Privacy News Highlights

01–06 December 2007

 

Contents:

UK – HMRC Establishes New Data Security Policies

US – Florida Partners with Google to Improve Open Government

WW – Microsoft Wireless Keyboards Crypto Cracked

EU – EC Seeks Breach Notification Law for Telecoms

EU – EC Commits to Raising Awareness About Data Protection

EU – Commission Steps Up Efforts in Privacy Enhancing Technologies

UK – UK Websites Sell Secret Bank Data and PINs

US – Credit Card Receipt Rule Leads to Class-Action Suits

WW – Rising Cost of Internet Financial Crimes Tallied

US – TJX Agrees to Pay Banks for Losses

UK – Banks Resisting HMRC Calls for Offshore Account Details

US – Data Theft Touches 150,000 Massachusetts Seniors

CA – Massive Privacy Breach at Passport Canada

US – Duke Law School Reports Web Site Breach

WW – Your Identity Is Worth $21 on the Net

UK – Public Says No to ID Cards, No2ID Says ‘Starve The Beast!’

EU – France Announces Massive Internet Surveillance by ISPs

WW – CA Security Researcher Sounds Alarm on Facebook

US – California Amends Security Breach Law to Include Medical & Health Insurance Info

WW – Dutch Researchers Focus on RFID-Based Sensors for Monitoring Apnea, Epilepsy

US – New Jersey Medical Center Implements RFID-Based Asset Tracking

US – Companies Still Failing to Enforce Security Rules: Survey

WW – Pros and Cons of IT Security Workers Becoming Professionals

US – DHS to Hold Public Workshop on CCTV: Developing Privacy Best Practices

US – California Government Surveillance Cameras Thrive Without Safeguards

US – U.S. Plans to Screen All Who Enter, Leave Country

US – DHS Data Mining Sparks More Controversy

US – GAO Commends TSA for Handling Sensitive Data

US – Civil Liberties Group Wants US Wiretapping Legislation Changed

CA – Canadians Want Clearer Guidelines at Work for Personal Use of Email and Internet

 

 


 

UK – HMRC Establishes New Data Security Policies

HM Revenue & Customs (HMRC) has established new procedures regarding data encryption and transfers following the loss of data storage disks that compromised 25 million personal records. There is now a team at HMRC whose job it is to ensure encryption is effectively and properly used to protect data. In addition, staff members are no longer permitted to use removable storage media. “HMRC is also investigating the electronic transmission of data.” [Source] See also: [Information watchdog warns of more data scandals] [£50k-worth of computers lost by Department of Justice] [UK: Lost data discs 'endanger protected witnesses'] [Data Loss Debacle]

 

US – Florida Partners with Google to Improve Open Government

Florida Governor Charlie Crist announced this week a new partnership between the State of Florida and Google. This collaboration will enable citizens to use search engines such as Google to locate government programs and services. Google has helped state officials implement these Web site improvements at no cost to Floridians. Florida joins California, Arizona, Michigan, Utah and Virginia as one of the first states to partner with Google to improve accessibility of its online services. [Source]

 

WW – Microsoft Wireless Keyboards Crypto Cracked

Security researchers have cracked the rudimentary encryption used in a range of popular wireless keyboards. Bluetooth is increasingly becoming the de facto standard for wireless communication in peripheral devices and is reckoned to be secure. But some manufacturers, such as Logitech and Microsoft, rely on radio technology which, it transpires, is anything but secure. Using nothing more than a simple radio receiver, a soundcard and suitable software, Swiss security firm Dreamlab Technologies managed to capture and decode the radio communications between a keyboard and a PC. The attack opens the way to all sorts of mischief, including keystroke logging to capture login credentials to online banking sites or email accounts. Sniffing traffic between wireless keyboards and their base stations was possible because of the weak encryption used, as explained in a white paper from Dreamlab. [Source] [White Paper] [Video] See also: [Passwords now 100 times weaker]

 

EU – EC Seeks Breach Notification Law for Telecoms

The European Commission has published a proposal that suggests an amendment to the Privacy and Electronic Communications Directive to make telecoms subject to a security breach notification law. The exposure of personal data for subscribers “if not addressed in an adequate and timely manner, (could) result in substantial economic loss and social harm, including identity fraud,” according to the proposal. The Information Commissioner’s Office in the UK has been skeptical of the effectiveness of such a law on the grounds that over-notification could lead to public complacency about breaches. The ICO, according to this OUT-LAW.com article, seems more comfortable with a law that would assess the risk of the breach before notifying consumers about a particular incident. [Source]

 

EU – EC Commits to Raising Awareness About Data Protection

Speaking at the Microsoft Innovation Day in Brussels, Vice President of the European Commission, Franco Frattini, said there must be an effort to improve data protection efforts and reduce identity theft. He added that “better data protection would also have a positive impact on consumer trust” on the Internet. Frattini added that the commission supports “the development of privacy-protection technology.”

