Incident(s) of the Week: Disgruntled Hacker Disables 100 Cars Purchased from Texas Auto Center

In late February and early March, around 100 cars in and around Austin, Texas either would not start or would not stop honking.  This was apparently caused by 20-year-old hacker Omar Ramos-Lopez, who remotely triggered the vehicle immobilization system installed by dealership Texas Auto Center.

Apparently the dealership installed the GPS-enabled devices so that cars can be immobilized and repossessed when a customer fails to make scheduled payments. The web-based system developed by Pay Technologies apparently lets auto dealerships trigger the horn and disable the car's ignition system from the relative safety of the Internet.  (Something you may want to be aware of if you are financing a car these days.)

Ramos-Lopez was laid off from Texas Auto Center in February (Wired reports this event as a "workforce reduction") and apparently retained a username and password to the dealership account.  Weeks later, he used the credentials from home to access the account and trigger the immobilization devices.  His reign of terror, which included changing customer names to "Tupac," was apparently somewhat modest.  While he had access to all 1,100 cars in the system, the 100 cars affected were the result of Ramos-Lopez going through the customer database in alphabetical order.  Austin's High Tech Crime Unit arrested Ramos-Lopez on Wednesday after police traced the IP address he used to his home.

Update on HIPAA Business Associate Regulations -- OCR Says They Still Aren't Ready, Gives No Date

In a notice apparently posted March 17, 2010, the Office for Civil Rights of the Department of Health and Human Services ("OCR") acknowledged its delay in issuing regulations for HIPAA business associate agreements.  Those regulations are now a month overdue and, from OCR's language, they do not appear imminent:

OCR will implement important privacy and security provisions of the Health Information Technology for Economic and Clinical Health (HITECH) Act through notice and comment rulemaking, as required by the Administrative Procedure Act.  These provisions include: business associate liability; new limitations on the sale of protected health information, marketing, and fundraising communications; and stronger individual rights to access electronic medical records and restrict the disclosure of certain information.  OCR continues work on a Notice of Proposed Rulemaking (NPRM) regarding these provisions.  Although the effective date (February 17, 2010) for many of these HITECH Act provisions has passed, the NPRM and the final rule that follows will provide specific information regarding the expected date of compliance and enforcement of these new requirements.

(Emphasis added.)  What does seem clear from this notice is that OCR enforcement of the underlying law is not imminent and that more guidance on that will come when the regulations are issued.


Internet Crime Complaint Center (IC3) Releases 2009 Report on Internet Crime

Today, the Internet Crime Complaint Center (IC3), a federal organization run as a partnership between the FBI and National White Collar Crime Center, released its 2009 Internet Crime Report (.pdf).  Highlights include:

  • IC3 received 336,655 complaints in 2009, an increase of 22% over the prior year.
  • The dollar loss caused by incidents reported to IC3 increased more than 100% to $559.7 million.
  • 146,663 complaints were referred to local, state and federal law enforcement agencies.
  • Complaints were typically not referred to authorities when "there was no documented harm or loss (e.g., a complainant received a fraudulent solicitation email but did not act upon it)" or when there was no jurisdictional tie to the United States.
  • 16.6% of all complaints involved fraudsters pretending to be affiliated with the FBI.
  • 11.9% of all complaints involved a seller's failure to deliver items purchased online or a buyer's failure to pay for goods delivered.

LifeLock To Pay $12 Million to Settle Charges That Identity Theft Prevention and Data Security Claims Were False

LifeLock, Inc., a self-proclaimed “industry leader in the rapidly growing field of identity theft protection,” has agreed to pay $11 million to the Federal Trade Commission and $1 million to a group of 35 state attorneys general to settle charges that LifeLock falsely promoted its identity theft protection services. LifeLock publicized its services through advertisements that publicly disclosed its CEO’s Social Security number. As part of the settlement, LifeLock and its principals will be barred from making deceptive claims and required to take more stringent measures to safeguard the personal information they collect from customers.

The FTC’s complaint charged that the fraud alerts that LifeLock placed on customers’ credit files protected only against a few types of identity theft and gave them no protection against the misuse of existing accounts, the most common type of identity theft. New account fraud, the type of identity theft for which fraud alerts are most effective, comprised only about 17 percent of identity theft incidents. The FTC also alleged that LifeLock provided no protection against other types of identity theft, such as medical identity theft and employment identity theft.

The FTC’s complaint further alleged that LifeLock claimed that it would prevent unauthorized changes to customers’ address information, that it constantly monitored activity on customer credit reports, and that it would ensure that a customer always would receive a telephone call from a potential creditor before a new account was opened.  Ironically, the FTC also charged that LifeLock’s own data repositories were not encrypted, that sensitive consumer information was shared inappropriately, and that this information could have been exploited by hackers.

The FTC will use the $11 million it receives from the settlements to provide refunds to consumers. It will be sending letters to the current and former customers of LifeLock who may be eligible for refunds under the settlement.

Incident of the Week: Israeli Soldier Posts Details of Planned West Bank Raid on Facebook

This week the Incident of the Week title decisively goes to the Israeli soldier who updated his status on Facebook to identify the secret military raid on a town in the West Bank.  His status apparently read: "On Wednesday we clean up Qatanah, and on Thursday, god willing, we come home" and provided the exact time of the raid.  After detecting the clear breach of OPSEC, the Israeli Defense Force (IDF) canceled the raid and jailed the soldier for 10 days. 

