Incident of the Week: Hackers to Demonstrate How To Take Control Over Every Apple iPhone In The World With A Single Text Message Today

Speaking at the Black Hat computer security conference in Las Vegas only a few hours from now, hackers (or "security experts") Charlie Miller and Collin R. Mulliner are scheduled to expose an alleged security flaw in the Apple iPhone that may allow someone sending a single SMS message to take control of any iPhone.  According to a number of reports (note Forbes and AppleInsider), the exploit would allow a hacker to take control over all of the iPhone's functions.  This potentially could mean that a hacker could turn on the camera, microphone and GPS functions in your iPhone to record your activities, dial the phone or use your iPhone to infect others. 

Miller, who works as a security expert for Independent Security Evaluators, suggests that if you receive a text message with a single box-shaped character (e.g., ""), turn the iPhone off immediately.  [I'm not sure what the advice would be after that, but maybe you could use a break from all those emails while Apple fixes this problem.]  Because the alleged flaw could allow someone to take over your friends' and family's iPhones, the next suspicious text message you receive might be from someone you know.

Miller apparently notified Apple of this flaw some weeks ago and, concerned that Apple has not released a patch, intends to force the issue by demonstrating the hack today.

ALERT: FTC Announces Delay in Red Flags Enforcement Until November 1, 2009.

Amidst calls from the legal community, the Federal Trade Commission (FTC) announced this morning that it was delaying enforcement of the FTC's Red Flag Rules until November 1, 2009.  The FTC's announcement of the delay emerged almost as a footnote to a public statement devoted largely to the FTC's "redoubled" efforts to "provid[e] additional resources and guidance to clarify whether businesses are covered by the Rule and what they must do to comply."  The FTC appears to be stepping up its outreach efforts with an "Expanded Business Education Campaign" that is intended to address those businesses that "remain uncertain about their obligations."  This seems aimed at the recent statements from the American Bar Association (ABA), which has called on the FTC and Congress to exempt lawyers from the FTC's Red Flags Rules and threatened to sue the FTC to stop any enforcement action against the legal industry.

To recap the events leading up to this postponement: in April, the ABA received word that the FTC intended to enforce the FTC's Red Flags Rule, 16 CFR Part 681, against lawyers.  The ABA immediately asked the FTC to extend the May 1, 2009 deadline and the FTC obliged by postponing the deadline until August 1, 2009 (see our post on this topic).  After a few months of thought, the ABA publicly called on the FTC and Congress to exempt lawyers from the Red Flags Rule.  The ABA's June report on "Why the Red Flags Rule Should Not Apply to Lawyers" lays out a legal argument for why billing a client is not really an extension of credit that turns every lawyer and law firm into a "creditor" under the Red Flags Rule and the Fair and Accurate Credit Transactions Act (the FACT Act).  More recently, ABA President H. Thomas Wells, Jr. told the Blog of Legal Times that the ABA plans on filing a federal lawsuit this week to block enforcement of the Red Flags Rule, if "we don’t get some kind of sign."  And, perhaps on the ABA's urging, a House Appropriations subcommittee apparently asked the FTC to postpone its deadline yet again.  Other blogs and websites have been abuzz with "sources" close to the discussions between the ABA and the FTC, and then today the FTC announced that it had delayed the enforcement deadline yet again.

Lest anyone think that the ABA is on its own on this issue, the Massachusetts Bar Association sent the FTC a letter objecting to the application of the Red Flags Rules to lawyers and the New York County Lawyers Association also issued a report objecting to enforcement against lawyers.  State bar associations are joining the ABA in calling on the FTC to excuse them from the reach of the "new" regulations (which are, in fact, more than a year old at this point, after numerous delays in enforcement by the FTC).  

