Monthly Archives: July 2009

Incident of the Week: Hackers to Demonstrate How To Take Control Over Every Apple iPhone In The World With A Single Text Message Today

Speaking at the Black Hat computer security conference in Las Vegas only a few hours from now, hackers (or "security experts") Charlie Miller and Collin R. Mulliner are scheduled to expose an alleged security flaw in the Apple iPhone that may allow someone sending a single SMS message to take control of any iPhone. According to a number of reports (see Forbes and AppleInsider),…

ALERT: FTC Announces Delay in Red Flags Enforcement Until November 1, 2009.

Amidst calls from the legal community, the Federal Trade Commission (FTC) announced this morning that it was delaying enforcement of the FTC’s Red Flag Rules until November 1, 2009. The FTC’s announcement of the delay emerged almost as a footnote to a public statement devoted largely to the FTC’s "redoubled" efforts to "provid[e] additional resources and guidance to clarify whether businesses are covered by the Rule and what they must do to comply." …

Incident of the Week: UAE Carrier Updates Blackberry Software With Spyware, Captures Outgoing User Emails

On Tuesday, Research In Motion, Ltd. (RIM), the maker of Blackberry, posted a note on its website confirming that a software update offered to customers of its carrier Etisalat in the United Arab Emirates contained spyware. According to the note, certain customers received an SMS message from Etisalat informing them of a software update (named "Registration") designed to improve performance. However, RIM acknowledged, "[i]ndependent sources have concluded that Etisalat’s Registration software application is not actually designed to improve performance of a Blackberry Handheld,…

Social Security Numbers (SSNs) Can Be Predicted Using Basic, Widely-Available Public Data. Social Security Administration Not Surprised, and Continues to Offer Detailed SSN Information to the Public

As has been recently reported, researchers from Carnegie Mellon University have announced that they have uncovered a method to accurately predict the Social Security Numbers (SSNs) of individuals by simply knowing two of the most basic and widely-available facts about people today: their dates of birth, and their States of birth. In their paper titled “Predicting Social Security Numbers from Public Data” (.pdf), researchers Alessandro Acquisti and Ralph Gross warn that they have uncovered a distinct and identifiable statistical pattern across SSNs of deceased persons –…

House Subcommittees Hold Joint Hearing On Behavioral Advertising

On June 18, 2009, the House Subcommittee on Commerce, Trade and Consumer Protection held a joint hearing with the Subcommittee on Communications, Technology, and the Internet on the topic of “Behavioral Advertising: Industry Practices and Consumer Expectations.” The subcommittee members explained that they hoped the hearing would help determine the need and possible parameters for new legislation governing privacy and behavioral advertising.

Secret Service and Europe Plan a Cybercrime Task Force

According to recent reports from the Wall Street Journal and Computerworld, on June 30 the United States Secret Service, the Italian police and Italian postal service reached an agreement for the establishment of an international task force to fight cybercrime, including identity theft and computer hacking. Mark Sullivan, the director of the Secret Service, stated that cybercrime "is not a borderless crime and we believe there needs to be a reaction at an international level." …

California Hospital Fined $187,500 For Octuplet Mom Breach

As we reported on April 2, a California hospital breached the privacy of the infamous "OctoMom," Nadya Suleman. When the breach was discovered, Kaiser Permanente’s hospital in Bellflower, California fired 15 employees. These violations also were reported by Kaiser to the California Department of Public Health, which has announced a $187,500 administrative penalty against Kaiser. CDPH has determined that the hospital "failed to prevent unauthorized access to patients’…

Good News and Bad News: An Employer Is Hiring; It’s The HHS Office of Civil Rights!

In an email to its listserv earlier today, the federal Department of Health and Human Services announced it "is expanding its health information privacy enforcement team." In particular, HHS is hiring for two new positions located in HHS’s "Office of the Secretary, Office for Civil Rights (OCR), Office of the Deputy Director Health Information Privacy (ODDHIP)." As described on USAJOBS.GOV, the people to be hired "will be responsible for reviewing,…

Incident of the Week: French Hacker Compromises Twitter Employee Passwords, Steals Company Documents

This week, Twitter co-founder Evan Williams confirmed that the company has been the victim of an attack that compromised a number of employee personal accounts at Amazon, PayPal and AT&T, employee personal email and Twitter’s internal company documents. The hacker, who goes by the handle “Hacker Croll,” has apparently emailed a collection of 310 internal Twitter documents to TechCrunch, including a presentation for a proposed reality television show called “Final Tweet”…

Bozeman, Montana Suspends Controversial Requirement That Job Applicants Provide Usernames and Passwords to Facebook Accounts

When, in June, the City of Bozeman, Montana sought to change its job application to require municipal job seekers to disclose usernames and passwords for popular social networking sites, it immediately drew widespread criticism. Specifically, Bozeman asked applicants to "Please list any and all, current personal or business websites, web pages or memberships on any Internet-based chat rooms, social clubs or forums, to include, but not limited to: Facebook,…

Lawsuit Challenges Legality of HITECH Act

A federal suit has been filed that challenges the legality of the federal HITECH Act. In the course of 30 often rambling pages, this complaint alleges that "HIPAA codified the Hippocratic Oath" and that HITECH improperly undermines both. This complaint appears to be the work of a gadfly or two. The plaintiff’s lawyer is her husband; interestingly, he was described by a federal judge as filing claims that were "without merit [and which] would have been perceived as such by any objectively reasonable attorney." …

U.S. and South Korea Targeted in Ongoing Denial of Service Attacks

On the 4th of July an organized series of Denial of Service (DOS) attacks was launched against a number of U.S. government websites (including the White House, Treasury Department and the Federal Trade Commission websites), as well as several websites associated with the South Korean government and a handful of corporate targets (the Washington Post and Nasdaq stock exchange). [If you are wondering what a DOS/DDOS attack is,…

Garbage Dump in Ghana A Gold Mine For Sensitive Information

In June, a team of researchers investigating the disposal of electronics in Ghana for the PBS series Frontline discovered that computers dumped in Ghana still contained highly sensitive data from their prior owners. The researchers procured seven hard drives from the dump in Ghana, and they contained credit card numbers and resumes. The highlight of the investigation was when they discovered unencrypted information from government contractor Northrop Grumman. …

Incident of the Week: FBI Arrests Hacker Posing as Security Guard Who Infiltrated Texas Hospital Days Before “Devil’s Day” Attack

This week, the U.S. Attorney’s Office for the Northern District of Texas announced that the FBI has arrested Jesse William McGraw, a 25-year-old contract security guard at the W. B. Carrell Memorial Clinic, a hospital in Dallas, Texas, for hacking the hospital’s computers and air conditioning system. For many businesses, an attack on ventilation systems might be an inconvenience, but the threat could be much more serious for critical care patients in healthcare institutions like the Carrell Clinic. McGraw is charged with violations of the Computer Fraud and Abuse Act (CFAA), 18 U.S.C. sec. 1030.