The IDF has apparently begun distributing posters depicting a fake Facebook page with friend requests from Iranian and Syrian presidents as well as a Hezbollah chief with the question: "You think everyone is your friend?"

Microsoft No Longer Seeking Removal of Cryptome or Leaked Compliance Handbook

Last week, lawyers from Microsoft issued a demand under the Digital Millennium Copyright Act (DMCA) seeking the removal of leaked copies of Microsoft's "Global Criminal Compliance Handbook" that pulled website Cryptome.org from the Internet, at least temporarily.  The DMCA provides copyright owners with the ability to request that internet service providers remove infringing materials from websites.  Microsoft's DMCA demand to Cryptome's service provider, Network Solutions, apparently resulted in removing Cryptome from the Web entirely, until Microsoft attorneys sent an email withdrawing the DMCA takedown demand.

Microsoft made this public statement:

Like all service providers, Microsoft must respond to lawful requests from law enforcement agencies to provide information related to criminal investigations. We take our responsibility to protect our customers' privacy very seriously, so we have specific guidelines that we use when responding to law enforcement requests. In this case, we did not ask that this site be taken down, only that Microsoft copyrighted content be removed. We are requesting to have the site restored and are no longer seeking the document’s removal.

Cryptome advertises itself as a site that "welcomes documents for publication that are prohibited by governments worldwide."  The site also promises that "[d]ocuments are removed from this site only by order served directly by a US court having jurisdiction." 

The Microsoft Compliance Handbook, dated March 2008, is a guide for law enforcement officers seeking to investigate users of Microsoft services such as Hotmail email, IM, Windows Live and other services.  The Handbook outlines the data Microsoft keeps with respect to its users and provides law enforcement with instructions on what legal process is necessary for investigators to gain access to specific information.  In the Handbook, Microsoft offers to provide the following information to investigators in response to a subpoena:

Basic subscriber information includ[ing] name, address, length of service (start date), screen names, other email accounts, IP address/IP logs/Usage logs, billing information, content (other than e-mail, such as in Windows Live Spaces and MSN Groups) and e-mail content more than 180 days old . . . .

This provision contrasts with Microsoft's limits on access to other user data, such as recent email, "e-mail address book, Messenger contact lists, . . . [and] internet usage logs."  According to the Handbook, Microsoft will release this data only in response to a search warrant or court order which, unlike a subpoena, must be approved by a judge after the government presents sufficient evidence.

Posts at Cryptome, as well as CNet, Tom's Hardware and The Register, describe the Handbook variously as a "spy guide" and "wiretap guide."  Cooperation with government agencies has been a touchy subject for privacy advocates and service providers in the wake of alleged abuses by some that occurred after the 2001 terrorist attacks.  However, the heart of the controversy generally has been the disclosure of customer information without any legal process or court involvement.  In this case, Microsoft's Handbook merely identifies what data is available in response to formal legal process, such as subpoenas, warrants and court orders.


"Data, Data Everywhere" -- Recommended Reading

The February 27 issue of The Economist has an excellent special report, "Data, data everywhere:  A special report on managing information."  It features a series of articles on the volume of information that is overtaking business and society, and the means by which business and governments are responding.

HHS Reports 35 Breaches Impacting 500 or More People

At the end of February, the HHS Office for Civil Rights (“OCR”) posted on its website a list of HIPAA “covered entities” that have reported breaches of unsecured health information affecting more than 500 individuals.  OCR’s posting showed 35 health data breaches that impacted over 700,000 individuals in total (with individual breaches ranging in size from 359,000 individuals, due to the theft of a laptop, down to 501 individuals impacted by the theft of a portable USB device).

This posting by OCR was required by the August 2009 Interim Final Rule, which was issued pursuant to the HITECH Act.  In particular, § 164.408 of this breach notification interim final rule implements § 13402(e)(3) of the HITECH Act. The rule became effective September 23, 2009. 

Under this rule, breaches that affected 500 or more individuals must be reported to OCR within 60 days, via an OCR online notification form.  Training materials and related guidance on breach notification can be found on the OCR web site.  

Deadlines, Deadlines, Deadlines: Three Important Privacy and Security Dates

In the past several days, three important information privacy and security deadlines have arrived.  To recap, they are:

  • February 17, 2010:  the provisions of the HITECH Act regarding HIPAA business associates went into effect (albeit without regulations, which are expected to be issued any day now).  Many HIPAA covered entities have been revising their Business Associate Agreements in an effort to comply with what they think the regulations will say.  Others are waiting until they see the regulations to amend those agreements.
  • February 22, 2010:  FTC rules regarding health information breaches went into effect.  The FTC has provided a standard reporting form for such breaches.  And the FTC is putting its money where its mouth is:  in the Fiscal Year 2011 Congressional Budget Justification, the FTC is seeking two full-time employees for “data security enforcement and rulemakings."
  • March 1, 2010:  Last but not least, the Massachusetts Data Security regulations went into effect on March 1, although we have not received word from the Massachusetts Attorney General as to how these regulations will be enforced.  A recent Boston Globe article (for which I was interviewed) details the apparent state of readiness for these regulations.