 

EU – Commission Steps Up Efforts in Privacy Enhancing Technologies

The European Commission is set to significantly increase its funding into the development of technologies which protect the privacy of users on the internet, announced the Commission Vice-President Franco Frattini. Speaking at the Microsoft Innovation Day in Brussels, Mr Frattini highlighted the importance the Commission places on Privacy Enhancing Technologies (PETs). 'We support the development of PETs. The Commission will encourage consumers to use PETs through awareness raising campaigns. We will provide money for data protection and privacy projects, studies on PETs' economic benefits and standards for using PETs,' he said. The EU Commissioner for Justice, Freedom and Security went a step further, stating that the EU's contribution to research into these technologies in the current Seventh Framework Programme (FP7) would go beyond the funding allocated in the previous programme. 'Under the Seventh Framework Programme, twenty-four new projects will be launched in Information and Communication Technology Security, identity management, privacy and trust.' For the Commissioner, as industry is the main developer and provider of these technologies, it makes sense for the private sector to enter into public-private partnerships and work together with the public sector to provide innovative solutions to enhancing privacy and security across Europe. The EU strategy on this issue has already included the launch in September of the first European Security Research and Innovation Forum (ESRIF), involving representatives of the public and private sectors. The European Commission is also expected to promote the development of these privacy enhancing technologies through large scale pilot demonstrations. [Source] [Information on ICT research under FP7] [Source]

 

UK – UK Websites Sell Secret Bank Data and PINs

Security breaches that are allowing the financial details of tens of thousands of Britons to be sold on the internet are to be investigated by the country’s information watchdog. Without paying a single penny, The Times downloaded banking information belonging to 32 people, including a High Court deputy judge and a managing director. The private account numbers, PINs and security codes were offered as tasters by illegal hacking sites in the hope that purchases would follow. Richard Thomas, the Information Commissioner, will begin an investigation into the security breach today and Scotland Yard is also investigating. Experts said that the findings suggested that more personal data than ever before was going astray. The Times found:

• More than 100 websites trafficking British bank details

• A fraudster offering to sell 30,000 British credit card numbers for less than £1 each

• A British “e-passport” for sale, although the Government insists that they are unhackable.

[Source]

 

US – Credit Card Receipt Rule Leads to Class-Action Suits

A US law to protect against identity theft has spawned more than 300 class-action lawsuits across the country. The lawsuits claim merchants failed to remove both the expiration date and sufficient digits of the credit card number on receipts they give back to customers. Lawyers are trying to get the lawsuits certified as class actions, potentially opening restaurants and stores to thousands or even millions of dollars in liability. The claims are filed under the Fair and Accurate Credit Transactions Act, or FACTA. Congress enacted the law in 2003 to address identity theft and credit card fraud. [Source]

 

WW – Rising Cost of Internet Financial Crimes Tallied

Two newly published studies report an accelerating threat of Internet financial crime, the latest evidence of the growing danger. The Ponemon Institute reports that the average cost for a business victimized by a data breach rose 30% this year to $6.3 million. A separate FTC report issued last week estimates that more than 8 million Americans were victims of identity theft in 2005, based on comprehensive survey data collected and analyzed during the past year and a half. [Source]

 

US – TJX Agrees to Pay Banks for Losses

TJX will set aside nearly US $41 million to reimburse banks for costs incurred as a result of the company’s massive data security breach that exposed approximately 100 million credit and debit card accounts. In return, the affected banks will agree not to sue TJX or its business partners. TJX made the deal with Visa; issuing banks must approve the deal before it is finally accepted. It is expected that a similar agreement will be reached between TJX and MasterCard, although a spokesperson for MasterCard had no comment. [Source] [Source] [Source]

 

