Microsoft No Longer Seeking Removal of Cryptome or Leaked Compliance Handbook

Last week, lawyers from Microsoft issued a demand under the Digital Millennium Copyright Act (DMCA) seeking the removal of leaked copies of Microsoft's "Global Criminal Compliance Handbook"; the demand pulled the website Cryptome.org from the Internet, at least temporarily.  The DMCA provides copyright owners with the ability to request that internet service providers remove infringing materials from websites.  Microsoft's DMCA demand to Cryptome's service provider, Network Solutions, apparently resulted in the removal of Cryptome from the Web entirely, until Microsoft attorneys sent an email withdrawing the takedown demand.

Microsoft made this public statement:

Like all service providers, Microsoft must respond to lawful requests from law enforcement agencies to provide information related to criminal investigations. We take our responsibility to protect our customers' privacy very seriously, so have specific guidelines that we use when responding to law enforcement requests. In this case, we did not ask that this site be taken down, only that Microsoft copyrighted content be removed. We are requesting to have the site restored and are no longer seeking the document’s removal.

Cryptome advertises itself as a site that "welcomes documents for publication that are prohibited by governments worldwide."  The site also promises that "[d]ocuments are removed from this site only by order served directly by a US court having jurisdiction." 

The Microsoft Compliance Handbook, dated March 2008, is a guide for law enforcement officers seeking to investigate users of Microsoft services such as Hotmail email, IM, Windows Live and other services.  The Handbook outlines the data Microsoft keeps with respect to its users and provides law enforcement with instructions on what legal process is necessary for investigators to gain access to specific information.  In the Handbook, Microsoft offers to provide the following information to investigators in response to a subpoena:

Basic subscriber information includ[ing] name, address, length of service (start date), screen names, other email accounts, IP address/IP logs/Usage logs, billing information, content (other than e-mail, such as in Windows Live Spaces and MSN Groups) and e-mail content more than 180 days old . . . .

This provision contrasts with Microsoft's limits on access to other user data, such as recent email, "e-mail address book, Messenger contact lists, . . . [and] internet usage logs."  According to the Handbook, Microsoft will release this data in response to a search warrant or court order which, unlike a subpoena, must be approved by a judge after the government presents sufficient evidence.

Posts at Cryptome, as well as CNet, Tom's Hardware, and The Register, describe the Handbook variously as a "spy guide" and "wiretap guide."  Cooperation with government agencies has been a touchy subject for privacy advocates and service providers in the wake of alleged abuses by some that occurred after the 2001 terrorist attacks.  However, the heart of the controversy generally has been the disclosure of customer information without any legal process or court involvement.  In this case, Microsoft's Handbook merely identifies what data is available in response to formal legal process, such as subpoenas, warrants and court orders.


Incident of the Week: Ever-Growing Breach Involving Passwords for Hotmail, Gmail, Yahoo, AOL, Earthlink and Comcast

What started out as an incident involving the leak of 10,000 user names and passwords for Windows Live Hotmail accounts continues to grow, both in terms of users and companies affected.  According to reports from the beginning of the week, more than 10,000 user names and passwords from Hotmail were posted by an anonymous user on the site pastebin.com.  The list was limited to accounts starting with A and B, raising the fear that many more accounts had been affected.  The original reports speculated that the breach was the result of a hack of Hotmail or a phishing attack.  But more information is surfacing that indicates that the breach is much larger than many first thought.

Subsequent reports have revealed that as many as 20,000 accounts have been compromised across numerous email providers, including Yahoo, AOL, Comcast, Earthlink and others, and that .  These reports noted that the affected companies believed that the breaches occurred because of phishing attacks (although one researcher, Mary Landesman, who works for ScanSafe, has said that "it's more likely that the massive lists . . . were harvested by botnets that infected PCs with keylogging or data stealing Trojan horses").

As more details emerge, it seems that more questions remain to be answered.  Exactly how many passwords have been compromised, and from how many companies?  Was the breach due to a single massive phishing attack, multiple smaller phishing attacks, or some type of malware?  Why were lists of affected users posted online?  Whatever the answers, it might be a good idea to take a few minutes to change your email passwords from a computer that has been swept for viruses and malware.


Conficker Worm Still Lurking, Threat Remains

While the media frenzy surrounding the Conficker worm may have died down over the past several months, recent reports suggest that the computer worm is alive and well, and continues to expose PC users worldwide to the risk of identity theft and other mischief. 

Conficker (also known as Downup, Downandup, Conflicker, and Kido), a computer worm that attacks Microsoft Windows operating systems, was pegged by the media to wreak havoc worldwide on April Fool’s Day of this year. In the weeks leading to what some experts dubbed our “digital Pearl Harbor,” numerous reports surfaced documenting the sheer scope of the worm’s reach: in addition to infecting millions of Windows operating systems worldwide, the worm also reportedly infiltrated the French government’s naval systems – forcing the French to ground their warplanes – and the British Parliament’s computer network.

Despite the massive media furor, April Fool’s Day passed with relatively little disruption. However, recent reports suggest that Conficker not only remains active – but that it has begun its bid to steal users’ private and financial information.

In its June, 2009 report, ESET, a security and anti-virus firm, listed Conficker as one of the top malicious threats to PC users, accounting for nearly 10% of all computer infiltrations worldwide in May, 2009. Other security experts have also reported that Conficker continues to infect computers at an alarming rate of up to 50,000 computers daily -- in part due to the worm’s ability to spread across computer networks with alarming efficiency, and to access even out-of-network computers by infecting popular computer-to-computer plug-in peripheral devices (such as USB drives and external hard drives). 