Incident of the Week: UAE Carrier Updates Blackberry Software With Spyware, Captures Outgoing User Emails

On Tuesday, Research In Motion, Ltd. (RIM), the maker of Blackberry, posted a note on its website confirming that a software update offered to customers of its carrier Etisalat in the United Arab Emirates contained spyware.  According to the note, certain customers received an SMS message from Etisalat informing them of a software update (named "Registration") designed to improve performance.  However, RIM acknowledged, "[i]ndependent sources have concluded that Etisalat's Registration software application is not actually designed to improve performance of a Blackberry Handheld, but rather to send received messages back to a central server."

According to RIM, the software was not RIM-authorized and was not developed, tested, promoted or distributed by RIM.  On July 17, RIM sent a more detailed note to customers explaining that "Etisalat appears to have distributed a telecommunications surveillance application that was designed and developed by SS8," which is a California company that describes itself as "a leader in communications intercept and a worldwide provider of regulatory compliant, electronic intercept and surveillance solutions."  RIM has offered a new update to remove the spyware. 

The incident was discovered after customers who installed the software began complaining that it was draining the batteries on their devices.  According to an article in PC World, SS8 has not responded to telephone calls seeking comment, while Etisalat has described the problem as a "slight technical fault" that "has resulted in reduced battery life in a very limited number of devices."  An article from Wired notes that a security consultant in Asia named Sheran A. Gunasekera has released a white paper analyzing the code that made up the spyware.  According to Mr. Gunasekera, the spyware could only intercept outgoing e-mail messages.  It could not intercept incoming messages (whether they be e-mails, instant messages, PIN messages, phone calls, etc.), nor could it silently update itself with newer releases. 

Although this version of spyware apparently affected a limited number of Blackberry users, that is no cause for comfort.  Mr. Gunasekera believes that the source code used for "Registration" could easily be modified, improved and used in the future on unsuspecting Blackberry users.  In a New York Times article, Internet security and privacy consultant Richard M. Smith of Boston Software Forensics was quoted as stating that smart phones are "perfect personal spying devices" and that the threat is "an evolving one.  As the technology advances, the security problems follow behind."  Given the ever increasing security risks in the information security world, it is likely only a matter of time before there is another, much larger incident related to smartphone security.


Social Security Numbers (SSNs) Can Be Predicted Using Basic, Widely-Available Public Data. Social Security Administration Not Surprised, and Continues to Offer Detailed SSN Information to the Public

As has been recently reported, researchers from Carnegie Mellon University have announced that they have uncovered a method to accurately predict the Social Security Numbers (SSNs) of individuals by simply knowing two of the most basic and widely-available facts about people today: their dates of birth, and their States of birth. In their paper titled “Predicting Social Security Numbers from Public Data” (.pdf), researchers Alessandro Acquisti and Ralph Gross warn that they have uncovered a distinct and identifiable statistical pattern across SSNs of deceased persons – that, ironically, are made publicly available by the Social Security Administration (SSA or Agency) itself – and have used that pattern to accurately predict the SSNs of live Americans by simply knowing their birthdays and in which States they were born. In other words: “[A]ny third party with internet access and some statistical knowledge . . . [can deduce the pattern of SSN assignment] by analyzing publicly available records in the [Social Security Administration] Death Master File [and] interpolating an alive person’s state and date of birth with the patterns detected across deceased individuals.” 

What has received considerably less media attention, however, is the SSA's muted response to this fiasco and, quite the opposite, the alarmingly broad set of explanatory guides and almost-complete SSNs that the Agency makes available to the public on its website.

House Subcommittees Hold Joint Hearing On Behavioral Advertising

On June 18, 2009, the House Subcommittee on Commerce, Trade and Consumer Protection held a joint hearing with the Subcommittee on Communications, Technology, and the Internet on the topic of “Behavioral Advertising: Industry Practices and Consumer Expectations.” The subcommittee members explained that they hoped the hearing would help determine the need and possible parameters for new legislation governing privacy and behavioral advertising.

