Boston Globe, Worcester Telegram and Gazette, CC#s printed on routing slips, 240,000 subscribers

Two newspapers owned by The New York Times Co., the Boston Globe and Worcester (Massachusetts) Telegram & Gazette, said Tuesday they had mistakenly sent out slips of paper with credit card data of up to nearly a quarter million subscribers.
The credit card numbers were printed on routing slips attached to 9,000 bundles of newspapers sent to retailers and carriers last weekend, according to the newspapers.

I can see how this mess-up might get a carrier the credit-card info for subscribers on his or her route, but what credit card number(s) would be sent to a retailer?

January 20, Honeywell International, 19,000 current+former employees, SSNs and bank account info, published on web site

Long Island Newsday reports on Honeywell paying for credit monitoring for 19,000 current and former employees after their information somehow wound up on a web site:

The company notified employees about the breach within a day of learning of it Jan. 20, according to spokesman Robert C. Ferris.
“The company immediately contacted the relevant service provider, had the page removed from the Internet and is continuously monitoring the Internet to ensure that the Web page and any copies of it remain taken down,” said Ferris.
He said the company was working with federal and state investigators to determine who posted the data. Ferris said he didn’t know whether the posting was the work of a disgruntled employee or resulted from an administrative error or other cause.

The South Bend Tribune provides the important detail that the 19,000 worked for Honeywell in 2003.
Update 2/6/2006: Honeywell believes this to have been the work of a disgruntled insider, as reported here.

TSA Records

Back in August (“Demand Your records”) I mentioned the effort to request, under the Freedom of Information Act, records relating to the TSA’s illegal data grab on Americans. In December, I got a response, and share a redacted copy here. All redactions are mine. (The whole process of redaction is remarkably difficult, but that’s a separate post. Feel free to try to defeat my “scan a magic markered copy” technique.)

Since I redacted what I’m sharing, allow me to explain what I’m choosing not to share. The number starting:

  1. …218 is my Delta frequent flyer number.
  2. …617 is the phone number I tend to use for such things.
  3. …3823 is my Diner’s club card.

Some comments:

  1. I appreciate being addressed by our civil servants as “Dear Shostack.”
  2. I am utterly stymied by the 12/31/89 19:00:00 apparent date. I know why I might have called one year later, but not in 1989. John Gilmore pointed out that that’s localtime for midnight, GMT, in both Boston (where I was) and Atlanta (where Delta was, and mostly remains).

The records: tsa-redacted.PDF

[Update: Fixed spelling. Thanks Samablog!]

New Passports More Secure than Wet Paper Bags (Barely)

Remember the US Government plan to put a radio chip in your passport? The one whose security has never been seriously studied, whose justification seemed to boil down to a hope that it would speed processing, but even that was wrong? The one whose security gets worse every time anyone competent looks at it? Well, someone else just looked at it.

Bart Jacobs & Ronny Wichers Schreur of Radboud University Nijmegen, Netherlands have discovered that an eavesdropper can decrypt everything sent over the air under the latest scheme. In about two hours. They presented at a SafeNL workshop, and have a working demo. It turns out the error is really basic, as explained in this press release:

The secret key is made up of the passport expiry date, birth date and the passport number stored in the passport’s Machine Readable Zone. The Dutch passport numbering scheme proves to be sequential and has a relation with the passport expiry date. Further, the last digit of the number is a checksum introducing additional predictability. The selection of a new and unpredictable passport numbering scheme would considerably improve the security.

Now, why does that sound familiar? Oh yeah! It’s because that’s the same predictable key source attack I found on the SecurID client-server protocol a decade ago.
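To make the press release’s point concrete, here is an added example (mine, written for this page; not code from the Radboud researchers or from the original post). It implements the ICAO 9303 Basic Access Control key derivation, which really does seed the session keys from nothing but the document number, date of birth and expiry date in the MRZ, and then runs a toy offline brute force to show how small the candidate space becomes once the document number is tied to the expiry date. The sequential numbering relation, the “NX” prefix, the per-day counter, the sample holder, and the use of a key fingerprint as the eavesdropper’s verification check (a stand-in for recomputing the 3DES Retail MAC on a captured authentication command, which the standard library cannot do) are all assumptions constructed for the demo, not facts about Dutch passports.

```python
"""Added example: ICAO 9303 Basic Access Control (BAC) key derivation from the
MRZ, plus a toy offline brute force showing why predictable MRZ fields weaken it.
Not code from the Radboud researchers. Assumptions are marked as such below."""
import hashlib
import math
from datetime import date, timedelta


def icao_check_digit(field):
    """ICAO 9303 check digit: weights 7,3,1 repeating; '<' counts 0, A..Z count 10..35."""
    total = 0
    for i, ch in enumerate(field):
        if ch == "<":
            value = 0
        elif ch.isdigit():
            value = int(ch)
        else:
            value = ord(ch.upper()) - ord("A") + 10
        total += value * (7, 3, 1)[i % 3]
    return str(total % 10)


def mrz_information(doc_no, dob, expiry):
    """The 24-character string that seeds BAC: document number (padded to 9 with '<'),
    date of birth and expiry (both YYMMDD), each followed by its check digit.
    Note the check digits add no entropy: they are computed from the other fields."""
    doc_no = doc_no.ljust(9, "<")
    return (doc_no + icao_check_digit(doc_no)
            + dob + icao_check_digit(dob)
            + expiry + icao_check_digit(expiry))


def adjust_des_parity(key):
    """Force odd parity on every byte, as 3DES key bytes require."""
    out = bytearray()
    for b in key:
        b &= 0xFE
        out.append(b | (1 if bin(b).count("1") % 2 == 0 else 0))
    return bytes(out)


def bac_keys(doc_no, dob, expiry):
    """Kseed = SHA-1(MRZ_information)[:16]; KENC and KMAC are SHA-1(Kseed || 32-bit
    counter 1 or 2)[:16] with DES parity fixed. This is the ICAO 9303 derivation."""
    k_seed = hashlib.sha1(mrz_information(doc_no, dob, expiry).encode("ascii")).digest()[:16]
    k_enc = adjust_des_parity(hashlib.sha1(k_seed + b"\x00\x00\x00\x01").digest()[:16])
    k_mac = adjustDesParity = adjust_des_parity(hashlib.sha1(k_seed + b"\x00\x00\x00\x02").digest()[:16])
    return k_enc, k_mac


# ---- Everything below models the eavesdropper; the numbering scheme is an ASSUMPTION ----

EPOCH = date(2000, 1, 1)  # assumed start date of the hypothetical issue counter


def expected_serial(expiry, per_day=1000):
    """Assumed sequential scheme: a counter that advances a fixed amount per issue day,
    with expiry five years after issue. Stands in for the real (undisclosed) relation
    between Dutch passport numbers and expiry dates described in the press release."""
    issue = expiry - timedelta(days=5 * 365)
    return (issue - EPOCH).days * per_day


def candidates(dob_start, dob_days, expiry_start, expiry_days, serial_window, prefix="NX"):
    """Yield (doc_no, dob, expiry) triples to try: a plausible birth-date window, an
    expiry window, and serials near the one the expiry date predicts."""
    for d in range(dob_days):
        dob = (dob_start + timedelta(days=d)).strftime("%y%m%d")
        for e in range(expiry_days):
            exp_date = expiry_start + timedelta(days=e)
            base = expected_serial(exp_date)
            for serial in range(base - serial_window, base + serial_window + 1):
                yield "%s%07d" % (prefix, serial), dob, exp_date.strftime("%y%m%d")


def key_fingerprint(k_mac):
    """Stand-in for the real check (recomputing the Retail MAC over a captured command
    and comparing); any deterministic function of KMAC demonstrates the idea."""
    return hashlib.sha256(k_mac).digest()[:8]


def recover_mrz(target, **windows):
    """Offline brute force: derive keys for every candidate and compare to the capture."""
    for doc_no, dob, expiry in candidates(**windows):
        if key_fingerprint(bac_keys(doc_no, dob, expiry)[1]) == target:
            return doc_no, dob, expiry
    return None


def search_space_bits(dob_days, expiry_days, serial_window):
    """log2 of the candidate count the predictable scheme leaves an eavesdropper."""
    return math.log2(dob_days * expiry_days * (2 * serial_window + 1))


def run_demo():
    """Constructed sample holder (not a real passport); returns truth, recovery and sizes."""
    expiry, dob = date(2010, 7, 15), date(1975, 3, 2)
    doc_no = "NX%07d" % (expected_serial(expiry) + 7)
    truth = (doc_no, dob.strftime("%y%m%d"), expiry.strftime("%y%m%d"))
    capture = key_fingerprint(bac_keys(*truth)[1])
    windows = dict(dob_start=date(1975, 1, 1), dob_days=200,
                   expiry_start=date(2010, 7, 12), expiry_days=5, serial_window=10)
    return {"truth": truth, "recovered": recover_mrz(capture, **windows),
            "random_number_bits": 9 * math.log2(36),
            "predictable_bits": search_space_bits(200, 5, 10)}


if __name__ == "__main__":
    for k, v in run_demo().items():
        print(k, v)
```

The two printed bit counts are the whole story: a random nine-character alphanumeric document number alone contributes about 46 bits, while a number that can be predicted from the expiry date collapses the search to the birth-date window times a few days of expiry times a handful of serials, which a laptop walks in seconds here and which the researchers walked in about two hours against the real scheme.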

Is this fixable? This particular hole probably is, with a re-issued passport. The important questions are not about whether or not a new scheme can be designed and analyzed. That game of penetrate and patch doesn’t lead to secure systems, it leads to more penetrate and patch.

The important lessons are: First, the people doing this work are either incompetent, or working under such a compressed timeframe that they can’t get it right. Second, the chips should not have a radio. Let me say it again. The radio has no function, and introduces a plethora of security holes. It should be removed now, before the State Department needs to replace millions of passports.

(Research reports from Dave’s Bit Bucket, via Alec Muffet. “Seasoned vs. Newbie” photo by Antomic.)

On Disclosure

In comments on “Bank of America Customers Under Attack,” Options Scalper writes:

I’m uncertain of the “mandatory disclosure” that you discuss here. If by this you mean of data lost in transactions similar to what you mention above, I agree. But if you mean data from the call center to determine the level of theft/fraud or other crime, I’m not sure that I agree with mandatory disclosure. That data, while useful to the awareness of security provides information that cannot be made transparent to an entity’s competitors, i.e. the availability of this data may provide for means of advantage in key markets based on the data “surrounding” the security data. I’m a proponent of mandatory disclosure of “lost data”, but I just think that this topic needs a great deal more discussion.

I admit, I have been using “mandatory disclosure” in a somewhat slippery way. The mandatory disclosure of a loss of confidentiality of personal information, such as is mandated by California’s SB 1386, and a host of other laws, and emerging new custom and expectation. I also use it in a somewhat tongue in cheek way to refer to the benefits that mandatory disclosure is bringing, despite the discomfort involved in the transition.

Beyond that, I note the utter paucity of good information about security breaches. This paucity hurts us deeply as a profession, as we talk about how über-hackers tromp undetected through networks. Compare and contrast the quality of data we have about computer security incidents to the quality of data about burglaries. Should we mandate disclosure of these things? We mandate lots of disclosure under laws like SarBox. It’s not clear if it does much good for the expense it entails.

There is, of course, the whole bloody “debate” over disclosure of vulnerabilities in software. Like all right-minded people, I believe in full disclosure and only practice it when left no choice.

As to the concern that competitors may start jumping on a lack of security as a way to poach customers, I can’t see that as justification for allowing a company to mislead the public. We demand lots of disclosures from companies, especially around the reporting of crimes. Why should online crime be different?

Musings on The Future of the State

I love the little corners of the law that are ancient rights and privileges. They illustrate ways in which our institutions have evolved, and from where they came, we can learn much about where they may go. That’s why I was delighted to read “Russian-Israeli who Left Newfoundland and Labrador Church Sanctuary Is Deported.” Church sanctuary! In 2006! What a great living fossil of the days when the Church in Rome was an important power, equal to or even superior to local Lords. That power was shattered by a series of wars (the Thirty Years’ War) for what was called freedom of conscience. More properly, it was freedom of Christian conscience: Jews were barely, if at all, tolerated, and Muslims, pagans, and infidels were still anathema.

Today, where those wars were won, even if there is a ‘state religion,’ contributions are optional, a right Thomas Jefferson had to argue for in Virginia. Heretics of all sorts, even atheists, are tolerated. Freedom of conscience has turned from a controversy that engulfed Europe into a settled tenet of modern liberalism. The role of the Church has been quite sharply curtailed.

Perhaps something similar is happening to the state. Since this isn’t my area of expertise, I hesitate to try to speak definitively, but I see a possibility that expansion of communication networks, re-globalization of economies, strong disagreements about the appropriate limits of power, catastrophic failures of response to events like hurricane Katrina, modern migratory trends, etc. will combine to transform the state to the point where its architects, from Cardinal Richelieu to Kaiser Wilhelm, would not recognize it.

(Oviedo Cathedral, photograph by R. Duran, “Torre de San Salvador,” on Flickr.)

Newspeak Alert

Dear San Jose Mercury News,

In re your article, “Date set for hearing on Google data-sharing.”

It’s not sharing when you’re holding a court hearing. It’s a demand. I share my toys with my friends. The man with a gun demanded my wallet. Please make a note of it.

PS: If you didn’t promulgate the use of the word “sharing” to mean the promiscuous trading of personal data, this never would have happened.

Langley, British Columbia, Canada, 1,000 medical records, courier firm

There are calls for tougher guidelines in the handling of private information after 1,000 medical files went missing when a courier car was stolen in Langley on Thursday.
The courier company says the driver left the car running for less than a minute.
When the car was stolen, so was a box of health records of patients from Langley, Aldergrove and Surrey. The files were later found dumped near a recycling bin in Surrey.

“It is an offence to leave a vehicle running unattended and the driver may face charges for that. The investigator is looking at that and he may follow up with that and charge this driver with an insecure vehicle,” says RCMP spokesperson Cpl. Diane Blain.

[Darrell Evans of the B.C. Freedom of Information and Privacy Association] calls the possibility of charges “over the top.”

Thanks, Darrell! Way to look out for our rights!

(From the CBC, “Medical records stolen in Langley.”)

State of Rhode Island, 4,118 or 53,000 CC, Hacker

Thousands of credit card numbers were stolen from a state government Web site that allows residents to register their cars and buy state permits, authorities said Friday.

The private company that runs said that 4,118 credit card numbers had probably been taken, a state official said. All online transactions were suspended Friday until any possible security problems could be fixed.

The breach was uncovered when a security company discovered a Web site in Russian, Najarian said. The author claimed he obtained 53,000 credit card numbers.

Loring said the Web site was breached on Dec. 28, and far fewer than 53,000 numbers were stolen. She said the company notified credit card companies of the breach, but did not notify card holders.

From the AP, via techdirt, who ask, “So, if the government is out fining those, like ChoicePoint, who leak data to criminals, what do they do when they’re the ones doing the leaking?”

Octopus vs. Submarine

Rare video footage shows a giant octopus attacking a small submarine off the west coast of Vancouver Island.

Salmon researchers working on the Brooks Peninsula were shocked last November when an octopus attacked their expensive and sensitive equipment.

The giant Pacific octopus weighs about 45 kilograms, powerful enough to damage Mike Wood’s remote-controlled submarine.

From “Video captures octopus attack on sub in B.C..” Video links on the CBC page. [Update: check out the voice over at Irregular Times. I do question the ability of a five year old to independently and authoritatively answer a leading question like “Is it a nice octopus?” However, alternate and plausible interpretations are welcome.]

Providence Home Services, 365,000 medical records, Car Thief

About 365,000 hospice and home health care patients in Oregon and Washington are being notified about the theft of computer backup data disks and tapes late last month that included personal information and confidential medical records…In an announcement yesterday, Providence Home Services, a division of Seattle-based Providence Health Systems, said the records and other data were on several disks and tapes stolen from the car of a Providence employee at his home. The incident was reported by the employee on Dec. 31, according to the health care system…The data on the tapes was encrypted, Walker said. The data on the disks was in a proprietary file format that was not encrypted, but “is stored in a way that would make it difficult, if not impossible, for someone to access it, then make any sense out of it,” he said.

As far as I know, there is no law requiring that the loss of encrypted data be reported. The new rules around disclosure march onwards.
(From Computerworld, via InfoSec News.)

Providence Home Services, 365,000 people, health records, theft from employee vehicle

From Computerworld (via Slashdot) we learn that a home health care business deliberately sent patient info home with an employee as part of their disaster recovery plan. I’m serious. Now, unless this guy lives under Cheyenne Mountain, I’m saying that’s a dumb plan. Anyhoo, some of the information was encrypted, but much of it was not. Specifics on what was stolen:

The information on the disks and tapes included names, addresses, dates of birth, physicians’ names, insurance data, diagnoses, prescriptions and some lab results. For approximately 250,000 of the patients, Social Security numbers were on the records, according to the health system. Some of the records also included patient financial information.

Funny. A guy at Ameriprise (foolishly) takes his work home and gets canned for it. Meanwhile, the exact same activity is mandatory at another regulated institution.
(BTW, sorry if I sound snarky — low on caffeine at the moment)
Update 02/04/2006: The police report is now available online. It is very interesting. It’s also worthy of note that a single individual whose PII was stolen has so quickly created a community web site dealing with the breach through which his information was revealed.

Choicepoint to Pay $15M Fine

Atlanta-based data aggregator ChoicePoint today agreed to pay $15 million to settle charges that it violated federal consumer protection laws when it allowed criminals to purchase sensitive financial and personal data on at least 163,000 Americans.

The settlement addresses a pair of lawsuits filed against ChoicePoint by the Federal Trade Commission and represents the largest civil penalty ever obtained by the agency.

Via Brian Krebs at the Security Fix blog.