. Tests conducted last year revealed that "contactless" passports embedded with radio frequency identification (RFID) technology create difficulties for border inspectors.
EPIC previously has highlighted flaws in the E-Passport and, in light of these FOIA documents, submitted comments urging the abandonment of the use of RFID technology in E-Passports.
(2005-12-16) [Davis Wright Tremaine LLP] While probably old hat to espionage experts, the latest Newsweek had a brief article on the increasing prevalence of "keylogging" software programs, up 65% from 2004. Essentially, keylogging programs (I like the term "kloggers") are software programs designed to silently record each keystroke as the user types in information.
Through the software, even entering passwords or confidential information on legitimate websites may be prone to theft. Kloggers can also be physically installed on the computer and keyboard, but this would require physical access to the computer space. (Entry posted by Peerapong Tantamjarik)
[source: Privacy and Security Law Blog]
(2005-12-15) [CNet] Sarah Zapolsky was checking in for a flight to Italy when she discovered that her 9-month-old son's name was on the United States' "no fly" list of suspected terrorists. "But when I found out you can't actually get off the list, I started to get a bit annoyed," Zapolsky said.
According to the Transportation Security Administration, more than 28,000 people have applied to the TSA redress office to get on the "cleared list," which takes note of individuals whose names are similar to those on the terrorism watch list, but even getting on that list does not guarantee an end to hassles related to the no-fly list.
[source: News.com]
(2005-12-14) [Wired] The European Parliament adopted new rules drawn up by the European Union to store phone and internet data for up to two years to fight terrorism and other serious crime.
The measure was approved in record time after being proposed by the European Commission in September, and is part of the 25-nation bloc's response to the terrorist attacks in Madrid in 2004 and in London this year.
[source: News]
(2005-12-14) [Wired] E-voting rules head to court this week in North Carolina, where election officials stand accused of ignoring a tough new state law designed to raise the bar on procedures to ensure machines are secure and accurate.
A hearing is set for Wednesday in the suit, filed by the Electronic Frontier Foundation, against two state agencies in North Carolina for certifying voting machines in violation of state law. Though it's limited to North Carolina, court watchers say the case is a critical test of one of the strongest laws governing how e-voting machines are scrutinized before they are used in elections. (Excerpt from news story by Kim Zetter)
[source: News]
(2005-12-14) [CNet] The European Parliament on Wednesday passed new, far-reaching data retention legislation for the telecommunications industry. The directive will require Internet service providers and phone companies to keep data on every electronic message sent and phone call made for between six months and two years.
"Agreement on retaining communications data places a vital tool against terrorism and serious crime in the hands of law enforcement agencies across Europe," British Home Secretary Charles Clarke said in a statement. "Modern criminality crosses borders and seeks to exploit digital technology." However, the data retention has been criticized as a threat to the personal privacy of European citizens. (Excerpt from news story by Jo Best)
[source: zdnet]
(2005-12-13) [CMP] Researchers fooled biometric systems with fake fingerprints made out of Play-Doh nine out of ten times, demonstrating a weakness of some computer security systems.
Led by Stephanie Schuckers, an associate professor of electrical and computer engineering at Potsdam, N.Y.-based Clarkson University, the researchers tested 66 Play-Doh copies of real fingerprints of 11 different people. The fake fingerprints were verified as the real deal 90 percent of the time. (Excerpt from news story by Gregg Keizer)
[source: Personal Tech Pipeline]
(2005-12-13) [CIO Today] "We have been saying for a long time that fingerprint readers can be compromised by someone lifting live prints and creating false fingers," said Avivah Litan, a Gartner analyst specializing in security technologies.
A Professor at Clarkson University in New York has proved that biometric security systems can be easily "spoofed" with fake fingerprints. (Excerpt from news story by Robin Arnfield)
[source: News]
(2005-12-13) [MSNBC.com] Already over 20 million PCs worldwide are equipped with a tiny security chip called the Trusted Platform Module, although it is as yet rarely activated. But once merchants and other online services begin to use it, the TPM will do something never before seen on the Internet: provide virtually fool-proof verification that you are who you say you are.
Some critics say that the chip will change the free-wheeling Web into a police state, while others argue that it's needed to create a safe public space. But the train has already left the station: by the end of this decade, a TPM will almost certainly be part of your desktop, laptop and even cell phone. (Excerpt from story by Michael Rogers)
[source: News]
(2005-12-13) [MIT Technology Review] Election officials must decide by January 1 which electronic voting system is least likely to cause problems next November. The mid-term elections of 2006 are still 11 months away, but they've already generated a controversy -- not over politics, but about what technology should be used to count all the votes.
After the voting fiascoes during the 2000 presidential election, Congress passed the Help America Vote Act, which offered a total of $3.2 billion to the states to improve their vote-counting processes, most notably to replace the punch card systems that were exposed as so flawed during the recounting in Florida. States that took the money must use replacement systems in all elections after January 1, 2006. Yet widespread rancor persists over which new system is best. (Excerpt from news story by Lamont Wood)
[source: News]
(2005-12-13) [CNet] Senate Republicans and the Bush administration took the offensive Tuesday against critics of the Patriot Act, saying on the eve of an expected vote that Congress must renew the law for four years.
In a last-minute pitch before the vote, which could happen in the House of Representatives as early as Wednesday, Attorney General Alberto Gonzales warned against any delays. "We have been talking about the Patriot Act for months and months," Gonzales said. "I think the time to act is now." (Excerpt from news story by Declan McCullagh and Anne Broache)
[source: News.com]
(2005-12-12) [CNet] Senate Democrats proposed on Monday a three-month extension of the Patriot Act as an alternative to the Bush administration's support for a broader expansion of the law's surveillance authorities.
Sen. Patrick Leahy, a Vermont Democrat, said "we should make every effort to make this a better bill that will strengthen, instead of jeopardize, the public's faith and trust." Another Democrat, Russ Feingold of Wisconsin, has threatened a filibuster. (Excerpt from news story by Declan McCullagh)
[source: News.com]
(2005-12-12) [CNet] The yellow security padlock in Web browsers, weakened by lax standards and loose supervision, will get reinforced next year with tougher requirements and browser updates. Web industry group aims to lock out phishers with a stronger program to vouch for legitimate e-commerce sites.
The browser icon was designed to show that traffic with a Web site is encrypted and that a third party, called a certification authority, has identified the site and vouches for its validity. But in recent years, standards of verification have slipped, undermining the sense of security implied by the padlock. To solve that problem, a group of companies that issue the Secure Socket Layer certificates are working with major Web browser makers to develop a new type of "high assurance" certificate. The informal organization, dubbed the CA Forum, has held three unpublicized meetings this year and plans to meet again next year, representatives from the companies involved told CNET News.com. (Excerpt from news story by Joris Evers)
[source: News.com]
(2005-12-28) "Ethical and social implications of biometric identification technology: towards an international approach" will take place on December 15 -- 16, 2005 (Brussels, Belgium).
See calendar entry.
(2005-12-28) "PST 2006 -- International Conference on Privacy, Security, and Trust" will take place on October 20 -- November 1, 2006 (Oshawa, Ontario, Canada).
See calendar entry.
(2005-12-28) "PSACE 2006 -- Privacy and Security in Agent-based Collaborative Environments" will take place on May 9, 2006 (Hakodate, Japan).
See calendar entry.
(2005-12-10) [ConsumerAffairs.com] For every new incident of identity theft, data loss, or online fraud, it seems as if a study has been commissioned to verify if this is a first-class threat or an exaggerated nuisance.
Depending on what you read, credit card fraud is a minor inconvenience, but cybercrime is a bigger cash crop than all illegal drugs combined. (Excerpt from news story by Martin H. Bosworth)
[source: News]
(2005-12-10) [EFF] The Electronic Frontier Foundation (EFF) has asked a federal magistrate judge in New York City to reject a Department of Justice (DOJ) request to track a cell phone user without first showing probable cause of a crime.
In a brief filed in New York on Tuesday, EFF and the Federal Defenders of New York argue that no law authorizes the government's request, and that granting the order would threaten Americans' Fourth Amendment right against unreasonable searches.
[source: EFFector]
(2005-12-09) [Wired] If you have internet access at work, there's a very good chance your employer has a system in place to monitor your online activities.
So, if you're concerned about privacy, take heed. Under current U.S. law, there's little you can do to protect the confidentiality of your internet use on the job. Here's a rundown of the rights you don't have at work. (Excerpt from news story by Joanna Glasner)
[source: News]
(2005-12-09) [Davis Wright Tremaine LLP] The compromise announced December 8, 2005 by members of the conference committee working to reconcile the Senate and House versions of the Patriot Act amendments has been criticized by members of Congress and others. One significant failure of the legislation that has not gotten much attention is its failure to regulate -- or even require reports about -- federal data mining projects.
Opponents of government data mining projects object to governments analyzing petabytes of data (a petabyte is roughly a quadrillion bytes, 1,000,000,000,000,000), from both public and private database records that were often gathered with an expectation of privacy, to search for patterns of suspicious behavior among people the government has no reason to suspect of criminal or terrorist activities. (Excerpt from blog entry posted by Randy Gainer)
[source: Privacy and Security Law Blog]
(2005-12-08) [Wired] A three-judge panel of the 9th U.S. Circuit Court of Appeals heard arguments Thursday on tech entrepreneur and internet freedom fighter John Gilmore's challenge to a secret government order forcing airline passengers to show identification or submit to a pat-down search.
The hearing pitted a matter-of-fact government attorney against Gilmore's impassioned, podium-banging lawyer, James Harrison, in a closely watched legal battle over government secrecy and antiterrorism measures that has federal officials defending a rule whose existence they will not admit in open court. (Excerpt from news story by Ryan Singel)
[source: News]
(2005-12-08) [ECT News Network] Phishers are getting better at tricking consumers into revealing their bank account and financial information, and most Americans can't tell the difference between real e-mails and the growing flood of scams that lead to fraud and identity theft, according to AOL.
The only figure that is larger than the 81 percent of home PCs that lack critical security applications such as anti-virus, anti-spyware or firewall software is the 83 percent of home PC users who falsely believe they are safe from online theft of information and identity, according to AOL's latest Online Safety study. (Excerpt from news story by Jay Lyman)
[source: E-Commerce Times]
(2005-12-08) [Post-Newsweek Media] The IRS has proposed guidelines on the disclosure and use of income tax filers' information by tax return preparers to strengthen privacy in the era of electronic filing.
Tax return preparers may not disclose or use tax return information for purposes other than tax return preparation without the knowing, informed and voluntary consent of the taxpayer. (Excerpt from news story by Mary Mosquera)
[source: Government Computer News]
(2005-12-08) [Post-Newsweek Media] The federal Centers for Disease Control and Prevention has awarded a pair of contracts totaling $68.4 million to Science Applications International Corp. to help implement and support CDC's BioSense national syndromic surveillance program.
BioSense charts incoming health data about current patient symptoms from numerous military and Veterans Affairs Department hospitals to identify spikes of activity that might signal a disease cluster outbreak or bioterrorism attack. (Excerpt from news story by Alice Lipowicz)
[source: Government Computer News]
(2005-12-08) [IDG] A new study suggests consumers whose credit cards are lost or stolen or whose personal information is accidentally compromised face little risk of becoming victims of identity theft.
The analysis, released late yesterday, also found that even in the most dangerous data breaches -- where thieves access Social Security numbers and other sensitive information on consumers they have deliberately targeted -- only about 1 in 1,000 victims had their identities stolen.
[source: ComputerWorld]
(2005-12-08) [CIO Today] A study found nearly three-quarters of those surveyed, 74 percent, use their computers for sensitive transactions such as banking, stock trading or reviewing medical information. That leaves phishers with a good chunk of Internet users to target.
The study released Wednesday by America Online and the National Cyber Security Alliance looked at Internet security and "phishing scams."
[source: Network Security]
(2005-12-08) [IDG] Attendees of the Infosecurity computer security conference in New York heard both sides of the debate on U.S. national identification cards this week. On Wednesday, former U.S. Secretary of Homeland Security Tom Ridge told conference attendees that a national ID card was an inevitability; the next day the show's other keynote speaker, Counterpane Internet Security Inc. Chief Technical Officer Bruce Schneier, claimed that it was a bad idea.
Schneier said that the complexity of maintaining a national database would be overwhelming, and could ultimately make the U.S. less secure. Ridge, in contrast, said that national security requirements would ultimately make such cards a reality. (Excerpt from news story by Robert McMillan)
[source: InfoWorld]
(2005-12-07) [CNet] A new study suggests consumers whose credit cards are lost or stolen or whose personal information is accidentally compromised face little risk of becoming victims of identity theft.
The analysis, released on Wednesday, also found that even in the most dangerous data breaches--where thieves access social security numbers and other sensitive information on consumers they have deliberately targeted--only about 1 in 1,000 victims had their identities stolen.
[source: News.com]
(2005-12-07) [CMP] The growing sophistication of phishers has left the majority of Americans unable to tell the difference between legitimate and scam e-mail, a survey released Wednesday showed.
Nearly a quarter of online people in the United States have found themselves the target of the online con artists, and roughly one in five knows a friend or family member who has been duped, according to the second annual survey by America Online Inc. and the National Cyber Security Alliance. (Excerpt from news story by Antone Gonsalves)
[source: Security Pipeline]
(2005-12-07) [CDT] The percentage of Americans whose home computers are infected with spyware fell from 80 percent in 2004 to 61 percent in 2005, according to a new study published by America Online and the National Cyber Security Alliance (NCSA).
The study found that 62 percent of users had anti-spyware software installed on their computers in 2005, a factor that CDT believes can be strongly credited for the decline. CDT also notes that law enforcers in 2005 ratcheted up their efforts to crack down on the worst spyware distributors. The number of users infected remains disturbingly high, but CDT believes the findings underscore the value of the multi-pronged battle against spyware.
[source: Headline News]
(2005-12-07) [MIT Technology Review] About one in four Internet users are hit with e-mail scams every month that try to lure sensitive personal information from unsuspecting consumers, a study says.
Of those receiving the phony e-mails, most thought they might be from legitimate companies -- seven in 10, or 70 percent, were fooled by the e-mails, said the report. The study released Wednesday by America Online and the National Cyber Security Alliance looked at Internet security and "phishing scams."
[source: News]
(2005-12-07) [Wired] New facial-recognition technology is moving us toward surveillance that is unnoticeable, distributed, persistent, searchable and cheap. And as the technology's effectiveness improves, a new face may be the only way to preserve some semblance of privacy.
A great example of the state of the art comes from a new company called Riya, which recently launched a beta facial-recognition service for the masses. The service builds on current multimedia search techniques. With billions of bits of information out there, finding what you want is impossible without good search tools, and there hasn't been a really good way to search multimedia files like photos, video and sound. A common current practice, used by photo sites like Flickr, is to encourage users to tag photos, and then allow text searches of those tags. (Excerpt from news story by Jennifer Granick)
[source: News]
(2005-12-07) [MSNBC.com] While most Internet users think they are safe online, they're not, according to a new study released Wednesday by America Online and the National Cyber Security Alliance. In fact, about 80 percent are exposed to common Internet threats, the study found.
More than half of the participants either had no anti-virus protection or had not updated it within the last week, researchers found. About half did not have a properly configured firewall, and four in ten didn't have spyware protection. Taken collectively, more than four in five consumers lacked at least one of the three types of basic protection. Still, 83 percent told researchers they were "safe from online threats," the study found. (Excerpt from news story by Bob Sullivan)
[source: Security News]
(2005-12-06) [Pinsent Masons] Privacy International and European Digital Rights (EDRi) are calling on MEPs to reject a proposed Directive on data retention when it comes before the European Parliament next week following an agreement reached by EU Ministers on Friday.
In an open letter to the Parliament today, the groups argue that, if approved, the Commission-drafted Directive would irreversibly shift European civil liberties, affect European consumer rights and obstruct the competitiveness of European industry.
[source: OUT-LAW.com]
(2005-12-06) [Bell Globemedia Publishing Inc] The year has seen the number of new viruses rise by 48 per cent, and more of their authors are engaging in targeted attacks, says Internet security company Sophos.
The general trend is turning away from widespread bombardment toward a rise in the amount of spam spewed out by zombie computers, London-based Sophos says in its year-end wrap-up. Zombie-driven spam now accounts for more than 60 per cent of the world's spam. (Excerpt from news story by Jack Kapica)
[source: globeandmail.com]
(2005-12-06) [vnu business publications] November was the worst month for malware since records began in the mid-1980s, according to antivirus firm Sophos.
The company detected 1,940 new pieces of malware in the past month, and has seen a 48 per cent increase in threats over the year. (Excerpt from news story by Iain Thomson)
[source: vnunet.com]
(2005-12-05) [IDG] A sophisticated phishing attack has proven to be so successful, it has tricked eBay Inc.'s own fraud investigations team into endorsing it as legitimate, according to an independent security consultant who reported the attack to eBay.
In late November, Richi Jennings received a fraudulent e-mail message containing the subject line "Christmas is Coming on ebay.co.uk." Offering him "great tips for successful Christmas selling," the message directed him to the Web site ebaychristmas.net, which then asked Jennings to enter his eBay user name and password, as well as the name and password for his e-mail account. (Excerpt from news story by Robert McMillan)
[source: InfoWorld]
(2005-12-05) [IDG] European Union justice and interior ministers agreed on Friday to require telecommunications companies to store phone and e-mail data for between six months and two years to help fight terrorism.
The agreement is an important step toward implementing common rules across the 25-nation bloc. Currently some member states have no rules on data storage, while Ireland, for example, requires records to be kept for 36 months. (Excerpt from news story by Marie-Louise Moller)
[source: ComputerWorld]
(2005-12-05) [Datainspektionen] [Swedish] The EU Data Protection Working Party is strongly critical of the European Commission's proposal to store data about telephone and Internet traffic. The group considers that the proposal encroaches on the fundamental right to confidential correspondence.
The Article 29 Working Party is a working group within the EU tasked with ensuring that the Data Protection Directive is complied with. Datainspektionen represents Sweden in the group, which has several times given opinions on various proposals to store data about telephone and Internet traffic for the purpose of investigating serious crime.
[source: Nyheter]
(2005-12-05) [Post-Newsweek Media] The Health and Human Services Department seeks information about technologies to support and manage public-key infrastructure credentials on personal identity verification smart cards to meet requirements of Homeland Security Presidential Directive 12 for secure forms of identification.
The smart cards must be compliant with Federal Information Processing Standard 201, a common identification standard for federal employees and contractors, and PKI Common Policy Certificate requirements. (Excerpt from news story by Mary Mosquera)
[source: Government Computer News]
(2005-12-05) [EDRI] On 22 November 2005 the Advocate General of the European Court of Justice advised annulling the EU-US agreement on the transfer of passenger data. The AG does not answer the privacy questions raised by the European Parliament, but finds the agreement unacceptable under the European Union's subsidiarity rule: only the member states should decide on these matters, not the European Commission.
US Customs has had access to the passenger lists of Europeans flying to the US since May 2004. European Commissioner Frattini promised to send the European Parliament an evaluation in May 2005, but nothing has surfaced yet.
[source: EDRI-gram Number 3.24, 5 December 2005]
(2005-12-05) [EDRI] The Supreme Court of the Netherlands ruled on 25 November 2005 in a landmark case against the freedom of Internet users to express their opinions anonymously. The Supreme Court upheld a previous court verdict in which the Internet portal Lycos was forced to hand over the personal data of one of its subscribers to the Dutch stamp trader Pessers.
Mr Pessers trades in postage stamps on the auction portal eBay and was accused of fraud by a Lycos subscriber, who published Mr Pessers' name on his website. Pessers subsequently demanded the subscriber's personal data from Lycos in order to sue for damages. Lycos refused and was taken to court. After the initial verdict, Lycos did hand over the data, only to find that the address data were false. Pessers started another procedure to force Lycos to find other ways to retrieve the correct information, but that demand was declined.
[source: EDRI-gram Number 3.24, 5 December 2005]
(2005-12-05) [EDRI] In Poland, the parliamentary leader of the new social-right governing party 'Law and Justice', Przemyslaw Gosiewski, has called for a new law to introduce mandatory telephony data retention for 15 years.
His call followed an article the day before, on 22 November 2005, in the leading newspaper Gazeta Wyborcza with a cry from local investigators that they are unable to effectively prosecute corruption without telephony billing data from the last 4 years.
[source: EDRI-gram Number 3.24, 5 December 2005]
(2005-12-05) [EDRI] European Digital Rights and Privacy International are urgently calling on the individual members of the European Parliament to reject the misguided compromise proposal on data retention.
Party leaders of the christian-democrats and social-democrats in the parliament have agreed behind closed doors to allow for mandatory data retention of telephony and internet data for a period of 6 to 24 months, with even longer terms at the individual discretion of every member state, including the purpose of 'prevention of criminal offences'. This compromise completely overrules the suggestions of the appropriate parliamentary LIBE committee and ignores all the legal and technical objections against the inclusion of location and internet data.
[source: EDRI-gram Number 3.24, 5 December 2005]
(2005-12-05) [EDRI] Behind closed doors, representatives of the Council of Ministers of Justice (JHA Council), representatives from the Commission and the leaders in the European Parliament of the social-democrat and christian-democrat groups have agreed to introduce an unprecedented law (directive) on mandatory data retention in the EU.
The groups have agreed to introduce mandatory retention for fixed and mobile telephony data and for internet log-in/log-off, e-mail records and Voice over IP records. There is only one last formal hurdle: the plenary vote in the European Parliament on Monday evening 12 December 2005.
[source: EDRI-gram Number 3.24, 5 December 2005]
(2005-12-04) [CNet] About a year and a half ago, Amnon Jackont, an Israeli mystery novelist and Tel Aviv University history professor, became ensnared in a mystery of his very own: friends and students were receiving e-mail messages from him that he had never written.
A few months later, unpublished paragraphs and chapters from a book he was writing were plucked from his computer and began appearing on Israeli Web sites. (Excerpt from news story by Timothy L. O'Brien)
[source: News.com]
(2005-12-02) [IDG] A bug in Microsoft Corp.'s Internet Explorer (IE) browser gives phishers a way to scan the hard drives of Google Desktop users, according to an Israeli hacker. Because of a flaw in the way IE processes Web pages, a malicious Web site could use the attack to steal sensitive information like credit card numbers or passwords from the hard drives of its visitors.
"Google Desktop users who use IE are currently completely exposed," wrote hacker Matan Gillon in an e-mail interview. "An experienced attacker can covertly harvest their hard drives for sensitive information such as passwords and credit card numbers. Since Google also indexes e-mails which can be read in the Web interface itself, it's also possible to access them using this attack." (Excerpt from news story by Robert McMillan)
[source: InfoWorld]
(2005-12-02) [EFF] The North Carolina Board of Elections certified Diebold Election Systems to sell electronic voting equipment in the state Thursday, despite Diebold's repeated admission that it could not comply with North Carolina's tough election law.
The Electronic Frontier Foundation (EFF) believes that this raises important questions about the Board of Elections' procedures as well as the integrity of Diebold's bid for certification.
[source: EFFector]
(2005-12-01) [EPIC] In a report released on November 28, the Federal Trade Commission found that using spam filtering technologies and techniques such as "masking" helps reduce the volume of unsolicited emails that consumers receive.
Researchers created 150 email accounts, some with spam filters, and some without, and posted the addresses at various places on the Internet. The study showed that Internet service providers that use spam filters reduced spam by 86-95% over a five-week period. Masking, a technique by which email addresses are presented in a human-readable, but not machine-readable form (for instance, by displaying "epic-info AT epic DOT org" instead of "epic-info@epic.org"), was found to be highly effective. Four masked addresses received one spam message over a five-week period, while four unmasked addresses received 6,416.
(2005-12-01) [EPIC] The Advocate General of the European Court of Justice called for the annulment of the May 2004 Passenger Name Records agreement between EU and US authorities. The agreement requires airlines flying from the EU to the US to disclose their passengers' personal information, including e-mail and credit card details.
The European Parliament complained to the Court later that year that the agreement did not sufficiently protect European travelers' privacy rights. Any eventual ruling by the Court, which follows the Advocate General's opinion 80% of the time, may call other EU anti-terrorism measures into question, as the data retention proposal now under review before EU institutions is being carried out under the same legal basis as the Passenger Name Records agreement. The Court's final decision is expected next spring.
(2005-12-01) [EPIC] The Senate is mulling over a legislative proposal that would create an intelligence exception to a federal privacy law.
The Privacy Act imposes obligations upon federal agencies maintaining personal data about citizens and permanent residents, and gives those individuals rights in their personal information held by the government. The proposed exemption would allow intelligence and other agencies to share information gathered about citizens and permanent residents when the data is related to foreign intelligence or counterintelligence.
(2005-12-01) [EPIC] EPIC hosted a panel at the World Summit on the Information Society in Tunisia on November 18, 2005 to introduce the highlights of its upcoming "Privacy & Human Rights 2005" survey.
Seven panelists from Europe, North America, Latin America, the Middle East and Asia discussed their views on the importance of privacy in the Information Society and the recent privacy developments in their region. The panel gathered representatives from civil society, human rights organizations, data protection authorities and academic experts.
(2005-12-01) [EPIC] Members of the European Parliament's Civil Liberties Committee voted to limit a proposed data retention directive being negotiated by the European Commission and 25 European Union governments through the Council of the EU.
The proposal has now gone back to the Council of Ministers for them to accept the amendments or make further changes. The Parliament and the Council will then have to reach a compromise on the final legislation, which will later go to the European Parliament for a vote. Great Britain, which holds the EU Presidency until the end of the year, reaffirmed its commitment to reaching an agreement on the data retention issue by that time.
(2005-12-01) [EPIC] A reporter successfully obtained the personal and government phone records of Canadian Privacy Commissioner Jennifer Stoddart, causing her to call for "drastic action" to address the security of phone records.
The reporter, Jonathan Gatehouse of Maclean's Magazine, obtained the phone records from American data broker "locatecell.com" for $200 per order, "no questions asked." An exemption in Canadian privacy law allows reporters to engage in such activities for newsgathering purposes.
(2005-12-01) [EPIC] The Centers for Disease Control and Prevention has proposed a rule that would greatly expand the powers of the federal government to track and quarantine individual travelers. The federal government, airline and shipping industries would scrutinize travelers more closely.
The new rule, estimated to cost up to $865 million a year, would require airline and shipping industries to gather passenger contact and health information, maintain it electronically for at least 60 days, and release it to the CDC within 12 hours of a request.
(2005-12-01) [CMP] In an about-face on its previous stance, Microsoft says the time is right for the government to adopt privacy legislation. The trick is developing legislation that truly works.
Less than five years ago, a group of technology vendors, including Microsoft, asked the U.S. Congress not to enact federal privacy legislation, begging legislators to let the industry police itself. Now, in an about-face, Microsoft is stumping for national privacy laws. (Excerpt from news story by Tim Wilson)
[source: Security Pipeline]
(2005-12-01) [Ziff Davis] The American Civil Liberties Union today joined an expanding group of organizations filing lawsuits against a new rule that increases the FBI's power to conduct surveillance on the Internet.
The rule being challenged is one the Federal Communications Commission adopted in September, granting an FBI request to expand wiretapping authority to online communications. (Excerpt from news story by Caron Carlson)
[source: eWeek]
(2005-12-01) [Wired] Three years ago the company was considered a parasite and a scourge. Today it's a rising star - selling virtually the same product. How a pop-up pariah won the adware wars.
Back in 2002, Gator was one of the most reviled companies on the Net. Maker of a free app called eWallet, the firm was under fire for distributing what critics called spyware, code that covertly monitors a user's Web-surfing habits and uploads the data to a remote server. ... Today Gator, now called Claria, is a rising star. The lawsuits have been settled - with negligible impact on the company's business - and Claria serves ads for names like JPMorgan Chase, Sony, and Yahoo! The Wall Street Journal praises the company for "making strides in revamping itself." (Excerpt from news story by Annalee Newitz)
[source: Wired Issue 13.12 December 2005]
(2005-12-01) [Davis Wright Tremaine LLP] Despite significant improvements by banks and regulators in both (i) educating consumers about fraudulent phishing, pharming, spyware and key logging schemes and (ii) developing technologies and procedures to defend against such practices, consumers still believe that online banking may be too risky.
Susanna Montezemolo, a policy analyst at Consumers Union, appreciates these consumers' concerns, noting that, "Consumers can do everything right -- not give out passwords or financial information -- and still become victims." (Excerpt from blog entry posted by Peter Mucklestone and Stuart Louie)
[source: Privacy and Security Law Blog]
(2005-12-20) "LSPI -- First International Conference on Legal, Security and Privacy Issues in IT" will take place on April 30 -- May 2, 2006 (Hamburg, Germany).
See calendar entry.
(2005-12-20) "CHI 2006 Workshop on Privacy-Enhanced Personalization" will take place on April 22 -- 23, 2006 (Montreal, Quebec, Canada).
See calendar entry.
(2005-12-20) "Data Devolution: Corporate Information Security, Consumers and the Future of Regulation" will take place on February 3 -- 4, 2006 (Gainesville, Florida, US).
See calendar entry.
(2005-12-20) "Ensuring Privacy and Security of Consumer Information" will take place on January 26 -- 27, 2006 (New York, New York, US).
See calendar entry.
(2005-12-20) "Meeting of the Information Security and Privacy Advisory Board" will take place on December 6 -- 7, 2005 (Rockville, Maryland, US).
See calendar entry.
(2005-11-30) [Post-Newsweek Media] Homeland Security Department procedures for verifying identities of people applying for U.S. residency and citizenship are still vulnerable to fraud and are overly reliant on paper documents, according to a new report from the department's inspector general, Richard Skinner.
To reduce fraud and better check identities, the U.S. Citizenship and Immigration Services agency should make greater use of biometrics, but to date there are no firm plans for doing so, the report said. (Excerpt from news story by Alice Lipowicz)
[source: Government Computer News]
(2005-11-29) [e.Republic] According to a new study released by the Federal Trade Commission, spammers continue to harvest email addresses from public areas of the Internet, but Internet Service Providers' anti-spam technologies can block the vast majority of spam sent to these email addresses.
The FTC staff report also found that consumers who must post their e-mail addresses on the Internet can prevent them from being harvested by using a technique known as "masking." Read Email Address Harvesting and the Effectiveness of Anti-Spam Filters (a Report by the Federal Trade Commission's Division of Marketing Practices, November 2005).
[source: Government Technology]
(2005-11-29) [CMP] Trickery and technology both play key roles in managing spam, according to a study released yesterday by the Federal Trade Commission.
The agency looked at three aspects of spamming and efforts to control it: the automated harvesting of E-mail addresses on public areas of the Internet; using E-mail address masking to reduce address harvesting; and the effectiveness of spam filtering by Internet Service Providers. (Excerpt from news story by Thomas Claburn)
[source: Security Pipeline]
(2005-11-29) [IDG] E-mail spammers are aggressive as ever, but Internet service providers are getting better at blocking junk messages before they reach users' in-boxes, according to a Federal Trade Commission study released yesterday.
The FTC found that spammers continue to "scrape" e-mail addresses from the Web using automated programs that look for the telltale "@" sign. But up to 96% of those messages were blocked by the two Web-based e-mail providers used by the FTC in its test. The FTC did not say which providers it used in its study.
[source: ComputerWorld]
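Masking, as the FTC report in the EPIC item above and this ComputerWorld item describe it, defeats harvesters that simply scan for the "@" sign. The Python below is an added example, not the FTC's own test code or anything from the page; the page text it scans is constructed for the demonstration, and the regular expressions are this example's assumptions about how a scraper works. It shows a naive "@" scraper, the masking transform, and the caveat a practitioner should keep in mind: a harvester that knows the AT/DOT convention recovers the address anyway, so masking raises the cost of harvesting rather than preventing it.

```python
import re

# Constructed sample page text for the demonstration (not data from the FTC study).
SAMPLE_PAGE = """
Contact: alice@example.org or bob.smith@corp.example.com
Press: press-office AT example DOT org
Support: support [at] example [dot] net
"""

# Naive harvester of the kind the FTC describes: scan for the telltale "@".
NAIVE_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def harvest_naive(text: str) -> list:
    """Addresses a plain "@"-scanning scraper pulls out of the text."""
    return NAIVE_RE.findall(text)


def mask(address: str) -> str:
    """Render an address human-readable but not "@"-scrapeable (FTC-style masking)."""
    local, domain = address.split("@", 1)
    return f"{local} AT {domain.replace('.', ' DOT ')}"


# Caveat: masking only beats harvesters that do not know the convention.
# These patterns recognise "AT"/"[at]"/"(at)" and "DOT"/"[dot]"/"(dot)".
_AT = r"(?:\[\s*[aA][tT]\s*\]|\(\s*[aA][tT]\s*\)|\bAT\b)"
_DOT = r"(?:\[\s*[dD][oO][tT]\s*\]|\(\s*[dD][oO][tT]\s*\)|\bDOT\b)"
MASKED_RE = re.compile(
    rf"([A-Za-z0-9._%+-]+)\s*{_AT}\s*([A-Za-z0-9-]+(?:\s*{_DOT}\s*[A-Za-z0-9-]+)+)"
)


def harvest_unmasking(text: str) -> list:
    """Addresses a convention-aware harvester recovers from masked text."""
    found = []
    for m in MASKED_RE.finditer(text):
        # collapse every DOT token (and surrounding whitespace) back to "."
        domain = re.sub(rf"\s*{_DOT}\s*", ".", m.group(2))
        found.append(f"{m.group(1)}@{domain}")
    return found


if __name__ == "__main__":
    print("naive scraper:   ", harvest_naive(SAMPLE_PAGE))
    print("unmasking scraper:", harvest_unmasking(SAMPLE_PAGE))
    print("masked form:     ", mask("alice@example.org"))
```

The naive scraper finds only the two literal addresses; the unmasking scraper finds the two masked ones, and feeding it the output of `mask()` returns the original address. Image-rendered addresses or contact forms remove the string entirely and are the stronger option where the address must be public.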
(2005-11-28) [IDG] Global cybercrime generated a higher payback than drug trafficking in 2004 and is set to grow even further as the use of technology expands in developing countries, a security expert said today.
No country is immune from cybercrime, which includes corporate espionage, child pornography, stock manipulation, extortion and piracy, said Valerie McNiven, who advises the U.S. Department of the Treasury on the problem. "Last year was the first year that proceeds from cybercrime were greater than proceeds from the sale of illegal drugs, and that was, I believe, over $105 billion," McNiven said. "Cybercrime is moving at such a high speed that law enforcement cannot catch up with it." (Excerpt from news story by Souhail Karam)
[source: ComputerWorld]
(2005-11-23) [IDG] Members of the European Parliament have welcomed the opinion by a top legal advisor to the European Union's highest court that the transfer of airline passenger data to U.S. authorities is illegal and should be stopped.
The leader of the Parliament's Liberal group said that the decision by the advocate-general of the European Court of Justice confirmed the Parliament's criticism of the measure that it "did not contain sufficient safeguards for data protection of E.U. citizens." (Excerpt from news story by Simon Taylor)
[source: InfoWorld]
(2005-11-03) [Wired] In 2004, when the U.S. State Department first started talking about embedding RFID chips in passports, the outcry from privacy advocates was huge. When the State Department issued its draft regulation in February, it got 2,335 comments, 98.5 percent negative. In response, the final State Department regulations, issued last week, contain two features that attempt to address security and privacy concerns. But one serious problem remains.
Before I describe the problem, some context on the surrounding controversy may be helpful. RFID chips are passive, and broadcast information to any reader that queries the chip. So critics, myself included, were worried that the new passports would reveal your identity without your consent or even your knowledge. Thieves could collect the personal data of people as they walk down a street, criminals could scan passports looking for Westerners to kidnap or rob and terrorists could rig bombs to explode only when four Americans are nearby. The police could use the chips to conduct surveillance on an individual; stores could use the technology to identify customers without their knowledge. (Excerpt from story by Bruce Schneier)
[source: News]
(2005-10-20) [Wired] A recent government order mandating that voice over internet protocol services must include the same government-approved wiretapping capabilities as traditional phone companies threatens to cripple peer-to-peer telephone innovation, according to new warnings from civil liberties groups and an internet telephony pioneer.
The new rules from the FCC were published last month and take effect Nov. 14, though companies have 18 months to comply. The order expands a controversial 1994 law known as the Communications Assistance for Law Enforcement Act, or CALEA, which required phone companies to buy or retrofit switching equipment to meet stringent, government-approved wiretap standards that permit law enforcement to more easily wiretap digital phone calls, and to capture information such as voicemail PINs typed on a phone after a call is completed. (Excerpt from news story by Ryan Singel)
[source: News]
(2005-11-30) [The Register] Email fraudsters are taking advantage of lax government security around a US government website to run a scam designed to trick US taxpayers into handing over sensitive personal information.
A phishing email posing as a refund notification from the US Internal Revenue Service (IRS) takes advantage of security configuration weaknesses on a secondary website run by the Department of Labor, according to security firm Sophos. It warns that these emails redirect surfers to a bogus website, with users fooled into thinking they remain on a legitimate US government site. (Excerpt from news story by John Leyden)
[source: News Story]
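Both the ebaychristmas.net lure in the IDG item above and the IRS refund scam routed through a Department of Labor site come down to one question: does the link really land on the domain the user believes it does? The Python below is an added example, not code from Sophos, eBay, Richi Jennings or the page. It assumes a small allowlist of trusted domains, a toy stand-in for the public suffix list, and that the DOL weakness was an unvalidated redirect parameter (hypothetically named `next` here), which the page does not state. One function checks a link's real registrable domain, the way a mail client or gateway might; the other is the server-side guard that would refuse an off-site redirect.

```python
from typing import Optional
from urllib.parse import parse_qs, urlparse

# Hypothetical allowlist of registrable domains the checker trusts (assumption).
TRUSTED_DOMAINS = {"ebay.co.uk", "ebay.com", "dol.gov"}

# Tiny stand-in for the public suffix list (assumption); production code should
# load the real list, e.g. with the `publicsuffix2` package.
PUBLIC_SUFFIXES = {"com", "net", "org", "gov", "uk", "co.uk"}


def registrable_domain(host: str) -> Optional[str]:
    """'signin.ebay.co.uk' -> 'ebay.co.uk'; None if host is only a public suffix."""
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels)):            # walk from the left: longest suffix wins
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[i - 1:]) if i > 0 else None
    return None


def link_is_trusted(url: str) -> bool:
    """True only if the link lands on a trusted registrable domain.

    Lookalikes (ebaychristmas.net), brand-as-subdomain tricks
    (ebay.co.uk.evil.net) and user@host URLs (ebay.co.uk@evil.net) all fail.
    """
    p = urlparse(url)
    if p.scheme not in ("http", "https") or not p.hostname:
        return False
    return registrable_domain(p.hostname) in TRUSTED_DOMAINS


def safe_redirect_target(query_string: str, site_domain: str = "dol.gov") -> str:
    """Server-side guard for a redirect parameter (hypothetical name 'next').

    Honour only same-site paths or absolute URLs on the site's own domain;
    anything else is sent to the home page instead of off-site.
    """
    target = parse_qs(query_string).get("next", ["/"])[0]
    p = urlparse(target)
    # relative path on this site; "//host" and "/\host" would leave the site
    if (not p.scheme and not p.netloc and target.startswith("/")
            and not target.startswith(("//", "/\\"))):
        return target
    # absolute URL, but only on our own registrable domain
    if (p.scheme in ("http", "https") and p.hostname
            and registrable_domain(p.hostname) == site_domain):
        return target
    return "/"


if __name__ == "__main__":
    for link in ("https://signin.ebay.co.uk/ws/", "http://ebaychristmas.net/login",
                 "http://ebay.co.uk@ebaychristmas.net/"):
        print(f"{link:45} trusted={link_is_trusted(link)}")
    for qs in ("next=/benefits/apply", "next=https://www.dol.gov/page",
               "next=http://evil.net/irs-refund", "next=//evil.net/x"):
        print(f"{qs:40} -> {safe_redirect_target(qs)}")
```

The redirect guard compares registrable domains rather than string prefixes, so `dol.gov.evil.net` is rejected even though it begins with the trusted name; protocol-relative (`//host`) and backslash (`/\host`) forms are rejected because browsers treat them as absolute URLs.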
(2005-11-30) [vnunet.com] Hitachi in Japan has unveiled its new Lora SE210 security laptop computer featuring a biometric security device that uses vein recognition.
The security device is placed below the keyboard and uses infrared light to scan a finger's tissue for vein patterns. (Excerpt from article by Tom Sanders)
[source: News]
(2005-11-29) [IDG] Several major Japanese electronics makers have formed a consortium to study and coordinate the introduction of RFID (radio frequency identification) tags for distribution channel inventory management purposes, they said Tuesday.
The Home Appliance Electronic Tag Consortium was founded in late October by Sony Corp., Toshiba Corp., Hitachi Ltd. and Matsushita Electric Industrial Co. Ltd. (Panasonic), the four companies said this week. The group also counts Sanyo Electric Co. Ltd., Sharp Corp., Victor Co. of Japan Ltd. and Mitsubishi Electric Corp. as members and Mizuho Information & Research Institute Inc. as coordinator. (Excerpt from article by Martyn Williams)
[source: InfoWorld]
(2005-11-29) [Datainspektionen] [Swedish] Eventually, 77,000 prescribers and 6,000 pharmacists are to be given access to a register of all medicines that patients have collected on prescription. That places high demands on the information given to the registered individuals, the handling of consent, controls and IT security.
Datainspektionen is now giving the go-ahead for a limited trial, but before operating on a larger scale Apoteket must fulfil a series of conditions.
[source: Pressmeddelande]
(2005-11-28) [Datatilsynet] [Norwegian] The Privacy Appeals Board (Personvernnemnda) has decided a complaint concerning customer data held by a car importer and within that importer's dealer network.
The complaint concerns the passing on of customer data from a car importer (Subaru Norge) to dealers other than the one from which the customer bought the car or which the customer has contacted in some other connection.
[source: Nyheter]
(2005-11-28) [Pinsent Masons] Fears over identity theft and the sale of personal information will have an impact on online Christmas shopping this year, according to research commissioned by the Business Software Alliance (BSA).
Fifty-one percent of consumers told Forrester Custom Consumer Research that security fears would impact their online Christmas purchases in some way. Over 1,000 British consumers took part in the survey.
[source: OUT-LAW.com]
(2005-11-28) [Datatilsynet] [Norwegian] An EU working group on data protection advises waiting until ongoing studies are complete before producing biometric passports.
The Article 29 Working Party, an EU working group assigned an advisory role in data protection matters, issued an opinion on biometric passports around the turn of September/October. In it the working group points particularly to a need for coordination among European countries so that individuals' privacy receives uniform protection.
[source: Nyheter]
(2005-11-26) [Guardian] The music and film industries are demanding that the European parliament extends the scope of proposed anti-terror laws to help them prosecute illegal downloaders.
In an open letter to MEPs, companies including Sony BMG, Disney and EMI have asked to be given access to communications data - records of phone calls, emails and internet surfing - in order to take legal action against pirates and filesharers. Current proposals restrict use of such information to cases of terrorism and organised crime. (Excerpt from article by Bobbie Johnson)
[source: Guardian Unlimited]
(2005-11-25) [The Register] A draft US law to increase the security and privacy of personal information held by companies took a step forward last week, when it was approved by the influential Senate Judiciary Committee. The bill includes a duty to disclose security breaches.
The draft Personal Data Privacy and Security Act of 2005 will now move forward to a full Senate hearing.
[source: News]
(2005-11-25) [IDG] Members of the European Parliament's civil liberties committee voted on Thursday to limit to 12 months the maximum period for which telephone companies and Internet service providers should store call data logs.
The new rules being negotiated by Parliament and 25 European Union governments are designed to help law enforcement agencies track terrorist suspects. Police and intelligence agencies managed to identify the bombers in the London and Madrid attacks at least partly through mobile phone records. (Excerpt from news story by Simon Taylor)
[source: ComputerWorld]
(2005-11-25) [Pinsent Masons] The Civil Liberties, Justice and Home Affairs Committee of the European Parliament (LIBE) yesterday approved Commission proposals for a Directive on data retention -- subject to a few controversial amendments.
The changes could put the Parliament on a collision course with the European Council of Ministers, which has threatened to push through its own data retention proposals if the two institutions cannot compromise on the draft Directive before the end of the year.
[source: OUT-LAW.com]
(2005-11-24) [The Register] Dishonesty and fraud are widespread in the UK, with nearly half of people quizzed in a survey admitting to forgery and one in ten to low level identity fraud. A quarter of 1,000 Britons polled in a survey by document and identity verification firm TSSI confessed to exaggerating their educational qualifications to gain employment.
TSSI has a vested interest here, of course, in talking up the scope of the very dishonesty among the general public its technology is designed to address. Nonetheless we can't help but be impressed by the ability of its researchers to elicit admissions from random punters in train stations that might (were they not anonymous) result in an extended stay at Her Majesty's pleasure. (Excerpt from news story by John Leyden)
[source: News story]
(2005-11-23) [CMP Media LLC] The Senate approved the Personal Data Privacy and Security Act this week, which requires businesses holding the personal data of more than 10,000 U.S. residents to conduct risk assessments and implement data-protection policies. The bill would create a big opportunity for VARs able to help corporations assess their own infrastructures and implement compliant solutions.
Chances are a bill in some form will pass in 2006 to become law. "There is a real win/win/win that's possible," says Kevin Brown, vice president at Decru, a Network Appliance company that offers storage security technology. "But for that to happen, there needs to be a streamlining of compliance requirements for the enterprise. Right now they're suffering under a lack of clarity and a proliferation of rules. It's time for the federal government to step up and provide the clarification, while not losing the level of protection set for the consumer by existing state laws." (Excerpt from news story by Jill R. Aitoro)
[source: System Management Pipeline]
(2005-11-22) [Pinsent Masons] European Commission and Council decisions that led to a controversial agreement permitting the transfer of air passenger data to the US should be annulled because they do not have an adequate legal basis, according to Advocate General Philippe Léger.
The Advocate General is set to publish his opinion on the decisions today, advising the European Court of Justice on how he feels Europe's top court should approach the dispute between MEPs, the Commission and the Council.
[source: OUT-LAW.com]
(2005-12-02) "TSPUC2 -- Trust, Security and Privacy for Ubiquitous Computing" will take place on June 26, 2006 (Niagara-Falls, Buffalo, NY, US).
See calendar entry.
(2005-12-02) "First International Conference on Availability, Reliability and Security" will take place on April 20 -- 22, 2006 (Vienna, Austria).
See calendar entry.
(2005-12-02) "Privacy in the Information Age: Databases, Digital Dossiers, and Surveillance" will take place on January 27, 2006 (Santa Clara, California, US).
See calendar entry.
(2005-12-02) "Committee Meeting of the Department of Homeland Security's Data Privacy and Integrity Advisory Committee" will take place on December 6, 2005 (Washington, DC, US).
See calendar entry.
(2005-12-02) "Regulating Search: a Symposium on Search Engines, Law, and Public Policy" will take place on December 3, 2005 (New Haven, Connecticut, US).
See calendar entry.
(2005-12-02) "Workshop on Privacy and Security Aspects of Data Mining" will take place on November 27, 2005 (Houston, Texas, USA).
See calendar entry.
(2005-12-02) "Fifth International Conference on Data Mining" will take place on November 27 -- 30, 2005 (Houston, TX, US).
See calendar entry.
(2005-12-02) "EU Data Protection Directive 45/96: 10 Years On" will take place on November 30, 2005 (London, UK).
See calendar entry.
(2005-12-02) "Privacy Conference: Building Bridges on ICANN's Whois Questions" will take place on November 29, 2005 (Vancouver, Canada).
See calendar entry.
(2005-11-21) [EDRI] The US digital rights organisation EPIC organised a panel with a preview of their annual privacy and human rights report, with 7 panellists from all continents, from China to Argentina, and from Israel to the Arab Human Rights Watch.
Speaker Alberto Escudero-Pascual from Sweden/Spain focussed on the RFID badges given to every participant. Some participants were given badges in which the mini-chip was included, others were given a cheaper add-on RFID-sticker on their badge. Escudero-Pascual briefly explained the results of his earlier research into the RFID badges handed out to participants in Geneva in 2003.
(2005-11-21) [EDRI] The day before the official opening of the WSIS summit, delegates finally reached an agreement on the sensitive issue of global internet governance. Both the US and the EU claimed victory at the creation of a new Internet Governance Forum (IGF).
The forum will be set up next year and decide upon public policy issues for the internet. It will be made up of governments as well as private and civil society, but it will not have power over existing bodies. There will not be any new oversight on ICANN. Governments will continue to discuss policy desires within the Governmental Advisory Committee (GAC) of ICANN.
(2005-11-17) [EPIC] Sherwin Siy reviews "Information Privacy Law" 2nd edition (by Daniel J. Solove, Marc Rotenberg and Paul Schwartz, 2005, Aspen Publishers)
Quote: " 'Information Privacy Law' is a valuable and accessible centerpiece for any course on privacy law."
[source: Volume 12.23 November 17, 2005]
(2005-11-17) [EPIC] EPIC has taken a number of steps to eliminate the privacy risks caused by "online data brokers," companies that offer to obtain the information of others through trickery. These companies often offer to obtain phone records without the knowledge or consent of the account holder.
EPIC filed a complaint at the Federal Trade Commission, highlighting the activities of a specific online data broker that now is reportedly being investigated by state attorneys general. EPIC also petitioned the Federal Communications Commission to require carriers to increase their protection for phone records.
[source: Volume 12.23 November 17, 2005]
(2005-11-17) [EPIC] EPIC and 12 privacy and consumer groups set out a framework for effective legislation to address the growing problem of identity theft. Identity theft now costs the economy over $50 billion annually, and consumers foot much of the bill.
The groups recommend strong notification requirements, better consumer control over personal information, limits on the use of the SSN, regulation of commercial data brokers, and protection for good state privacy initiatives.
[source: Volume 12.23 November 17, 2005]
(2005-11-17) [EPIC] Sixty-seven percent of adults are concerned about the privacy of their personal medical records, according to a poll by the California HealthCare Foundation and the Health Privacy Project.
Also, 52 percent fear that their health insurance information might be used by employers to limit job opportunities. Congress is considering a proposal to build a national Health Information Network, but it does not yet include adequate privacy safeguards. EPIC and Patient Privacy Rights are calling for strong medical privacy protections in an online petition.
[source: Volume 12.23 November 17, 2005]
(2005-11-17) [EPIC] Even as Congress considers whether to renew the PATRIOT Act, the FBI is pressing the FCC to expand its wiretap authority. The Communications Assistance for Law Enforcement Act of 1994 requires communications providers to design their systems so that law enforcement agencies can listen in on communications easily.
Expanding the scope of this law to VoIP could mean that the same security backdoors could be required of any number of Internet-connected devices and computer programs.
[source: Volume 12.23 November 17, 2005]
(2005-11-17) [EPIC] Critics of the PATRIOT Act frequently focus not only on the expansion of surveillance powers the Act grants to the federal government, but also on the widespread secrecy that the Act grants to law enforcement investigations.
One particularly powerful tool is the "national security letter," which prevents its recipients from reporting that they have been asked for information, or indeed that they have received the letter itself.
[source: Volume 12.23 November 17, 2005]
(2005-11-17) [EPIC] The PATRIOT Act, passed in a frenzy of activity following September 11, dramatically expanded the government's domestic spying powers. The Act established new search authorities that lacked judicial oversight, and the personal information of millions of American citizens was gathered into government databases.
According to the Washington Post, more than 30,000 national security letters were issued in a single year. Documents obtained by EPIC under the Freedom of Information Act reveal clear abuses of PATRIOT Act authority.
[source: Volume 12.23 November 17, 2005]
(2005-11-17) [Better Business Bureau] The National Consumers League, the Better Business Bureau and the National Cyber Security Alliance Provide Joint Advice on Safe Online Shopping Do's and Don'ts
The holiday season is a busy time as people hunt for the perfect gifts for family and friends. The Internet can make your shopping faster and easier, but there can also be pitfalls if you're not careful. The National Consumers League, the Better Business Bureau and the National Cyber Security Alliance offer key advice to ensure you have a safe online shopping experience, so that your gift-giving is a joyous occasion, not an opportunity for cyber thieves.
[source: News]
(2005-11-16) [Pinsent Masons] A warning has been issued to online traders about a 30% rise of so-called Customer Denial Fraud. Cardholders place orders, receive the goods, dispute their credit card bills and then receive a refund -- and merchants carry the costs.
The scam is not a new one, but according to fraud protection company Early Warning, which detected the massive rise over the past month, it is hard to beat because the cheats are valid credit card holders and the personal details submitted are correct.
[source: OUT-LAW.com]
(2005-11-15) [IEEE Cipher] Bob Bruen reviews "Security and Usability" (by Lorrie Faith Cranor and Simson Garfinkel, 2005, O'Reilly, 738 pages).
Quote: "The parts include privacy and systems ... 'Security and Usability' is one of those few books that push the security field forward. As much as I enjoy books on hacking stuff, thoughtful work on the impact on society are extremely important. I highly recommend this book, which will become a foundation for others to build upon. The other 32 papers are as good as the two I highlighted. More than likely, any reader will find at least a few papers which will strike home."
[source: Reviews]
(2005-11-23) [Government Computer News] European airlines should stop providing passenger information to the Homeland Security Department, a top official of the European Union's highest court says, because the legal basis for the data transfers is inadequate.
Philippe Léger, advocate general of the European Court of Justice, has recommended annulment of a May 2004 trans-Atlantic agreement permitting the European passenger data to be shared with Customs and Border Protection as an anti-terrorism measure. (Excerpt from article by Alice Lipowicz)
[source: News]
(2005-11-23) [IDG] Most online shoppers say they will take their business elsewhere if they find out their personal information was compromised, according to a survey of U.S. Internet users. The results of the study show that consumers are aware of identity theft and that companies are likely to lose business if they fail to handle customer information securely.
Two-thirds of adults with Internet connectivity who participated in the survey expect to shop online this holiday season, with 14% of them planning to do half or more of their holiday shopping online. But 67% of Internet users who were part of the study said they were likely to stop shopping at an online store if they found out that their personal information was compromised. (Excerpt from article by Nancy Gohring)
[source: ComputerWorld]
(2005-11-22) [IDG] Despite the increasing size of the online shopping market, one in four U.S. consumers won't shop online during the upcoming holiday season because of concerns over buying goods online, according to the results of a survey published on Tuesday.
A major concern of consumers when shopping online is that their personal information will be sold to a third party, according to the survey, which was commissioned by the Business Software Alliance and conducted by Forrester Custom Consumer Research. The results found 79% of the 1,099 U.S. consumers surveyed worried about such a sale of their information. (Excerpt from article by Martyn Williams)
[source: ComputerWorld]
(2005-11-22) [Datainspektionen] [Swedish] The Administrative Court of Appeal's ruling giving the upper secondary school in Uddevalla the go-ahead to use meal-tray dispensers that read fingerprints to check whether pupils have paid for school meals is being appealed to the Supreme Administrative Court. Datainspektionen considers that the check can be carried out in a less privacy-intrusive way.
Datainspektionen does not share the Court of Appeal's assessment that the municipality's need for a convenient control system outweighs the pupil's protection against violation of personal integrity.
[source: Press release]
(2005-11-22) [CNet] Online criminals shifted their attacks in 2005 from operating systems such as Windows to media players and software programs, according to a study released Tuesday.
Among the software programs under attack are antivirus software, according to the SANS Institute, a nonprofit research group based in Bethesda, Md.
[source: News.com]
(2005-11-22) [CNet] The European Union's transfer of airline passenger data to the United States--part of U.S. efforts to fight terrorism--should be declared illegal, an adviser to the European Union's highest court said on Tuesday.
Since May 2004, the EU has given U.S. authorities 34 categories of information on passengers flying to the United States, including name, address, all forms of payment and contact phone numbers.
[source: News.com]
(2005-11-22) [vunet.com] The Electronic Frontier Foundation (EFF) has filed a lawsuit against Sony BMG demanding that the record label repair the damage done by anti-piracy technology bundled on millions of its audio CDs.
As well as the XCP technology, which for the past weeks has been at the centre of a storm of controversy, the lawsuit also targets SunnComm's MediaMax software that the music giant has included on more than 20 million CDs. Another two million CDs were shipped with XCP. (Excerpt from article by Tom Sanders)
[source: News]
(2005-11-21) [Yahoo!] A court has sentenced two men to a total of 37 years in prison for their part in defrauding a Brazilian bank of $242 million, the biggest scam in Nigerian history, newspapers reported on Saturday.
The sentencing of Emmanuel Nwude to 25 years and Nzeribe Okoli to 12 years follows negotiations in which they agreed to plead guilty to 16 of the 91 original charges, and to forfeit assets worth at least $121.5 million to the victims of the scam.
[source: News]
(2005-11-20) [eChannelLine] It is not new news that cell phones and personal digital assistants (PDAs) are subject to malware threats. But given the average consumer's lax approach to security in the networked world, coupled with the rise in identity theft, extortion, and fraud, it is fair to say a new chapter in the cyber-crime saga is set to unfold.
Last September, the results from Symantec Corp.'s "Internet Security Threat Report Volume VIII -- The Changing Threat Landscape" reported global phishing threats continued to increase in volume and have begun focusing on smaller and regional targets over the past six months. (Excerpt from article by Liam Lahey)
[source: Daily News]
(2005-11-18) [The Register] Hackers are on target to release more than 6,000 keystroke loggers in 2005, a 65 per cent increase from the 3,753 keyloggers released last year, according to security intelligence outfit iDefense.
Five years ago iDefense (which was recently acquired by net infrastructure firm VeriSign) recorded only 300 such programs, demonstrating a huge growth in a strain of malware that has become a favourite with cybercriminals as a preferred tool to plunder online banking accounts. (Excerpt from article by John Leyden)
[source: News]
(2005-11-18) [Government Computer News] The administration is expected to make a decision as early as next week about the standard type of biometric identification for governmentwide smart cards under Homeland Security Presidential Directive-12.
Curt Barker, co-chairman of the National Institute of Standards and Technology's Personal Identity Verification project, said his office will have draft specifications out for public review within about a month of when the administration chooses between image and minutiae as the way to capture two fingerprints on the smart card. (Excerpt from article by Jason Miller)
[source: News]
(2005-11-17) [The Register] Only 16 per cent of people are confident that internet sites will treat their personal information properly, according to a new survey by the Information Commissioner's Office that found widespread concern about data protection laws and practices.
Four out of five of us are concerned about how our finances or health and safety will be affected if our personal data falls into the wrong hands, according to the research published today.
[source: News]
(2005-11-16) [vunet.com] A third of professionals using mobile devices such as PDAs and smartphones admit to not using passwords or any other security protection, despite three out of 10 storing their PINs, passwords and other corporate information on the devices.
The findings come from the Mobile Usage Survey 2005, conducted by Pointsec Mobile Technologies and SC Magazine. (Excerpt from article by Ken Young)
[source: News]
(2005-11-16) [Privacy and Security Law Blog] What high-tech gadgetry do you need to get complete records of phone calls made and received by another? An internet connection and a credit card will do the trick. Criticism is mounting over the ease with which anyone can obtain phone records of others.
Magazine reporters recently visited the offices of Canadian privacy commissioner Jennifer Stoddart, and produced records of calls at her Montreal home, vacation chalet, and on her government-issued cell phone. And in the US, EPIC has submitted comments to the FCC arguing that the agency needs to intervene to protect individuals' phone records from online data brokers. (Posted by Merrill Baumann)
[source: Blog Entry]
(2005-11-16) [Privacy and Security Law Blog] The UK newspaper, The Register, reports that the UK's Association of Chief Police Officers (ACPO) plans to create a national vehicle movement database that is designed to retain license plate data captured from moving vehicles.
A control center in London will link existing speedcams and other databases around the country, and by the end of the year, ACPO expects the control center to process up to 50 million number plates, which would make it one of the most pervasive surveillance systems in the world. (Posted by Steve Chung)
[source: Blog entry]
(2005-11-16) [Datatilsynet] [Norwegian] Absent privacy protection and a vague, unclear duty of confidentiality: that is Datatilsynet's view of the proposal for a new act on the labour and welfare administration. The Norwegian Board of Health Supervision (Helsetilsynet) also finds the rules unclear. Who is to have access to which information?
The new labour and welfare agency will have a very large number of employees. The agency will deliver around 16,000 person-years of work. Roughly estimated, 1 in 300 inhabitants will work there. Datatilsynet sees a danger that the labour and welfare administration is now being planned so that every case worker will share information about all of us, without the individual having any way of knowing where the information goes.
[source: News]
(2005-11-16) [CDT] House-Senate negotiators have agreed on a PATRIOT Act renewal bill that falls far short of balancing the legitimate demands of national security with the need to preserve the privacy and civil liberties of ordinary, law-abiding Americans.
There was bipartisan support in Congress for fixing the PATRIOT Act, but at the last minute the reforms got watered down. While the new bill includes some additional oversight measures, Congress is going to have to return to these issues soon and develop some genuine limits on the PATRIOT Act and other surveillance powers, especially because changing technology is exposing more personal information to government access.
[source: Headlines]
(2005-11-16) [vunet.com] Unsecured wireless networks may be convenient, but they can provide rich pickings for crooks.
If you bank online through a wireless connection, there’s a good risk of your authentication details becoming visible and vulnerable; ditto your credit card. While happily exploiting wireless facilities, we have to be aware that others might be anticipating this. So it is natural to worry about the security of these facilities and the way we habitually use them. But there is an even greater worry behind this, concerning evidence in cases of abuse. (Excerpt from article by Neil Barrett)
[source: News]
(2005-11-16) [CNet] Malicious makers of bots are finding big is not always better when it comes to avoiding detection, according to a security expert.
Over the past two years, the average network of bots, or compromised PCs commandeered by remote attackers, has dropped from more than 100,000 to an average of 20,000, Mark Sunner, MessageLabs's chief technology officer, said during Tuesday's annual Security Roundtable Webcast. (Excerpt from article by Dawn Kawamoto)
[source: News.com]
(2005-11-15) [CMP] If some of the numbers being cited about identity theft are to be believed, it's just a matter of time before some unseen cyberhustler steals your name, empties your bank account and wrecks your financial reputation. You can almost hear the maniacal laughter.
By some measures, one in five Americans has been hit. Another common statistic is that 10 million people fall victim every year.
[source: Security Pipeline]
(2005-11-15) [ComputerWorld] Citing Federal Trade Commission statistics that point to identity theft as a top consumer issue, New York Times language columnist William Safire told an audience at the Computer Security Institute conference that it's up to individuals to take responsibility for protecting their own information.
But there are steps the technology security industry can take as well, Safire said during his keynote speech at the conference. Safire, a civil libertarian who denounced the Patriot Act, said there's not enough protection of confidentiality today. (Excerpt from article by Cara Garretson)
[source: News]
(2005-11-15) [The Register] A "24x7 national vehicle movement database" that logs everything on the UK's roads and retains the data for at least two years is now being built, according to an Association of Chief Police Officers (ACPO) strategy document leaked to the Sunday Times.
The system, which will use Automatic Number Plate Recognition (ANPR), and will be overseen from a control centre in Hendon, London, is a sort of 'Gatso 2' network, extending, enhancing and linking existing CCTV, ANPR and speedcam systems and databases. (Excerpt from article by John Lettice)
[source: News]
(2005-11-15) [Michael Geist's blog] Canadian "lawful access" bill: telephone and Internet service providers will be required to include an interception capability as they introduce new technologies, and law enforcement will be able to compel ISPs to disclose subscriber information, including name, address, IP address, telephone number, and cellphone number.
A few comments on MITA and the government's spin on the bill. First, the government is clearly trying to convince Canadians that we are playing catch-up on this issue, as it provides a chronology illustrating how the U.S., the U.K., Australia, and New Zealand have already moved forward with intercept legislation. Second, the government seeks to assure Canadians that their privacy will be protected with the oversight described above.
[source: Blog entry]
(2005-11-15) [CMP] The number of keyloggers unleashed by hackers exploded this year, soaring by 65 percent in 2005 as e-criminals rush to steal identities and information, a security intelligence firm said Tuesday.
"The overall number of keyloggers has just skyrocketed this year," said Ken Dunham, senior engineer with Reston, Va.-based VeriSign iDefense. "It's all part of the last year's, 18 months' change in motive toward crimeware." (Excerpt from article by Gregg Keizer)
[source: InformationWeek]
(2005-11-15) [Government Computer News] The Transportation Security Administration has issued a guidance document on the basic criteria and standards the agency believes biometric technology should meet in order to qualify for airport access control systems.
Congress mandated in the Intelligence Reform and Terrorism Prevention Act that TSA consult with representatives of the aviation and biometrics industries, as well as the National Institute of Standards and Technology, to develop the guidance package. (Excerpt from article by Patience Wait)
[source: News]
(2005-11-14) [CNN] If some of the numbers being cited about identity theft are to be believed, it's just a matter of time before some unseen cyber-hustler steals your name, empties your bank account and wrecks your financial reputation. You can almost hear the maniacal laughter.
By some measures, one in five Americans has been hit. Another common statistic is that 10 million people fall victim every year.
[source: Technology]
(2005-11-12) [Independent OnLine] South Africa's major chain-store groups are conducting trials with fingerprint technology which may mean shoppers will soon no longer have to carry cash.
All that shoppers would have to do is memorise their PIN codes. The system, which is called Pay by Touch, is widely used in the US and consists of a scanning machine that reads the fingerprint of the shopper, bringing up details of their credit or debit card. (Excerpt from article by Fiona Gounden)
[source: News]
(2005-11-08) [Privacy and Security Law Blog] The Anti-Spyware Coalition, a collection of anti-spyware vendors and consumer groups, recently released guidelines for public comment to help consumers assess products designed to defend against spyware and adware -- unwanted programs that can "bombard [the user] with pop-up ads and drain [a PC's] processing power to the point of rendering [the computer] unusable."
The guidelines promulgated by the Anti-Spyware coalition attempt to assign risk levels to various actions performed by spyware and adware programs. For example, (i) spyware or adware that installs one or more programs without a user's permission or knowledge, interferes with competing programs, intercepts email or instant-messenger conversations or displays ads without identifying the program that generated them, is considered high risk; (ii) spyware or adware that changes a browser's homepage or search engine settings is considered medium risk; and (iii) spyware or adware that uses cookies to collect information is considered low risk. Despite the categorization of actions by risk level, the guidelines continue to warn internet users that "all behaviors can be problematic if unauthorized." (Posted by Peter Mucklestone and Stuart Louie)
[source: Blog entry]
(2005-10-04) [ThePrivacyPlace.Org] privacyplace.org is running a privacy survey to poll the state of privacy on the web.
See The Privacy Place Privacy Survey.
[source: News]
(2005-11-10) [Yahoo] Attempts to introduce a biometric passport in Germany have been thwarted by people smiling, the Financial Times reported today.
Germany started issuing biometric 'ePass' passports a week ago but has had to issue guidelines warning that people "must have a neutral facial expression and look straight at the camera". Visible teeth are apparently also a problem. Rainner Rinner, who is in charge of the Tiergarten passport office in Berlin, said: "We sent someone home because their picture did not fit with the biometrics." (Excerpt from article by Robert Jaques)
[source: News]
(2005-11-09) [CNet] Even as banks and regulators step up efforts to thwart identity theft over the Internet, the worry that fraudsters remain one step ahead is convincing many Americans that banking online is too risky.
At an identity theft forum in New York on Tuesday, security and policy experts said banks are taking appropriate steps to stop online criminals but that their best efforts--and consumers' own vigilance--may not be enough.
[source: News.com]
(2005-11-08) [IDG] Internet fraudsters have had another good year, according to the U.K.'s Association for Payment Clearing Services (APACS).
The banking organization's latest annual figures show that "card not present" (CNP) fraud in the country rose by 29% compared to 2004, reaching $175 million in the six months to June this year. Of that, fraud specific to Internet transactions rose 5%, to $101 million. CNP refers to transactions where sales can be carried out without the presence of the credit card, such as in mail-order or Internet sales. The figures are compiled from real losses incurred by U.K. banks. (Excerpt from article by John E. Dunn)
[source: ComputerWorld]
(2005-11-08) [IDG] Even as banks and regulators step up efforts to thwart identity theft over the Internet, fears that fraudsters remain one step ahead is convincing many Americans that banking online is too risky.
At an identity theft forum in New York today, security and policy experts said that banks are taking appropriate steps to stop online criminals but that their best efforts -- and consumers' own vigilance -- may not be enough. "Consumers can do everything right -- not give out passwords or financial information -- and still become victims," said Susanna Montezemolo, a policy analyst at Consumers Union, in an interview. (Excerpt from article by Jonathan Stempel)
[source: ComputerWorld]
(2005-11-08) [CNet] For several years, rumors have circulated on the Internet about privacy concerns with magnetic cards [used in hotels]. The rumors appeared to originate in 1999, when the police department in Pasadena, Calif., investigated a claim that personal information had been extracted from a hotel key card.
Officials ultimately concluded that private data was not being downloaded onto the cards. A few weeks ago, though, the rumors boiled over after Robert Mitchell, a national correspondent for the trade publication Computerworld, posted an item on his blog questioning the security of magnetic cards. (Excerpt from article by Christopher Elliott)
[source: News.com]
(2005-11-08) [Datainspektionen] [Swedish] A ministry memorandum proposes that the authorities' powers to intercept individuals' communications be expanded substantially.
Datainspektionen considers this a major question that should be handled by a parliamentary committee, not merely in a memorandum from a ministry.
[source: News]
(2005-11-07) [CNet] Sony rightly came under fire last week from programmers and Internet users for injecting an undetectable copy-prevention utility into Microsoft Windows when certain CDs are inserted.
Now the lawyers are taking aim, too. Robert Green, a partner at the San Francisco firm of Green Welling, says he's readying a class action lawsuit against Sony. (Excerpt from article by Declan McCullagh)
[source: News.com]
(2005-11-07) [CMP] As a wave of identity-theft and data-privacy legislation makes its way through Congress, credit-card companies and retailers are scrambling to come up with ways to avoid a repeat of the fiascos earlier this year that placed millions of accounts at risk. The bills would create a national security-breach notification policy, replacing numerous state laws, and would impose stiff fines for violations.
The card companies would prefer to address the issue themselves, rather than have the government do it for them. American Express, Discover, MasterCard, and Visa have formulated data-security requirements for retailers and payment processors to ensure that transaction information doesn't fall into the wrong hands. Merchants are forbidden to store the full contents of the magnetic stripes on cards and the card-validation number printed on the back. They may store only those portions of customer-account information deemed essential for business, such as name, account number, and expiration date. And they must purge all media containing obsolete transaction data with cardholder information. (Excerpt from article by Steven Marlin)
[source: Compliance Pipeline]
(2005-11-04) [Datainspektionen] [Swedish] Datainspektionen has invited the Swedish Federation of Genealogical Societies (Sveriges släktforskarförbund) to a meeting on 14 November to clear up the open questions concerning publication on the web.
These concern, for example, how to interpret wording such as "direct or indirect kinship" and "can be traced to a living person".
[source: Nyheter]
(2005-11-04) [IDG] Regulatory compliance has emerged as the biggest driver of information security initiatives, trumping concerns such as worms and viruses for the first time, according to the results of a survey released Wednesday by Ernst & Young.
At the same time, the survey said, IT organizations and information security groups are failing to take advantage of compliance-related concerns to rearchitect their security organizations. (Excerpt from article by Jaikumar Vijayan)
[source: ComputerWorld]
(2005-11-04) [IDG] Microsoft Corp. yesterday called for a broad national law to protect consumer privacy, and a top Republican lawmaker said he plans to push such a bill next year amid heightened consumer concerns about identity theft and online fraud.
"This is the time, this is the place, we believe, for the government to adopt privacy legislation on a national basis," Microsoft General Counsel Brad Smith said at a lunch event. (Excerpt from article by Andy Sullivan)
[source: ComputerWorld]
(2005-11-04) [EPIC] According to the Wall Street Journal, identity thieves have found a new target for fraud: the government. Identity thieves are posing as students in order to collect federal student financial aid.
One thief profiled by the Journal assumed 43 identities and stole $316,000 in federal aid. The thief committed the crime by purchasing a list of names of prison inmates, and using their personal information for fraud.
(2005-11-04) [EPIC] Government data protection authorities, academics, and human rights and privacy groups gathered at the University of the Andes in Bogota, Colombia on October 20-21 to hold the Public Voice Symposium on Privacy and Data Protection in Latin America: Analysis and Perspectives.
The symposium gave experts from Latin America and the United States an opportunity to analyze and debate the most current public policy issues and recent developments in privacy in Latin America. The meeting also marked the introduction of the first Spanish-language edition of EPIC's annual Privacy & Human Rights survey.
(2005-11-04) [EPIC] This month, Spotlight focuses on facial recognition systems. The Department of Homeland Security has spent millions of dollars on these "smart" cameras that attempt to identify people based on their facial images. However, several tests show the systems are not reliable.
Facial recognition systems also create significant privacy risks: the cameras are often hidden and there are no laws to prevent abuse.
(2005-11-04) [EPIC] EPIC has obtained a copy of the final report prepared by Supreme Court nominee Samuel Alito for a 1972 conference on "The Boundaries of Privacy in American Society."
The paper proposes far-reaching protections for the right of privacy, and specifically addresses such topics as the use of census data, polygraphs, domestic surveillance, communications privacy, computer security and encryption, consumer protection, and homosexuality.
(2005-11-04) [EPIC] EPIC joined a coalition of public interest and business groups on October 25 in challenging a Federal Communications Commission order that requires broadband Internet and certain voice-over-Internet Protocol (VoIP) providers to design their systems to ease government wiretapping. The order expands the reach of the 1994 Communications Assistance for Law Enforcement Act.
The law grew out of concerns that, as telephone networks became more advanced, law enforcement agencies would have an increasingly difficult time intercepting and deciphering the communications of suspects under surveillance. In 1994, Congress drafted a law that required telephone companies to provide this assistance to the government. In passing the act, Congress removed from its coverage e-mail and "information services" like America Online and Prodigy.
(2005-11-04) [EPIC] The State Department announced it will move forward with plans to require new passports to be equipped with Radio Frequency Identification (RFID) chips. The recently issued final rule also attempts to address deficiencies in a previous proposal, which would have made personal data contained in the hi-tech passports vulnerable to unauthorized access.
The previous design would have stored information in the remotely readable passports in unencrypted form. Tests had shown that the passports' RFID chips could be read from two feet or more, posing a significant risk of unauthorized access. The program was widely criticized as unnecessary and insecure by EPIC and other civil liberties groups. The previous design was also criticized by privacy and security experts and the travel industry.
(2005-11-03) [CDT] Announcing today that it would support national Internet privacy legislation, Microsoft Corp. joined a growing group of major high-tech companies that support the creation of robust federal rules to protect citizens' privacy rights online.
With companies like Microsoft, Hewlett Packard and eBay aligning themselves with public interest advocates in the call for stronger privacy protections, momentum is now clearly on the side of those advocating for a robust new federal law, CDT President Jerry Berman said. "While we have not reached consensus on all of the provisions of a privacy bill, we applaud Microsoft's willingness to work actively with other high tech companies, consumer organizations, and policy makers to make serious privacy legislation a reality."
[source: News]
(2005-11-03) [eChannelLine] The Anti-Spyware Coalition (ASC), a U.S.-based alliance of technology companies and public interest groups, has announced several key accomplishments in its ongoing effort to help users combat the unwanted and often dangerous spyware infesting their computers.
As both Cyber-Security and Domestic Violence Awareness Month (October) draws to a close, ASC has unveiled its final, consensus definition of spyware, which was developed by coalition members including major anti-spyware companies, software developers and public interest groups. The definitions were further shaped by almost 400 comments submitted by organizations and individuals to the ASC Web site (http://www.antispywarecoalition.org). The final document, available now on the ASC Web site, will serve as the foundation for all of the coalition's future anti-spyware efforts. (Excerpt from article by Mark Cox)
[source: DailyNews]
(2005-11-03) [EDRI] The European Data Protection Supervisor has started an e-mail newsletter to inform a general public about his activities such as opinions, policy papers and publications.
The October newsletter contains brief information and links to the EDPS's involvement in PNR and the Visa Information System. The newsletter also mentions a policy paper on the conflict between two fundamental rights: access to information and data protection. See European Data Protection Supervisor newsletter.
[source: EDRI-gram Number 3.22, 3 November 2005]
(2005-11-03) [EDRI] In a carefully worded report, the coalition of EU privacy commissioners (the Article 29 Working Party) criticises both the Council and the Commission policies on data retention. The Article 29 Working Party calls for restraint and safeguards that have to date not appeared in any national or EU policy.
"The Working Party questions whether the justification for an obligatory and general data retention coming from the competent authorities in Member States is grounded on crystal-clear evidence. The Working Party also doubts whether the proposed data retention periods in the draft Directive are convincing." And when it comes to safeguards, the Working Party states: "imposing the said data retention obligations on communication service providers without having first realised adequate, specific safeguards is not to be accepted within the existing European legal framework."
[source: EDRI-gram Number 3.22, 3 November 2005]
(2005-11-03) [EDRI] Behind closed doors, the European Parliament is engaged in a momentous battle with the Council of ministers of Justice over the plans for mandatory data retention. After a first meeting of the leading parliamentary committee on Civil Liberties, Justice and Home Affairs (LIBE) on Monday 24 October, it looks like a majority of social-democrats, greens and some liberals is ready to delete internet data from the proposal altogether, focus on a very limited set of telephony data and store them for only 3 months, while deleting the abhorred 'comitology procedure'.
During the debate with LIBE the European Commission provided some technical explanations about their proposal for a directive. A 'connection label' is a number only related to voice over IP connections. And the term user ID only relates to internet access.
[source: EDRI-gram Number 3.22, 3 November 2005]
(2005-11-02) [Slashdot] 'samzenpus' reviews "Security and Usability" (by Lorrie Faith Cranor and Simson Garfinkel, 2005, O'Reilly, 738 pages).
Quote: "Overall, I found the book useful. The variety of authors and subject matter made it easy to skip around and choose what piqued my interest at the time. Along with the academic feel of the book, each chapter is generally descriptive enough to get an idea as to what subject matter will be covered. While the book's target is "researchers and students" first, as a "professional" working for a security company, I found it helped me better explain the pros and cons of these topics to the less technical people I work with every day. I'd recommend it to anyone involved with the usability of security applications and systems."
[source: News]
(2005-11-02) [HNS] A review just published of "Security and Usability" (by Lorrie Faith Cranor and Simson Garfinkel, 2005, O'Reilly, 738 pages).
Quote: "[This book] brings together research findings, actual implementation experiences, practical advice, and recommendations for constructing next-generation operating systems. This volume is sure to become a classic reference and an inspiration for further research."
[source: Reviews]
(2005-11-02) [CNet] The number of threats targeting instant messaging has soared, according to IMlogic, which tracked a 1,500 percent increase in the past year.
IMlogic's Threat Center said its data showed a huge increase in malicious code aimed at IM services between October 2004 and October 2005. Of these, 87 percent of unique IM-targeted attacks were worms, 12 percent were viruses and one percent were client vulnerabilities, according to the research. (Excerpt from article by Will Sturgeon)
[source: News.com]
(2005-11-01) [CNet] A British man was jailed for four years on Tuesday for masterminding an eBay Internet auction swindle which stole computer account details from users and assumed their identities.
David Levi led six others in a gang which scooped almost $355,000 through a "phishing" fraud--the practice of stealing goods after tricking computer users into revealing their bank details. The sentencing at Preston Crown Court follows a high-profile court case last week in which three Romanian fraudsters were jailed in London for a worldwide scam that netted at least $530,000 from thousands of eBay traders.
[source: News.com]
(2005-11-01) [MIT Technology Review] "Phishers" and other Internet fraud artists have become adept at stealing passwords, mainly through "social engineering." Preying on people's propensity to believe something seemingly authoritative, criminals send authentic-looking e-mails that send unsuspecting people to an authentic-looking Web site where they give away their data.
Many banks overseas, where data-privacy laws are stronger, already have deployed a second level of authentication. They give customers specialized hardware, such as a "smart card" or an electronic token that displays a changing series of passcodes. Cost-conscious U.S. banks are unlikely to go as far. Instead, they'll probably perform tweaks inside their own Web servers that most of us will barely notice. (Excerpt from article by Brian Bergstein)
[source: Article]
(2005-11-01) [IDG] The Voice over IP Security Alliance has published a list of security problems that could derail IP telephony's expansion.
The list of problems is similar to the hassles of using a conventional PSTN (public switched telephone network) phone, but with added woes that come from running calls across the Internet. Topping the industry body's list are issues such as privacy and eavesdropping, harassment by phone, premium rate abuse, and hijacking of service, all of which remain to be tackled by the industry. (Excerpt from article by John E. Dunn)
[source: ComputerWorld]
(2005-11-09) "Regulating Identity Theft and Data Breaches" will take place on November 17, 2005 (Washington, DC, US).
See calendar entry.
(2005-11-09) "Contours of Privacy: Normative, Psychological, and Social Perspectives" will take place on November 5 -- 6, 2005 (Ottawa, Canada).
See calendar entry.
(2005-11-09) "Privacy Law in the New Millennium: A Tribute to Richard C. Turkington" will take place on October 29, 2005 (Villanova, PA, US).
See calendar entry.
(2005-10-28) [CMP] A coalition of anti-spyware vendors and consumer groups published guidelines Thursday to help consumers assess products designed to combat unwanted programs that sneak onto computers.
The Anti-Spyware Coalition released the guidelines for public comment and also updated a separate document that attempted to craft uniform definitions for "spyware" and "adware" in hopes of giving computer users more control over their machines.
[source: Security Pipeline]
(2005-10-28) [Datainspektionen] [Swedish] A new issue of DIrekt has been published. It contains articles under headings such as "The pirate hunt may continue", "Many can see patient data", "We live in a sea of data", "The new passports are not biometric, I would rather call them e-passports", and "SL may register graffiti".
The magazine can be downloaded from Datainspektionen's website.
[source: Nyheter]
(2005-10-28) [Datatilsynet] [Norwegian] Datatilsynet has previously asked whether privacy is adequately safeguarded in the introduction of biometric passports. Now Datatilsynet will carry out an inspection in the matter.
On 4 October Datatilsynet sent a memo to the Ministry of Justice (Justisdepartementet) in which the privacy problems with the passports were examined in more detail.
[source: Nyheter]
(2005-10-28) [CNet] Three Romanian fraudsters were jailed on Friday in London for a worldwide fraud carried out via Internet auction house eBay which netted at least 300 pounds, or $532,000.
Some 3,000 victims from as far away as the United States and South Korea were snared by the trio in a scam involving crime bosses in Romania and which police fear continues to this day. Judge Duncan Matheson sentenced Nicolae Cretanu, 30, to 3 1/2 years and his wife Adriana Cretanu, 23, and their accomplice George Titar, 26, to 30 months each.
[source: News.com]
(2005-10-27) [IDG] A new coalition of technology companies and public interest organizations has hit some early milestones in its effort to combat spyware. On Thursday, the Anti-Spyware Coalition published two documents that the group hopes will take the computer security industry a step closer toward agreeing on a set of best practices for stopping this type of annoying and invasive software.
Coalition members have published a definition of the term "spyware" and are now seeking public comment on a "risk modeling" document that goes into technical detail about just what it is that separates spyware from any other kind of software. (Excerpt from article by Robert McMillan)
[source: InfoWorld]
(2005-10-27) [CNet] The Anti-Spyware Coalition offered up standard guidelines on Thursday for detecting, rating and protecting against unwelcome programs that have plagued Internet users in recent years. The group, composed of software companies and consumer advocates, also finalized its definition of spyware, veering little from the version it proposed in July.
The coalition defines spyware and other potentially unwanted technologies as programs deployed without sufficient user consent or that impair user control over any of the following: privacy, system security and user experience; use of their system resources; or collection, use and distribution of personal information. (Excerpt from article by Alorie Gilbert)
[source: News.com]
(2005-10-27) [IDG] As banks turn their attention to stronger authentication technologies in the wake of recent guidance from the Federal Financial Institutions Examination Council, it's important that they don't overlook transaction-level controls, several security experts said.
The FFIEC on Oct. 12 released guidelines that call on banks to upgrade single-factor authentication processes, which are typically based on usernames and passwords, by adding a second, stronger form of authentication during online transactions. (Excerpt from article by Jaikumar Vijayan)
[source: ComputerWorld]
(2005-10-27) [Pinsent Masons] The Information Commissioner, the Joint Committee on Human Rights (JCHR) and Law Society have added to the criticism of the ID Card Bill prior to its second reading in the House of Lords next week.
On Monday, the Constitution Committee of the House of Lords published a critical report which reiterated its concerns about insufficient safeguards associated with the ID Card scheme as it believes that the ID Card "fundamentally alters the relationship between citizens and the State".
[source: OUT-LAW.com]
(2005-10-27) [eChannelLine] PandaLabs has recorded the appearance of a new threat called Naiva.A. This malicious code is a Trojan that reaches computers in a Word document containing information about the bird flu epidemic.
In order to protect against this threat, users should ensure that the macro security level is set at medium, to receive a warning when macros are run, or at high, to stop them from running. If the macro security level is not set at one of these levels, the Trojan will be installed on the computer when the user opens the Word document.
[source: Daily News]
(2005-10-26) [Slashdot] The US State Department released a final ruling on the issue of RFID technology to be included in all US passports after October 2006 which also contained some of the reasoning behind their move.
Other technologies were apparently looked at and discarded due to the difficulty of implementation and several security measures have apparently been taken to try and placate the opposition.
[source: News]
(2005-10-26) [CDT] In the past several months, two federal judges have told the government that tracking cell phone users implicates constitutional privacy interests and requires the higher showing of justification required for a search warrant. The cases make it clear that for years the Justice Department has been getting orders requiring cell phone companies to provide real-time location information under a lower standard intended for access to stored records.
A search warrant, by contrast, requires a showing of "probable cause" to believe that a crime is afoot.
[source: News]
(2005-10-26) [IDG] Skype users are being urged to upgrade to the latest version of the popular Internet telephony client, due to a number of critical flaws in the software that were disclosed Tuesday by Skype's maker, Skype Technologies SA.
If exploited, two of the flaws could allow attackers to take over a Skype user's system, the company said in an advisory published Tuesday. These flaws affect a number of Windows versions of the software, from Version 1.1 to Version 1.4, the statement said. (Excerpt from article by Robert McMillan)
[source: ComputerWorld]
(2005-10-26) [IDG] Germany's Federal Office for Security in Information Technology (BSI) is warning businesses of potential security risks with voice-over-IP (VoIP) technology, in a study presented at the Systems IT exhibition and conference in Munich.
The VoIPSec report, released Monday at the opening of Systems, appeared one day before Skype Technologies SA, one of the world's largest providers of VoIP service, acknowledged critical flaws in its software and urged users to upgrade to the latest version. (Excerpt from article by John Blau)
[source: ComputerWorld]
(2005-10-25) [New Scientist] With half a century's experience of listening to feeble radio signals from space, NASA is helping US security services squeeze super-weak bugging data from Earth-bound buildings.
A new "through-the-wall audio surveillance system" uses a powerful beam of very high frequency radio waves instead of light. Radio waves can penetrate walls -- if they didn't, portable radios wouldn't work inside a house. (Excerpt from article by Barry Fox)
[source: News]
(2005-10-24) [CMP] By defining the kinds and nature of threats, the organization hopes to provide a common reference point to deal systematically with VoIP security issues.
The Voice over IP Security Alliance (VoIPSA) today announced its much anticipated VoIP Security Threat Taxonomy, a classification and description of the types of security threats that affect IP telephony. (Excerpt from article by Matthew Friedman)
[source: Information Week]
(2005-10-24) [CNet] New federal wiretapping rules forcing Internet service providers and universities to rewire their networks for FBI surveillance of e-mail and Web browsing are being challenged in court.
Telecommunications firms, nonprofit organizations and educators are asking the U.S. Court of Appeals in Washington, D.C., to overturn the controversial rules, which dramatically extend the sweep of an 11-year-old surveillance law designed to guarantee police the ability to eavesdrop on telephone calls. (Excerpt from article by Declan McCullagh)
[source: News.com]
(2005-10-24) [IDG] Questions about the security and accuracy of electronic voting systems are likely to continue into the 2006 national elections, because the U.S. government has not yet completed work on electronic voting guidelines, according to a new government report.
With lingering concerns about the security of e-voting systems, the U.S. Election Assistance Commission (EAC) needs to define security policies and set up a machine-certification program to help state and local election officials use e-voting equipment, according to a report issued Friday by the U.S. Government Accountability Office (GAO). (Excerpt from article by Grant Gross)
[source: ComputerWorld]
(2005-10-24) [IDG] With the clock ticking for banks to comply with new federal guidelines calling for stronger user authentication measures during online transactions, companies are rushing to evaluate the various technologies available to help meet the requirements.
But in many cases, the choices may not be cut and dried, IT and security managers warned last week. (Excerpt from article by Jaikumar Vijayan and Eric Lai)
[source: ComputerWorld]
(2005-10-24) [Pinsent Masons] The European Data Protection Supervisor (EDPS) has called for better privacy protection in the European Commission's plans for revising a system that enables authorities to share information about the movement of people across the EU.
The EDPS is Peter Hustinx, the person responsible for monitoring the processing of personal data by the Community institutions and bodies. His 26-page opinion on three proposals related to the Second Generation Schengen Information System, known as SIS II, was published today.
[source: OUT-LAW.com]
(2005-10-20) [EPIC] Marc Rotenberg reviews "Spychips: How major corporations and government plan to track your every move with RFID" (by Karen Albrecht, 2005, Nelson Current, 270 pages).
Quote: "A good advocacy book also needs good recommendations. The authors cover these bases well, providing advice for local protests and national campaigns. Much credit also goes to their organization CASPIAN for several of the successful organizing efforts."
[source: EPIC Alert Volume 12.21 October 20, 2005]
(2005-10-20) [EPIC] The European Council of Ministers agreed recently to require telecommunications companies to keep records of their traffic data for a minimum of 12 months. Internet Service Providers would be required to retain emails and browsing logs for six months.
The decision faces stiff opposition in Europe from EU bodies, IT industry groups, and public interest organizations. The European Parliament has also overwhelmingly voted against the data retention proposal twice in the last few months.
[source: EPIC Alert Volume 12.21 October 20, 2005]
(2005-10-20) [EDRI] Google is offering more detailed information about how it collects and uses personal data of internet users. Since 14 October Google has expanded its privacy policy outlining more details but little change in substance.
Some key issues, such as how long personal data are kept, are not answered by the new privacy policy.
[source: EDRI-gram Number 3.21, 20 October 2005]
(2005-10-20) [EDRI] According to the Swedish e-zine The Local, the Swedish Data Inspection Board now allows the Swedish anti-piracy group Antipiratbyrån and the record industry group IFPI to collect the IP addresses of file-sharers.
In an earlier ruling EDRI-gram reported about, the Swedish Data Protection Authority said APB and IFPI broke privacy laws, because they were collecting personal information without permission. Only government authorities were allowed to create registers of criminal offences. The DPA now grants the organisations an exception from the law. APB and IFPI maintain they do not keep extensive personal files, but just pass on the IP addresses to providers or to the police.
[source: EDRI-gram Number 3.21, 20 October 2005]
(2005-10-20) [EDRI] The UK ID card proposals have come closer than ever to defeat in their final House of Commons vote. The government's majority shrank from the previous vote by 11 votes to 25, despite several concessions over cost and claims to improve privacy protection.
The legislation now moves to the House of Lords, where it is certain to face sustained attack from the House's majority of Conservative, Liberal Democrat and independent peers. The close vote in the Commons will encourage the Lords in their efforts to amend and defeat the Bill. Debate is likely to take place at the end of October 2005.
[source: EDRI-gram Number 3.21, 20 October 2005]
(2005-10-19) [PRC] An email warning that telemarketers will soon be targeting cell phones has been re-circulating. This email is a hoax according to the Federal Communications Commission (FCC).
The bogus email warns that with the release of a cell phone 411 directory (expected in 2006) telemarketer calls will flood consumer cell phones, creating enormous bills for consumers. The FCC clarified that this is not going to happen because in most cases telemarketing calls to cell phones are already illegal. For more information, see the full release at http://ftp.fcc.gov/cgb/consumerfacts/truthaboutcellphones.html.
[source: News]
(2005-10-19) [Pinsent Masons] It is time for internet banks to start reviewing their authentication procedures because best practice is changing. It's a change that directly impacts upon the legal duty that a bank owes to its customers and means the days of single-factor authentication are numbered.
There is no mention of phishing, pharming or Trojans in the legislation; but banks have to keep up with best practices in security otherwise they fall foul of the Act. The penalty for non-compliance is not horrific. However, it would be open to the Information Commissioner to act on a complaint or to undertake a review of the whole sector. And if an account holder loses money in a phishing attack, that individual could take action.
[source: OUT-LAW.com]
(2005-10-18) [IDG] European Union lawmakers said yesterday that they will not back down in a dispute with member states over storing details of telephone and Internet traffic to fight terror and other serious crime.
European Parliament member Alexander Alvaro said the assembly was still committed to reaching a deal on data storage with member states by the end of the year, but only if countries gave it a say in how the controversial measures are introduced. (Excerpt from article by Huw Jones)
[source: ComputerWorld]
(2005-10-18) [IDG] Consumer confidence in the security of their online transactions is slipping due to the growth of phishing-related fraud and identity theft, Gartner reports. As a result, consumers are curtailing their online purchases.
Phishing is the sending of an e-mail by cyberthieves with a link to a fake Web site that is disguised to look legitimate, in order to lure recipients into divulging personal information. Gartner estimates that 73 million adults who use the Internet received a phishing e-mail between May 2004 and May 2005, and that 2.4 million online shoppers lost money as a direct result of phishing. (Excerpt from article by Lorraine Cosgrove Ware)
[source: ComputerWorld]
(2005-10-18) [IDG] A federal advisory body with broad regulatory powers over banks today issued new guidelines aimed at improving security in Internet-based banking and financial services.
The Federal Financial Institutions Examination Council (FFIEC) updated its guidance for how financial institutions should plan to authenticate customers' online identities by the end of next year. The FFIEC said authentication of a customer via simple password and ID alone is "inadequate for high-risk transactions involving access to customer information or the movement of funds to other partners." (Excerpt from article by Ellen Messmer)
[source: ComputerWorld]
(2005-10-18) [CMP] Federal regulators will require banks to strengthen security for Internet customers through authentication that goes beyond mere user names and passwords, which have become too easy for criminals to exploit.
Bank Web sites are expected to adopt some form of "two-factor" authentication by the end of 2006, regulators with the Federal Financial Institutions Examination Council said in a letter to banks last week.
[source: Security Pipeline]
(2005-10-17) [CMP] The number of phishing attacks spammed to computer users fell for the second straight month, the Anti-Phishing Working Group (APWG) said last week as it reported on August's scams.
According to the APWG, a collection of over 1,900 companies, banks, ISPs, and government agencies, 13,776 unique phishing attacks were recorded during August, down about 3 percent from July's 14,135. The high tide for phishing attacks was June, which saw 15,050. (Excerpt from article by Gregg Keizer)
[source: Security Pipeline]
(2005-10-17) [CMP] There was a time when the biggest mobile computing risk was losing a laptop. How quickly things change. Cell phones, smart phones, and PDAs increasingly are being used to access business applications, e-mail, and the Internet. In sync with that trend are new security threats to mobile devices that store and distribute company information.
They're becoming victims of zombie attacks and other forms of hacking; malware; hybrid PC-mobile viruses like Comwarrior, Bluejacking, and Cabir; and spam. And for the first time, many businesses are finding they need plans for securing mobile devices, including what methods to use and rules for how devices can be used. (Excerpt from article by Elena Malykhina)
[source: Security Pipeline]
(2005-10-17) [CMP] A Trojan passing itself off as the Skype voice-over-Internet (VoIP) client is making the rounds, security firm MessageLabs warned Monday.
The IRCbot variant is spammed via e-mail, with the attached file payload disguised as the newest release of Skype, version 1.4, said MessageLabs. Skype Technologies released the 1.4 client at the end of September. "For further details see the attached document," read the e-mail after an opening spiel touting Skype's features. (Excerpt from article by Gregg Keizer)
[source: Security Pipeline]
(2005-10-14) [IDG] Police in the Australian state of New South Wales are set to introduce portable, handheld fingerprint scanners by the end of 2006.
Tenders are likely to be issued early next year with the proposal currently awaiting approval from the NSW Treasury. Static biometric devices, known as LiveScan, are already in use in NSW and Victorian Police stations, provided by French electronics company Sagem, which is a supplier to military organizations across the globe. (Excerpt from article by Michael Crawford)
[source: ComputerWorld]
(2005-10-14) [IDG] U.K. bank Lloyds TSB has reacted to a marked increase in attempted online banking fraud by embarking on a large-scale trial of token-based security.
The trial is one of the biggest of its kind yet announced in the U.K., and will involve offering 30,000 bank customers the option to log on to their accounts using a number-generating key-fob. (Excerpt from article by John E. Dunn)
[source: ComputerWorld]
(2005-08-19) [Elsevier] An article "The loss of privacy and identity" (by Craig Arndt) has been published in Biometric Technology Today, Volume 13, Issue 8, September 2005, Pages 6-7.
Abstract: "There have been many papers and speeches over the last few years concerning the loss of privacy and the dangers of identity theft in the United States and in the world. Many blame the loss (or at least the reduction in personal privacy) on the intrusions of government under the auspices of increasing security in response to terrorism attacks. While this approach to understanding issues surrounding the loss of privacy may be appealing to the media and to some civil liberties advocates, it is far from the truth and leads to policy makers trying to solve the wrong problems. The loss of privacy in American society has been caused by major shifts in economic practices and technology, which have little, if any thing, to do with terrorism. This article examines the root causes behind the loss in privacy and the rise in identity theft, and considers how the emerging technology of biometrics can be used to ensure privacy in the 21st century."
[source: ScienceDirect]
(2005-07-05) [Bundesamt für Sicherheit in der Informationstechnik] The latest edition of the German survey of IT security has been published by the Bundesamt für Sicherheit in der Informationstechnik.
Access the report as PDF (July 2005, in German). The latest BSI annual report, BSI-Jahresbericht 2004 (July 2005, in German), briefly discusses future trends in biometrics, RFID and similar things.
[source: News]
(2005-11-09) "Workshop ANSI/NIST Fingerprint Standard" will take place on December 5 -- 6, 2005 (Gaithersburg, Md., US).
See calendar entry.
(2005-10-24) [CNet] This is a new Wiki page about ID theft: what it is, what the risks are, and whatever else one should know about it.
[source: News.com]
(2005-10-21) [Privacy and Security Law Blog] On October 12, 2005, the Federal Financial Institutions Examination Council (FFIEC) issued the guidance "Authentication in an Internet Banking Environment."
The FFIEC considers single-factor authentication to be "inadequate for high-risk transactions involving access to customer information or the movement of information to other parties." (Posted by Brian Wong)
[source: Blog Entry]
(2005-10-21) [EFF] Rejoice gaming fans, for the latest new "feature" of Blizzard Entertainment's smash hit multi-player online videogame World of Warcraft is here! No, it's not a new Sword of Destruction or Staff of Power--it's spyware! Yes, unbeknownst to many gamers, World of Warcraft now has an unwanted special feature--a hidden program called "Warden" that snoops gamers' computers, looking for any "unauthorized third-party program" that "enables or facilitates cheating of any type."
According to Greg Hoglund, co-author of "Exploiting Software, How to Break Code," this hidden program opens every process on a gamer's computer, from email programs to privacy managers, and sniffs email addresses, website URLs open at the time of the scan, and the names of all running programs--whether or not those programs, emails, or websites could conceivably have anything to do with hacking.
[source: EFFector Vol. 18, No. 36]
(2005-10-21) [EFF] Last month, we told you about the first published court decision considering when the government can track your cell phone's location. In that case, federal magistrate judge James Orenstein in New York denied the Justice Department's request to track someone's cell phone location without probable cause. EFF filed a brief in that case, urging the court to stand by its decision despite the government's request that it reconsider.
It looks now like judicial skepticism of the DOJ's authority to track cell phones is catching. Last week, a second magistrate judge--this time in Texas--issued another decision similarly denying a Justice Department request to tap a cell phone's location.
[source: EFFector Vol. 18, No. 36]
(2005-10-21) [EFF] A research team led by the Electronic Frontier Foundation (EFF) recently broke the code behind tiny tracking dots that some color laser printers secretly hide in every document.
The U.S. Secret Service admitted that the tracking information is part of a deal struck with selected color laser printer manufacturers, ostensibly to identify counterfeiters. However, the nature of the private information encoded in each document was not previously known. For examples see page with pictures.
[source: EFFector Vol. 18, No. 36]
(2005-10-10) [Wired] A recent government order mandating that voice over internet protocol services must include the same government-approved wiretapping capabilities as traditional phone companies threatens to cripple peer-to-peer telephone innovation, according to new warnings from civil liberties groups and an internet telephony pioneer.
The new rules from the FCC were published last month and take effect Nov. 14, though companies have 18 months to comply. The order expands a controversial 1994 law known as the Communications Assistance for Law Enforcement Act, or CALEA, which required phone companies to buy or retrofit switching equipment to meet stringent, government-approved wiretap standards that permit law enforcement to more easily wiretap digital phone calls, and to capture information such as voicemail PINs typed on a phone after a call is completed. (Excerpt from article by Ryan Singel)
[source: News]
(2005-10-20) [CNet] The scourge of e-mail--spam--has reinvented itself for the world of blogs, in a phenomenon experts have dubbed "splog." And Google is in the hot seat.
The search giant's Blogger blog-creation tool and BlogSpot hosting service, together the most popular free blogging service on the Web, fell victim this past weekend to the biggest splog attack yet--an assault that led to clogged RSS readers and overflowing in-boxes, and that may have manipulated search engine rankings. (Excerpt from article by Elinor Mills)
[source: News.com]
(2005-10-19) [Chicago Chronicle] Cub Foods East Region today announced that it is launching biometric payment technology in all 24 of its Chicago stores. The new technology, provided by Pay By Touch, is free to shoppers and will allow them to pay for their groceries with a finger scan that is linked to their financial accounts. Eliminating the need to carry a wallet or checkbook in the store, the new system provides customers with greater convenience, security and speed at checkout.
It will be available in all 24 Chicago Cub Foods stores by November 10. Interviews and photo opportunities are available today between 1 and 3 p.m. at the Wheaton Cub Foods (501 South Country Farm Rd, Wheaton).
[source: News]
(2005-10-18) [Privacy and Security Law Blog] As recently reported by CNN, a new standard in ATM security is emerging; however, not in the United States or even North America, but in the mountains and jungles of Colombia.
BanCafe, Colombia's fifth-largest bank, has installed hundreds of ATM machines across the country which, as an alternative to requiring the traditional ATM card and personal identification number to grant a user access to his/her accounts, operate using fingerprint biometrics. The move by BanCafe was motivated by the increasing need for security among coffee-growers concerned about theft related to ATM use. Since offering fingerprint biometrics as an alternative method of accessing a user's account via an ATM, approximately 15% (or 230,000) of BanCafe's customers have registered for the service. (Posted by Peter Mucklestone and Stuart Louie)
[source: Blog Entry]
(2005-10-18) [HNS] With more and more spam being sent around, people are creating innovative approaches to deal with it.
We had normal anti-spam software for some time, then a year ago anti-virus companies started buying anti-spam specialists and bundling their technology inside their "mother" products. A month ago we reported about a blog service that helps tackle spam and today I came across a service that has a new approach to minimizing the threat of spam. The service called CanIt 'Locked Addresses' offers you the possibility to create an unlimited amount of forwarders to your real e-mail address. (Excerpt from article by Berislav Kucan)
[source: Articles]
(2005-10-17) [HNS] The research survey, conducted in Germany, France, the United Kingdom and the United States by Momentum Research Group, gauges market confidence in conducting more frequent - and higher-value - transactions online and helps businesses to understand the key components in developing trust in online transactions.
The survey shows that consumers in each of these nations are spending more online today, although a significant segment is actively reducing their investment. Online expenditure per respondent during the month of September averaged 153 Euros, with 40% stating that this was higher than 12 months ago. The UK leads the way, averaging 231 Euros per consumer, and US consumers spent the least at 129 Euros per capita.
[source: Articles]
(2005-10-18) [CNet] Federal regulators have ordered banks to tighten their Internet security procedures by the end of 2006 to help thwart identity theft, one of the fastest-growing types of consumer fraud.
In a letter sent to banks last week, the Federal Financial Institutions Examination Council said it is not sufficient that banks permit online access with a single form of authentication, such as a password or personal identification number, when the risks of a breach are too high.
[source: News.com]
(2005-10-18) [Spy blog] UK politician claims Brits will be able to view and edit their national ID card info online using a PIN number.
[source: Entry]
(2005-10-17) [Wired] Federal regulators will require banks to strengthen security for internet customers through authentication that goes beyond mere user names and passwords, which have become too easy for criminals to exploit.
Bank websites will be expected to adopt some form of "two-factor" authentication by the end of 2006, regulators with the Federal Financial Institutions Examination Council said in a letter to banks last week.
[source: News]
(2005-10-14) [Datatilsynet] [Norwegian] Datatilsynet has accepted that the libraries may continue to send unencrypted e-mails with information about reserved books.
This is a special exception from the security requirements that Datatilsynet generally imposes on public authorities. The exception applies for the time being for a period of 5 years.
[source: Nyheter]
(2005-10-12) [BBC] EU interior ministers have agreed that phone records must be kept for at least 12 months, and e-mail data for at least six, to help the fight against terror.
At a meeting in Luxembourg, they mandated UK Home Secretary Charles Clarke to negotiate with the European Parliament to get its agreement. The parliament has argued that such a law would violate civil liberties. Mr Clarke said governments would pass a law without MEPs' involvement unless there was a deal by December.
[source: News]
(2005-10-06) [samizdata.net] Daniel Cuthbert was accused of "hacking" into the website of the Disasters and Emergency Committee. He was recently "regretfully" found guilty under section 1 (a) of the Computer Misuse Act 1990.
This blog entry (and comments) provides more details about what his actual crime was -- which implies that most of us may be guilty of this crime!
[source: Blog entry]
(2005-10-13) [CNet] Finnish scientists have invented a device to make it harder to steal mobile phones and laptops by enabling them to detect changes in their owner's walking style and then freeze to prevent unauthorized use.
The VTT Technical Research Center of Finland said the device, which it has patented but has yet to sell, could prevent millions of portable appliances being stolen every year.
[source: News.com]
(2005-10-13) [Datainspektionen] [Swedish] Datainspektionen considers that Antipiratbyrån and IFPI have a legitimate interest in collecting the IP numbers of file sharers who distribute films, computer games and music in violation of copyright.
Both organisations receive time-limited exemptions that can be withdrawn if they are not used correctly or if new circumstances arise that entail an improper intrusion into privacy.
[source: Pressmeddelande]
(2005-10-12) [CMP] Corporate users know about spyware but a new study from Trend Micro Inc. suggests they might not know enough -- and aren't getting enough help from network administrators and IT to fight the threat.
Some 87% of users surveyed said that they were aware of spyware, but the research firm reports that almost 40% of respondents from the U.S. believe that their IT departments are not doing enough to defend against it. And 53% said that they need to be better educated to understand the spyware threat. (Excerpt from article by Matthew Friedman)
[source: Security Pipeline]
(2005-10-12) [Simplex] Q3 IM Security Threat Report Reveals IM and P2P Attacks Have Increased More Than Fourteen Times Through the First Three Quarters of 2005
The IMlogic Threat Center, the industry's first global consortium to provide threat detection and protection for instant messaging (IM) and peer-to-peer (P2P) applications, today issued its Third Quarter 2005 threat report on the rise of IM security threats. The report highlights a 3295 percent increase in Q3, 2005 over Q3, 2004 bringing the year-to-date increase to 2083 percent over 2005 YTD. (Excerpt from article by Jon Sakoda)
[source: Sarbanes-Oxley Compliance Journal]
(2005-10-12) [Pinsent Masons] Michael Durant, who lost a landmark Court of Appeal ruling on the meaning of "personal data" two years ago, has withdrawn his petition to the House of Lords. This means the House of Lords will no longer review the Court of Appeal's narrow interpretation of the definition.
The focus of attention now turns to the European Commission which has used the Durant decision as evidence that the UK's Data Protection Act of 1998 is a defective implementation of the Data Protection Directive of 1995. The ground-breaking privacy case began when Mr Durant wanted access to personal information held by the Financial Services Authority. The FSA refused and Mr Durant took the matter to court.
[source: OUT-LAW.com]
(2005-10-12) [IDG] Two German companies have developed a new biometric system for identifying airline passengers during the boarding process.
Lufthansa Systems Group GmbH, the IT services arm of German airline Lufthansa AG, and high-security document producer Bundesdruckerei GmbH are demonstrating their jointly developed SecBoard system at the InterAirport trade show in Munich through Friday. (Excerpt from article by John Blau)
[source: ComputerWorld]
(2005-10-11) [IDG] The Liberty Alliance Project, an industry consortium working on standards for federated identity systems, released guidelines today that aim to help organizations deal with some of the legal and privacy issues that arise from such federated identity projects.
The technologies that underlie the Liberty Alliance Project are mature enough for companies to build federated identity systems, according to Russ DeVeau of Liberty Alliance Communications. But companies must also agree on what types of information will be shared and the security and privacy measures they need to have in place to achieve what the Liberty Alliance calls a "circle of trust" among the organizations involved. (Excerpt from article by Jeremy Kirk)
[source: ComputerWorld]
(2005-10-11) [Pinsent Masons] A Swedish internet bank was forced to shut down its website for a short time last week after its one-time password security system was targeted by a new type of phishing scam, according to reports.
Phishing usually occurs when a fraudster sends an email that contains a link to a fraudulent website where the users are asked to provide personal account information. The email and website are usually disguised to appear to recipients as though they are from a bank or another well-known brand.
[source: OUT-LAW.com]
(2005-10-11) [CNet] Spyware is becoming increasingly pernicious and sophisticated, according to security experts who are warning that users are still failing to take basic steps to protect themselves against the threat.
It's a problem that should scare big businesses as they face up to the fact that important data could be leaking out of their organizations daily. And yet too many organizations are failing to properly educate or protect their employees, one expert says. "You'd be surprised at the amount of data these things collect," said Eric Chien, a senior researcher at Symantec. (Excerpt from article by Will Sturgeon)
[source: News.com]
(2005-10-10) [CMP] It's already happening--check the next Hewlett-Packard printer you buy at Wal-Mart or that Ann Taylor blouse you picked up. Chances are a radio-frequency ID tag came home with your purchase.
That doesn't mean the debate has ended over whether RFID infringes on personal privacy. Take a bill pending in the California Senate, sponsored by state Sen. Joe Simitian, D-Palo Alto: It aims to curb RFID use in government-issued documents by putting a three-year moratorium on putting chips in driver's licenses, library cards, and similar documents, and requiring protective measures such as encryption for chips used in documents like student IDs. (Excerpt from article by Laurie Sullivan)
[source: RFIDinsights]
(2005-10-10) [European Biometrics Portal] A new European website for biometrics has been opened.
The European Biometrics Portal (EBP) is initiated by the European Commission to encourage and support the exchange of information and data on biometric technology initiatives, deployments and trials in European Member States. EBP is access- and membership-free, and the quality of the EBP content is dependent on the quality of the user community's contributions.
[source: News]
(2005-10-11) [CNet] With Congress considering the first national standards for data privacy, American companies are looking to long-standing European Union regulations for a heads-up. But as is often the case these days, the EU and United States are marching to different drummers.
Companies that collect, store and process personal data should take note not just of the similarities, but also of the significant differences, because ultimately, our version of data privacy may prove the tougher compliance challenge. When it comes to data privacy, the EU is certainly ahead of the game. (Opinion by Kimber Spradlin)
[source: News.com]
(2005-10-06) [HNS] Over the last week or so, the volume of spam has been rising markedly. There is of course some variation between domains, but here is one typical example, from one of the domains we monitor.
(Excerpt from article by Mirko Zorz)
[source: News]
(2005-10-06) [Reuters] Security software experts identified a malicious program targeting Sony Playstation Portable systems that marks the first so-called Trojan found in video game devices, Symantec Corp. said on Thursday.
The world's biggest security software maker said the Trojan represented a low-level threat, only affecting machines users have modified with their own code. A Trojan is a destructive program that masquerades as a harmless application.
[source: Know.Now]
(2005-10-06) [EPIC] A recent CBS/New York Times poll shows that Americans are increasingly worried about their personal information being collected and shared by private companies. 52% think the right to privacy is under serious threat, and another 30% think it has already been lost.
Only 16% think it is still safe. The poll also reveals that 55% were very concerned about having personal information stolen, and another 34% were somewhat concerned.
[source: EPIC Alert Volume 12.20]
(2005-10-06) [EPIC] "Spotlight on Surveillance" turns to the Registered Traveler air passenger prescreening program run by Verified Identity Pass, Inc. Travelers pay $80 per year and submit personal data, including Social Security numbers, fingerprints, and iris scans, to the company for the privilege of a "fast pass" through airport security.
The program may expand beyond airports to office buildings and stadiums. The system not only contains significant security and privacy flaws, it also creates the risk that people may eventually have to pay for an unregulated, privatized ID card simply to enter an office building.
[source: EPIC Alert Volume 12.20]
(2005-10-06) [EPIC] In a conference report on the 2006 Homeland Security Appropriations Act, Congress instructed the Department of Homeland Security to create clearer and more consistent procedures for determining what documents are to be considered "sensitive security information," or SSI.
While such documents are unclassified, they are still withheld as being too sensitive to release publicly. Among the documents considered SSI are airport security plans, specifications for screening devices, and vulnerability studies. However, in recent years, the category has expanded to include "security directives" and any "other information" within an agency's discretion. For instance, Transportation Security Administration employees have cited SSI to refuse to tell airline passengers why they were being searched.
[source: EPIC Alert Volume 12.20]
(2005-10-06) [EPIC] EPIC has created an issue page on theme parks and privacy to act as a single source of information for consumers to learn more about privacy issues surrounding theme parks.
The page provides information on theme parks' growing use of biometrics and other surveillance technology for commercial purposes. For instance, fingerprint scans are now being used to keep track of visitors who enter and exit theme parks such as Walt Disney World.
[source: EPIC Alert Volume 12.20]
(2005-10-06) [EPIC] In comments to the Department of Homeland Security, EPIC again has urged the agency to abandon a flawed proposal to embed Radio Frequency Identification tags in the Form I-94 or Form I-94W, which is the Arrival-Departure record issued to a traveler to the United States.
The plan lacks basic privacy and security safeguards, and these costs substantially outweigh the limited timesaving benefits, EPIC said.
[source: EPIC Alert Volume 12.20]
(2005-10-06) [CNet] It's been nearly five years since Americans received a painful education on the perils of traditional voting machines in Florida and almost one year since the 2004 election revealed perplexing irregularities in Ohio's vote tabulation methods.
Yet no uniform security standards exist for electronic voting machines. Even though they were used to tabulate a third of the votes in last year's presidential run, nearly all electronic voting machines in use today remain black boxes without external methods of verifying that the results have not been altered or sabotaged. (Excerpt from article by Declan McCullagh)
[source: News.com]
(2005-10-06) [IDG] The FTC has requested that a U.S. District judge stop a Web site that allegedly installs spyware onto visitor's PCs.
The group claims that Odysseusmarketing.com offered free software that would enable users to anonymously share files in a peer-to-peer fashion. But along with the software came spyware and adware, unbeknownst to those downloading the P2P program. In the request, the FTC claimed that the company's P2P software did not even allow such file sharing, according to a story on InfoWorld sister publication PC World, FTC seeks to halt alleged spyware site.
[source: InfoWorld]
(2005-10-06) [EFF] EFF has filed comments with the Department of Culture, Media, and Sport (DCMS) in the British House of Commons about plans for digital television broadcasting in Europe.
In the comments, EFF expressed concern that switching off analog broadcasts could result in new digital television standards that unduly restrict the public and manufacturers.
[source: EFFector]
(2005-10-06) [CMP] Cell phone networks are so vulnerable to denial-of-service-style attacks that an assault carried out by a mid-sized bot network could bring down the United States' entire mobile infrastructure, a group of academic researchers said in a paper made public Wednesday.
The paper, which will be presented by four Pennsylvania State University researchers at the ACM Conference on Computer and Communications Security in November, outlined how an attack exploiting weaknesses in SMS (Short Message Service) could overload a cell network, and bring both voice and text messaging to a screeching stop. (Excerpt from article by Gregg Keizer)
[source: Security Pipeline]
(2005-10-06) [EFF] EFF filed a brief this week in support of one of its previous court opponents, DirecTV, arguing that a federal appeals court should throw out a lawsuit against the company for accessing a public website.
DirecTV is being sued by Michael Snow, the publisher of an anti-DirecTV website that contained warnings to DirecTV employees that they were not authorized to enter. In its "friend of the court" brief to the Eleventh Circuit Court of Appeals, EFF argues that the federal Stored Communications Act, on which Snow's suit relies, only protects websites that are configured to be private.
[source: EFFector]
(2005-10-06) [EFF] The Delaware Supreme Court has protected the identity of a blogger in the case of Doe v. Cahill, finding that the plaintiffs failed to meet the strict standards required by the First Amendment to unmask an anonymous critic. It dismissed the case Wednesday.
This is the first state supreme court to rule on a "John Doe" subpoena or to address bloggers' rights.
[source: EFFector]
(2005-10-06) [Wired] Last week California became the first state to enact a law specifically addressing phishing. Phishing, for those of you who have been away from the internet for the past few years, is when an attacker sends you an e-mail falsely claiming to be a legitimate business in order to trick you into giving away your account info -- passwords, mostly. When this is done by hacking DNS, it's called pharming.
Financial companies have until now avoided taking on phishers in a serious way, because it's cheaper and simpler to pay the costs of fraud. That's unacceptable, however, because consumers who fall prey to these scams pay a price that goes beyond financial losses, in inconvenience, stress and, in some cases, blots on their credit reports that are hard to eradicate. As a result, lawmakers need to do more than create new punishments for wrongdoers -- they need to create tough new incentives that will effectively force financial companies to change the status quo and improve the way they protect their customers' assets. Unfortunately, the California law does nothing to address this. (Excerpt from article by Bruce Schneier)
[source: News]
(2005-10-06) [Datatilsynet] [Norwegian] Datatilsynet believes that privacy is not satisfactorily safeguarded in the introduction of biometric passports in Norway. The Authority has now sent a memo to the Ministry of Justice in which the privacy problems with the passports are examined more closely.
The memo points to various issues relating to security. Among other things, it refers to the fact that representatives of 40 European data protection authorities, in a joint resolution, demand that effective security measures be put in place at an early stage. The Article 29 Working Party demanded the same at a meeting in Brussels on 30 September this year. Director-General Jonathan Faull of the European Commission's department for human rights, data protection and related matters also reported that trials have shown the technical solutions worked on so far to be extremely deficient. (By Guro Skåltveit)
[source: Nyheter]
(2005-10-05) [CMP] E-criminals took to attacking ever-smaller targets in the first half of the year, a Web security firm said Wednesday, as they simultaneously used more sophisticated tools, such as "screen scrapers" designed to steal passwords entered with the mouse in built-for-security graphical interfaces.
By San Diego, Calif.-based Websense's take in its semi-annual "Security Trends Report," phishers have turned to small financial organizations, regional banks and credit unions in particular, as opportunities elsewhere have shrunk. (Excerpt from article by Gregg Keizer)
[source: Security Pipeline]
(2005-10-05) [HNS] A federally funded group of voting system experts called on the United States' Election Assistance Commission, which oversees the nation's state-run elections, to revamp its recommended process for evaluating the security of electronic voting devices.
(Excerpt from article by Mirko Zorz)
[source: News]
(2005-09-05) [FirstMonday] An article on phishing has been published: "The economy of phishing: A survey of the operations of the phishing market" by Christopher Abad.
Abstract: Phishing has been defined as the fraudulent acquisition of personal information by tricking an individual into believing the attacker is a trustworthy entity. Phishing attacks are becoming more sophisticated and are on the rise. In order to develop effective strategies and solutions to combat the phishing problem, one needs to understand the infrastructure in which phishing economies thrive. This paper presents the findings from this research as well as an analysis of the phishing infrastructure.
[source: FirstMonday vol 10, Number 9]
(2005-06-01) [ENISA] The computer emergency rescue team of the CERT Bund (CERT for German federal government institutions) has issued a warning against 'surf turbos', which, in the meantime, represent a considerable security risk. The warning applies to users who use the 'surf turbos' to increase the surfing rate.
When using a 'surf turbo', most users are not aware of the fact that the provider can read their entire data traffic, analyse it, and link the data with the personal data delivered by the user during registration.
[source: Newsletter, June 2005]
(2005-10-05) [HNS] California is the first US state to pass anti-phishing laws. Finally someone went a step further in, at least, trying to create a more secure cyberspace.
Here you can find some of the most important snippets from the Anti-Phishing Act of 2005. [see source link]
[source: News]
(2005-10-05) [EDRI] On 28 September 2005 the Dutch Lower House commission on judicial affairs organised a public hearing about data retention, preceding the official debate on the need and usefulness of data retention on 5 October 2005.
The commission invited two representatives from law enforcement, one each from the telecom and internet sectors, as well as EDRI-member Bits of Freedom and the national data protection authority.
[source: Number 3.20, 5 October 2005]
(2005-10-05) [EDRI] Since the introduction of compulsory identification in the Netherlands on 1 January 2005, the police have fined 50,000 people who could not or would not present a valid ID.
Almost 4,000 of those fined were children aged 14 and 15. The statistics are provided by the Central Judicial Collection Office.
[source: Number 3.20, 5 October 2005]
(2005-10-05) [EDRI] EDRI-member FIPR (the Foundation for Information Policy Research) has published a strong analysis of the proposed new EU intellectual property enforcement directive.
According to FIPR, the proposed new directive is pushed by the UK Presidency, but will undermine basic freedoms. It will force all EU member states to criminalise incitement to infringe patents or copyrights. The directive is promoted by big drug companies and the music industry.
[source: Number 3.20, 5 October 2005]
(2005-10-05) [EDRI] On 12 October the Council of ministers of Justice and Home Affairs (JHA Council) will debate about data retention once again, both about the framework decision and about the directive proposal from the European Commission.
In response to the final launch of the Commission proposal on 21 September, the UK Presidency of the EU announced it would wait two months for the Commission and Parliament to reach agreement. Otherwise, it would use the last official JHA Council of 1 December 2005 to table the framework decision as an A-item (an item adopted without debate).
[source: Number 3.20, 5 October 2005]
(2005-10-05) [Wired] Government regulators are trying to shut down a company they say secretly downloaded spyware onto the computers of unwitting internet users, rendering them helpless to a flood of pop-up ads, computer crashes and other annoyances.
The Federal Trade Commission accused Walter Rines of Stratham, New Hampshire, and his company, Odysseus Marketing, of luring computer users with the promise of free software that would make peer-to-peer file sharing anonymous. The claim was bogus, the agency said, and the software was bundled with spyware that was secretly downloaded onto computers.
[source: News]
(2005-10-05) [HNS] US non-profit IT company MITRE today announced the Common Malware Enumeration Initiative. Headed by the United States Computer Emergency Readiness Team (US-CERT) and supported by an editorial board of anti-virus vendors and related organizations it should provide a neutral, shared identification method for malware outbreaks.
During a virus outbreak, participants on the CME board request an identifier from an automated system by providing a sample of the virus and as much additional information as possible. An identifier in the format 'CME-N' where N is an integer between 1 and 999 is generated and distributed to the other participants. The participants then disseminate the CME identifier to their contacts in the industry and reference the CME identifier on their web pages, in their product, or when speaking to the press.
[source: News]
(2005-10-05) [CMP] E-criminals took to attacking ever-smaller targets in the first half of the year, a Web security firm said Wednesday, while simultaneously using more sophisticated tools, such as "screen scrapers" designed to steal passwords entered with the mouse in built-for-security graphical interfaces such as on-screen keyboards.
According to the semi-annual "Security Trends Report" from San Diego, Calif.-based Websense, phishers have turned to small financial organizations, regional banks and credit unions in particular, as opportunities elsewhere have shrunk. (Excerpt from article by Gregg Keizer)
[source: SecurityPipeline]
(2005-10-09) "First International Conference on Digital Rights Management: Technology, Issues, Challenges, and Systems." will take place on October 31 -- November 2, 2005 (Sydney, Australia).
See calendar entry.
(2005-10-09) "AutoID 2005: Fourth IEEE Workshop on Automatic Identification Advanced Technologies" will take place on October 17 -- 18, 2005 (Buffalo, New York, USA.).
See calendar entry.
(2005-10-09) "6th Workshop on Privacy Enhancing Technologies" will take place on June 28 -- 30, 2006 (Cambridge, United Kingdom ).
See calendar entry.
(2005-10-09) "Biometrics E-Symposium" will take place on September 28, 2005 (on the web).
See calendar entry.
(2005-10-05) [IDG] Trafficking in stolen credit cards has largely shifted to Russian-language Web sites after an international crackdown sparked disarray among English-speaking scam artists, a U.S. Secret Service official said.
The October 2004 raid, dubbed Operation Firewall, led to 28 arrests in seven countries and shut down several Web sites that served as online bazaars where scam artists could buy and sell credit-card numbers, drivers' licenses and other documents.
[source: ComputerWorld]
(2005-10-05) [IDG] In Chile and Colombia, biometrics is giving cash machine banking the finger. And that phenomenon may happen in Canada too, if Mark Grossi has his way.
The chief technology officer at NCR Corp., Grossi is also a leading evangelist for "self-service banking at the touch of a fingerprint." It's a technology he and his team have honed at NCR's Advanced Concepts Lab in Dundee, Scotland. (Excerpt from article by Joaquim P. Menezes)
[source: ComputerWorld]
(2005-10-04) [CMP] American Power Conversion's new PCMCIA Password Manager, a personal fingerprint scanner, adds a further layer of protection for laptop users' login and password information. An extension of the company's Biometric Password Manager, the new product lets users access their laptops without having to memorize logins and passwords.
"In today's growing mobile environment, road warriors cannot afford the inconvenience and time of dealing with forgotten login names and passwords for all of their password-protected sites," said Joe Loberti, general manager of the company's Consumer Network Solutions Group. "Our research shows that the average computer user has to remember approximately 17 different passwords. (Excerpt from article by Vince Biancomano)
[source: SecurityPipeline]
(2005-10-04) [IDG] Online marketers have embraced pay-per-click advertising, enriching search engine-based ad networks such as those run by Google Inc. and Yahoo Inc. Unfortunately, fraudsters also participate in the clickfest.
Click fraud incidence is unclear, say experts, but it has become a gnawing concern: 70% of online advertisers were concerned about the phenomenon or considered it a problem, according to a recent survey from the Search Engine Marketing Professional Organization. (Excerpt from article by Juan Carlos Perez)
[source: ComputerWorld]
(2005-10-04) [CNet] An election commission headed by former President Jimmy Carter and former secretary of state James A. Baker III drew attention last month by proposing that voters be outfitted with national identification cards.
But a less-noticed recommendation could accelerate reform efforts in state legislatures: Improving the security of electronic voting machines by outfitting them with a voter-verifiable paper audit trail. (Excerpt from article by Declan McCullagh)
[source: News.com]
(2005-10-04) [CNet] Malicious hackers could take down cellular networks in large cities by inundating their popular text-messaging services with the equivalent of spam, said computer security researchers, who will announce the findings of their research Wednesday.
Such an attack is possible, the researchers say, because cell phone companies provide the text-messaging service to their networks in a way that could allow an attacker who jams the message system to disable the voice network as well. (Excerpt from article by John Schwartz)
[source: News.com]
(2005-10-04) [Yahoo!] A San Francisco start-up, Pay By Touch Solutions, is expected to announce today $130 million in fresh financing for a novel way of paying for groceries and other goods and services: a machine that reads your fingerprint.
The capital raised -- $55 million of it in convertible notes and $75 million in loans -- will help the company roll out its finger-reading payment systems at several nationwide retailers, including in California in the first quarter of next year. Here's how it works: Customers sign up once, by registering a checking account or a credit card and showing government identification such as a driver's license. The Pay By Touch technology records the lines and ridges of their fingerprints and translates the data into a numerical template that is stored in a secure database. Thereafter the customers never have to carry a wallet or purse to the store, and can use their finger to pay for goods across the Pay By Touch network, which now includes stores in 10 states. (Excerpt from article by Matt Marshall)
[source: News]
(2005-10-04) [TheStreet.com] Google's WiFi ambitions may generate a few hits on the privacy front. The potential problem is that for Google's location-based services to work, the company needs to know where you are and what you are interested in. And to get that info, the company will track some of your Web page viewing and roughly pinpoint your location.
"From a privacy standpoint, I don't think it's a huge issue. But targeting ads makes it more visible to the user," says ABI Research analyst Sam Lucero. "Google is going to slap them right in the face with it. And that might be a public relations problem." (Excerpt from article by Scott Moritz)
[source: Tech Stocks]
(2005-10-04) [DHS] The Department of Homeland Security has a "DHS Data Privacy and Integrity Advisory Committee" (support for the DHS Privacy Office). Documents and minutes from various committee meetings are available.
See links from the DHS Privacy AC home page, and also DHS Privacy Office home page.
[source: News]
(2005-10-04) [Privacilla] Privacilla.org has made available a document on analysing the privacy issues of specific technologies, applications, etc.
Abstract: "This document is a recommended framework for analyzing programs, technologies, and applications in light of their effects on privacy and related interests. It was written for the use of the U.S. Department of Homeland Security's Data Privacy and Integrity Advisory Committee but it may also be useful elsewhere within the Department and for other governmental entities that are working to reconcile personal data-intensive programs and activities with important social and human values." Read the draft of the document Framework for Privacy Analysis of Programs, Technologies, and Applications.
[source: News]
(2005-10-03) [IDG] Big Brother is watching. The law recognizes that there are circumstances in which monitoring of others' activities is permissible or even desirable.
In general, employers have a lot of leeway in monitoring what their employees do while on company premises and using company equipment. (Excerpt from article by Deb Shinder)
[source: ComputerWorld]
(2005-10-03) [IDG] Microsoft said Monday it is investigating a recently released Trojan horse that targets a hole in its Microsoft Office software suite that was first identified in April.
Symantec has issued an advisory that the Trojan, named Backdoor.Hesive, can arrive as a Microsoft Access file, exploiting a buffer overflow in the Microsoft Jet Database Engine. The code can give an unauthorized user access, Symantec said, allowing an intruder to upload files, modify registry values and gather system and network information. (Excerpt from article by Jeremy Kirk)
[source: InfoWorld]
(2005-10-01) [IDG] It takes critical care to control employee, customer and partner identities, but the efforts will help shore up security and compliance, not to mention reduce spending. Here's what you need to know about IdM.
If you think identity management simply means issuing user accounts to restrict and monitor access to critical business information, think again. Those tasks are just a tiny piece of the complicated IdM puzzle, which also incorporates directory services, strong authentication, access control, user provisioning, self-service and federated identity management. Ensuring secure access to an ever-expanding set of systems and applications requires IT to manage the creation, modification and termination of employee, business partner, contractor, customer and vendor identities that are often stored on distributed systems. Fortunately, IdM done right can save you money by giving you better control over assets and increasing operational efficiencies. (Excerpt from article by Joanne VanAuken)
[source: Compliance Pipeline]
(2005-09-30) [California Legislative Information] On Sep 30, 2005, Governor Arnold Schwarzenegger signed California Senate Bill 355, the Anti-Phishing Act of 2005, which makes phishing schemes illegal in California.
Read the Anti-Phishing Act.
[source: News]
(2005-09-29) [IDG] Here's one more reason why the FCC's ruling about VoIP and wiretap laws is thoroughly wrong-headed: Under it, Skype, as well as other PC-to-PC VoIP systems like Google Talk, are exempt. But VoIP providers like Vonage need to comply.
Here are the exact words the FCC used: "facilities-based broadband Internet access service providers and VoIP providers that offer services permitting users to receive calls from, and place calls to, the public switched telephone network (PSTN)" are covered by the ruling. But computer-to-computer VoIP services need not comply. (Posted by Preston Gralla)
[source: InfoWorld Blog]
(2005-09-29) [EFF] MIT's eCitizen project has launched a blog to examine the Real ID Act.
See eCitizen website.
[source: EFFector 33]
(2005-09-29) [EFF] EFF is fighting the Department of Justice in a New York federal court case that will determine whether the government is required to show probable cause to believe a crime has been or will be committed before secretly tracking people using their cell phones.
"This is the first case considering when the government can track the movements of your cell phone, and the answer couldn't be more important," said EFF Staff Attorney Kevin Bankston. "Allowing the government to turn anyone's cell phone into a tracking device without probable cause will enable a surveillance society that would make Big Brother jealous."
[source: EFFector 33]
(2005-09-29) [EFF] The Trusted Computing Group (TCG), an industry consortium developing controversial computer security specifications, has released a wish list of applications of TCG technology to cell phone security. Unfortunately, much of this "security" aims to help cell phone carriers cement their control over their customers.
EFF attended TCG's announcement in San Francisco on Tuesday and criticized the proposals as steps in the wrong direction for the future of mobile communications.
[source: EFFector]
(2005-09-29) [Datainspektionen] [Swedish] Many retail companies offer their customers loyalty cards and can thereby map their eating, travel and shopping habits down to the smallest detail. Datainspektionen regards this as a threat to personal privacy and demands that customers be informed more clearly and that the data not be kept longer than necessary.
The Swedish public carries a multitude of loyalty cards in its wallets. Each time a card is swiped, essentially the same information that appears on the receipt is recorded. Many customers collect points with their cards without having received sufficient information about how the data is recorded. The companies can then use this data to build up a "customer profile", which makes it possible to send the right advertising to the right person.
[source: Press release]
(2005-09-29) [Datatilsynet] [Norwegian] International data protection authorities call for a debate on the use of biometrics in passports.
At the 27th International Conference of Data Protection and Privacy Commissioners in Montreux (14-16 September), the supervisory authorities adopted a joint resolution on the use of biometric data (facial recognition and fingerprints) in the issuance of passports, ID cards and travel documents. Extensive use of biometrics in such documents will have major consequences for society and should therefore not be introduced without a prior debate. In the resolution, the representatives of the supervisory authorities call for effective security mechanisms to be built into the solutions so that the risks of using biometrics are limited. (By Ove Skåra)
[source: News]
(2005-09-28) [Kansas City Star] A University of Missouri hospital faces a class-action lawsuit after allegedly releasing confidential medical records for hundreds of patients to a company it hired to solicit business.
The suit was filed earlier this year on behalf of approximately 800 patients with liver diseases, including hepatitis C. The complaint alleges that records were turned over by University Hospital's internal medicine chairman to a home health care provider doing business as Option Care, which then allegedly called the patients in an effort to sell them antiviral drugs and keep them in the hospital network. The Option Care nurse who contacted the patients using the list from the hospital stated that the calls were not for solicitation but for patient safety.
[source: News]
(2005-09-28) [CNet] RBC Dain Rauscher, a unit of Royal Bank of Canada, is investigating the possible theft of the identities of a small number of its customers. A person claiming to be a former employee of RBC Dain Rauscher sent anonymous letters to some of the company's customers, saying their personal information had been stolen, RBC Dain Rauscher said Tuesday.
RBC Dain Rauscher said it is working with local and federal authorities, including the FBI, and has hired an outside company specializing in identity theft to probe the matter. Identity theft by some estimates affects more than 9 million Americans each year.
[source: News.com]
(2005-09-28) [CNet] The organization behind the World Cup soccer competition warned this week that Internet fraudsters are using its name in a global phishing scheme.
Several groups are distributing fraudulent e-mail messages that claim to be associated with the FIFA soccer committee, FIFA said. The official-looking e-mails tell recipients they've won a lottery and ask them to disclose personal information, including bank account data, in order to collect their winnings, the organization said. "FIFA confirms that these lotteries have no connection with or authorization from FIFA," the Swiss-based organizers said in a statement on Tuesday. (Excerpt from article by Alorie Gilbert)
[source: News.com]
(2005-09-28) [Pinsent Masons] The European Parliament rejected plans from the UK for an EU-wide data retention regime yesterday. But it lacks the power to stop them becoming law so instead it is hoping to divert support towards an alternative proposal from the Commission.
The European Parliament had already rejected the measure -- promoted by the UK, France, Ireland and Sweden -- in June, but had been asked to reconsider.
[source: OUT-LAW.com]
(2005-09-27) [CMP] A recent talk by Visa and MasterCard security experts delivered some sobering news to the card industry. According to a report by Reuters, the fight against cyber thieves has reached a stalemate, and millions will have to be spent over the next decade to combat perpetrators.
Organized crime rings are successfully using the Internet and crimeware programs to sidestep many of the security measures taken by card issuers, said John Shaughnessy, SVP for fraud prevention at Visa USA, and Suzanne Lynch, VP for security and risk services at MasterCard, at a conference. They even claimed these organized gangs are assisted in some cases by former Soviet KGB cryptographers. (Excerpt from article by Maria Bruno-Britz)
[source: Security Pipeline]
(2005-09-23) [EFF] Jakob Nielsen says stop shouting at poor consumers for problems caused by badly designed security software.
See story.
[source: EFFector]
(2005-09-23) [EFF] The Carter-Baker Commission, formally known as the Commission on Federal Election Reform, this week released an extensive report on the country's electoral health, along with a wide range of suggested reforms. Most of the Commission's recommendations should cheer those concerned about the security of electronic voting.
The report found that there is an urgent need for the nation to increase transparency in voting processes and to institute robust security measures, and that the lack of transparency and robust security is undermining public confidence that votes are being accurately recorded.
[source: EFFector]
(2005-09-22) [eWeek.com] Mobile phone providers are starting to fit security software to subscribers' cellphones, even though the threat from viruses and other rogue programs is still distant, hoping the mobile market will fend off the scourge of the Internet world.
"On the corporate side, the demand is already there. IT managers have understood the issue. But to the consumers it's still more like pushing it," said Tuukka Toivonen, head of corporate accounts at rival Finnish operator Elisa. "In smartphones, data security issues are similar to those we have in PCs today," he said, adding security software will become "a must-have" for phones within the next five years. (Excerpt from article by Tarmo Virki)
[source: News]
(2005-09-22) [Pinsent Masons] A bank whose website was incorrectly identified by Earthlink's anti-phishing toolbar as "potentially fraudulent" cannot sue the ISP, a judge ruled last week, finding that Earthlink was not the publisher of the information in terms of a US law.
The case concerned Scamblocker, a service launched by Earthlink in April 2004 to spot fraudulent websites set up to gather visitors' bank details.
[source: OUT-LAW.com]
(2005-09-21) [Pinsent Masons] The European Commission today adopted a proposal for a Directive on the retention of communications traffic data that would see internet data held for six months, phone data held for one year, and ISPs and telcos compensated for their compliance costs.
But the proposal has tough competition: it needs the support of the European Parliament and Council of Ministers to become law -- and the Council has its own plans for data retention, set out in a Framework Decision. The Council plan allows for data retention periods of up to three years and it could be adopted by the Council acting alone, without any debate in Parliament.
[source: OUT-LAW.com]
(2005-09-19) [Pinsent Masons] Privacy chiefs from 40 countries have called upon the United Nations to prepare a legally binding instrument which clearly sets out in detail the rights to data protection and privacy as enforceable human rights.
The call to the UN was made in a declaration adopted at the 27th International Conference of Data Protection and Privacy Commissioners in Montreux last week.
[source: OUT-LAW.com]
(2005-09-15) [Pinsent Masons] One in 20 records in a database used by enforcement agencies across Europe is in breach of privacy laws, according to criticisms by Denmark's data protection authority of the controversial Schengen Information System.
The Danish Data Protection Agency has criticised Denmark's National Commissioner of Police for what it calls an "unacceptably high" number of errors in reporting individuals to the Schengen Information System, or SIS.
[source: OUT-LAW.com]
(2005-09-08) [Pinsent Masons] The UK Government today unveiled a quality award scheme designed to ensure that users of off-the-shelf IT security products are buying a product that meets Government-approved standards. An encryption vendor won the first accreditation today.
The CSIA Claims Tested Mark scheme is primarily aimed at IT and information security managers across the public sector, but is also expected to serve as a useful guide to small and medium-sized businesses wanting to know their purchasing meets government's preferred standards.
[source: OUT-LAW.com]
(2005-04-18) [HNS] Zaklina Supica reviews "The Art of Computer Virus Research and Defense" (by Peter Szor, 2005, Addison-Wesley, 744 pages)
Quote: "The Art of Computer Virus Research and Defense is really a justified title for the book. With so many techniques, methods, strategies and examples, it is the definitive guide for experienced IT professionals, especially for security experts."
[source: Reviews]
(2005-01-19) [HNS] Zaklina Supica reviews "Privacy: What Developers and IT Professionals Should Know" (by J. C. Cannon, 2004, Addison-Wesley, 384 pages).
Quote: "As mentioned before, the book is divided into three parts and each of them has its own specific focus. The first part is dedicated to everyone interested in privacy. The second part is specific to organizations, and the third part covers themes of interest to developers. All three parts offer an overview of privacy. Whether you are a manager, IT professional, developer, or security specialist, this book will give you some of the quality information you need to protect your customers and your organization."
[source: Reviews]
(2005-09-28) [vnunet.com] The Trusted Computing Group (TCG) is working on specifications for a security chip that could show up in mobile phones by the end of next year. The initiative to make handsets more secure has broad support from phone manufacturers, carriers and semiconductor makers.
But the plans have been sharply criticised by consumer advocacy group the Electronic Frontier Foundation as an effort to further limit consumers in what they can do with their mobile phones. (Excerpt from article by Tom Sanders)
[source: News]
(2005-09-22) [EPIC] The Department of Homeland Security announced last week that the US-VISIT border security program will add 104 ports of entry, beyond the current 50, by the end of the year.
Problems have been found in US-VISIT's database and technology systems, and some errors have led to the improper flagging of crewmembers by government watch lists.
[source: EPIC Alert vol 12 no 19]
(2005-09-22) [EPIC] In the course of investigating a 2004 security breach involving 140,000 Americans, commercial data broker Choicepoint announced that another 9,903 individuals had their personal information sold without authorization.
Of these individuals, 4,667 are victims of the 2004 security breach where Choicepoint sold personal information to an identity thief ring posing as a business.
[source: EPIC Alert vol 12 no 19]
(2005-09-22) [EPIC] Rep. Edward J. Markey, a senior Member of the House Energy and Commerce Committee and the Co-Chair of the Congressional Privacy Caucus, recently released a report assessing the privacy risks for Americans when their data is outsourced to other countries.
The report ranked the countries based on eight principles of legal protections taken from the European Union's Data Privacy Directive, including security, enforcement and notification. The report found that 14 of the 20 countries profiled have privacy regimes that are weaker than that of the U.S.
[source: EPIC Alert vol 12 no 19]
(2005-09-22) [EPIC] The Commission on Federal Election Reform, co-chaired by former President Jimmy Carter and former Secretary of State James A. Baker III, released a report on the conduct of domestic elections. The report made 87 recommendations, which include a call for universal voter registration, use of the Real ID as a voter identification document, and verifiable paper trails for electronic voting machines.
The report said that a single, uniform ID requirement would reduce discrimination, improve voter confidence and eliminate identification-related election fraud.
[source: EPIC Alert vol 12 no 19]
(2005-09-22) [EPIC] EPIC urged the Canadian government to assume an aggressive posture against identity theft by taking a number of measures to give individuals greater control over personal information.
In comments to the Consumer Measures Committee, EPIC explained the need for consumers to be able to freeze their credit files and for retailers to more carefully screen credit applications for signs of fraud.
[source: EPIC Alert vol 12 no 19]
(2005-09-22) [EPIC] Privacy commissioners from around the world called on governments and international organizations to establish data protection and privacy as fundamental human rights. At a privacy conference in Montreux, Switzerland, they also called for effective safeguards to limit the use of biometric passports and identity cards so that centralized databases will not be established. They also urged greater cooperation with NGOs.
A day before the large privacy conference started, EPIC and other European and American civil liberties groups sponsored a conference entitled "Strategies for International Privacy Protection -- Issues, Actors, and Future Cooperation." Its principal aim was to debate one of the two most sensitive privacy issues governments are grappling with and to reinforce cooperation between non-governmental organizations and data protection authorities. Privacy officials, NGOs, and representatives from industry all participated in the discussion.
[source: EPIC Alert vol 12 no 19]
(2005-09-27) [RSA Security] End Users Suffering from Password Overload Rely Upon Risky Password Management Behaviors; Password Reset Calls Driving Up IT Help Desk Costs
RSA Security Inc. today announced survey results that show the challenges end users face in managing passwords inside the enterprise, and the potential corporate IT security risks that result. The survey of almost 1,700 enterprise technology end users in the United States showed that over a quarter of respondents must manage more than 13 passwords at work, and that nine out of ten respondents are frustrated with the password management challenge. This frustration is leading to behaviors that could jeopardize IT security, as well as compliance initiatives.
[source: Press release]
(2005-09-27) [CNet] As mobile phones become digital do-it-alls, handsets need better protection from hackers and from unauthorized access when they're lost or stolen, says an industry group proposing new, hardware-based security standards for the devices.
The Trusted Computing Group (TCG)--backed by big names like Nokia, Motorola, Intel, Samsung, VeriSign and Vodafone--plans to unveil its plan Tuesday at a conference sponsored by the Cellular Telecommunications & Internet Association. The TCG has already developed similar specifications for PCs and servers. (Excerpt from article by Joris Evers)
[source: News.com]
(2005-09-25) [eChannelLine] Enterprise security vendor SurfControl has issued a warning about a newly discovered "Secured Phishing" technique, in which the phishing site is served over SSL so that the browser shows its usual security indicators, which may fool Web site visitors into divulging personal information because they believe they are visiting a secured, trusted Web site.
SurfControl is rating this threat as "High Risk" due to the sophisticated elements of this technique that mask the scam, and its potential to victimize everyday Internet users with limited knowledge of Web security and digital certificates. (Excerpt from article by Mark Cox)
[source: Daily News]
(2005-09-25) [WorldNetDaily.com] Internet users hoping to protect their privacy by using anti-virus software, Web anonymizers, false identities and disabled cookies on their computer's Web browser have something new to worry about -- a patent filed by the National Security Agency (NSA) for technology that will identify the physical location of any Web surfer.
Patent 6,947,978, granted this week, describes a process based on latency, or time lag between computers exchanging data, of "numerous" known locations on the Internet to build a "network latency topology map" for all users. Identifying the physical location of an individual user, reports CNET News.com, could then be accomplished by measuring how long it takes to connect to an unknown computer from numerous known machines, and using the latency response to display location on a map.
[source: News]
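The technique the patent describes in outline, a latency map built from many known vantage points, is at heart constraint-based multilateration: each landmark at a known position measures the round-trip time to the target, converts it into a maximum possible distance (the signal cannot travel faster than light in fibre, and real paths are longer than the straight line, so the bound is conservative), and the target must lie in the intersection of the resulting discs. The following is an added example written for this page, not the patent's method and not code from the article: it uses a flat 2-D plane in kilometres instead of latitude and longitude, constructed landmark positions and RTTs, a calibration step that derives each landmark's km-per-ms ratio from landmark-to-landmark measurements, and a plain grid search for the feasible region. One caveat a practitioner should keep in mind: the measurements reach whatever address the target connects from, so a proxy or anonymizer would be located rather than the user behind it.

```python
"""Constraint-based geolocation from landmark latencies (added example).

Positions are 2-D kilometre coordinates on a plane; a real system would use
latitude/longitude and great-circle distances.  All landmark names, positions
and RTT values below are constructed for illustration.
"""
import math
from dataclasses import dataclass

# Physical ceiling: light in fibre covers roughly 200 km per ms one way, so a
# round trip of 1 ms cannot span more than ~100 km of straight-line distance.
MAX_KM_PER_RTT_MS = 100.0


@dataclass(frozen=True)
class Landmark:
    name: str
    x: float  # km
    y: float  # km


def distance(ax, ay, bx, by):
    return math.hypot(ax - bx, ay - by)


def calibrate(landmarks, peer_rtts):
    """Per-landmark km-per-RTT-ms ratio from landmark-to-landmark RTTs.

    This is the 'latency topology map' step.  Keeping the *fastest* observed
    ratio (distance / RTT) means the distance bound derived from it later is an
    upper bound, so the true location stays inside the feasible region.  A ratio
    above the physical limit would indicate a bad measurement and is capped.
    """
    by_name = {lm.name: lm for lm in landmarks}
    ratio = {}
    for lm in landmarks:
        best = 0.0
        for (a, b), rtt in peer_rtts.items():
            if lm.name not in (a, b):
                continue
            other = by_name[b if a == lm.name else a]
            best = max(best, distance(lm.x, lm.y, other.x, other.y) / rtt)
        ratio[lm.name] = min(best, MAX_KM_PER_RTT_MS) if best > 0 else MAX_KM_PER_RTT_MS
    return ratio


def feasible(landmarks, ratio, target_rtts, x, y):
    """True if (x, y) lies within every landmark's distance bound for the target."""
    return all(
        distance(lm.x, lm.y, x, y) <= ratio[lm.name] * target_rtts[lm.name]
        for lm in landmarks
    )


def locate(landmarks, ratio, target_rtts, step=10.0, margin=200.0):
    """Grid-search the intersection of all distance constraints.

    Returns (estimate_x, estimate_y, area_km2): the centroid of the feasible
    region and its size, or None when the constraints are inconsistent
    (for example a landmark reported an impossibly short RTT).
    """
    xs, ys = [lm.x for lm in landmarks], [lm.y for lm in landmarks]
    x0, x1 = min(xs) - margin, max(xs) + margin
    y0, y1 = min(ys) - margin, max(ys) + margin
    sum_x = sum_y = 0.0
    count = 0
    for i in range(int(round((x1 - x0) / step)) + 1):
        x = x0 + i * step
        for j in range(int(round((y1 - y0) / step)) + 1):
            y = y0 + j * step
            if feasible(landmarks, ratio, target_rtts, x, y):
                sum_x, sum_y, count = sum_x + x, sum_y + y, count + 1
    if count == 0:
        return None
    return sum_x / count, sum_y / count, count * step * step


# Constructed data: four landmarks at the corners of a 1000 km square.
LANDMARKS = [
    Landmark("lm-a", 0.0, 0.0), Landmark("lm-b", 1000.0, 0.0),
    Landmark("lm-c", 0.0, 1000.0), Landmark("lm-d", 1000.0, 1000.0),
]
# Constructed landmark-to-landmark RTTs (ms): about 50 km per RTT-ms, i.e.
# roughly half the physical limit, which is typical of real paths.
PEER_RTTS = {
    ("lm-a", "lm-b"): 20.0, ("lm-a", "lm-c"): 20.0, ("lm-a", "lm-d"): 30.0,
    ("lm-b", "lm-c"): 30.0, ("lm-b", "lm-d"): 20.0, ("lm-c", "lm-d"): 20.0,
}
# Constructed RTTs (ms) from each landmark to a target that really sits at
# (500, 500), about 707 km from every corner.
TARGET_RTTS = {"lm-a": 16.0, "lm-b": 17.0, "lm-c": 16.0, "lm-d": 18.0}
TRUE_TARGET = (500.0, 500.0)


def demo():
    ratio = calibrate(LANDMARKS, PEER_RTTS)
    ex, ey, area = locate(LANDMARKS, ratio, TARGET_RTTS)
    return {
        "estimate": (ex, ey),
        "area_km2": area,
        "error_km": distance(ex, ey, *TRUE_TARGET),
        "true_inside": feasible(LANDMARKS, ratio, TARGET_RTTS, *TRUE_TARGET),
    }


if __name__ == "__main__":
    r = demo()
    print(f"estimate ({r['estimate'][0]:.0f}, {r['estimate'][1]:.0f}) km, "
          f"region {r['area_km2']:.0f} km^2, error {r['error_km']:.0f} km")
```

The point of the calibration step is the same one the patent's "topology map" addresses: a raw speed-of-light bound gives discs far too large to be useful, while ratios learned from known-to-known measurements tighten them to what the network actually delivers. The grid resolution (`step`) trades accuracy for run time; the region's area is the honest statement of how precise the estimate is.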
(2005-09-23) [Wired] Efforts to secure the integrity of electronic-voting machines seemed to get a boost this week, but the debate over the best way to guard against election tampering remained at a fever pitch.
After five months of hearings and deliberations, a high-level election-reform commission led by former President Jimmy Carter and former Secretary of State James Baker recommended that Congress require electronic-voting machines to produce a voter-verifiable paper audit trail by 2008. (Excerpt from article by Kim Zetter)
[source: News]
(2005-09-22) [IDG] Virus writers have come up with a way to make their malicious software jump from a mobile phone to the PC. Security researchers on Thursday reported the first sightings of a new Trojan program, which masquerades as pirated software for mobile phones and attempts to infect PCs via the phone's memory card.
Though the malware is not considered to be a significant risk to users, it marks the first time that researchers have seen an attack that tries to move beyond mobile phones, said Mikko Hypponen, director of anti-virus research with F-Secure Corp. "From a more academic point of view it's very interesting," he said. (Excerpt from article by Robert McMillan)
[source: Infoworld]
(2005-09-22) [CNet] The top three U.S. credit reporting companies said on Thursday they would adopt a single, shared encryption standard to better protect the huge amounts of sensitive electronic data they receive every day from banks, retailers and credit-card companies.
Equifax, Experian and TransUnion, which maintain huge databases on hundreds of millions of Americans, said the joint effort would involve the development and adoption of a data-cloaking code built on an encrypted algorithm and 128-bit, secret-key technologies. In a statement, the companies insisted they have "long employed information security tools and programs" to ensure the information they compile from third parties isn't intercepted by thieves.
[source: News.com]
(2005-09-21) [IDG] As the U.K. government moves ahead with a national identification card plan, it should be based on open standards, the executive director of the Liberty Alliance said Wednesday at a press briefing in London.
While the U.K. announced in May that it hopes to start issuing national ID cards by 2008, resolving broad issues of how citizens may interact with an increasingly Web-based government may be years away. However, companies are already speculating as to how the identity -- and security -- of people who access government information may be verified and managed. (Excerpt from article by Jeremy Kirk)
[source: InfoWorld]
(2005-09-21) [eChannelLine] The results from Symantec Corp.'s latest "Internet Security Threat Report Volume VIII -- The Changing Threat Landscape" has found global phishing threats continued to increase in volume and have begun focusing on smaller and regional targets over the past six months.
This latest report marks a shift in the threat landscape, Symantec said. Attackers are moving away from large, multi-purpose attacks on network perimeters in favour of smaller, more focused attacks on client-side targets. The new threat landscape will likely be dominated by emerging threats such as bot networks, customizable modular malicious code, and targeted attacks on Web applications and Web browsers, the report stated. (Excerpt from article by Liam Lahey)
[source: Daily News]
(2005-09-21) [IDG] The European Commission today presented a proposal that would require all telephone, Internet and e-mail traffic to be logged to combat terrorism and serious crime.
The move challenges European Union member states, which are negotiating a rival plan. Telephone and Internet companies are waiting for the outcome of the clash, since the proposals differ over how much industry will be expected to pay to store the data and how long it must be kept. (Excerpt from article by Huw Jones)
[source: ComputerWorld]
(2005-09-21) [IDG] Hoping to learn from the lessons of its unsuccessful Passport initiative, Microsoft Corp. is taking a more open tack in developing its new InfoCard identity management platform, a company executive said Tuesday.
Like Passport, InfoCard is designed to make it easier for users to surf the Web by keeping track of their usernames and passwords as they move from site to site. Unlike Passport, however, InfoCard is being designed to work on client and server software that was not developed by Microsoft. (Excerpt from article by Robert McMillan)
[source: ComputerWorld]
(2005-09-21) [IDG] The top security experts at the world's two biggest credit card companies say that the battle against Internet-based thieves has reached a stalemate and that the industry will have to spend millions of dollars over the next decade just to keep up with criminals.
Speaking at a conference in Memphis on Monday, John Shaughnessy, senior vice president for fraud prevention at Visa U.S.A. Inc. and Suzanne Lynch, vice president for security and risk services at MasterCard International Inc., said that organized crime rings -- with the help, in many cases, of former Soviet KGB cryptographers -- are successfully using the Internet and "crimeware" software programs to circumvent the defenses credit card issuers have erected against them. (Excerpt from article by James B. Kelleher)
[source: ComputerWorld]
(2005-09-20) [CMP] For the second day in a row, an unknown attacker Tuesday spammed major quantities of a new Bagle-esque Trojan horse that turns off virtually every known security program and blocks access to security sites on the Internet.
Several variants of the BagleDI-U Trojan -- dubbed Bagle.cd by McAfee, and Bagle.da by Trend Micro -- have been spammed since Monday at approximately 11 a.m. EDT. A second wave hit the Internet around the same time Tuesday, said U.K.-based security firm Sophos. (Excerpt from article by Gregg Keizer)
[source: Security Pipeline]
(2005-09-20) [IDG] Security initiatives by the International Civil Aviation Organization (ICAO) could open up new avenues for the deployment of biometric technologies across the globe.
Montreal-based ICAO, which sets guidelines and standards for passports and travel documents worldwide, is pushing for its 189-member countries to adopt machine-readable, electronic passports by 2010. (Excerpt from article by Mark Els)
[source: ComputerWorld]
(2005-09-19) [NewScientist.com] A HIGH-profile court case in Massachusetts is once again casting doubt on the claimed infallibility of fingerprint evidence. If the case succeeds it could open the door to numerous legal challenges.
The doubts follow cases in which the testimony of fingerprint examiners has turned out to be unreliable. The most high-profile mistake involved Brandon Mayfield, a Portland lawyer, who was incorrectly identified from crime scene prints taken at one of the Madrid terrorist bombings on 11 March 2004. Despite three FBI examiners plus an external expert agreeing on the identification, Spanish authorities eventually matched the prints to an Algerian. (Excerpt from article by Andy Coghlan and James Randerson)
[source: news service]
(2005-09-13) [University of California at Irvine] UC Irvine criminologist Simon Cole has shown that not only do errors in fingerprint matching occur, but that as many as a thousand incorrect fingerprint "matches" could be made each year in the U.S., in spite of safeguards intended to prevent errors.
Cole's study is the first to analyze all publicly known mistaken fingerprint matches. In analyzing these cases of faulty matches dating from 1920, Cole suggests that the 22 exposed incidents, including eight since 1999, are merely the tip of the iceberg. Despite the publicly acknowledged cases of error, fingerprint examiners have long held that fingerprint identification is "infallible", and testified in court that their error rate for matching fingerprints is zero. See also Cole's paper.
[source: Press Release]
(2005-08-16) [CDT] The Federal Communications Commission is considering rules that would require voice-over Internet Protocol (VoIP) providers to deploy automatic location technology for use in emergency calls. Location determination can be useful in emergency calls but such a mandate could endanger both personal privacy and the ability of companies to innovate.
CDT, Computer & Communications Industry Association, Electronic Frontier Foundation, and Pulver.com submitted joint comments urging that the FCC avoid writing rules that force the creation of a surveillance system that can track mobile VoIP users.
[source: Headlines]
(2005-08-11) [CDT] A Federal Appeals Court on Thursday reversed a troubling ruling that prevented the Justice Department from prosecuting an e-mail service provider who allegedly intercepted and read his customers' messages. In the case of United States v. Councilman, the full First Circuit Court of Appeals ruled 5-2 to reverse the opinion of a three-judge panel that Bradford Councilman did not violate the law by allegedly copying and reading his customers' e-mail.
The ruling reaffirms that e-mail is subject to protection, both against government wiretapping without a warrant and against misuse by service providers, but it fails to answer some key questions and it left in place increasingly outdated aspects of the surveillance laws that are inadequate to protect privacy. Those issues will need to be resolved by Congress.
[source: Headlines]
(2005-08-01) [CDT] The US Senate approved an amended version of the Patriot Act Reauthorization Bill by unanimous consent.
Although the measure, which was approved last week by the Senate Judiciary Committee, does not go as far toward restoring checks and balances as CDT would like, it contains important reforms and is a better bill for civil liberties than the bill approved by the House of Representatives in July. CDT has drafted a memo detailing the key provisions of, and differences between, the two measures.
[source: Headlines]
(2005-07-19) [CDT] In recommendations to the Data Privacy and Integrity Advisory Committee of the Department of Homeland Security, CDT urged the Committee to ask Congress to amend the Privacy Act to make it clear that it applies to government use of commercial data.
In addition, until Congress acts, CDT urged the Committee to recommend that DHS apply core Privacy Act principles as a matter of policy and contract when it accesses or uses personally identifiable information from commercial sources. See CDT Recommended Policies for Use of Private Sector Data.
[source: Headlines]
(2005-09-21) [EDRI] In the series Information Technology & Law, the Dutch University of Tilburg has published a volume on camera surveillance and workplace privacy, which includes 11 country reports.
The European countries covered by the report are: the Netherlands, Belgium, the UK, Germany, Hungary and Italy. See Reasonable Expectations of Privacy? (edited by Sjaak Nouwt, Berend R. de Vries and Corien Prins, IT & Law nr 7, The Hague 2005).
[source: Number 3.19, 21 September 2005]
(2005-09-21) [EDRI] EDRI and a coalition of civil liberty groups has organised a pre-event at the international conference of data protection commissioners on 12 September in Montreux. The aim was to strengthen cooperation between NGOs and official data protection authorities (DPAs).
The meeting was well-attended by NGOs, privacy officials and industry representatives and led to promising discussions on how to improve collaboration in the future. See agenda of EDRI pre-event in Montreux (12.09.2005).
[source: Number 3.19, 21 September 2005]
(2005-09-21) [EDRI] The 27th international conference of data protection commissioners took place in Montreux/Switzerland from 13 to 15 September 2005. The meeting, titled "The protection of personal data and privacy in a globalised world: A universal right respecting diversities", brought together several hundred data protection authority (DPA) officials, industry and cyber-rights groups and other stakeholders for three intense days of discussion.
One big issue was the tenth anniversary of the EU's data protection directive from 1995. Part of the discussion focused on other means of privacy protection, ranging from industry self-regulation to incorporating privacy protection into the design of the technical infrastructures. The conference also passed resolutions on biometric identity documents and on the use of personal data for political communications. Find more information at the Montreux conference website.
[source: Number 3.19, 21 September 2005]
(2005-09-21) [EDRI] The Dutch ministry of Health, Welfare and Sport plans to introduce a new electronic file on every new-born, starting in January 2007.
The file will contain information about the child, the family situation and its surroundings, later adding educational data, information from social workers and possible police records. The file will be principally maintained by youth doctors and medics working for the child public health care service. The file will be connected to the citizen service number, a new electronic ID for every Dutch resident and citizen replacing the old social-fiscal number.
[source: Number 3.19, 21 September 2005]
(2005-09-21) [EDRI] The Guardian reports about a new daughter-company of the UK Supermarket chain Tesco, that is selling very detailed information about every household and every person in the UK to the highest bidder.
The database, called Crucible, contains "A map of personality, travel habits, shopping preferences and even how charitable and eco-friendly you are." Even if you don't shop at Tesco's, by combining data (about, for example, magazine subscriptions) from other sources such as Experian, Claritas and Equifax, the company has, in its own words, collected a "massive pool" of consumer data. The company also uses government information, such as the electoral roll, which contains names, ages and housing information.
[source: Number 3.19, 21 September 2005]
(2005-09-21) [EDRI] In the first week of October the European Commission will publish a proposal for a Council Framework Decision on the protection of personal data exchanged by courts and police under the Third Pillar in EU Member States.
The framework decision will allow the EU to move forward with plans for full cross-border access to police databases under the "principle of availability". The Council has become increasingly eager for a proposal to be agreed, calling in July for the Commission to present proposals by October at the latest.
[source: Number 3.19, 21 September 2005]
(2005-09-21) [EDRI] The European Commission has finally launched its proposal for a directive on data retention.
The Commission proposal is very similar to the last versions of the proposal from the Ministers of Justice (JHA Council) for a framework decision. The Commission proposal only differs in a shorter retention period: one year retention for data about telephony behaviour, including location data of mobile phones. Internet data should be stored for 6 months. The Commission fails to provide any evidence for the need and benefits of data retention. See Commission press release (21.09.2005).
[source: Number 3.19, 21 September 2005]
(2005-09-22) "Crime, Justice and Surveillance" will take place on April 5 -- 6, 2006 (Sheffield, UK).
See calendar entry.
(2005-09-22) "Biometrics: Your Key To The World" will take place on September 28, 2005 (Singapore).
See calendar entry.
(2005-09-22) "Workshop Privacy Impact Assessment for Biometrics" will take place on March 9, 2006 (Wellington, Australia).
See calendar entry.
(2005-09-10) [CMP] Hospitals in Connecticut, Alabama and Pennsylvania are using Radianse Inc.'s RFID products to improve equipment management and patient and staff movement.
Radianse, of Lawrence, Mass., announced that it has installed its active RFID indoor positioning solution at Yale-New Haven Hospital to increase efficiency, enhance safety and reduce costs. It will cover nearly 1,000 pieces of medical equipment and managers, allowing convenient tracking with web-based searches. Later this year, the Connecticut hospital will add patient location, using a wrist-sized device. (Excerpt from article by K.C. Jones)
[source: RFIDinsight]
(2005-09-22) "Biometrics Institute Workshops" will take place on November 16, 2005 (Melbourne, Australia).
See calendar entry.
(2005-09-20) [BBC] Piracy costs movie studios as much as $3.5bn a year. Six major Hollywood studios have formed a joint venture to protect their movies from the threat of electronic piracy.
Motion Picture Laboratories will research and create new technologies to stop the unauthorised distribution of films, particularly via the internet.
[source: News]
(2005-09-22) "Biometrics 2005" will take place on October 19 -- 21, 2005 (London, UK).
See calendar entry.
(2005-09-19) [Reuters] A top executive with Mastercard Inc. said on Monday the company, the world's No. 2 credit-card association, expected to have 4 million so-called "pay pass" cards in circulation by year's end.
Speaking at an industry conference here, Ruth Ann Marshall, Americas president for MasterCard, said that Citibank, HSBC and Key Bank had all begun offering the cards, which are equipped with a radio-frequency chip that allows customers to pay for purchases by simply waving their cards at readers posted near cash registers or gas pumps. (Excerpt from article by James B. Kelleher) (see also MasterCard PayPass page).
[source: Reuters.com]
(2005-09-22) "Biometrics on the Internet" will take place on October 27 -- 28, 2005 (Hatfield, Hertfordshire, UK).
See calendar entry.
(2005-09-19) [CNet] Computer hackers seeking financial gain rather than thrills or notoriety are increasingly flooding the Internet with malicious software code, according to a semi-annual report from security company Symantec.
Symantec's Internet Security Threat Report said that during the first half of 2005, the number of new viruses targeting Microsoft Windows users jumped 48 percent to nearly 11,000 compared with the previous six months, as hackers used new tools and a growing sophistication to create malicious code.
[source: News.com]
(2005-09-22) "Fall 2005 Biometrics Summit" will take place on November 1 -- 3, 2005 (New York, NY, US).
See calendar entry.
(2005-09-19) [CNet] Researchers at the Georgia Institute of Technology have come up with an inexpensive way to prevent digital cameras and digital video cameras from capturing that secret shot.
The technology they've devised detects the presence of a digital camera up to 33 feet away and can then shoot a targeted beam of light at the lens, according to Shwetak Patel, a grad student at the university and one of the lead researchers on the project. (Excerpt from article by Michael Kanellos)
[source: News.com]
(2005-09-22) "ID WORLD International Congress 2005" will take place on November 2 -- 4, 2005 (Rome, Italy).
See calendar entry.
(2005-09-18) [IEEE Cipher] An extensive report from the recent Symposium on Usable Privacy and Security (SOUPS) (Pittsburgh, PA, US, July 6-8, 2005) has been published.
Read the report, and follow links to papers presented.
[source: Conference Reports]
(2005-09-22) "IAPR International Conference on Biometrics 2006" will take place on January 5 -- 7, 2006 (Hong Kong).
See calendar entry.
(2005-09-16) [Datatilsynet] [Norwegian] A recent survey of people's attitudes to privacy shows that it is the most secure among us who feel safest with camera surveillance. Few have objections. We do not, however, want to be monitored at the workplace.
Researcher Inger-Anne Ravlum at the Institute of Transport Economics (Transportøkonomisk institutt) has published the report "Setter vår lit til Storebror ... og alle småbrødrene med?" ("Putting our trust in Big Brother ... and all the little brothers too?"). The report shows that the population is very trusting when it comes to the possible misuse of camera surveillance. Fully 86 percent believe that law-abiding people have nothing to fear from such surveillance. [Remark: Links to related research are found on that page]
[source: Nyheter]
(2005-09-22) "The 2nd Information Security Practice and Experience Conference (ISPEC 2006) " will take place on April 11 -- 16, 2006 (Hangzhou, China).
See calendar entry.
(2005-09-16) [IDG] A stolen laptop computer holding the personal information of more than 98,000 California university students and applicants has been recovered, but it is uncertain whether the information was tapped, the University of California, Berkeley, said yesterday.
The laptop, which stored names and Social Security numbers, disappeared in March from a restricted area of the university's graduate division offices, forcing the university to alert more than 98,000 students and applicants of the theft.
[source: ComputerWorld]
(2005-09-22) "DIM, Workshop on Digital Identity Management" will take place on November 11, 2005 (Fairfax, VA, US).
See calendar entry.
(2005-09-15) [IDG] While lawmakers decried a lack of concern in the U.S. about cybersecurity issues, representatives of the electricity, communications and other so-called critical infrastructure industries on Thursday said they take the potential for cyberattacks seriously.
Executives of companies in the electricity, communications, chemical and oil and gas industries told the U.S. House of Representatives Science Committee they have taken steps to protect against wide-scale cyberattacks, in some cases by setting up alternative networks not directly connected to the public Internet. Thursday's hearing focused on how a wide-scale cyberattack would affect industries critical to the U.S. economy. (Excerpt from article by Grant Gross)
[source: Infoworld]
(2005-09-22) "WPES 2005 Workshop on Privacy in the Electronic Society" will take place on November 7, 2005 (Alexandria, VA, US).
See calendar entry.
(2005-09-15) [IDG] While there is high interest in identity federation, the technology is still in flux and will likely be more expensive and time-consuming to implement immediately rather than three years from now, an identity and access management expert said Thursday.
Roy Wagner, a research vice president with Gartner Inc., told delegates at the company's IT Security Summit 2005 in London that identity federation -- the term for linking identities of users across multiple accounts without storing the information centrally -- is mostly being used now for single sign-ons across different domains. (Excerpt from article by Jeremy Kirk)
[source: security.itworld.com]
(2005-09-22) "The 2006 IEEE Symposium on Security and Privacy" will take place on November 4, 2005 (Berkeley/Oakland, CA, US).
See calendar entry.
(2005-09-15) [Government Computer News] President Bush's former counterterrorism chief yesterday called for the government to establish a system of open-source and transparent standards for a federated identity card system, noting that Americans continue to face the dual threats of identity theft and terrorist attack.
Companies and government agencies that participate in such a system depend on each other to authenticate their respective users and permit them access to their services. They can share applications without having to adopt the same technologies for directory services, security and authentication. (Excerpt from article by Roseanne Gerin)
[source: Web Stories]
(2005-09-22) "I-NetSec, 4th Working Conference on Privacy and Anonymity in Networked and Distributed Systems" will take place on November 1, 2005 (Karlstad, Sweden).
See calendar entry.
(2005-09-15) [TCG] The Best Practices Committee of the Trusted Computing Group has published a best-practice document, "Design, Implementation, and Usage Principles for TPM-Based Platforms Version 1.0". The document has been critically reviewed elsewhere.
In particular, the privacy implications of what the document says, pros and cons, have been discussed. See http://www.schneier.com/crypto-gram-0509.html#13, Karl-Friedrich Lenz's blog, and Stefan Bechtold's blog.
[source: News]
(2005-09-14) [IDG] Imagine a so-called smart card that contained your U.S. government-checked identity, complete with biometric identifiers, plus your three credit-card accounts, your check card account, possibly even your health records. This may be what we will have.
But advocates of government-mandated smart cards envisioned multiple uses for a small piece of plastic in the name of protecting the U.S. from illegal aliens and terrorists during a discussion in Washington yesterday. Many privacy advocates have protested proposals to create a national identification card, saying a card could be used to track U.S. residents and amass databases full of information. (Excerpt from article by Grant Gross)
[source: ComputerWorld]
(2005-09-22) "5th Annual PKI R&D Workshop: Making PKI Easy to Use" will take place on October 14, 2005 (Gaithersburg, MD, US).
See calendar entry.
(2005-09-14) [CNet] Companies are "fiddling while Rome burns" by continuing to put their faith in passwords to guarantee user authentication, a Gartner analyst has warned.
Speaking at the Gartner IT Security Summit in London on Wednesday, Ant Allan said that "passwords are no longer adequate, as threats against them increase." (Excerpt from article by Tom Espiner)
[source: News.com]
(2005-09-07) [NSF] The US National Science Foundation has awarded a grant to a project ("RFID Ecosystem", conducted at U of Washington) that will explore applications for RFID tags in homes and workplaces, rather than previously studied applications for product supply-chains.
Applications relevant to the workplace and home will be explored that will integrate RFID capabilities with other ubiquitous computing technologies. .... These technologies have deep privacy, legal, social, and policy implications. The project will incorporate researchers in both technology and social aspects of technology. See the NSF Award Abstract.
[source: News]
(2005-09-01) [IT Conversations] The audio recording of a panel discussion (from SofTech2004) covering RFID issues is available.
The panel, held on September 22, 2004, addressed questions like:
The panelists were: John Occhipinti (Managing Director, Woodside Fund), Keith Dierkx (Sr. VP Operations, Embarcadero Systems), Salil Padhal (CTO RFID Program, HP Labs), Steve Shafer (Senior Researcher, Microsoft Research) and Jorge Fernandes (CEO and Co-Founder, VIVOtech).
Go listen to the recording.
[source: News]
(2005-09-01) [Lafkon publishing] A short video on (or, rather, against) the marketed idea of "Trusted Computing" is available on the web.
You can look at this "anti-commercial" by visiting the page from which the video is started.
[source: News]
(2005-09-01) [Surveillance & Society] Article on the web -- Martin R. Gibbs, Graeme Shanks and Reeva Lederman "Data Quality, Database Fragmentation and Information Privacy".
Abstract: In this paper we use an Information Systems (informatics) perspective to critically examine legislation designed to regulate the way private sector organizations collect, store, use, and disclose personal information. We focus on The Privacy Amendment (Private Sector) Act 2000 (Cth), which has recently been enacted in Australia. We argue that the ability of organizations to respond to the requirements of this legislation is affected by the data quality of the personal information they possess. In particular, this paper examines one problem associated with data quality that erodes an organization's ability to comply with legislation designed to protect the information privacy of individuals -- the fragmentation of customer data across multiple databases owned and maintained by separate functional units within an organization. Given the ubiquity of these kinds of data quality problems we conclude that current legislative regimes to regulate private sector use of personal information in countries such as Australia and European Union member states can lead to contrary outcomes resulting in legislation that is either unenforceable or acts to encourage the development of high-quality, integrated customer databases that have the potential to erode information privacy. We believe that new models able to grapple with management of personal information in distributed, mobile and ubiquitous computing environments need to be developed. Read Data Quality, Database Fragmentation and Information Privacy Surveillance and Society, vol 3, Summer 2005, no 1).
[source: Articles]
(2005-09-01) [Surveillance & Society] Article on the web -- Mark Andrejevic: "The Work of Watching One Another: Lateral Surveillance, Risk, and Governance".
Abstract: This article explores a range of technologies for "lateral surveillance" or peer monitoring arguing that in a climate of perceived risk and savvy skepticism individuals are increasingly adopting practices associated with marketing and law enforcement to gain information about friends, family members, and prospective love interests. The article argues that the adoption of such technologies corresponds with an ideology of "responsibilization" associated with the risk society: that consumers need training in the consumption of services and the development of expertise to monitor one another. Rather than displacing "top-down" forms of monitoring, such practices emulate and amplify them, fostering the internalization of government strategies and their deployment in the private sphere. In an age in which everyone is to be considered potentially suspect, all are simultaneously urged to become spies. Read The Work of Watching One Another (Surveillance and Society, vol 2, Winter 2004, no 4).
[source: Articles]
(2005-09-01) [Journal of Information, Law & Technology ] The book "The Governance of Privacy" (Bennett and Raab) has been reviewed in JILT.
Fernando Galindo (Universidad de Zaragoza) has published a review of Colin J. Bennett and Charles D. Raab: "The Governance of Privacy: Policy Instruments in Global Perspective", (Ashgate Publishing Limited, 2003) in The Journal of Information, Law and Technology, 2005 (1). Read the review.
[source: Articles]
(2005-09-01) [CSD Berkeley] Acoustic emanations from keyboards can reveal what is being typed, which opens up a new way of snooping on what others do. What you think is observable only to you may in effect be accessible to other people nearby.
Quote: "We examine the problem of keyboard acoustic emanations. We present a novel attack taking as input a 10-minute sound recording of a user typing English text using a keyboard, and then recovering up to 96% of typed characters." The paper, authored by Li Zhuang, Feng Zhou, and J. D. Tygar, will be presented at the 12th ACM Conference on Computer and Communications Security, Nov 2005.
[source: News]
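The striking point of the paper quoted above is that the attacker needs no labelled recording of the victim's keyboard: keystroke sounds are first clustered without labels, and the clusters are then named using statistics of English text. The block below is an added toy version of that two-step idea, not the authors' code and not their method in detail: their cepstrum features are replaced by constructed, well-separated 3-D feature vectors, and their hidden-Markov language model by plain letter-frequency ranking. The sample text, the per-key signatures, the noise level, the English frequency order and the assumption that the attacker knows how many distinct keys were pressed are all constructed for this example.

```python
"""Toy version of the keyboard-acoustics attack on constructed data."""
import math
import random

# Constructed sample of what the victim typed.  The attacker never sees it; it
# is used only to synthesise the "recording" and to score the result.
TEXT = "the heat tester ate sea tea oat one note hoe ant onto near seat see no"

# Characters in descending order of frequency in typical English (space first).
# This table is the attacker's only prior knowledge about the text.
ENGLISH_ORDER = " etaoinshrdlucmwfgypbvkjxqz"


def key_signature(index):
    """Constructed acoustic signature per key: points on a grid 4 units apart.
    ASSUMPTION: real keys are far harder to tell apart than this."""
    return (4.0 * (index % 3), 4.0 * ((index // 3) % 3), 4.0 * (index // 9))


def synthesise_recording(text, seed=1, noise=0.15):
    """Turn text into one noisy feature vector per keystroke (the recording)."""
    rng = random.Random(seed)
    keys = sorted(set(text))
    centre = {k: key_signature(i) for i, k in enumerate(keys)}
    return [tuple(c + rng.gauss(0.0, noise) for c in centre[ch]) for ch in text]


def dist(p, q):
    return math.sqrt(sum((a - b) ** 2 for a, b in zip(p, q)))


def kmeans(points, k, rounds=20):
    """Unsupervised step: farthest-first seeding, then Lloyd iterations.
    Returns a cluster index for every keystroke; no labels are used."""
    seeds = [points[0]]
    while len(seeds) < k:  # next seed = the point farthest from all seeds so far
        seeds.append(max(points, key=lambda p: min(dist(p, s) for s in seeds)))
    centres, labels = seeds, []
    for _ in range(rounds):
        labels = [min(range(k), key=lambda c: dist(p, centres[c])) for p in points]
        new_centres = []
        for c in range(k):
            members = [p for p, l in zip(points, labels) if l == c]
            if not members:
                new_centres.append(centres[c])
                continue
            new_centres.append(tuple(sum(m[d] for m in members) / len(members)
                                     for d in range(len(members[0]))))
        if new_centres == centres:
            break
        centres = new_centres
    return labels


def label_clusters(labels, k):
    """Language-statistics step: the biggest cluster is taken to be the space
    bar, the next 'e', and so on down ENGLISH_ORDER."""
    by_size = sorted(range(k), key=lambda c: -labels.count(c))
    return {c: ENGLISH_ORDER[rank] for rank, c in enumerate(by_size)}


def recover(text=TEXT, seed=1):
    """Run the whole attack; returns (recovered text, accuracy, cluster purity)."""
    recording = synthesise_recording(text, seed)
    k = len(set(text))  # ASSUMPTION: attacker knows the number of distinct keys
    labels = kmeans(recording, k)
    names = label_clusters(labels, k)
    guess = "".join(names[l] for l in labels)
    accuracy = sum(g == t for g, t in zip(guess, text)) / len(text)
    # purity measures the clustering alone, independent of how clusters are named
    purity = 0
    for c in range(k):
        members = [t for t, l in zip(text, labels) if l == c]
        if members:
            purity += max(members.count(ch) for ch in set(members))
    return guess, accuracy, purity / len(text)


if __name__ == "__main__":
    guess, acc, pur = recover()
    print(guess)
    print(f"accuracy {acc:.0%}, cluster purity {pur:.0%}")
```

On this constructed data the clustering is perfect, yet the recovered text is only about 79% correct: the victim never typed "i", so the frequency table hands that label to the cluster that is really "n" and shifts "s", "h" and "r" along with it. That failure mode is exactly why the paper replaces naive frequency ranking with a language model and feeds the labelled clusters back into a supervised classifier before reaching its reported 96%.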
(2005-08-02) [MERL] The privacy-enhanced computer display uses ferroelectric shutter glasses and a special device driver to produce a computer display that can be read only by the intended recipient, and not by an onlooker.
The Privacy Enhanced Computer Display is appropriate for situations where a computer display is to be located in a publicly accessible area, but the display itself may show information that should be kept private. Places such as banks (bank balances), hospitals (patient health information), pharmacies (drug information), and airline ticketing and airport gate agent stations (passenger and security information) are all candidates for a privacy-enhanced computer display.
[source: News]
(2005-08-01) [EPIC] EPIC has published a page describing the different US programs for the use of UAVs (Unmanned Aerial Vehicles) for border surveillance.
If you are interested in knowing what this is all about, go to Surveillance page: UAV.
[source: Special reports]
(2005-09-14) [Datatilsynet] [Norwegian] Datatilsynet has chosen to mark its 25th anniversary by having its director hold conversations with twelve engaged and thoughtful people about central privacy questions. The book "Fra tillit til kontroll" ("From trust to control") was launched on 22 August.
The conversations were held with a physician, a journalist, a lawyer, an anthropologist, a historian of ideas, a cabinet minister, a technologist, a member of the Storting, a data protection ombudsman at the EU Commission, a biographer and a historian of religion.
[source: Nyheter]
(2005-09-14) "Corporate Perspective on Privacy: The need to Collect Personal Data versus The Need to Protect Personal Privacy " will take place on October 7, 2005 (Denver, Colorado, US).
See calendar entry.
(2005-09-08) [Slyck] Only a very naïve person would believe that their identity is secure when using the internet, although most of us would like to think that our rights to privacy are protected in law.
Not so, according to a ruling of the Dublin Court in favor of the Irish Recorded Music Association (IRMA), the Irish equivalent of the RIAA. The IRMA had recently sought disclosure of the identities of 17 people from their ISPs, who had allegedly used P2P to distribute files. It was especially disturbing that these individuals apparently did not even know that the IRMA was pursuing them for alleged copyright infringement, thus denying them the chance of fair representation. (Excerpt from article by Nick Parker)
[source: Slyck.com]
(2005-09-12) [BBC] In the second report looking at privacy and the internet, Dan Simmons examines whether it is possible to be totally anonymous and asks if this is really a desirable thing.
"[Freenet's] goal was to provide a system whereby people could share information over the internet without revealing their identity and without permitting any form of government censorship."
[source: News]
(2005-09-13) [JoongAng Daily] In a bid to crack down on cyber crimes, Korea's major portals are to introduce a "real-name system" by the end of this year.
The Ministry of Information and Communication unveiled a plan yesterday to require Internet users to provide identification, such as their real names and resident registration numbers (the Korean equivalent of U.S. social security numbers), before being allowed to make posts online. (Excerpt from article by Lee Hee-sung)
[source: IT/Science]
(2005-09-13) [TechWorld] "Where should location tracking start and stop? What about presence technology and privacy?"
"I think location tracking in general and perhaps RFID in particular have the potential to become the most revolutionary set of technologies since the cell phone itself, bringing us truly into the Star Trek age. We are now wise to the foibles that can arise with any communication and information technology, so it makes sense to anticipate the potential abuses up front so we can minimise the downsides." (Excerpt from article by Joanie Wexler)
[source: TechWorld.com]
(2005-09-13) [Datainspektionen] [Swedish] Connex records information about its former employees. The form includes a box "not suitable for re-employment". Datainspektionen considers the register to be a blacklist that violates the Personal Data Act (personuppgiftslagen, PuL).
[source: Pressmeddelande]
(2005-09-12) [CNet] Dan Hunter recognized a familiar scam when he got an e-mail stating that his account in the game "Eve Online" had been suspended due to "unusual activity" and that he needed to click on the enclosed link to enter his login data to regain access.
Hunter, an assistant professor of legal studies and business ethics at the Wharton School of Business, knew that this type of hoax, a phishing scam, was usually used to get access to PayPal or online bank accounts. But this was a new one to him: phishers targeting an online game player's login data. (Excerpt from article by Daniel Terdiman)
[source: News.com]
(2005-09-10) [CIP] The CIP Program held a conference titled "Privacy, Security and Technology in the 21st Century: Addressing the Legal Landscape of Today and Tomorrow." A short opinion-piece by Maeve Dion has now been published.
See CIP report vol 4 no 3, p 13-14.
[source: CIP Report]
(2005-09-09) [IDG] According to a July report from the Pew Internet & American Life Project, more than 90% of Internet users have changed their online behavior to avoid spyware. That is a remarkably high level of awareness, considering the relative newness of the spyware threat.
The study generally reports on consumer behavior, but as you know, spyware is hardly a stranger to the enterprise. And while it's getting increasing attention from IT managers, it deserves another, closer look. Current developments in spyware engineering foreshadow dangerous challenges for enterprise security. Here's why. ... (Opinion by Irfan Salim)
[source: ComputerWorld]
(2005-09-09) [CNet] The feds need new privacy rules and technological methods to police their use of personal data from contractors like ChoicePoint and Acxiom, representatives from within and outside the government suggested Friday.
"There are some valid uses of commercial data," Nuala O'Connor Kelly, chief privacy officer for the Department of Homeland Security, said in closing remarks at a two-day public workshop hosted by the office she runs. She pointed to the roles data brokers have played during Hurricane Katrina's aftermath in providing, for example, information needed to verify the identities of displaced storm survivors seeking their prescription medications. (Excerpt from article by Anne Broache)
[source: News.com]
(2005-09-09) [EPIC] A recent Government Accountability Office report found that federal agencies are failing to adequately protect privacy rights when using data mining or knowledge discovery tools to find patterns and associations in massive amounts of information.
The report said that although most agencies are notifying the public that they are using personal information, few are notifying people about the intended uses of that information. A previous government program that sifted through troves of personal information, the Total Information Awareness project, was shut down amidst privacy and security criticism.
[source: EPIC Alert vol 12 no 18]
(2005-09-09) [EPIC] EPIC's September "Spotlight on Surveillance" scrutinizes the Student and Exchange Visitor Information System (SEVIS), a Homeland Security program.
SEVIS is also a part of the US-VISIT program, which has been criticized as flawed. Through SEVIS, the federal government is accumulating a massive amount of data on foreign students and exchange visitors, such as biographical information of the student or exchange visitor and their dependents (name, place and date of birth, spouse and children's data); academic information (status, date of study commencement, degree program, field of study, institutional disciplinary action); and employment information (employer name and address, employment beginning and end dates).
[source: EPIC Alert vol 12 no 18]
(2005-09-09) [EPIC] EPIC has petitioned the Federal Communications Commission to initiate a rulemaking to enhance security protections for individuals' phone records and renewed a call at the Federal Trade Commission for an investigation of online data brokers for selling personal information illegally.
At issue is customer proprietary network information (CPNI). CPNI includes calling history and activity, billing records, and unlisted telephone numbers of service subscribers. CPNI can only be released in limited circumstances, but online data brokers and private investigators widely advertise online that they can procure this information without informing the account holder.
[source: EPIC Alert vol 12 no 18]
(2005-09-09) [EPIC] In a letter to the US Senate Judiciary Committee, members of the EPIC Advisory Board urged the senators to carefully explore the views of Judge John G. Roberts, Jr., the nominee for Chief Justice of the Supreme Court, on the right to privacy. The Senate confirmation hearings for Judge Roberts begin Monday.
EPIC discussed two issues in the letter: Judge Roberts's views on unlawful searches and his support for a national ID card.
[source: EPIC Alert vol 12 no 18]
(2005-09-13) "6th Annual Privacy and Security Workshop" will take place on November 3 -- 4, 2005 (Toronto, Canada).
See calendar entry.
(2005-09-08) [EDRI] The UK government has announced it will drop pilots with Internet and telephone votes, scheduled for the local elections in May 2006.
Answering a parliamentary question, Harriet Harman, the minister responsible, said government no longer looked for pilot requests from local authorities. She explained the time was not yet right for e-voting.
[source: Number 3.18, 8 September 2005]
(2005-09-08) [EDRI] European Digital Rights, together with a number of other international digital rights organisations, is organising two panels on data retention and on biometrics, as a pre-event to the annual DPA conference in Montreux, Switzerland on 13 September 2005.
See EDRI panels on data retention and biometrics.
[source: Number 3.18, 8 September 2005]
(2005-09-08) [EDRI] Ms Leena Luhtanen, Minister of Transport and Communications, announced on 26 August 2005 that Finnish ISPs will implement a censorship system to curb access to foreign web pages containing child pornography.
The announcement was accompanied by a study conducted by the ministry exploring the legal and practical aspects of such a system. The study concludes that the system is not efficient at curtailing child porn distribution, but may result in legitimate pages being blocked. The legal basis of the system is also somewhat suspect. Critics have denounced the Minister's plan as an empty attempt to woo voters. See Study by Ministry of Transport and Communications: Blocking access to foreign child pornography pages (26.8.2005, in Finnish).
[source: Number 3.18, 8 September 2005]
(2005-09-08) [EDRI] On Monday 5 and Tuesday 6 September the UK presidency tried its best to convince members of the European Parliament to give up their resistance against mandatory data retention.
A paper ("UK Presidency paper on data retention") on the effectiveness and viability of data retention measures was presented by the UK Presidency.
[source: Number 3.18, 8 September 2005]
(2005-09-07) [Government Computer News] New IT tools such as data mining ought to be used for homeland security only if their intrusiveness on privacy and infringement of due process rights can be adequately addressed in advance, according to a new report from a task force sponsored by the New America Foundation, a Washington-based think tank.
The task force of academics examined technologies including data mining, link analysis, data integration and biometrics, and recommended that they be deployed in efforts to counteract terrorism if and only if privacy protections are in place. It also suggested principles to follow to ensure the protections. "Even more important than its specific recommendations, this paper is an exhortation to technology developers: Consider privacy at the start of any system development," wrote task force member Paul Rosenzweig, senior legal research fellow at the Heritage Foundation. (Excerpt from article by Alice Lipowicz)
[source: Web Stories]
(2005-09-06) [CMP] While sitting in Monterey, Calif., watching a group of high-tech crime-fighting experts exchange work-related yarns, a confident feeling came over Tony Kontzer. "No way were the cyber bad guys gonna get to me here," he thought. But then reality set in. ...
[source: Security Pipeline]
(2005-09-06) [CMP] New security technology such as smart ID cards or biometric safeguards won't stop identity thieves, a British criminology researcher said Monday at a science conference in Dublin.
"Many people depend on technology to beat identity theft, but fraudsters evolve their strategies to keep up with changes in security technology," said Emily Finch, of the University of East Anglia in a lecture before the British Association for the Advancement of Science. (Excerpt from article by Gregg Keizer)
[source: Security Pipeline]
(2005-09-01) [CMP] Where in an enterprise computing infrastructure is private data most vulnerable? Ask any vendor, analyst, or politician, and they'll probably say something about the Internet, or perhaps outsourcing or wireless networks. But ask anyone running an IT department with a large number of laptops, and you'll likely hear a different story.
While vendors, analysts, and reporters have focused on network security, a much more serious threat has been neglected -- namely, physical security, and in particular stolen mobile devices. (Excerpt from article by Andy Dornan)
[source: Security Pipeline]
(2005-08-29) [CMP] To accelerate RFID deployment, the University of Wisconsin-Madison formally opened a lab this month to study how to make RFID work better, leaving it to others to debate the broader issues such as implementation and privacy.
"When I see the move of RFID into universities, it concerns me," said Katherine Albrecht, a privacy advocate who specializes in RFID technology and shoppers. "It is sending a message that not only do we not have to worry about privacy but you can profit from it by a career perspective." (Excerpt from article by Ryan J. Foley)
[source: RFIDinsights]
(2005-07-05) [RFID Society] In a recent issue of the RFID Society Newsletter, there is an article about enhancing privacy, in the context of RFID, by use of zero knowledge proofs.
The article provides a simple description of what "zero knowledge proofs" are, and how this technique can be used for privacy protection.
[source: News]
(2005-05-27) [GAO] The United States Government Accountability Office (GAO) has published a report on the use of RFID in the federal government.
GAO investigates considerations surrounding RFID technology implementation in the federal government -- among others, the security and privacy considerations surrounding the technology and the tools and practices available to mitigate them. Read the report INFORMATION SECURITY - Radio Frequency Identification Technology in the Federal Government (May 2005, 41 pages).
[source: News]
(2005-03-30) [EU] The European Commission has released a major new study on how biometric technologies - including fingerprint, iris and face recognition - will impact on our daily lives. Following an EU decision to introduce biometrics in passports, visas and residence permits starting in 2006, biometrics will become increasingly common in our daily lives.
Costs will come down, people will become used to them through their travels, and further commercial and civil applications will undoubtedly follow. Therefore the report recommends that policy-makers should act now to shape the use of biometrics rather than waiting and being reactive. Social, economic, legal and technological issues are addressed. Read the report Biometrics at the frontiers -- Assessing the impact on Society. It can also be valuable to look at the background papers, which offer extended discussions on these issues:
[source: Press room]
(2005-09-05) [CNet] New technology could increase rather than solve the problem of identity theft and fraud, a British criminologist said Monday.
Identity cards and chip and pin technology for credit cards will force fraudsters to be more creative and are unlikely to alleviate the problem, said Emily Finch, of the University of East Anglia in England.
[source: News.com]
(2005-09-13) [Forlaget Thomson] [Danish] The Danish Institute for Human Rights (Institut for Menneskerettigheder) presents a debate book, "Overvågning eller omsorg - Privatlivets Grænser" (eds: Rikke Frank Jørgensen, Birgitte Kofod Olsen).
In the book the authors discuss the subject from widely differing angles and viewpoints, and the articles range over concrete practical experience, perspectives from the legal research community in particular, political visions and wishes, and debate about the possibilities of technology. The book's authors are: Lars Findsen, Politiets Efterretningstjeneste; Kasper Skov-Mikkelsen and Helge Kierkegaard, SikkerhedsBranchen; Mette Hartlev, Københavns Universitet; Anne Baastrup, Folketinget; Peter Blume, Københavns Universitet; Peter Garde, Retten i Hillerød; Rikke Frank Jørgensen and Birgitte Kofod Olsen, Institut for Menneskerettigheder; Sten Schaumburg-Müller, Århus Universitet; Per Helge Sørensen, author; Stephan Engberg, Open Business Innovation; Sune and Mira Skadegård Thorsen, Lawhouse.dk; Jeanette Viale, Næstved Kommune; Hanne Lykke Jespersen, Prosa.
[source: Nyheter]
(2005-09-07) "OUT-LAW Phishing Conference" will take place on October 27, 2005 (London, UK).
See calendar entry.
(2005-09-07) "Canada-Australia Comparative IP & Cyberlaw Conference" will take place on September 30 -- October 1, 2005 (Ottawa, Ontario).
See calendar entry.
(2005-09-06) [CanWest] Police and security agencies would be able to surreptitiously track unwitting Canadians via their cellphones, BlackBerries and laptop computers, even when the devices are turned off or their location features are disabled, under a "creepy" measure contemplated as part of the federal government's planned electronic surveillance bill.
The government made the proposal during consultations this year on a legislative package that is anticipated to be unveiled in the fall. The proposal, which was raised by justice officials with groups consulted by the government, would amend the Criminal Code to expand the types of "tracking devices" available to police under a warrant. (Excerpt from article by Cristin Schmitz)
[source: Canada.com]
(2005-09-05) [Freedom Communications] The recent rash of identity disclosures probably didn't result from an unprecedented surge in identity thefts. Instead, it's because companies are now required to inform people whose information has been breached.
Such thefts of data probably have been happening all along, the experts say - we just didn't know it. Some evidence indicates that cases of actual identity fraud, in which information is not only taken but also misused, have begun to slow.
[source: East Valley Tribune]
(2005-09-07) [IDG] Technology and the profit motive combine to offer us tremendous benefits -- often life-saving ones. But this combination also challenges our right to privacy.
Take, for example, the amazing new health care devices unveiled at the recent Intel Developer Forum (IDF) conference held in San Francisco. (Excerpt from article by Ephraim Schwartz)
[source: InfoWorld]
(2005-09-05) [IDG] New technology could increase rather than solve the problem of identity theft and fraud, a British criminologist warned today.
Identity cards and chip and personal identification number (PIN) technology for credit cards will force fraudsters to be more creative and are unlikely to alleviate the problem. (Excerpt from article by Patricia Reaney)
[source: ComputerWorld]
(2005-09-01) [Courtenay Communications] We continue to focus on the Real ID Act, a new federal law that establishes strict standards and procedures for the issuance of driver's licenses by the states.
Last month's column covered the law's convoluted passage despite opposition from immigration groups, privacy advocates and the states. Now we will look closer at the privacy consequences. (Excerpt from article by Robert Gellman)
[source: DMNews]
(2005-09-01) [CMP] A privacy consultant provides 10 ways to reduce the risk that confidential information will be accessed from lost or stolen mobile devices.
The perspective is from an organisation point of view, where mobile devices are becoming vital communication components.
[source: Compliance Pipeline]
(2005-08-31) [Pinsent Masons] Any national identity card introduced in the UK will have to meet new international standards for biometrics.
The standards body, BSI, has published a set of four new BS ISO/IEC 19794 standards, covering the science of biometrics, using biological characteristics to identify individuals, according to reports. (Excerpt from article by Lucy Sherriff)
[source: OUT-LAW.COM]
(2005-08-31) [CNet] The advent of Firefox and other alternatives to Internet Explorer means cybercops have to learn new tricks for their investigations.
Internet Explorer hides nothing from police and other investigators who examine PCs to discover which sites the user has visited, according to a class held Wednesday at the annual training meeting of the High Tech Crime Investigation Association. Investigators know the location of the IE browser cache, cookie files and history, and they know how to read those files. Also, popular forensics tools can help out. (Excerpt from article by Joris Evers)
[source: News.com]
(2005-08-31) [CMP] Two vendors of mobile anti-virus products made separate claims this week that attacks on mobile devices are becoming more serious.
F-Secure said earlier this week that the Commwarrior B virus has made its first appearance in devices used by a company. The vendor did not name the company that was struck, but claimed that "several dozens of employees" of the company received infected Bluetooth or MMS transmissions of the virus.
[source: Security Pipeline]
(2005-08-31) [CMP] Creative Technology acknowledged this week that it shipped about 4,000 of its Zen Neon portable music players with an extra no one wanted: a ready-to-roll Windows worm.
The players, which were sent to Japan in an allotment during late July, are infected with the Wullik.b worm, a mass-mailed worm code that harks back to 2003. The Neon's file system includes an infected file, but according to Creative, the worm won't infect a connected PC unless the user browses the device's file list and clicks on the infected file.
[source: Security Pipeline]
(2005-08-31) [IDG] Microsoft Corp. later today plans to release a pair of add-ins to its MSN Search Toolbar with Windows Desktop Search, including one that detects Web sites that could be used to carry out phishing scams, according to a Microsoft official.
The company had said last week it planned to release an antiphishing add-in for the free Internet Explorer tool bar, but didn't say when it would be available. The plan now is to make the Microsoft Phishing Filter Add-in, along with another one for gaming enthusiasts, available today, said Justin Osmer, an MSN product manager. (Excerpt from article by Juan Carlos Perez)
[source: ComputerWorld]
(2005-08-30) [Pinsent Masons] Five federal agencies in the US that use data mining techniques to collect information are not fully complying with the privacy and security requirements necessary to protect the individuals affected, according to the Government Accountability Office (GAO).
Its report on data mining, published yesterday, had been requested by Senator Daniel K Akaka, Ranking Member of the Senate Subcommittee on the Oversight of Government Management.
[source: OUT-LAW.COM]
(2005-08-30) [IDG] The expanding investigation into this month's Zotob worm outbreak is uncovering evidence of the growing nexus between worm writers and gangs looking to profit from cybercrime, according to security experts.
The FBI today confirmed that Turkish law enforcement officials are investigating 16 more suspects in connection with the Zotob worm and its variants. (Excerpt from article by Jaikumar Vijayan)
[source: ComputerWorld]
(2005-08-30) [CMP] The Electronic Privacy Information Center (Epic), an online privacy advocacy group, on Tuesday petitioned the Federal Communications Commission to require that telecommunications carriers establish better policies and procedures to prevent customer billing records from being sold illegally online.
The group's request that the FCC establish stronger security standards governing the release of consumer proprietary network information follows a July 7 complaint against the illegal sale of consumer information by Intelligent e-Commerce Inc. (Excerpt from article by Thomas Claburn)
[source: Security Pipeline]
(2005-08-29) [CMP] A trick reminiscent of a fun-house mirror might improve the security and privacy of the access-control technology that examines fingerprints, facial features, or other personal characteristics.
In such systems, known as biometrics, a computer generally reduces an image to a template of "minutia points" -- notable features such as a loop in a fingerprint or the position of an eye. Those points are converted to a numeric string by a mathematical algorithm, then stored for later analysis. (Excerpt from article by Brian Bergstein)
[source: Developer Pipeline]
(2005-08-29) [Government Computer News] Young singles aren't the only people looking for a perfect match. Government IT managers, border guards, payroll clerks and homeland security officers are just as concerned with matching employees, visitors and others against personally identifiable information to authenticate them for building access, network privileges or entry into the United States.
To improve identification procedures, Congress included biometric passport provisions in the Patriot Act as well as in the Enhanced Border Security and Visa Entry Reform Act of 2002. Last year, the federal government awarded Accenture Ltd. a $10 billion contract to provide program management services for the Homeland Security Department's U.S. Visit program, including the collecting of biometric data as part of visa applications. (Excerpt from article by Drew Robb)
[source: News]
(2005-08-29) [CNet] A new Web site aims to help determine whether a specific computer has been sending legitimate e-mail or spam.
The TrustedSource Web site uses data from reputation filters, which are billed as the next big thing in e-mail security. Makers of spam-fighting tools collect data on e-mail senders and use that to assign "reputations" to e-mail sending computers and Internet domains. Those who send a lot of spam get a negative rating and their messages are more likely to be filtered out. (Excerpt from article by Joris Evers)
[source: News.com]
(2005-08-29) [Datatilsynet] [Norwegian] Folkehelseinstituttet (FHI, the Norwegian Institute of Public Health) wanted permission to create a permanent research file with information on 2.2 million Norwegians. FHI appealed Datatilsynet's decision to refuse permanent storage. Personvernnemnda (the Privacy Appeals Board) has now chosen not to uphold the appeal.
The registers to be linked were the Medical Birth Registry (Medisinsk fødselsregister), the Cause of Death Registry (Dødsårsakregisteret), and the country-of-birth register and education data from Statistics Norway (Statistisk sentralbyrå). The research file was to be updated every five years with fresh data from the registers. Datatilsynet granted a licence for a period limited to five years, meaning that Folkehelseinstituttet received a partial refusal of its licence application.
[source: Nyheter]
(2005-09-06) [Reed Business Information] Preventing the release of confidential information will be a major challenge for IT directors as they strive to comply with the EU Privacy Directive, analyst firm Gartner has warned.
One of the main security issues facing IT directors is how to cope with requests made under the Freedom of Information (FOI) Act, which can affect all public sector bodies and private sector companies contracted to them. Jay Heiser, research vice-president at Gartner, said, "Government and organisations will have greater responsibility to protect the identity of people." (Excerpt from article by Cliff Saran)
[source: Computer Weekly]
(2005-08-25) [EPIC] A new report has determined that many major American companies misuse consumer information they collect through the Internet.
The Customer Respect Group's 2005 Privacy Report analyzed 464 corporate Web sites, and found that 72 percent of those companies had "poor" policies concerning reusing personal data for marketing purposes. The worst performer was the pharmaceutical and health care industry.
[source: EPIC Alert vol 12 no 17]
(2005-08-25) [EPIC] In a 5-2 decision, the full Court of Appeals for the First Circuit has ruled in United States v. Councilman that the interception of e-mail temporarily stored while en route to its final destination violates federal wiretap law.
The holding reversed a three-judge panel's earlier ruling that an e-mail service provider did not violate the law by acquiring users' incoming e-mails without their knowledge or consent to gain a commercial advantage over a competitor.
[source: EPIC Alert vol 12 no 17]
(2005-08-25) [IDG] Users of Microsoft Corp.'s MSN Messenger should be aware of a new "smart" worm that checks the configuration of their Windows client and sends a message in the appropriate language, according to security companies Akonix Systems Inc. and Symantec Corp. Both companies published alerts yesterday.
The Kelvir.HI worm, a variant of the Kelvir IM malware that surfaced earlier this year, appears to be the first instant-message bug capable of checking systems settings and communicating in the victim's native tongue. (Excerpt from article by John Blau)
[source: ComputerWorld]
(2005-08-24) [IDG] Spyware is getting more dangerous and has become a greater threat for the enterprise, according to the latest quarterly state of spyware report from Boulder, Colo.-based Webroot Software.
Despite the fact that spyware definition writers have kept pace with spyware writers, the threat has become more malicious, more insidious, and is now going after bigger paydays, the report said. (Excerpt from article by Jeff Jedras)
[source: ComputerWorld]
(2005-08-24) [IDG] Is the Real ID Act a step toward a safer society or a threat to the liberties we hold dear?
Gary Klinefelter of Fargo Electronics examines some of the issues raised over the act, which authorizes the first national ID card.
[source: ComputerWorld]
(2005-08-24) [AIM] Ross Stapleton-Gray responds to an earlier AIM essay entitled "The ROI of Privacy Invasion."
Quote: "With 20/20 hindsight, we probably ought to have built more hooks for the establishment and authentication of identity on the Internet -- we're now stuck trying to retrofit the Net with the means to rebuff spammers, and detect phishing attempts. And perhaps now is the time to figure out how to build in more privacy protections in the future "Internet of Things," and to anticipate what will become possible once the infrastructure is too pervasive and critical to live without."
[source: Articles]
(2005-07-01) [O'Reilly] A new book has been published, "Computer Privacy Annoyances" by Dan Tynan (July 2005).
The blurb: "From the moment you're born, you enter the data stream -- from birth certificates to medical records to what you bought on Amazon last week. As your dossier grows, so do the threats, from identity thieves to government snoops to companies who want to sell you something. Computer Privacy Annoyances shows you how to regain control of your life. You'll learn how to keep private information private, stop nosy bosses, get off that incredibly annoying mailing list, and more. Unless you know what data is available about you and how to protect it, you're a sitting duck. 'Computer Privacy Annoyances' is your guide to a safer, saner, and more private life."
[source: News]
(2005-06-06) [Government Computer News] As the government gears up to distribute smart cards, electronic passports and other devices using radio-frequency identification, policy-makers are wrestling with concerns over RFID's security.
On one side are industry and federal proponents who have paved the way for acceptance of the technology by crafting standards to assure its security and privacy. And on the other are the experts from the Government Accountability Office, who recently issued a report raising questions about how well RFID devices protect information. (Excerpt from article by Wilson P. Dizard III)
[source: News briefs]
(2005-05-27) [CNet] Radio frequency identification is becoming increasingly popular inside the U.S. government, but agencies have not seriously considered the privacy risks, federal auditors said.
In a report published Friday, the Government Accountability Office said that 13 of the largest federal agencies are already using RFID or plan to use it. But only one of 23 agencies polled by the GAO had identified any legal or privacy issues -- even though three admitted RFID would let them track employee movements. (Excerpt from article by Declan McCullagh)
[source: News.com]
(2005-05-26) [Surpriv] Telecoms Korea reports that the South Korean government, through its Ministry of Information Communication, is working on guidelines for RFID privacy protection.
The guidelines ban storing personal information on RFID tags in violation of related laws or without a clear statement of consent from the person in question. Furthermore, RFID-tagged products should carry a proper mark accompanied by instructions for removing the tag. Anyone installing an RFID reader has to inform shoppers or customers of the fact.
[source: Blog]
(2005-03-16) [CSTB] The Workshop "Technology, Policy, and Cultural Dimensions of Biometric Systems" was held on March 15-16, 2005 in Washington, D.C., US, organised by CSTB.
The workshop sessions were:
Material from the workshop can be accessed at the workshop page.
[source: News]
(2005-01-01) [CSTB] The CSTB Committee on Radio Frequency Identification Technologies has published its workshop report.
The privacy issue is of course discussed, though technology itself and its applications get more attention. The report, Radio Frequency Identification (RFID) Technologies: A Workshop Summary (51 pages, 2004) can be accessed on the web.
[source: News]
(2005-08-31) [Datainspektionen] [Swedish] There are no specific rules in PuL dealing with publication on the Internet. The general rules for the processing of personal data apply. Datainspektionen receives many questions about Internet publication, and practice for certain typical cases has been documented in the information sheet "Personuppgifter och Internet", which is now available in a new, updated edition.
The publication can be downloaded from Datainspektionen's website: Personuppgifter och Internet (PDF file, 92 kb).
[source: Nyheter]
(2005-08-29) [CMP] Federal investigators say the government isn't doing all it should to notify citizens that information about them is being collected by systems employing data-mining techniques.
The Government Accountability Office, the investigative arm of Congress, reviewed five data-mining efforts employed by the Small Business Administration, Agriculture's Risk Management Agency, the Internal Revenue Service, the State Department, and the FBI. (Excerpt from article by Eric Chabrow)
[source: Compliance Pipeline]
(2005-08-29) [eChannelLine] A survey released by RSA Security Inc. shows that -- despite widespread fears of fraudulent activity and identity theft -- consumers are willing to increase the amount of personal business they do online if their banks and other online service providers offer them strong authentication.
With nearly 50% of survey respondents indicating that they would be more or much more likely to switch to a competitive service provider if that provider offered a strong authentication option and their current provider did not, and with more than two-thirds willing to migrate more of their transactions online if offered a hardware authenticator, consumers are laying down a stark business challenge for organizations that don't invest in appropriate identity protection for their customers. (Excerpt from article by Steve Wexler)
[source: Daily News]
(2005-08-29) [Datainspektionen] [Swedish] Datainspektionen, Statistiska centralbyrån and Socialstyrelsen have jointly produced a publication setting out their view on how personal data in research should be handled and how it may be disclosed.
The publication, which is free of charge, replaces Datainspektionen's information sheet "PuL och känsliga uppgifter i forskningen". See the publication Personuppgifter i forskningen - vilka regler gäller? (PDF file, 266 kb).
[source: Nyheter]
(2005-08-29) [IDG] Anti-spam filtering technologies have been perfected to the point where you can expect to see better than 95 percent accuracy, with no more than a couple of false positives out of every 10,000 messages. Despite this amazing progress, enterprises are still under attack. The grim truth is that filtering even 100 percent of incoming spam doesn't necessarily solve the spam problem for large organizations.
The reason is that a high volume of spam, even when it's caught, can be extraordinarily expensive for larger organizations that are finding that they need to add more mail servers, and more spam filters, to handle the load. Considering that spam can amount to between 80 percent and 95 percent of all incoming e-mail, a large enterprise could substantially reduce the number of mail servers and filters it manages and maintains if most of that spam would just go away. (Excerpt from article by Logan G. Harbaugh)
[source: InfoWorld]
(2005-08-27) [Wired] The creator and several buyers of a computer program designed to allow jealous lovers to snoop on their sweethearts' online activities have been indicted for allegedly violating federal computer privacy laws.
Carlos Enrique Perez-Melara, 25, was indicted Friday on 35 counts of manufacturing, sending and advertising a surreptitious interception device and unauthorized access to protected computers.
[source: News]
(2005-08-26) [CNet] New international standards on biometric technology have been published. They will underpin the government's controversial identity card project.
The BS ISO/IEC 19794 series of standards cover the science of using "biological properties" to identify individuals, such as fingerprints, iris scans and facial recognition. (Excerpt from article by Steve Ranger)
[source: silicon.com]
(2005-08-26) [IDG] Microsoft plans to release an antiphishing tool before the release of the next version of its Web browser, Internet Explorer 7, as an add-on to the MSN Search Toolbar.
The phishing filter -- which issues a pop-up window warning if a user navigates to a Web site that exhibits behavior typical of phishing sites, and blocks access to currently recognized phishing sites -- will be available for Internet Explorer 6 running on Windows XP with Service Pack 2 installed, said Justin Osner, product manager for MSN Search. (Excerpt from article by Elizabeth Montalbano)
[source: ComputerWorld]
(2005-08-26) [InfoWorld] Two studies released this morning by London-based StreamShield Networks, a provider of security products, indicate that the public is largely ignorant of online threats. The second study demonstrates that women Internet users are less likely than men to succumb to viruses and the like.
StreamShield measured online fraud, viruses, spam, unwanted pop-up ads, spyware, phishing and keyloggers. The firm said, in fact, that in all categories women experienced fewer difficulties than men, even though a higher percentage of men are aware of computer viruses, spyware, adware, et al.
[source: TechWatch]
(2005-08-25) [CNet] Aiming to step up its battle against malicious Web sites, Microsoft said Wednesday that its MSN unit will offer a browser add-in that will help identify both known scam sites as well as those that appear suspicious.
Microsoft is already building similar "antiphishing" features into Windows Internet Explorer 7, the next version of its browser. In the new browser, users will be interrupted and warned when they try to go to a site that is known to deceptively try to grab personal information, a practice known as phishing. Those who go to sites not known as scam sites, but whose behavior appears suspicious, will see a warning. (Excerpt from article by Ina Fried)
[source: News.com]
(2005-08-22) [CMP] Attackers are increasingly turning to stealthy rootkits to keep anti-virus vendors from detecting and deleting malicious worms or Trojan horses, a Russian security firm said Monday.
"Over the last 12 months, we've seen a large jump in the use of rootkits," said David Emm, a senior technology consultant with Kaspersky Labs, a Moscow-based anti-virus vendor. (Excerpt from article by Gregg Keizer)
[source: Security Pipeline]
(2005-08-22) [CMP] Employee and customer data is exposed, and potentially within the reach of hackers, at a whopping 91 percent of companies monitored by a security firm.
According to the second monthly Insider Threat Index generated by Reconnex, a Mountain View, Calif.-based enterprise risk management vendor, 91 percent of the companies undergoing assessment in July exposed credit card numbers, and 82 percent exposed employee Social Security numbers.
[source: Security Pipeline]
(2005-05-04) [WorldChanging] Quote: "Soon -- probably within the next decade, certainly within the next two -- we'll be living in a world where what we see, what we hear, what we experience will be recorded wherever we go. There will be few statements or scenes that will go unnoticed, or unremembered. Our day to day lives will be archived and saved. What's more, these archives will be available over the net for recollection, analysis, even sharing. ..."
Quote [contd]: "... And we will be doing it to ourselves." These quotes come from a transcript of a talk given at MeshForum 2005 (Chicago, IL, May 1-4, 2005) by Jamais Cascio.
[source: Blog]
(2005-08-19) [CMP] The First Circuit Court of Appeals ruled this month that an email service provider who secretly read messages before they were delivered violated federal wiretap laws.
Privacy advocates consider the decision, which reversed an earlier three-member panel, to be a small victory that holds the potential to spur Congress to patch the holes in current surveillance laws with more modern legislation. (Excerpt from article by Christopher T. Heun)
[source: Developer Pipeline]
(2005-08-24) [EDRI] The EDRI and XS4ALL petition against data retention has attracted almost 30,000 signatures, of which over 10,000 are from the Netherlands (where the campaign was launched) and over 5,000 from Germany. The number three position is held by Finland, with almost 5,000 signatures.
Runners-up in the daily country count are Bulgaria, Austria and Italy, with over 1,000 signatures each. In Sweden, Belgium, France, the UK and Hungary, over 500 people each have signed the petition.
[source: EDRI-Gram Number 3.17, 24 August 2005]
(2005-08-24) [EDRI] In response to the article about the Norwegian Supreme Court decision on hyperlinks in the previous EDRI-gram, subscriber Matthias Spielkamp from Germany pointed to an article he wrote about recent jurisprudence in Germany.
In contrast to the Norwegian decision that a hyperlink cannot be considered unlawful in a copyright context, irrespective of the legal or illegal nature of the content offered, the appeal court of Munich decided to uphold a ruling that the e-zine Heise had to remove a link to the website Slysoft.com. That site offered software for making copies of copy-protected CDs and DVDs.
[source: EDRI-Gram Number 3.17, 24 August 2005]
(2005-08-24) [EDRI] The September edition of the German industry magazine Die Bank contains renewed speculation about the introduction of spy-chips in the Euro banknotes.
The article discusses three possible new measures against the counterfeiting of the notes; a new biological paint, a colour-switch foil and the introduction of RFIDs (Radio Frequency Identification Devices) on every note. See also Sicherheits-Innovationen: Banknoten der Zukunft (September 2005).
[source: EDRI-Gram Number 3.17, 24 August 2005]
(2005-08-24) [EDRI] The European Commission has started infringement procedures against the governments of Austria and Germany for not creating adequate independence of the Data Protection Authorities.
Besides the lamentable lack of independence, the Austrian DPC suffers from a chronic shortage of staff. The German state-embedded provincial DPAs respond 'in a lethargic way' to complaints from citizens, while the truly independent provincial DPAs defend civil rights in a very engaged way.
[source: EDRI-Gram Number 3.17, 24 August 2005]
(2005-08-24) [EDRI] The general German industry association (BDI) and the two telecommunication associations (BITKOM and VATM) have jointly published a strong position paper against the European proposals for mandatory data retention.
The German industry calls on both the European Commission and the ministers of Justice and Home Affairs to provide a solid and adequate impact assessment, since "LEAs have demonstrated neither the concrete need for a data retention regime nor the alleged lack of effectiveness of the current practice."
[source: EDRI-Gram Number 3.17, 24 August 2005]
(2005-08-23) [CNet] A total of 14,135 unique phishing campaigns were reported in July, according to the Anti-Phishing Working Group. That is down from 15,050 a month earlier, the group said in a report Tuesday.
In phishing attacks, fraudulent Web sites are used to trick Internet users into giving up sensitive information such as credit card details and social security numbers. The number of attacks has been increasing steadily, with slight drops only in April and December. July's decrease could just be a summer dip, an APWG representative said. (Excerpt from article by Joris Evers)
[source: News.com]
(2005-08-23) [CNet] It may not come as a surprise to many online shoppers, but a new study released this week shows that many major American companies misuse information they collect from consumers over the Web.
The Customer Respect Group, the Boston research firm that conducted the study, rated the privacy practices of a whopping 72 percent of 464 North American companies it surveyed earlier this year as "poor" with respect to reusing personal data for marketing purposes. (Excerpt from article by Alorie Gilbert)
[source: News.com]
(2005-08-25) "Conference On Passenger Facilitation & Immigration: Newest trends in achieving a seamless experience in air travel" will take place on October 3 -- 5, 2005 (Singapore).
See calendar entry.
(2005-08-22) [CMP] University of Tokyo professor Ken Sakamura has been talking about pervasive computing since before the term was invented. In this interview, he talks about his vision and how he hopes to attain it.
Quote: "We also intend to embed chips in cities -- that is, to embed ucode tags in roads and buildings to establish a location information system. The tags provide location information to users of personal-navigation systems, or help handicapped people with the information in a ubiquitous environment."
[source: RFIDinsights]
(2005-08-22) [RFIDNews] A short interview with Stapleton-Gray about the Sorting Door project, a project about RFID, surveillance and privacy issues.
Quote: "In a nutshell, while the read ranges of passive RFID tags are fairly short, they might be readily scanned in constrained spaces, like doorways; doorways are also natural places to want to monitor individuals, e.g., to welcome a friend (or valued customer), or bar access to a threat."
[source: News]
(2005-08-22) [IDG] The malicious code enters your network undetected, rapidly infecting more than 100 machines. But this is no ordinary virus. Your antivirus and disk recovery tools can't help, because the disk drives won't spin up at all. The drives are toast. The PCs are completely inoperable.
The era of microcode attacks has begun. Could viruses really attack the low-level microcode that makes disk drives run? It's entirely possible, disk technology experts say. Dimitri Postrigan knows how such a virus might be created -- but he's not telling. Postrigan reverse-engineers and programs hard disk drives at ActionFront Data Recovery Labs. (Excerpt from article by Robert L. Mitchell)
[source: ComputerWorld]
(2005-08-22) [IDG] So-called spear-phishing attacks -- customized spoof e-mails that appear to come from trusted sources and ask recipients to part with confidential information -- pose a dangerous and emerging threat to organizations.
There are no mature technical solutions to the problem, so IT must emphasize education, security experts said during a telephone briefing on the topic last week. (Excerpt from article by Jaikumar Vijayan)
[source: ComputerWorld]
(2005-08-22) [MIT Technology Review, Inc.] The Federal Communications Commission (FCC) announced earlier this month that it intends to expand a mid-1990s ruling that allows law enforcement officers to wiretap conventional phone lines. Now it wants to apply the ruling to certain broadband and voice-over-Internet (VOIP) providers as well.
The FCC announcement has outraged not only civil libertarians, but also a coalition of broadband providers and Internet associations, who are worried that the government's move could actually threaten national security, as well as dampen industry innovation. (Excerpt from article by Trey Popp)
[source: technologyreview.com]
(2005-08-25) "World e-ID 2005" will take place on September 21 -- 23, 2005 (Sophia Antipolis, France).
See calendar entry.
(2005-08-19) [IDG] The German government, looking to better protect the country's systems from viruses and other attacks, yesterday announced a national IT security plan that includes the establishment of a computer emergency response center.
The plan, unveiled in Berlin by Interior Minister Otto Schily, comes as Germany and many other industrialized nations are struggling to come to grips with increasing attacks on IT systems in both the public and private sectors. (Excerpt from article by John Blau)
[source: ComputerWorld]
(2005-08-19) [IDG] Even people with PCs not directly infected by Zotob may be feeling the worm's impact. The Zotob virus has done more than just infect some 250,000 PCs and engage in a botwar with Bozori and Ircbot this week: Zotob has generated spam.
CipherTrust, in fact, issued findings this morning that indicate Zotob spurred a 14 percent increase in spam during the past 24 hours. (Posted by Tom Sullivan)
[source: InfoWorld TechWatch]
(2005-08-19) [CNet] Some 11 per cent of the British population are convinced that spyware is "a gadget from Star Wars", according to research published on Thursday.
The survey, carried out by NOP and commissioned by security company Blue Coat, appears to highlight a lack of concern in the UK market about spyware, with more than half of those surveyed unaware that spyware is software on a user's computer that tracks their behaviour and reports it back to a third party. (Excerpt from article by Colin Barker)
[source: silicon.com]
(2005-08-19) [CNet] UK consumers have pledged to spend more money online and conduct more business via the internet if banks and retailers provide the tools for greater authentication.
A number of credit card companies have trialled systems which allow shoppers to generate single use passwords or codes for authenticating online transactions but such systems require a card reader, albeit one produced at pretty low cost, as well as the full support of payment firms and merchants. (Excerpt from article by Will Sturgeon)
[source: silicon.com]
(2005-08-19) [IDG] The German government aims to counter the alarming rise in computer viruses with a national IT security plan that includes the establishment of a computer emergency response center.
The new plan, unveiled Thursday in Berlin by Interior Minister Otto Schily, comes as Germany and many other industrialized nations struggle to come to grips with attacks on IT systems in both the public and private sectors. (Excerpt from article by John Blau)
[source: InfoWorld]
(2005-08-25) "27th World Conference of Data Protection Commissioners" will take place on September 14 -- 16, 2005 (Montreux, Switzerland).
See calendar entry.
(2005-08-18) [CDT] The Federal Communications Commission is considering rules that would require voice-over Internet Protocol (VoIP) providers to deploy automatic location technology for use in emergency calls. Location determination can be useful in emergency calls but such a mandate could endanger both personal privacy and the ability of companies to innovate.
CDT, Computer & Communications Industry Association, Electronic Frontier Foundation, and Pulver.com submitted joint comments urging that the FCC avoid writing rules that force the creation of a surveillance system that can track mobile VoIP users.
[source: News]
(2005-08-18) [IDG] Finland called on its citizens to take more care securing their Wi-Fi networks after it emerged this week that about 200,000 Euros had been stolen from a local bank using an unprotected home network.
The Helsinki branch of global financing company GE Money called on police to investigate the theft in June. The money, which has since been recovered, was stolen from one of GE Money's accounts at a local bank, said Jukkapekka Risu, investigating officer for the Helsinki police. (Excerpt from article by James Niccolai)
[source: InfoWorld]
(2005-08-18) [IDG] Acrobat and Acrobat Reader, two of the most widely used desktop applications, contain serious security flaws that could be used to take over a system, according to Adobe. The company urged users to update the software immediately.
The bug is found in a core application plug-in found in both Acrobat and Reader, according to Adobe, and could be exploited by tricking the user into opening a malicious PDF file. Because PDFs can be embedded into Web pages, such an attack wouldn't necessarily require any user intervention. (Excerpt from article by Matthew Broersma)
[source: InfoWorld]
(2005-08-18) [CNet] Academic institutions want to maintain the free exchange of ideas and information between faculty, students and researchers, both on campus and from university to university. That presents a challenge for keeping networks secure. Unlike businesses, schools can't rely on using the typical firewall to keep threats out.
"Universities try to foster a more open environment, so individuals have freedom to do things like collaborate on research or do things with other universities," said Michael Gavin, a senior analyst at Forrester Research. "Universities, as a result, are reluctant to put in security that would prevent people from collaborating." (Excerpt from article by Dawn Kawamoto)
[source: News.com]
(2005-08-18) [IDG] Online criminals trying to pry passwords and other sensitive information out of companies have started using phony e-mails that look as if they were sent from powerful executives of the targeted organizations, experts said yesterday.
Known as "spear phishing," the technique is an ingenious wrinkle on the "phishing" e-mail scams that try to trick consumers into giving up bank-account information and other sensitive details that can be used in identity theft.
[source: ComputerWorld]
(2005-08-25) "Strategies for International Privacy Protection: Issues, Actors, and Future cooperation" will take place on September 13, 2005 (Montreux, Switzerland).
See calendar entry.
(2005-08-17) [CMP] The ongoing attack of multiple bot worm families stepped up Wednesday, said security experts, who noted that so far more than 175 corporations have been hit with malicious code exploiting Windows 2000's Plug and Play vulnerability.
A new wave of bots, including two that are particularly malicious, have struck scores of corporations, including the Associated Press, the Canadian Imperial Bank of Commerce, Caterpillar, Inc., CNN, Daimler/Chrysler, General Electric, SBC Communications, and United Parcel Service. (Excerpt from article by Gregg Keizer)
[source: Advanced IP Pipeline]
(2005-08-17) [CMP] Just as the author of the Zotob bot worm was tentatively identified Wednesday as the same individual who wrote some of the Mytob worms, several security firms warned users that a Bagle vs. Netsky-style battle between bots is under way.
"Competing factions seem to be dueling for control of the botnets of PCs in order to perpetrate wider Internet criminal activity," said Alex Shipp, a senior anti-virus technologist at U.K.-based security vendor MessageLabs, in a statement e-mailed to TechWeb. "We may well now see a period of intense malware activity as these groups vie for pole position." (Excerpt from article by Gregg Keizer)
[source: Security Pipeline]
(2005-08-17) [IDG] Based on the last 24 hours of news, we (the computer users of the world) are being attacked by a series of "worm" attacks. It would seem that certain versions of a popular OS are more vulnerable than others.
(Posted by John Monaghan)
[source: ComputerWorld Blog]
(2005-08-17) [IDG] A former America Online employee was sentenced to 15 months in prison today for stealing 92 million e-mail screen names from the Internet company and selling them to a spammer.
Jason Smathers, 25, pleaded guilty in February in federal court in Manhattan to charges that included conspiracy and interstate trafficking of stolen property. He was paid $28,000 by an Internet marketer for the names, which were taken from AOL's database of 30 million subscribers at the time. (Excerpt from article by Christine Kearney)
[source: ComputerWorld]
(2005-08-17) [IDG] Computer worms that have brought down systems around the world in recent days are starting to attack each other, Finnish software security firm F-Secure Corp. said today.
"We seem to have a botwar on our hands," said Mikko Hypponen, chief research officer at F-Secure. "There appear to be three different virus-writing gangs turning out new worms at an alarming rate, as if they were competing to build the biggest network of infected machines."
[source: ComputerWorld]
(2005-08-17) [IDG] U.S. media companies and other corporations hit by a wave of computer viruses this week said business was back to normal today, but analysts warned the attacks showed that hackers have gained a dangerous advantage in speed in the battle over network security.
ABC news writers resorted to typewriters to prepare copy for the "World News Tonight" broadcast yesterday, as the network and other media companies, including The New York Times, reported disruptions. CNN broke into programming with descriptions of its problems. (Excerpt from article by Spencer Swartz)
[source: ComputerWorld]
(2005-08-17) [CNet] The recent surge in worms could be part of an underground battle to hijack PCs for use in Net crimes, some security experts say--but others aren't convinced.
Signs of a turf war between cybercrooks lie in the behavior of the worms that have emerged since Sunday, said Mikko Hypponen, chief research officer at F-Secure, a Finnish security software company. (Excerpt from article by Joris Evers)
[source: News.com]
(2005-08-17) [CNet] Microsoft has made available a free software tool to help victims of the worms that hit Windows computers in the past days clean their systems.
The Zotob worm started spreading on Sunday. Since then, the worm, its variants, and other worms that take advantage of the same security flaw have hit Windows computers, especially those running Windows 2000. Systems at ABC, CNN and The New York Times were among those infected. (Excerpt from article by Joris Evers)
[source: News.com]
(2005-08-17) [MIT Technology Review] Several new variants of a computer worm emerged Wednesday to attack corporate networks running the Windows 2000 operating system, just a week after Microsoft Corp. warned of the security flaw.
As experts predicted, the Windows hole proved a tempting target for rogue programmers, who quickly developed more effective variants on a worm that surfaced over the weekend and by Tuesday had snarled computers at several large companies. (Excerpt from article by Greg Sandoval)
[source: TR on the web]
(2005-08-17) [eChannelLine] Last week's Zotob family of worms took a nasty turn this week, with a new variant slamming companies around the world starting on Tuesday.
The new worm, dubbed IRCbot, has been rated "high" risk by most anti-virus vendors, who say the worm is making quite an impact, with hundreds of infections reported, including high-profile infections at financial institutions and media outlets such as CNN and ABC. (Excerpt from article by Robert Dutt)
[source: Daily News]
(2005-08-17) [CNet] Just as the initial threat of the Zotob worm fades, new and much more malicious worms have hit the Internet with force.
Early signs are that there are as many as eleven different worms each using a variety of patched vulnerabilities, including DCOM-RPC, LSASS, WebDAV, and the recent MS05-039 Windows Plug and Play vulnerability. The new worms include an IRC backdoor for communication, as well as the ability to add or delete network shared folders, steal private information, and launch a denial-of-service attack on random targets. (Excerpt from article by Robert Vamosi)
[source: Security Center]
(2005-08-16) [CNet] Network worms that shut down computers running Microsoft's Windows 2000 operating system on Tuesday may be linked to competition between rival hackers, security experts said.
Computers across the United States have been hit, including those at cable news station CNN, television network ABC and The New York Times. Tokyo-based antivirus company Trend Micro blames the havoc on various worms, including the Zotob worm that hit the Internet over the weekend and new variants of the Rbot worm. (Excerpt from article by Joris Evers)
[source: News.com]
(2005-08-15) [IDG] The U.S. is about to begin distributing electronic passports and this has some right-to-privacy advocates worried. The U.S. isn't the only country planning to go this route; Germany also plans on doing the same come November.
This brings up the important (and often heated) topic: our right to privacy. Is privacy really a constitutional right? (Posted by Douglas Schweitzer)
[source: ComputerWorld Blog]
(2005-08-15) [Pinsent Masons] The Ministry of Defence has received 3000 requests under the Freedom of Information Act since the Act came into force on 1st January. Queries have included a request for an old Royal Navy recipe for curried meatballs, and details of the MoD's policy on alien abduction.
The Freedom of Information (FOI) Act came into full effect on 1st January, giving individuals for the first time the statutory right to see a massive amount of information held by Government departments and thousands of public bodies.
[source: OUT-LAW.com]
(2005-08-25) "Big Brother Awards" will take place on October 29, 2005 (Zurich, Switzerland).
See calendar entry.
(2005-08-25) "Big Brother Awards" will take place on October 28, 2005 (Prague, Czech Republic).
See calendar entry.
(2005-08-25) "Big Brother Awards" will take place on October 228, 2005 (Bielefeld, Germany).
See calendar entry.
(2005-08-25) "Big Brother Awards" will take place on October 25, 2005 (Vienna, Austria).
See calendar entry.
(2005-08-15) [Pinsent Masons] The US Court of Appeals for the First Circuit on Thursday overturned a landmark ruling that it was not a violation of criminal wiretap laws for the provider of an email service to monitor the content of users' incoming messages without their consent.
Privacy groups had argued that, unless reversed, the ruling would have a serious effect on email privacy in the US. See the ruling.
[source: OUT-LAW.com]
(2005-08-15) [CMP] UPS Strategic Enterprise Fund, a private-equity strategic investment arm of UPS Inc., has provided Series A funding to G2 Microsystems Inc., which makes radio-frequency identification chips for managing and tracking mobile devices using Wi-Fi networks.
Mobile-resource management lets businesses track assets worldwide and monitor their environment and security. G2 Microsystems is developing an ultra-low-power, active-asset tracking-system-on-a chip product line, called SmarTag, for location-based service applications that tap into Wi-Fi networks. (Excerpt from article by Laurie Sullivan)
[source: RFIDInsights]
(2005-08-15) [Bruce Schneier] Is e-mail in transit communications or data in storage? Seems like a basic question, but the answer matters a lot to the police. A U.S. federal Appeals Court has ruled that the interception of e-mail in temporary storage violates the federal wiretap act, reversing an earlier court opinion.
Basically, different privacy laws protect electronic communications in transit and data in storage; the former is protected much more than the latter. E-mail stored by the sender or the recipient is obviously data in storage. But what about e-mail on its way from the sender to the receiver? On the one hand, it's obviously communications in transit. But the other side argued that it's actually stored on various computers as it wends its way through the Internet; hence it's data in storage. (Excerpt from article by Bruce Schneier)
[source: Blog]
(2005-08-15) [CMP] How should one understand the legal aspects of using wireless access found "in the open"?
What does the law say? What are the ethics? And is being denied Internet access for a few hours really the equivalent of death by drowning? (Excerpt from article by Parry Aftab)
[source: Security Pipeline]
(2005-08-12) [CMP] The growing online menace of identity and data theft has resulted in the introduction of another bill to address the problem. Last month, Senator Gordon Smith (R-Ore.) introduced the Identity Theft Protection Act, the 10th identity theft bill put into play this session.
As in previous bills, the Identity Theft Protection Act requires companies, schools or other groups that collect personal information to disclose any data breach. Failure to do so could result in fines of up to $11 million. Breaches that involve more than 1,000 people require that the organization inform the Federal Trade Commission (FTC). But, unlike other bills, this one has a low bar when it comes to consumer notification. Even if only one consumer's information is disclosed by a breach, that consumer must be notified. (Excerpt from article by Gregg Keizer)
[source: Security Pipeline]
(2005-08-25) "World E-ID" will take place on September 21 -- 23, 2005 (Sophia-Antipolis, France).
See calendar entry.
(2005-08-11) [Wired] Ever wonder if that spouse, friend or co-worker on the other end of the phone is really paying attention? The "Jerk-O-Meter" may hold the answer.
Researchers at the Massachusetts Institute of Technology are developing software for cell phones that would analyze speech patterns and voice tones to rate people -- on a scale of 0 percent to 100 percent -- on how engaged they are in a conversation. [Remark: what could this do for VoIP?]
[source: News]
(2005-08-11) [IDG] The U.S. government plans to begin issuing electronic passports in December that feature a built-in chip that contains information about the passport holder and facial-recognition capabilities.
In an announcement Tuesday, the U.S. Department of State said the first electronic passports will be issued only through the department. By October 2006 domestic passport agencies, such as local government offices and post offices, will be able to provide them. (Excerpt from article by Todd R. Weiss)
[source: ComputerWorld]
(2005-08-11) [CMP] For the third straight month, most of the spam sent across the Internet originated on zombie machines, hijacked computers remotely controlled by spammers, a mail security firm said Thursday.
According to Denver-based MX Logic, 56 percent of the spam it tracked during July was sent by zombies infected with a malicious Trojan horse and transformed into a spam-spewing monster. That's down from June's 62 percent, but up slightly from May's 55 percent.
[source: Developer Pipeline]
(2005-08-11) [EPIC] According to CNET News, Google has blacklisted the entire news agency because one of its reporters published an article that included information on Google's CEO gleaned from the company's own search engine.
The article, by Elinor Mills, explored the difficult privacy issues implicated by search engines, and began with a listing of personal interests and basic biographical information about Google CEO Eric Schmidt. Google's retaliation is interesting because the company largely hasn't confronted the privacy implications of its own products.
[source: EPIC Alert vol 12 no 16]
(2005-08-11) [EPIC] The British government is preparing to test new high-tech license plates containing Radio Frequency Identification chips capable of transmitting unique vehicle identification numbers and other data to readers more than 300 feet away.
"A single reader can identify dozens of vehicles fitted with an e-Plate moving at any speed at a distance of up to 100 metres [328 feet]," according to e-Plate manufacturer Hills Numberplates. The RFID-enabled license plates can cost up to 10 times more than regular plates. The British government will begin using them later this year.
[source: EPIC Alert vol 12 no 16]
(2005-08-11) [EPIC] Responding to a petition by federal law enforcement agencies, the Federal Communications Commission has determined that the Communications Assistance for Law Enforcement Act (CALEA) applies to broadband Internet providers and Internet telephony.
As a result, some providers of both services will have to make their systems easier to wiretap. Passed in 1994, CALEA requires telecommunications providers to customize their systems so that law enforcement can easily surveil wire and electronic communications.
[source: EPIC Alert vol 12 no 16]
(2005-08-11) [EPIC] A New York district court last week dismissed a nationwide class action privacy lawsuit against JetBlue Airways, data aggregator Acxiom Corporation, and government contractors SRS Technologies and Torch Concepts.
The suit was based on the transfer of passenger information from JetBlue and Acxiom to Torch Concepts for a Pentagon data mining study. JetBlue passengers argued that the disclosure of their personal information without their knowledge or consent violated the Electronic Communications Privacy Act, as well as state privacy laws and torts.
[source: EPIC Alert vol 12 no 16]
(2005-08-11) [EPIC] In comments to the Department of Homeland Security (DHS), EPIC has urged the agency to abandon a proposal to embed Radio Frequency Identification (RFID) tags into the Form I-94 or Form I-94W, which is the Arrival-Departure record issued to a traveler to the United States.
US-VISIT will test the use of passive RFID tags to "automatically, passively, and remotely" record the entry and exit of covered individuals, DHS said. EPIC said the plan lacks basic privacy and security safeguards, and repeats many of the problems with the controversial proposal of the State Department for wireless passports.
[source: EPIC Alert vol 12 no 16]
(2005-08-11) [EPIC] This month's Spotlight on Surveillance shines on unmanned aerial vehicles (UAVs), equipped with cameras and sensors that produce high-resolution imagery and track moving targets.
UAVs, which cost $350,000 to $4.5 million each, were designed for military use and have been deployed in Afghanistan and Iraq. Now this military technology could be used by the federal government for aerial surveillance of civilians in the United States.
[source: EPIC Alert vol 12 no 16]
(2005-08-11) [EPIC] EPIC has submitted comments to the Department of Justice in opposition to Georgia's proposal to require citizens to provide a government-issued photo ID to vote in a state or federal election.
EPIC opposes the proposal because it will negatively impact voter privacy, discourage voter turnout, and is inconsistent with the federal Help America Vote Act.
[source: EPIC Alert vol 12 no 16]
(2005-08-10) [EDRI] The German Constitutional Court has outlawed a special security law of the state of Niedersachsen that allowed police to wiretap telephone connections without any specific suspicion, as well as collect traffic data, GSM location data, e-mail and SMS traffic.
The ruling also affects the state of Thuringen, which has a similar law, and Bavaria that is currently developing a similar law.
[source: EDRI-Gram Number 3.16, 10 August 2005]
(2005-08-10) [EDRI] On 27 January 2005 the Norwegian Supreme Court ruled on an old case; the existence of the website napster.no, which Norwegian internet users could use in 2001 to find music files (not more than 170 in practice) on the Napster file-sharing system.
The Court states that it is beyond doubt that making a web-address known on a website does not constitute a 'making available to the public', regardless of whether or not the link refers to a web-address containing legally or illegally published material. Whether a web-address is expressed on the Internet or in a newspaper is immaterial.
[source: EDRI-Gram Number 3.16, 10 August 2005]
(2005-08-10) [EDRI] On 27 July 2005 the Italian government published a decree 'with urgent measures to fight international terrorism'. Under Article 6 all telephony providers are obliged to store traffic data until 31 December 2007. The measure was converted into law on 31 July 2005.
The data retention period for information about mobile and fixed telephony in Italy is thus at least 2 years and 5 months, but the decree also obliges providers not to destroy any traffic data they already hold on their customers, at least two years' worth in the case of telephony providers. Internet providers must retain all data for at least 6 months, with a possible extension for another 6 months.
[source: EDRI-Gram Number 3.16, 10 August 2005]
(2005-08-10) [EDRI] Over 21,000 people have already signed the new EDRI and XS4ALL petition against mandatory data retention. The petition is now available in 13 languages, including Bulgarian, Polish, Czech and Hungarian, and will remain open for signatures until October 2005.
Divided per country, the Netherlands keeps its number 1 position, with over 7,300 signatures. But relatively, the number of signatures from Finland (almost 4,500) is actually much higher when compared to the number of inhabitants (5 million). Germany takes third position with almost 3,500 signatures, followed by Austria and Italy with almost 1,000 signatures each. France, Belgium and Sweden have all contributed over 500 signatures. The petition is also supported by 45 organisations and companies.
[source: EDRI-Gram Number 3.16, 10 August 2005]
(2005-07-29) [The Kingston Whig-Standard] Kingston's closest U.S. border crossing will employ high-tech radio frequency technology to monitor visitors from other countries who want to enter the States from Canada -- a move that alarms both a Kingston privacy expert and an immigration specialist.
The U.S. Department of Homeland Security said this week that the crossing between Lansdowne and Alexandria Bay, N.Y., will be one of three Canada-U.S. land borders to require non-Canadians to carry wireless devices as part of a pilot project. Travellers will be required to carry the devices as of Aug. 4. (Excerpt from article by Jennifer Pritchett)
[source: Local News]
(2005-07-28) [RFID journal] Consultant Ross Stapleton-Gray has launched a project called the Sorting Door to examine how RFID will affect personal privacy.
The Sorting Door project aims to examine the potential for RFID's application to surveillance, and to assess the resulting impact on privacy of such an application. The research will focus on surveillance of individuals based on RFID tags embedded in clothing they are wearing, or in devices or objects they are carrying, such as building access badges and contactless payment cards. (Excerpt from article by Mark Roberti)
[source: Articles]
(2005-07-12) [The Register] A former CIA intelligence analyst and researchers from SAP plan to study how RFID tags might be used to profile and track individuals and consumer goods.
"I believe that tags will be readily used for surveillance, given the interests of various parties able to deploy readers," said Ross Stapleton-Gray, former CIA analyst and manager of the study, called the Sorting Door Project. (Excerpt from article by Mark Baard)
[source: News]
(2005-07-07) [EU] Security and trust in Internet usage is difficult to quantify as it has a highly subjective component. In this publication, security and trust is indirectly measured through an analysis of behaviour and use. Furthermore, the figures presented in this publication (survey-based, see Methodological Notes) may be biased due to a low awareness of the respondents with regards to the risks of certain Internet usage aspects.
Read the report.
[source: Information portal]
(2005-06-06) [Addison-Wesley] The book "RFID: Applications, Security, and Privacy" edited by Simson Garfinkel and Beth Rosenberg, has been published.
It consists of 32 chapters, grouped into five main parts.
[source: News]
(2005-08-17) [ACM] In his article "Notes on Malware," Michel Kabay says: "With the help of unethical, immoral, careless, stupid or crazy virus authors, viruses evolve in response to selection pressures, hiding themselves in new niches of the computer universe, or 'cyberspace.' Virus authors even take ideas from each other's viruses, leading to a form of primitive viral sexuality."
Kabay is Associate Professor, Information Assurance & Program Director, Master of Science in Information Assurance, Division of Business & Management, Norwich University, Northfield, VT.
[source: Ubiquity Volume 6, Issue 30]
(2005-08-15) [CNet] Internet users are taking back control of their computers, and online marketers and publishers are not pleased with the results. But they don't quite know what to do about their conundrum--if it is a conundrum, since they can't even agree on that.
Until recently, Internet businesses could track their users freely, using what are known as cookies, tiny text files they embed on the user's hard drive. Now, with the proliferation of anti-spyware programs that can delete unwanted cookies, merchants often cannot tell who has been to their Web sites before or what they have seen. And this erosion of control over a tool for gaining insight into consumer behavior has many of them fretting. (Excerpt from article by Bob Tedeschi)
[source: News.com]
(2005-08-02) [CMP] What's really scary about identity fraud is the final chapter, when victims - not their banks or credit card companies - discover the crime, usually almost six months afterward, with no real advocate to help them argue their innocence and get their money back.
Sometimes, that last chapter has no ending. More than 1 of every 4 victims of identity fraud are unable to resolve their cases after a year of trying, according to a survey by Nationwide Mutual Insurance Co. Even more alarming: 16 percent of victims wind up paying an average of $6,440. (Excerpt from article by Christopher T. Heun)
[source: Security Pipeline]
(2005-08-12) [CNet] Phishers have added a new lure to their tackle boxes: emails that ask people to fax sensitive information to bogus security investigators.
In a new scam, attackers are sending email warnings that appear to come from PayPal, security specialist Sophos said on Wednesday. These emails say that someone tried to reset the recipient's password and asks him or her to participate in an investigation. (Excerpt from article by Dawn Kawamoto)
[source: silicon.com]
(2005-08-12) [CNet] The UK government has detailed the technology it will need to underpin its controversial identity cards project.
In a "prior information notice" for interested suppliers published this week, the Home Office outlined the systems and services it will want to procure if the ID card legislation makes it through parliament. (Excerpt from article by Steve Ranger)
[source: silicon.com]
(2005-08-11) [eChannelLine] A new poll finds that only four per cent of firms do not monitor employee Internet activity at all, while execs believe employees spend an average of 56 minutes a day at work on non-business related Internet activity.
(Article by Mark Cox)
[source: Daily News]
(2005-08-08) [CMP] Writer Dave Piscitello says that when it comes to pulling in that next anti-spyware tool you must pay attention to the accuracy claims, otherwise you'll be doing more work to fight spyware than ever before.
[source: Security Pipeline]
(2005-08-10) [IDG] Let's face it; we live in a litigious society. With the potential to circulate the globe at breakneck speeds, malware is forcing companies and individuals to be mindful of the liabilities of passing on viruses via e-mail.
(by Douglas Schweitzer)
[source: ComputerWorld blog]
(2005-08-11) [IDG] Apparently, phishing is getting more personal. Rather than using the standard or traditional tactic of dispersing spam to a very wide audience, then sitting back and seeing who takes the bait, phishers are now sending more targeted e-mails aimed at specific individuals or businesses.
(by Douglas Schweitzer)
[source: ComputerWorld blog]
(2005-08-09) [IDG] Privacy columnist Jay Cline provides a five-point agenda for preventing the kind of information security breaches that are triggering big headlines and legislation.
[source: ComputerWorld]
(2005-08-11) [IDG] Visitors to the World Athletics Championships in Finland have had to brave wind and rain, and now officials say they face the possibility of catching the world's first mobile phone virus.
Officials in mobile-mad Finland, home to the world's largest cell phone maker, Nokia Corp., said there had been outbreaks of the Cabir virus at Helsinki's Olympic Stadium. "At most we are speaking about dozens of infections, but during a short period and in one spot, this is a huge number," said Jarmo Koski, a security official at telecommunications firm TeliaSonera AB.
[source: ComputerWorld]
(2005-08-10) [CNet] Gateway is plugging two security devices into its machines, including a LoJack-style technology to help customers track down lost or stolen laptops.
The Mobile Theft Protection product is now available in Gateway's M250, M460 and M680 notebooks, the PC maker said on Tuesday. The hardware, which uses technology from Absolute Software's Computrace, promises to locate computers that have gone astray. It includes a so-called Data Delete feature that removes sensitive personal or corporate data by remote control. (Excerpt from article by Michael Singer)
[source: News.com]
(2005-08-08) [CNet] A major identity theft ring has been discovered that affects up to 50 banks, according to Sunbelt Software, the security company that says it uncovered the operation.
The operation, which is being investigated by the FBI, is gathering personal data from "thousands of machines" using keystroke-logging software, Sunbelt said Monday. The data collected includes credit card details, Social Security numbers, usernames, passwords, instant-messaging chat sessions and search terms. Some of that data is then saved in a file hosted on a U.S.-based server that has an offshore-registered domain, according to Sunbelt. (Excerpt from article by Ingrid Marson)
[source: News.com]
(2005-08-08) [CNet] The U.S. Department of Homeland Security has begun testing immigration documents laced with radio-frequency identification chips at five spots on the Mexican and Canadian borders.
The goal of the technology is to speed up--if not automate--secure entry and exit of visitors at the nation's ports, according to a Homeland Security press release. (Excerpt from article by Anne Broache)
[source: News.com]
(2005-08-07) [CNet] Early last year, the corporate stalker made his move. He sent more than a dozen menacing e-mail messages to Daniel I. Videtto, the president of MicroPatent, a patent and trademarking firm, threatening to derail its operations unless he was paid $17 million.
In a pair of missives fired off on Feb. 3, 2004, the stalker said that he had thousands of proprietary MicroPatent documents, confidential customer data, computer passwords and e-mail addresses. Using an alias of "Brian Ryan" and signing off as "Wounded Grizzly," he warned that if Videtto ignored his demands, the information would "end up in e-mail boxes worldwide." (Excerpt from article by Timothy L. O'Brien)
[source: News.com]
(2005-08-04) [CNet] The volume of stock scam spam has risen, posing a new threat to investors, warns a new study from network security firm Sophos.
Though traditional spam categories--medication, mortgage and pornography--continue to dominate, new ones such as stock scams are growing, according to the study, which covered the first six months of 2005. (Extract from article by Dinesh C. Sharma)
[source: News.com]
(2005-08-09) [Wired] The federal government moves ahead with a trial of e-passports that are readable at a distance, despite criticism that they endanger Americans. United Airlines pilots and crew are the test subjects.
(Article by Ryan Singel)
[source: News]
(2005-08-09) [Wired] Companies and government agencies increasingly use radio frequency identification technology to track products and people, and RFID opponents say it poses privacy risks. Here's what the technology is all about.
(Article by Kim Zetter)
[source: News]
(2005-08-09) [Wired] The British government is preparing to test new high-tech license plates containing microchips capable of transmitting unique vehicle identification numbers and other data to readers more than 300 feet away.
Officials in the United States say they'll be closely watching the British trial as they contemplate initiating their own tests of the plates, which incorporate radio frequency identification, or RFID, tags to make vehicles electronically trackable. (Excerpt from article by Mark Baard)
[source: News]
(2005-08-08) [Daily Telegraph] Victoria's privacy watchdog will investigate a serious bungle by the Office of Police Integrity (OPI) after it released confidential police files on hundreds of people to one complainant.
Files on more than 400 people were sent by the OPI to a woman in country Victoria in May after she complained that a policewoman had breached her privacy by accessing her files. (Excerpt from article by Nick Lenaghan)
[source: News]
(2005-08-03) [IDG] U.S. banks are putting customer convenience ahead of security and, in the process, making it much easier for online "phishers" to create counterfeit bank cards, according to a Gartner Inc. report released yesterday.
And with the Internet now a common source of stolen account information, phishers make up a growing portion of the estimated $2.75 billion in annual losses that bank card abuse is costing U.S. banks, according to the Stamford, Conn.-based research firm. (Excerpt from article by Robert McMillan)
[source: ComputerWorld]
(2005-08-03) [IDG] If you happen to hear a disembodied computer voice tell you to "drive carefully" the next time you're behind the wheel, you've probably met the Car Whisperer.
Released late last week at the What the Hack computer security conference in Liempde, Netherlands, Car Whisperer is software that tricks the hands-free Bluetooth systems installed in some cars into connecting with a Linux computer. (Excerpt from article by Robert McMillan)
[source: ComputerWorld]
(2005-08-03) [Pinsent Masons] Fraudsters can get cash from ATMs because some banks fail to scan security codes in the magnetic stripes on cards, according to Gartner. Counterfeit cards are made when consumers, tricked by phishing, disclose account numbers and PINs.
[source: OUT-LAW.com]
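The Gartner finding reported above and in this item rests on one mechanism: the "security code" in the magnetic stripe (CVV1/CVC1) is derived by the issuer from the account number, expiry and service code under secret issuer keys, so a card written from a phished account number and PIN alone cannot carry a correct value, and an issuer that recomputes and compares it rejects the counterfeit. The following is an added example, not code from Gartner, OUT-LAW or any bank: it parses an ISO 7813 track 2 record, generates the code with the DES-based CVV method as commonly documented for payment HSMs, and performs the issuer-side check. Assumptions are labelled in the code: the keys are constructed, the PAN is the well-known 4111111111111111 test number, and the discretionary data is assumed to end with the 3-digit CVV (real layouts are issuer-specific).

```go
package main

import (
	"crypto/des"
	"encoding/hex"
	"errors"
	"fmt"
	"strings"
)

// Track2 holds the fields of an ISO 7813 track 2 record: ;PAN=YYMMSSS<discretionary>?
type Track2 struct {
	PAN, Expiry, ServiceCode string
	Discretionary            string // issuer-defined; assumed here to end with the 3-digit CVV
}

func allDigits(s string) bool {
	for _, c := range s {
		if c < '0' || c > '9' {
			return false
		}
	}
	return len(s) > 0
}

// luhnOK is the check-digit test every PAN must pass (catches transcription errors, not fraud).
func luhnOK(pan string) bool {
	sum, double := 0, false
	for i := len(pan) - 1; i >= 0; i-- {
		d := int(pan[i] - '0')
		if double {
			if d *= 2; d > 9 {
				d -= 9
			}
		}
		sum, double = sum+d, !double
	}
	return sum%10 == 0
}

// ParseTrack2 splits a track 2 string into fields, rejecting structurally bad records.
func ParseTrack2(track string) (Track2, error) {
	s := strings.TrimPrefix(track, ";")
	if i := strings.IndexByte(s, '?'); i >= 0 {
		s = s[:i] // drop end sentinel (and any LRC after it)
	}
	parts := strings.SplitN(s, "=", 2)
	if len(parts) != 2 {
		return Track2{}, errors.New("missing field separator")
	}
	pan, rest := parts[0], parts[1]
	if len(pan) < 12 || len(pan) > 19 || !allDigits(pan) || !luhnOK(pan) {
		return Track2{}, errors.New("bad PAN")
	}
	if len(rest) < 7 || !allDigits(rest) {
		return Track2{}, errors.New("bad expiry or service code")
	}
	return Track2{PAN: pan, Expiry: rest[:4], ServiceCode: rest[4:7], Discretionary: rest[7:]}, nil
}

// GenerateCVV: PAN|YYMM|service code, zero-padded to 32 hex digits, split into two 8-byte blocks;
// block1 encrypted under CVK-A, XORed with block2, then 3DES (A encrypt, B decrypt, A encrypt);
// the CVV is the first three of the result's decimal hex digits followed by a-f mapped to 0-5.
func GenerateCVV(cvkA, cvkB []byte, pan, expiry, service string) (string, error) {
	data := pan + expiry + service
	if !allDigits(data) || len(data) > 32 {
		return "", errors.New("bad CVV input")
	}
	raw, err := hex.DecodeString(data + strings.Repeat("0", 32-len(data)))
	if err != nil {
		return "", err
	}
	ca, err := des.NewCipher(cvkA)
	if err != nil {
		return "", err
	}
	cb, err := des.NewCipher(cvkB)
	if err != nil {
		return "", err
	}
	var t [8]byte
	ca.Encrypt(t[:], raw[:8])
	for i := range t {
		t[i] ^= raw[8+i]
	}
	ca.Encrypt(t[:], t[:])
	cb.Decrypt(t[:], t[:])
	ca.Encrypt(t[:], t[:])
	hx := hex.EncodeToString(t[:])
	var digits strings.Builder
	for _, c := range hx {
		if c >= '0' && c <= '9' {
			digits.WriteRune(c)
		}
	}
	for _, c := range hx {
		if c >= 'a' && c <= 'f' {
			digits.WriteByte(byte(c-'a') + '0')
		}
	}
	return digits.String()[:3], nil
}

// VerifyTrack2 is the issuer-side check the Gartner report says some banks skip:
// recompute the CVV from the cleartext fields and compare with the value read from the stripe.
func VerifyTrack2(cvkA, cvkB []byte, track string) (bool, error) {
	t2, err := ParseTrack2(track)
	if err != nil {
		return false, err
	}
	if len(t2.Discretionary) < 3 {
		return false, errors.New("no CVV on stripe")
	}
	want, err := GenerateCVV(cvkA, cvkB, t2.PAN, t2.Expiry, t2.ServiceCode)
	if err != nil {
		return false, err
	}
	return t2.Discretionary[len(t2.Discretionary)-3:] == want, nil
}

// BuildTrack2 assembles a record in the layout this example assumes (PVKI+PVV placeholders, then CVV).
func BuildTrack2(pan, expiry, service, discretionary string) string {
	return ";" + pan + "=" + expiry + service + discretionary + "?"
}

// tamperCVV changes the last digit so a mismatch is guaranteed (what a clone written
// from phished data alone would carry, in effect: a value the issuer never computed).
func tamperCVV(cvv string) string {
	last := (cvv[len(cvv)-1]-'0'+1)%10 + '0'
	return cvv[:len(cvv)-1] + string(rune(last))
}

func main() {
	cvkA, _ := hex.DecodeString("0123456789abcdef") // constructed issuer keys, not real ones
	cvkB, _ := hex.DecodeString("fedcba9876543210")
	pan, exp, svc := "4111111111111111", "0812", "101" // well-known test PAN
	cvv, err := GenerateCVV(cvkA, cvkB, pan, exp, svc)
	if err != nil {
		panic(err)
	}
	genuine, _ := VerifyTrack2(cvkA, cvkB, BuildTrack2(pan, exp, svc, "00000"+cvv))
	clone, _ := VerifyTrack2(cvkA, cvkB, BuildTrack2(pan, exp, svc, "00000"+tamperCVV(cvv)))
	fmt.Printf("genuine card accepted: %v, counterfeit accepted: %v\n", genuine, clone)
}
```

The point of the check is that the phished data (PAN, PIN, often expiry) is everything the fraudster has, while the CVK keys never leave the issuer's HSM; an ATM network that forwards the discretionary data and an issuer that verifies it turn the counterfeit into a declined transaction rather than a cash withdrawal.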
(2005-08-03) [Government Technology] A new public-private partnership looks to create standards in the evolving world of privacy protection in the public sector.
The International Association of Privacy Professionals (IAPP) created a certification program called the Certified Information Privacy Professional/Government (CIPP/G) program to assist the public sector in setting sound privacy policies.
Underwritten by IBM, the program is designed exclusively for employees of government and of businesses that interact with government. Its goal is institutionalizing the knowledge necessary to ensure government compliance with existing privacy law. (Excerpt from article by John Marcotte)
[source: News]
(2005-08-02) [CMP] Banking fraud is as old as the industry itself, and it continues to be one of the largest expenses faced by many financial institutions, according to Virginia Garcia, research director for Needham, Mass.-based TowerGroup. Garcia estimates that 30 percent to 50 percent of the industry's $55 billion in annual operating losses is attributable to fraud.
With the growing popularity of online banking, account takeover has emerged as a major fraud threat. One method that banks are adopting to battle such fraud is multiple-layer authentication, according to Bill Harris, chairman of PassMark Security in Redwood City, Calif. "The banking industry has spent the past year-and-a-half determining what is the biggest problem - keylogging, phishing, e-mail or something else," he says. (Excerpt from article by Phil Britt)
[source: Compliance Pipeline]
(2005-08-02) [CMP] Banking fraud is as old as the industry itself, and it continues to be one of the largest expenses faced by many financial institutions, according to Virginia Garcia, research director for Needham, Mass.-based TowerGroup. Garcia estimates that 30 percent to 50 percent of the industry's $55 billion in annual operating losses is attributable to fraud.
"There are a couple of drivers that are convincing the banks to start rethinking some of their fraud management strategies," Garcia says. She points to the current media storm surrounding fraud and the evolution of ever-more-sophisticated fraud techniques as examples. New fraud schemes require new tools and strategies to prevent losses, she explains. (Excerpt from article by Phil Britt)
[source: Security Pipeline]
(2005-08-02) [CNet] New York Attorney General Eliot Spitzer's recent enforcement action against adware vendor Intermix Media has opened up a new front in the battle against this type of software.
Though Intermix claims to have settled the matter for $7.5 million, any disposition leaves open a number of issues regarding Spitzer's ultimate plan for a possible sweep against the entire adware industry. (Excerpt from article by Eric Goldman)
[source: News.com]
(2005-08-02) [CNet] Phishing attacks have led to an estimated $2.75 billion in losses related to ATM and debit cards over the past 12 months, according to a new Gartner report.
The report, released Tuesday, includes a recent survey of 5,000 U.S. bank customers. From the survey, Gartner estimates that 3 million Americans have lost an average of more than $900 each due to online scams over the past year. (Excerpt from article by Dawn Kawamoto)
[source: News.com]
(2005-08-01) [RFID Journal Inc] Katherine Albrecht, a vocal opponent of RFID technologies, will publish "Spychips: How Major Corporations and Government Plan to Track Your Every Move with RFID" this fall.
Katherine Albrecht is a founder of Consumers Against Supermarket Privacy Invasion and Numbering (CASPIAN) and a vocal opponent of RFID technologies. The book is described as: "An explosive exposé on how major corporations are working to install secret tracking devices on all consumer products, and how this seemingly innocuous commercial maneuver will inevitably turn our society into a Big Brother nightmare." (Excerpt from article by Mark Roberti)
[source: RFID Journal]
(2005-08-01) [CMP] Spanish authorities said Saturday they had disbanded an Internet fraud network in an operation that resulted in 15 arrests.
The Interior Ministry said the ring was involved in a form of identity theft called phishing and may have netted several million euros.
[source: Networking Pipeline]
(2005-08-01) [Statewatch] The London School of Economics says the Home Office's recent rebuttal of their critique of the Government's identity cards scheme was misleading and inaccurate, containing "substantial errors and misrepresentation of fact".
See the LSE response to the Home Office critique, the Home Office critique, and The Identity Project: an assessment of the UK Identity Cards Bill and its implications (published by the LSE, 27 June 2005).
[source: News]
(2005-07-29) [E-Health-Media] An A-and-E doctor and CIO who has had an RFID tag implanted into his arm on which his medical reference number is encoded has expressed concerns about lack of privacy standards and erosion of his anonymity.
John Halamka, chief information officer at Harvard Medical School, had the VeriChip tag encased in an unbreakable glass capsule and implanted in his arm at the end of last year. The chip contains a code that can be entered into a website, where his medical records and GP contact details can be found. However, there are downsides, not least the ethical problems of implanting tags into people who cannot consent to this. Furthermore, Halamka reports: "Friends and associates have commented that I am now 'marked' and lost my anonymity. Several colleagues find the notion of a device implanted under the skin to be dehumanising."
[source: E-Health Insider]
(2005-07-29) [CNet] Con artists are setting up Web sites for fake U.S. regulatory agencies to lure stock investors, many from overseas, into fraudulent transactions, officials from New Jersey to Montana warned Thursday.
These "phantom regulators"--with names like the International Compliance Commission and the Securities Protection Agency--have been brought to the attention of actual regulators, the officials said.
[source: News.com]
(2005-07-28) [CMP] The National Association of Securities Dealers on Thursday warned investors against using public Wi-Fi connections for accessing online accounts, saying that they pose additional risks of confidential information being stolen by cyber criminals.
The NASD, based in Washington, D.C., issued two formal alerts, one for investors and the other for brokerage firms, offering guidance for protecting personal information.
[source: Networking Pipeline]
(2005-07-14) [Statewatch] Statewatch has published a paper on passports and biometrics, with special attention to proposed EU recommendations.
Some conclusions: the EU does not have the powers to introduce biometrics for national ID cards; the ICAO standard only requires a "facial image"; the USA is not intending to introduce biometrics in its passports, only a digitised normal passport photo.
[source: Paper]
(2005-07-12) [European Data Protection Supervisor] Peter Hustinx, the European Data Protection Supervisor, has issued a paper providing guidelines for dealing with requests for access to public documents containing personal data.
See press release and report Public access to documents and data protection.
[source: Press release]
(2005-07-06) [Statewatch] In a little-reported decision at the full European Commission meeting on 11 February 2005, the policy brief for data protection in the EU was transferred from the Directorate-General for the Internal Market to the Directorate-General for "Freedom, Justice and Security".
There was no public debate and no consultation with national or European parliaments.
[source: News]
(2005-08-12) [CNet] Michael Kanellos at CNet has interviewed Accenture's Chief Scientist, Glover Ferguson, about Accenture's position, ideas, and plans for the use of sensors.
This covers RFID, of course, but also touches upon other types of wireless sensors, and novel applications. Privacy issues are also touched upon.
[source: News.com]
(2005-08-04) [eChannelLine] It seems that human suffering has a new constant following -- a new spin on the notorious "Nigerian" e-mail scam that looks to take advantage of those sensitive to, or greedy to take advantage of, that suffering.
The latest example is taking advantage of the identity of a victim of the July 7 London bombings, seeking to get banking information from those greedy and naïve enough to believe they can cash in on the death. (Excerpt from article by Robert Dutt)
[source: Daily News]
(2005-08-03) [CMP] Recent disclosures of massive data leaks at information brokers, banks and retailers have prompted US Congress to once again consider tightening access to Social Security numbers, which have evolved into dangerous master keys for fraudsters.
But Social Security numbers already have come under a hodgepodge of restrictions over the years, and many experts question whether the new proposals would truly hinder identity theft. In fact, reducing some companies' access to Social Security numbers could even worsen the situation.
Several identity theft watchdogs say the bills would neglect the deeper reason why financial fraud is relatively easy: Speed, not identity assurance, is the main priority of U.S. financial institutions that issue credit.
[source: Security Pipeline]
(2005-07-28) [EPIC] In a statement to the Committee on Foreign Relations, EPIC has urged the United States Senate to oppose ratification of the Council of Europe Convention on Cybercrime.
EPIC cited the sweeping expansion of law enforcement authority, the lack of legal safeguards, and the impact on US Constitutional rights.
[source: EPIC Alert vol 12 no 15]
(2005-07-28) [EPIC] A company has proposed to track users through a feature in Macromedia Flash software. "Flash cookies" make it possible for Web sites to track users, even if they delete their normal cookies.
EPIC's new Flash Cookies page describes what they are, and how to prevent being tracked by them.
[source: EPIC Alert vol 12 no 15]
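Flash cookies survive a normal cookie purge because they are not cookies at all: they are Flash Player "local shared objects", `.sol` files written by a site's SWF into a per-domain directory tree outside the browser's cookie store. The following is an added example, not code from EPIC or from Macromedia: a small auditor that walks such a tree, validates each file against the documented `.sol` header (00 BF, length, "TCSO", six marker bytes, object name, AMF version), reports which domain wrote what, and purges one domain's objects. It assumes the directory layout Flash Player uses (`#SharedObjects/<random id>/<domain>/<swf path>/<name>.sol`; on Linux the tree lives under `~/.macromedia/Flash_Player/`, on Windows under `%APPDATA%\Macromedia\Flash Player\`), and it builds a constructed sample tree in a temporary directory so it runs offline. Only the header is decoded; the AMF-encoded property values are left as opaque bytes.

```go
package main

import (
	"bytes"
	"encoding/binary"
	"errors"
	"fmt"
	"io/fs"
	"os"
	"path/filepath"
	"strings"
)

// LSO describes one Flash Player local shared object found on disk.
type LSO struct {
	Domain string // second path component below #SharedObjects (assumed layout: <id>/<domain>/...)
	Name   string // root object name taken from the file header
	Path   string
	Size   int
}

var solMarker = []byte{0x00, 0x04, 0x00, 0x00, 0x00, 0x00}

// parseSolHeader validates the fixed .sol header and returns the object name and AMF version.
func parseSolHeader(b []byte) (string, uint32, error) {
	if len(b) < 22 || b[0] != 0x00 || b[1] != 0xBF {
		return "", 0, errors.New("missing 00 BF magic")
	}
	if int(binary.BigEndian.Uint32(b[2:6])) != len(b)-6 {
		return "", 0, errors.New("length field does not match file size")
	}
	if string(b[6:10]) != "TCSO" || !bytes.Equal(b[10:16], solMarker) {
		return "", 0, errors.New("missing TCSO signature")
	}
	n := int(binary.BigEndian.Uint16(b[16:18]))
	if len(b) < 22+n {
		return "", 0, errors.New("truncated object name")
	}
	return string(b[18 : 18+n]), binary.BigEndian.Uint32(b[18+n : 22+n]), nil
}

// buildSol writes a minimal AMF0 .sol holding one string property; used only for constructed samples.
func buildSol(name, key, value string) []byte {
	var body bytes.Buffer
	body.WriteString("TCSO")
	body.Write(solMarker)
	binary.Write(&body, binary.BigEndian, uint16(len(name)))
	body.WriteString(name)
	binary.Write(&body, binary.BigEndian, uint32(0)) // AMF0 encoding
	binary.Write(&body, binary.BigEndian, uint16(len(key)))
	body.WriteString(key)
	body.WriteByte(0x02) // AMF0 string type marker
	binary.Write(&body, binary.BigEndian, uint16(len(value)))
	body.WriteString(value)
	body.WriteByte(0x00) // property terminator
	var hdr [6]byte
	hdr[1] = 0xBF
	binary.BigEndian.PutUint32(hdr[2:], uint32(body.Len()))
	return append(hdr[:], body.Bytes()...)
}

// ScanSharedObjects walks a #SharedObjects tree and lists every file that is a valid LSO.
func ScanSharedObjects(root string) ([]LSO, error) {
	var found []LSO
	err := filepath.WalkDir(root, func(p string, d fs.DirEntry, err error) error {
		if err != nil || d.IsDir() || !strings.HasSuffix(d.Name(), ".sol") {
			return err
		}
		data, err := os.ReadFile(p)
		if err != nil {
			return err
		}
		name, _, err := parseSolHeader(data)
		if err != nil {
			return nil // not a shared object: leave it alone
		}
		rel, _ := filepath.Rel(root, p)
		parts := strings.Split(rel, string(filepath.Separator))
		domain := "(unknown)"
		if len(parts) >= 3 {
			domain = parts[1]
		}
		found = append(found, LSO{Domain: domain, Name: name, Path: p, Size: len(data)})
		return nil
	})
	return found, err
}

// Domains counts objects per writing site, which is what a privacy audit wants to see.
func Domains(list []LSO) map[string]int {
	m := map[string]int{}
	for _, l := range list {
		m[l.Domain]++
	}
	return m
}

// Purge deletes every object written by one domain and returns how many files went.
func Purge(list []LSO, domain string) (int, error) {
	n := 0
	for _, l := range list {
		if l.Domain != domain {
			continue
		}
		if err := os.Remove(l.Path); err != nil {
			return n, err
		}
		n++
	}
	return n, nil
}

// WriteSampleTree lays down a constructed #SharedObjects tree: a tracker's visitor id, a
// harmless player setting, and a stray non-LSO file that must be ignored.
func WriteSampleTree(dir string) error {
	files := map[string][]byte{
		"ABCD1234/tracker.example/ad.swf/visitor.sol": buildSol("visitor", "uid", "visitor-7f3a"),
		"ABCD1234/video.example/player.sol":           buildSol("player", "volume", "80"),
		"ABCD1234/tracker.example/notes.sol":          []byte("plain text, not an LSO"),
	}
	for rel, data := range files {
		p := filepath.Join(dir, filepath.FromSlash(rel))
		if err := os.MkdirAll(filepath.Dir(p), 0o700); err != nil {
			return err
		}
		if err := os.WriteFile(p, data, 0o600); err != nil {
			return err
		}
	}
	return nil
}

func main() {
	dir, err := os.MkdirTemp("", "sharedobjects")
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(dir)
	if err := WriteSampleTree(dir); err != nil {
		panic(err)
	}
	list, _ := ScanSharedObjects(dir)
	for _, l := range list {
		fmt.Printf("%-16s object=%-8s %4d bytes  %s\n", l.Domain, l.Name, l.Size, l.Path)
	}
	n, _ := Purge(list, "tracker.example")
	fmt.Println("removed", n, "object(s) from tracker.example")
}
```

Pointing `ScanSharedObjects` at a real `#SharedObjects` directory instead of the sample tree gives the same per-domain inventory for an actual profile; the point the EPIC item makes is visible in the layout itself, since nothing in the browser's cookie manager ever touches these files.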
(2005-07-28) [EPIC] A new series of bombings in London has increased pressure in the U.S. for more surveillance programs.
There have been calls to significantly expand vid