UK – Banks Resisting HMRC Calls for Offshore Account Details

Banks and building societies are becoming increasingly restive at the UK taxman’s attempts to extract confidential information about clients with offshore bank accounts. ‘The banking and building society industry believes a balance must be found between maintaining appropriate customer confidentiality and tracking down people who fail to pay their taxes,’ says a statement from the British Bankers Association (BBA). Her Majesty’s Revenue & Customs is trying to coerce the banks and building societies into voluntarily providing information on clients without having to take them to court, by getting the institutions to fill in a questionnaire. Last week accountants KPMG effectively told their banking clients not to comply with the taxman’s fishing expedition for client information. In 2006 HMRC won a case against Barclays Bank, forcing it to reveal the names of all its clients with offshore bank accounts. In June of this year the taxman issued an amnesty to those with undeclared offshore income but of the estimated 400,000 or more liable to tax in the UK, only 25,000 voluntarily disclosed income from offshore sources by the 7 July deadline. The taxman is now pursuing the rest. [Source]

 

US – Data Theft Touches 150,000 Massachusetts Seniors

The state of Massachusetts is warning 150,000 members of its Prescription Advantage insurance program that their personal information may have been snatched by an identity thief. Local authorities arrested a lone identity thief in August who had been using information taken from the program in an attempted identity theft scheme, said a spokeswoman for the state’s Executive Office of Health and Human Services. Prescription Advantage is a state-run program that offers drug insurance to seniors in Massachusetts. Although the thief used information from just a small number of participants in the scheme, state data-breach laws require that the 150,000 people who could have possibly been affected by the breach be contacted. [Source]

 

CA – Massive Privacy Breach at Passport Canada

A security flaw in Passport Canada’s website has allowed easy access to the personal information - including social insurance numbers, dates of birth and driver’s licence numbers - of people applying for new passports. The breach was discovered last week by an Ontario man completing his own passport application. He found he could easily view the applications of others by altering one character in the Internet address displayed by his Web browser. That data included social insurance numbers, driver’s licence numbers and addresses. Also available were home and business phone numbers, a federal ID card number and even a firearms licence number. “This is exactly how identity theft happens,” said Carlisle Adams, an Internet data security expert and professor at the University of Ottawa. [Source] [Privacy Commissioner To Look At Passport Canada Web Site Breach] Update: [Passport security breach repaired, official says] Related: [IPL fixes Web glitch exposing Indiana customers' personal info]

 

US – Duke Law School Reports Web Site Breach

Duke Law School has notified about 1,400 people whose Social Security numbers were stored on a school Web site that was compromised during an electronic attack. The school said it was uncertain whether the intruder had accessed the personal data, but nonetheless decided to notify prospective applicants who had requested information from the school’s admissions office, according to this story in The News & Observer. [Source] For a more comprehensive roundup of reported breaches, see: [Data “Dysprotection:” breaches reported last week]

 

WW – Your Identity Is Worth $21 on the Net

All of your personal banking and credit card information, your birthdate and your social security data are worth about $21 on the Internet, according to a study released today. And much of that data may have been stolen from government offices, says the report by computer security firm Symantec Corp. Symantec says thousands of Internet chatrooms and websites openly sell credit card and personal information for the purpose of identity theft -- and are doing plenty of business. [Source]

 

UK – Public Says No to ID Cards, No2ID Says ‘Starve The Beast!’

No2ID has launched a new campaign of civil disobedience against ID cards, as a new poll shows that for the first time, opponents of the cards outnumber supporters. The poll shows 48% against versus 43% for.

The poll turnaround bears out a long-standing prediction by Simon Davies of Privacy International, who for some years has insisted that UK public opinion on ID cards would follow the same pattern as was the case in Australia. There, early support turned into hostility as the public learned more and more about the cards. Here, a 2003 YouGov poll showed 78 per cent for and 15 per cent against, with this falling to 45% pro and 42% against shortly after the July 2005 bombings. Subsequent movement likely has something to do with the Government’s less-than-glorious recent record of protecting ID data, and as there seems a never-ending supply of bad news in that area, the numbers can surely only get worse for the Government. The latest No2ID pledge takes the form of a fetching certificate, forming the basis of a mass campaign to refuse to register, provide personal details or fingerprints, apply for any document or service linked to the ID Register, or co-operate with any Identity and Passport Service interview. [Source]

 