Despite its aggressive success in infecting computers worldwide, however, Conficker’s purpose still remains relatively unclear. Experts warned that, in theory, infected computers would essentially be transformed into “zombie machines” that follow almost limitless commands and download software from remote servers -- whatever those instructions or software may be, suspected to range from keystroke logging to spam generators.

Not surprisingly, Conficker’s recent activity confirms that at least one of its purposes is to steal users’ financial information. Beginning in April, 2009, infected computers have begun installing bogus security software (or "scareware") in a bid to defraud users into paying for fake anti-virus programs. The software alerts users that their computers are infected with Conficker -- but unwitting users who agree to pay for the fake anti-virus software not only lose $50 in exchange for more malicious software, but also risk having their financial information stored and stolen, opening a gateway to identity theft.

It is unclear if the worst is over. Conficker remains active, and its “commands” from remote servers can prompt infected computers to download further malicious software compromising users’ security and hijacking their computers in any number of ways. While the "scareware" tactic that Conficker has displayed so far may be transparent to even mildly sophisticated PC users, it should serve as a warning that the worm is actively pursuing users' private and financial information -- and may employ any number of methods to access it.  


Highlights from the IAPP Privacy Summit - March 11-13, 2009 Washington, D.C.

Between March 11, 2009 and March 13, 2009, the International Association of Privacy Professionals (IAPP) hosted a Privacy Summit in Washington, D.C. that featured keynote presentations from fraud expert Frank W. Abagnale and information security guru Bruce Schneier. The three-day event included dozens of breakout sessions with industry experts and government officials.  Read some of the highlights below.

  • Frank W. Abagnale spoke at length about his life, made famous by the Spielberg movie "Catch Me If You Can."  What became clear through his stories was that armed with only an agile mind, Mr. Abagnale was able to compromise a series of security and anti-fraud systems at financial institutions and other businesses.  And today, according to Mr. Abagnale, it is "4000 times easier" because of the leaps made in computer technology.  "Technology breeds crime. It always has. It always will."
  • Bruce Schneier, a luminary in the field of information security, spoke at length about how "data is today's pollution problem" - a problem that requires a new generation of professionals fluent in technology and law to manage a new "data environmentalism." 
  • Peter Cullen, Microsoft's Chief Privacy Strategist and member of the Consumer Privacy Legislative Forum (now called the Business Forum for Consumer Privacy) discussed the CPLF's decision to first generate a set of self-regulatory privacy guidelines before seeking to draft a comprehensive federal privacy standard.  According to Mr. Cullen, businesses "need self-regulation" and to compile what have become best practices before attempting to impose a single federal standard.  "[L]egislation is only part of the puzzle" and "bad legislation [would be] worse than no regulation." 
  • A panel of security experts from (ISC)2, discussed the roles of the Chief Privacy Officer and Chief Information Security Officer during incident management.  The panel also outlined several essential elements of an incident response plan, including: (1) a procedure for ensuring that a breach initiates an incident response team meeting, (2) a procedure to confirm that a breach has occurred, (3) anticipation and preparation of likely scenarios, (4) draft press releases and notifications, and (5) identifying key consultants and vendors used in investigating and resolving incidents.
  • Representatives from Google and Salesforce.com discussed privacy issues raised by cloud computing models that may require different types of end user licenses, policies and agreements.  Key issues include: (1) selecting the cloud model that is appropriate for your needs; (2) data persistence - ensuring that there is an appropriate policy for destruction of data; (3) data centralization and security - the more data served by a single service, the more of a target it will become for those seeking unauthorized access; (4) data use - centralizing data gives the cloud provider the ability to offer additional services, but what limits should apply to the service provider's use of that data?
  • A legislative update - the consensus is that consumer protection is one of Congress' top priorities and that Congress may be moving towards authorizing the FTC to regulate information security more broadly.
  • Jeffrey M. Kopchick, Senior Policy Analyst for the FDIC, reported that federal agencies involved in the development of federal Red Flags Rules were preparing FAQs regarding compliance with those rules that should be published in the near future.   He also indicated that because banks and other financial institutions have been subject to those rules since November 1, 2008 (unlike many other companies, who will see the rules go into effect on May 1, 2009), a number of common problems have been observed by FDIC examiners: (1) confusion in identifying what accounts give rise to the risk of identity theft; (2) insufficient oversight of third party service providers; and (3) lack of internal training to teach staff how to recognize red flags and mitigate the harm from identity theft.
  • Joel Winston, Associate Director of the FTC's Division of Privacy and Identity Protection, updated members on recent trends in FTC enforcement.  He indicated that the FTC intends to harmonize rulemaking on information security under a single federal standard evident in the recent Red Flags Rules: requiring businesses to adopt "reasonable and appropriate procedures." Given the speed of innovation, the FTC believes that requiring "reasonable" protections is the only manner for regulation to keep pace with technology.  The FTC has considered and rejected suggestions that it impose specific security tools on businesses, as some states (including Massachusetts) have done.  "Technology is too fluid."  For example, "encryption may not always be the perfect solution - there could be good alternatives."  The FTC appears to be unwilling to extend the May 1, 2009 deadline for enforcement of the Red Flags Rules and will be expecting businesses to demonstrate good faith efforts to comply with the regulations.