Secret Service and Europe Plan a Cybercrime Task Force

According to recent reports from the Wall Street Journal and Computerworld, on June 30 the United States Secret Service, the Italian police and the Italian postal service reached an agreement for the establishment of an international task force to fight cybercrime, including identity theft and computer hacking.   Mark Sullivan, the director of the Secret Service, stated that cybercrime "is not a borderless crime and we believe there needs to be a reaction at an international level."  While it may seem odd at first for the Secret Service, whose most obvious mission is to protect members of the U.S. government and visiting heads of state, to be involved in a fight against cybercrime, the agency actually has a dual mission: both to protect heads of state and "to safeguard the nation's financial infrastructure and payment systems to preserve the integrity of the economy."  Moreover, Congress has given the agency authority to investigate offenses under the Computer Fraud and Abuse Act (CFAA), 18 U.S.C. sec. 1030(d).

The task force will be named the European Electronic Crime Task Force, will be based in Rome and, according to Italian police, will be open to other European countries. Its main focus will be to combine the resources and efforts of the United States and European Union nations in order to fortify cyber-defenses for government sites hosting sensitive data. The Italian Postal Service (and, presumably, other entities that decide to contribute) will exchange alerts with the Secret Service, monitor computer networks across Europe for threats using Italian Postal Service software, and coordinate to quickly respond to attacks. According to the articles, the Italian Postal Service now makes more money from banking and insurance services than from the traditional sending of letters and packages. Given this shift in focus, it has developed software that can review electronic monetary transfers for suspicious signs.

Ironically, and as discussed in more detail elsewhere, the announcement of this new task force came just a few days before the Secret Service's website, along with the websites of the Treasury Department and Federal Trade Commission, were paralyzed due to cyberattacks, which government officials speculate originated from North Korea.  Perhaps the Secret Service should have first established a task force with Asia?


California Hospital Fined $187,500 For Octuplet Mom Breach

As we reported on April 2, a California hospital breached the privacy of the infamous "OctoMom," Nadya Suleman.  When the breach was discovered, Kaiser Permanente’s hospital in Bellflower, California fired 15 employees.  These violations also were reported by Kaiser to the California Department of Public Health, which has announced a $187,500 administrative penalty against Kaiser.  CDPH has determined that the hospital "failed to prevent unauthorized access to patients’ medical information, as required by Section 1280.15 of the Health and Safety Code. The hospital compromised the privacy of four patients when eight employees improperly accessed records." 

The penalty amount of $187,500 represents "$100,000 for the first breach of four individual’s medical record and $87,500 for five additional breaches of those medical records after the first."  In addition to the penalty, the Kaiser facility is required to submit a plan of correction to CDPH within 10 working days and implement a plan of correction to prevent future incidents.

Good News and Bad News: An Employer Is Hiring; It's The HHS Office of Civil Rights!

In an email to its listserv earlier today, the federal Department of Health and Human Services announced it "is expanding its health information privacy enforcement team."  In particular, HHS is hiring for two new positions located in HHS's "Office of the Secretary, Office for Civil Rights (OCR), Office of the Deputy Director Health Information Privacy (ODDHIP)."  As described on USAJOBS.GOV, the people to be hired "will be responsible for reviewing, analyzing, implementing, promoting, or improving proposed or existing programs or policies needed to implement OCR's authority for ensuring compliance with the privacy of health information."  If you are a privacy officer, this could be the federal government stimulus you've been waiting for!

Incident of the Week: French Hacker Compromises Twitter Employee Passwords, Steals Company Documents

This week, Twitter co-founder Evan Williams confirmed that the company has been the victim of an attack that compromised a number of employee personal accounts at Amazon, PayPal and AT&T, employee personal email and Twitter's internal company documents.  The hacker, who goes by the handle "Hacker Croll," has apparently emailed a collection of 310 internal Twitter documents to TechCrunch, including a presentation for a proposed reality television show called "Final Tweet" and a February 2009 financial forecast.  Many wait to see what other documents will come to light while TechCrunch negotiates with Twitter's lawyers.

Postings on the French website Korben.info claim that Hacker Croll obtained a list of employees, along with employees' credit card numbers, telephone numbers, meeting reports, time sheets, salary information, confidential Twitter contracts with Microsoft, Nokia, Samsung and other companies, as well as a list of celebrity "High Profile Users" (an English translation of the French website is available here).