EU – France Announces Massive Internet Surveillance by ISPs

In a breathtaking act of arrogance reminiscent of the heyday of Louis XVI, the French government and the entertainment industry, along with a collection of ISPs, have announced an agreement for ISPs to become the Internet Police Force in France. Under the agreement (see below for links) ISPs will monitor users for presumed illegal activities (read that as “file sharing”) and send reports on the accused to what amounts to an anti-piracy board. [BBC] [Le Monde (French)] [Google translation] [Source]

 

WW – CA Security Researcher Sounds Alarm on Facebook

A CA security researcher sounded the alarm that Facebook’s controversial Beacon online ad system goes much further than anyone has imagined in tracking people’s Web activities outside the popular social networking site. Beacon will report back to Facebook on members’ activities on third-party sites that participate in Beacon even if the users are logged off from Facebook and have declined having their activities broadcast to their Facebook friends. That’s the finding published late last week by Stefan Berteau, senior research engineer at CA’s Threat Research Group in a note summarizing tests he conducted. Of particular concern is that users aren’t informed that data on their activities at these sites is flowing back to Facebook, nor given the option to block that information from being transmitted, Berteau said in an interview. “It can happen completely without their knowledge, unless they are examining their network traffic at a very low level,” Berteau said. [Source] UPDATE: [Facebook CEO Apologizes To Users Over Tracking Ads] [Zuckerberg blog] [Facebook CEO capitulates (again)] See also: [Privacy alert: Cookie variants can be used to skirt blockers, anti-spyware tools] and [Privacy is key to new social networking site, Kaioo]

 

US – California Amends Security Breach Law to Include Medical & Health Insurance Info

Lawmakers in California have approved legislation, signed recently by Gov. Arnold Schwarzenegger, which would amend the state’s first-in-the-nation security breach notification law. The amendment, which takes effect Jan. 1, 2008, “represents a dramatic increase in the scope of the California law,” according to this Mondaq news article. The amendment adds two new categories of information to the definition of personal information: medical information and health insurance information. [Source] See also: [Michael Zimmer: Are Anonymous Data-sets Possible?]

 

WW – Dutch Researchers Focus on RFID-Based Sensors for Monitoring Apnea, Epilepsy

Hospitalized epilepsy patients are often monitored via electrodes attached to the face and scalp, wired to a box that receives brain and facial activity data and tracks their condition around the clock. Those with sleep apnea, meanwhile, are usually monitored overnight at a clinic, with electrodes connected to a receiving device that measures eye and jaw muscle movement, as well as brain activity, and wires the data to a computer for analysis. IMEC-Nederland (IMEC-NL) is working to make such procedures wireless, affording patients mobility and possibly the ability to monitor their condition from home. The nonprofit research institute has built prototype human body-monitoring systems using active RFID tags integrated with sensors. These sugar cube-sized devices record a wearer's vital signs and transmit that data to a central system. In the event of a shift in brain activity, the system can send an alert to an interrogator up to 10 meters away. Apnea patients previously monitored at a clinic would be able to check sleep patterns from home, attaching electrodes to the chin and around the eyes to record muscle and brain activity during the night. The electrodes' data and ID would be transmitted to an interrogator, then to a PC, which would store the information and send it to a physician over the Internet. The prototypes have been tested at a Dutch university, as well as on IMEC employees and patients at a hospital in Belgium. IMEC is now seeking partners to commercialize the systems. [Source]

 

US – New Jersey Medical Center Implements RFID-Based Asset Tracking

Our Lady of Lourdes Medical Center, a 410-bed regional hospital in Camden, N.J., is implementing a real-time location system (RTLS) to track a variety of mobile equipment and hospital assets so they're easier to find and maintain. "Our objective is to reduce the burden on the nursing staff from chasing the equipment needed for direct patient care," says Maureen Hetu, CIO at Our Lady of Lourdes Medical Center. The hospital will employ about 1,000 tags in the initial installation to track specialty beds, stretchers, mobile telemetry monitors, IV pumps and wheelchairs. [Source]

 

US – Companies Still Failing to Enforce Security Rules: Survey

Creating the most comprehensive and restrictive security policies in the world won’t do your company any good if you don’t enlist means of enforcing them. According to a new study published by Ponemon Institute, many companies are failing to implement their existing security rules, or express them in a manner that actually drives users to obey them. Among the results:

• 51% admitted that they have copied confidential information onto USB drives, even though 87% of those people conceded that their companies’ policies forbid the practice.