Twitter's Evan Williams stated "This had nothing to do with the security of twitter.com, and there were no user accounts compromised here."  This was reiterated in Biz Stone's post on the Twitter blog, appropriately entitled "Twitter, Even More Open Than We Wanted."  Stone notes "This isn't about any flaw in web apps, it speaks to the importance of following good personal security guidelines such as choosing strong passwords." 

This is not the first time that poor password security has led to a noteworthy breach (see WIRED Magazine's account of how one hacker used publicly available information to hack into Sarah Palin's email).  This may serve as a good reminder to many of us that we may want to take the time to change our passwords today (and select a combination with at least 6 characters, at least one capital letter and at least one number).


Bozeman, Montana Suspends Controversial Requirement That Job Applicants Provide Usernames and Passwords to Facebook Accounts

When, in June, the City of Bozeman, Montana sought to change its job application to require municipal job seekers to disclose usernames and passwords for popular social networking sites, it immediately drew widespread criticism.  Specifically, Bozeman asked applicants to "Please list any and all, current personal or business websites, web pages or memberships on any Internet-based chat rooms, social clubs or forums, to include, but not limited to: Facebook, Google, Yahoo, YouTube.com, MySpace, etc."  In the aftermath of media exposure, Bozeman has decided to "suspend its practice of reviewing candidate’s password protected internet information until the City conducts a more comprehensive evaluation of the practice."

On June 19, 2009, city manager Chris Kukulski officially apologized (.pdf) for the intrusive application, stating “[t]he extent of our request for a candidate’s password, user name, or other internet information appears to have exceeded that which is acceptable to our community.”

This controversy is another indication that social networking sites and other digital media are coming under greater scrutiny as employers conduct background checks. For example, the application for high-level political positions in the Obama transition phase required applicants to include copies of e-mails that might embarrass the President, copies of all blog posts, a link to one’s Facebook page, and a list of “all aliases or ‘handles’ . . . used to communicate on the Internet.”

The Bozeman application would have required applicants to violate Facebook’s Terms of Use, which state that “You will not share your password, let anyone else access your account, or do anything else that might jeopardize the security of your account.” In addition, Bozeman’s request apparently was limited to obtaining usernames and passwords and did not seek authorization to access applicants’ sites. Consequently, any access by city officials might have run afoul of the Computer Fraud and Abuse Act, 18 U.S.C. § 1030(a)(2)(C), which prohibits intentionally accessing a “protected computer” without authorization.


Lawsuit Challenges Legality of HITECH Act

A federal suit has been filed that challenges the legality of the federal HITECH Act.  In the course of 30 often rambling pages, this complaint alleges that "HIPAA codified the Hippocratic Oath" and that HITECH improperly undermines both.  This complaint appears to be the work of a gadfly or two.  The plaintiff's lawyer is her husband; interestingly, he was described by a federal judge as filing claims that were "without merit [and which] would have been perceived as such by any objectively reasonable attorney."  And this same attorney has been disbarred in Connecticut. 

Even if there are questions about the specific allegations in this complaint and questions about the credentials of the counsel who filed it, the complaint points to some legitimate concerns about the move to electronic medical records and health information exchange.  However, it will probably be a different case that brings real scrutiny to these questions.

Incident of the Week: Goldman Sachs Programmer Arrested for Transfer of Top Secret Source Code for Goldman's Automated Trading System

On July 3, 2009, the FBI arrested Sergey Aleynikov, a Goldman Sachs programmer, as he disembarked at Newark airport on charges that he violated the Electronic Espionage Act (18 U.S.C. sec. 1832) when he sent company data to an overseas document server.

According to the criminal complaint and supporting affidavit (.pdf) filed in the federal court for the Southern District of New York, Aleynikov was part of the team that developed a high-speed, automated trading system for Goldman Sachs.  He resigned and left the company on June 5th, but federal prosecutors allege that in his last four days of work, Aleynikov encrypted and transferred 32 megabytes of source code relating to the automated trading system from Goldman's servers in New Jersey to a privately run document server in Germany.

Below we detail some of the evidence behind the arrest - evidence that demonstrates why adequate workplace monitoring and an appropriate response plan are key to protecting proprietary information.

U.S. and South Korea Targeted in Ongoing Denial of Service Attacks

On the 4th of July an organized series of Denial of Service (DOS) attacks were launched against a number of U.S. government websites (including the White House, Treasury Department and the Federal Trade Commission websites), as well as several websites associated with the South Korean government and a handful of corporate targets (the Washington Post and Nasdaq stock exchange). [If you are wondering what a DOS/DDOS attack is, brief explanations are available from U.S. Computer Emergency Response Team (CERT) and CNET.]

The U.S. government routinely faces threats like these (note coverage of prior events in 2001 and 2000), but the recent attacks have been especially long lasting, apparently very well coordinated and sophisticated, and “remarkably successful”. In fact, a number of government websites were brought down over the weekend and some are still experiencing service problems as a result of this attack. [As of this posting, the FTC website is still showing signs of overload.] Of particular note is that the website of at least one agency charged with investigating cybercrime violations in the United States, the Secret Service website, was successfully brought down by this attack.

At the moment, the source of the attack is unknown, but some are reporting that North Korea is behind the attack. In particular, there is some suggestion that North Korea may be running a “cyber warfare unit” which is tasked with hacking into military websites and disrupting traffic to those sites.  If such reports are accurate, then we have seen a demonstration that a hostile government has the capability to disrupt traffic to government websites, even the websites of government agencies involved in cyber security. Of course, the apparent impact of these attacks has been minimal; they have effectively disrupted the use of public websites, but there appears to be little lasting impact.

U.S. officials have not issued any public comment on the attacks. 


Garbage Dump in Ghana A Gold Mine For Sensitive Information

In June, a team of researchers investigating the disposal of electronics in Ghana for the PBS series Frontline discovered that computers dumped in Ghana still contained highly sensitive data from their prior owners. The researchers procured seven hard drives from the dump in Ghana, and the drives contained credit card numbers and resumes.  The highlight of the investigation was when they discovered unencrypted information from government contractor Northrop Grumman.  The hard drive was obtained by Frontline for $40.

Northrop Grumman said in a statement to IT World, that it believes the hard drive was stolen from an unidentified contractor hired to dispose of the computer, though that does not appear to explain how the hard drive ended up in a dump in Ghana with its information intact.  Apparently, sources in Ghana indicated to the Frontline team that "data thieves" routinely search through disposed electronics for valuable information.

The moral of this story is that electronic media, even hard drives that have been wiped of sensitive data, may retain residual information.  When disposing of them, care should be taken to ensure that information is no longer recoverable. Some suggest physically destroying hard drives containing sensitive information before disposing of them. The FTC provides a more detailed list of disposal recommendations at its OnGuardOnline website.


Incident of the Week: FBI Arrests Hacker Posing as Security Guard Who Infiltrated Texas Hospital Days Before "Devil's Day" Attack

This week, the U.S. Attorney's Office for the Northern District of Texas announced that the FBI has arrested Jesse William McGraw, a 25-year-old contract security guard at the W. B. Carrell Memorial Clinic, a hospital in Dallas, Texas, for hacking the hospital's computers and air conditioning system. For many businesses, an attack on ventilation systems might be an inconvenience, but the threat could be much more serious for critical care patients in healthcare institutions like the Carrell Clinic. McGraw is charged with violations of the Computer Fraud and Abuse Act (CFAA), 18 U.S.C. sec. 1030.

McGraw had given his one week notice to hospital security contractor, United Protective Services, and was scheduled to depart on July 3, 2009.  His intrusion into hospital systems was allegedly made in preparation for a larger attack on July 4th, a day he referred to as "Devil's Day."  The story behind the arrest is laid out in the criminal complaint and supporting affidavit filed in federal court (.pdf); however, a number of other details have emerged over time that demonstrate how vulnerable many institutions may be to insiders.