• 39% said that they have lost or misplaced a portable device bearing company information, and 72% of those individuals said they didn’t report the incident immediately.

• 56% said that their employers would never be able to determine the type of data contained on any lost devices, and only 10% of those surveyed said their organizations have a policy to deal with the loss of a portable storage device that holds sensitive information.

• 46% admitted that they share their computer or network passwords with others, even though 67% of those people admitted that their companies ban the practice.

Some of the other findings indicate a substantial level of uncertainty regarding their companies’ policies governing certain risky behaviors. This would seem to indicate that in addition to failing to properly enforce their security rules, a number of firms are failing to communicate the policies to their employees (or maybe even failing to create the laws in the first place). For instance:

• 45% said that they access personal Web mail accounts on work systems, with 74% of those people submitting that their employers have no stated policy that forbids it.

• 45% said that they download personal software onto their company-issued devices, with 60% stating that their employer has no official policy governing the practice.

• 33% said that they send workplace documents to their home computers as attachments, with 48% claiming that they are unsure whether this violates any existing policy.

• 17% of respondents said that they have previously shut off some form of security settings or firewall on their workplace computers, with 80% unsure whether or not this violates policy.

Conventional wisdom would dictate that even the most lax companies probably wouldn’t let this type of behavior continue if they knew it was going on. Yet, it would also seem that if companies merely reframed their policies and made sure that workers had been exposed to them, they might be able to change some of the problematic habits. “Privacy and data protection policies are meaningless if they do not address the full spectrum of threats and if they are not enforced, and our research points to an urgent need to address this pervasive vulnerability in corporate data security programs,” said Dr. Larry Ponemon, chairman and founder of Ponemon Institute. “The development of comprehensive policies, along with training and stringent enforcement of those policies should be a priority in any enterprise-wide data security program.” [Source] See also: [Survey Finds Employees Put Corporate Data and Security at Risk - Results]

 

WW – Pros and Cons of IT Security Workers Becoming Professionals

Speaking at a security conference in Toronto, Dr. Richard Reiner, chief security and technology officer for Telus Security Solutions, raised the possibility of IT security workers establishing themselves as self-regulating professionals. While there are a variety of certifications available, the landscape is fragmented, according to Reiner. If IT security workers established themselves as professionals, training and licensing would be regulated and standards of ethical conduct established. Organizations hiring IT security professionals would have the confidence of knowing that the people would adhere to established practices. Reiner also enumerated the drawbacks to establishing IT security as a profession. The necessary legislation would likely take years. Personal ethics would have to take a back seat to established professional ethics. Also, professionalization would require that members face disciplinary action from a governing body. [Source] See also: [Government Contract Hopefuls Must Establish and Enforce Code of Ethics] and [again]

 

US – DHS to Hold Public Workshop on CCTV: Developing Privacy Best Practices

U.S. Department of Homeland Security (DHS) Privacy Office Announces Public CCTV Workshop

On Dec. 17 and 18, the DHS Privacy Office will hold a free workshop, CCTV: Developing Privacy Best Practices, at the Hilton Arlington Hotel in Arlington, Va. Register by email at PrivacyWorkshop@dhs.gov or call 703.235.0780. [Source]

 

US – California Government Surveillance Cameras Thrive Without Safeguards

California cities are moving quickly to install video surveillance cameras on public streets and plazas without regulations, with little or no public debate, and without an evaluation of their effectiveness, according to an ACLU report released earlier this year. A public records survey done by the ACLU disclosed that, even though 37 cities have some type of video surveillance program and 10 are considering expansive programs, none has conducted a comprehensive evaluation of the cameras’ effectiveness [full list of cities and their responses]. Only 11 police departments have policies that even purport to regulate the use of video surveillance. In the last two years, the federal Department of Homeland Security has made more than $1.4 billion available to cities for anti-terrorism projects. This funding, along with rising homicide rates and aggressive marketing by security companies, has led many cities to approve and install surveillance camera systems. The ACLU is urging local governments to pause and consider whether this is the best way to make our cities safer before rushing to adopt this new technology, given its civil liberties implications. [ACLU report and supporting documents including news coverage] [Source] See also: [UK: CCTV could track branded suspects] and [Strong growth predicted for CCTV market]

 

US – U.S. Plans to Screen All Who Enter, Leave Country

The U.S. federal government disclosed details this week of a border-security program to screen all people who enter and leave the U.S., create a terrorism risk profile of each individual and retain that information for up to 40 years. The details, released in a notice published in the Federal Register, open a new window on the government's broad and often controversial data-collection effort directed at American and foreign travelers since 9/11. While long known to scrutinize air travelers, the Department of Homeland Security is seeking to apply new technology to perform similar checks on people who enter or leave the country "by automobile or on foot," the notice said. The department intends to use a program called the Automated Targeting System, originally designed to screen shipping cargo, to store and analyze the data. "We have been doing risk assessments of cargo and passengers coming into and out of the U.S.," DHS spokesman Jarrod Agen said. "We have the authority and the ability to do it for passengers coming by land and sea." The Senate Homeland Security and Governmental Affairs Committee, chaired by Sen. Susan Collins (R-Maine), has asked Homeland Security to brief staff members on the program. According to the notice, the program is exempt from certain requirements of the Privacy Act of 1974 that allow, for instance, people to access records to determine "if the system contains a record pertaining to a particular individual" and "for the purpose of contesting the content of the record." [Source]

 

US – DHS Data Mining Sparks More Controversy

Although the Homeland Security Department terminated a controversial visual analytics data mining program this summer, it continues to engage in visual analytics research in a separate program, a spokeswoman confirmed. The ongoing visual analytics research at the Science and Technology Directorate is being publicized as a means of eventually identifying terrorists through potential use of data collected from video surveillance footage, cell phone calls, photos, bank records, chat rooms and e-mails. But no real-world, operational data is actually being used in the research, said DHS spokeswoman Amy Kudwa. “It relies on synthetic data. It is purely research on ways to interact with data.” [Source] See also: [Terrorism: The Slide Show - A Power Point demonstration by the Department of Homeland Security]

 

US – GAO Commends TSA for Handling Sensitive Data

The Government Accountability Office (GAO) has found that the TSA has improved its handling of unclassified, sensitive data, according to FCW.com coverage of the audit’s findings. The agency had improved its guidance, criteria and training for sensitive security information (SSI) gathered as a result of security screening programs. The 2007 U.S. Department of Homeland Security’s appropriations bill had required the GAO to investigate the agency’s handling of SSI. A TSA spokesman credited the agency’s improvements in staff training and response in processing data requests for the report’s positive findings. [Source] [GAO Report]

 

US – Civil Liberties Group Wants US Wiretapping Legislation Changed

The Center for Democracy and Technology (CDT) has urged the U.S. Congress to make changes to a bill that would extend a controversial wiretapping program. The group called for the U.S. Senate to pass a substitute to the FISA Amendments Act, which is likely to be debated on the Senate floor later this week. The legislation, as approved by the Senate Intelligence Committee, would reauthorize warrantless wiretapping of some U.S. residents’ telephone and electronic communications in the name of protecting the U.S. against terrorists. One of the most controversial provisions would give telecommunications carriers immunity from civil lawsuit judgments for assisting the government wiretapping efforts, but CDT officials said this week that there are other important questions raised by the legislation, including the role the U.S. Foreign Intelligence Surveillance Court (also known as the FISA court) plays in overseeing the wiretapping program. The Intelligence Committee version of the bill, which was put together with help from the Bush administration, offers “no meaningful protection” to U.S. residents and limits the involvement of the FISA court in approving wiretapping, the CDT said. Several civil liberties groups have called the wiretapping program illegal because it spies on U.S. residents communicating with overseas suspects without court approval. “The biggest issue is, what’s the role of the court in protecting the privacy of communications?” [Source]

 

CA – Canadians Want Clearer Guidelines at Work for Personal Use of Email and Internet

Canadians believe too much time is being wasted on personal email and Internet use at work, with more than half calling for clearer guidelines and one in three actually saying employers should monitor such activity, according to a new Monster.ca poll. The online poll, in which 3,457 Canadians participated, asked if employers should be allowed to monitor staff use of email and the Internet in order to improve productivity. More than half, 57%, said no to monitoring employees but agreed that employers should provide "clearer guidelines" that would serve to maintain both productivity and trust in the workplace. Perhaps surprisingly, nearly one in three people responding to the poll (29%) said yes to the idea of employers monitoring email and Internet use, agreeing that "people spend an excessive amount of time on personal email and surfing the Internet." The remaining 14% said "never" to the idea of their employer monitoring email and Internet use, calling it "an invasion of privacy that shows a lack of trust." [Source]

 

 

--------