CPNI Public Comment

The FCC has asked for comments on “TELECOMMUNICATIONS CARRIER’S USE OF CUSTOMER PROPRIETARY NETWORK INFORMATION AND OTHER CUSTOMER INFORMATION.” “Customer Proprietary Network Information” is newspeak for “selling your phone records.”

Several anonymous readers commented on “Selling Your Phone Records” about their troubles with T-Mobile. Here’s a chance to tell the FCC what you went through. Please do. (Via Chris Hoofnagle.)

Salesman uses credit application to stalk and rape customer

Police say a convicted murderer used his job as a car salesman in Sandy to track a female customer to her home and rape her.

Cleon Jones, 34, was arrested Wednesday on multiple first-degree felonies and remains in the Salt Lake County Jail without bail.

Authorities allege Jones tracked down his victim by using her credit application to obtain her personal information including her address, said West Valley Police Capt. Tom McLachlan…

All sales personnel at car dealerships in Utah are required to be licensed by the state, which includes a background check.

Wow. I’m hard pressed to know what to say. Women are often more aware of the privacy of their home addresses because of exactly this? Background checks shouldn’t act as a replacement for good personal judgment about the people you employ?

(The source article, in Deseret news is fairly graphic and unpleasant. Via Canadian Privacy Law Blog.)

University of Northern Iowa, 6000 W-2 forms, virus-infected laptop

An IT person troubleshoots dodgy printing of US earnings documents by loading 6,000 of them onto a laptop. Hilarity ensues when the laptop later turns out to be infected with malware detected during “routine monitoring”.
Via wcfCourier.com:

The University of Northern Iowa has warned students and faculty to monitor their bank accounts after someone accessed a computer system holding confidential information.
The university detected last week that a laptop computer holding W-2 forms was illegally accessed, though officials said the person likely did not realize he could obtain tax information for about 6,000 student employees and faculty.
“A virus was detected during routine monitoring,” said Tom Schellhardt, vice president for administration and finance. “We immediately took steps to fix the problem and increase security.”
The university sent letters to everyone whose data was on that computer, warning them to protect against identity theft by monitoring their accounts and contacting credit reporting agencies.
Steve Moon, the school’s director of network services, said the person who used the laptop computer did so to review the print jobs for the W2 forms.

John Robb on the Next Attack

John Robb has some very interesting thoughts on the next major al Qaeda attack on the United States in “The Next Attacks on America:”

The impact of these attacks, particularly if they are numerous (attracting copycats?) and spread out over an extended period of time will be severe. Given their lack of symbolic content (and the potential that they will be relatively anonymous), the moral benefit to US cohesion will be small. Initial outrage against the attackers will quickly turn against the government itself, with severe repercussions (particularly if the government’s response is crude and deemed ineffective).

I’ve also added John’s Global Guerrillas blog to the blogroll, because he’s been on a roll with insightful stuff. Since I limit the blogroll to twenty (copying Kip Esquire’s plan) I had to remove someone, and decided to remove Bubbler.net, based on a lack of posting volume. It feels bad to be removing a blog, and I may consider a different policy, like only adding one blog a month to the roll.

[Update: Cancel that cancellation. I should have listened to my gut. Having read Guy Kawasaki’s “How to Suck Up to A Blogger,” I realized I was doing little but hurting Mario, and myself by copying Kip’s Elite Eleven policy. I’ve put Mario back in the blogroll, and will try to control bloat by adding no more than one blog a month.]

Old Dominion, 601 SSNs, Grad Student’s Dismal Process

In 2004, a graduate student apparently posted a class roster of 601 students, complete with names and social security numbers, on the web. (“ODU Graduate Student Posts Student Information on Website, School Investigating,” via Netsec.)

Update: Lyger of Attrition pointed out that the dates in the WAVY-TV story don’t add up. There’s a story in the Virginian Pilot, “Social Security numbers of 601 ODU students posted to Web,” which says that the data was up for nearly two years. I suspect that the TV news site made a simple mistake.

Second OSX Proof of Concept

Today we got a sample of a rather interesting case, a Mac OS X Bluetooth worm that spreads over Bluetooth.

OSX/Inqtana.A is a proof of concept worm for Mac OS X 10.4 (Tiger). It tries to spread from one infected system to others by using the Bluetooth OBEX Push vulnerability CAN-2005-1333.

Via F-Secure. I feel weird linking a CVE to not-MITRE. F-Secure’s full description explains that the code expires, and isn’t in the wild.

Dept of Agriculture, 350,000 Tobacco Farmers, Dismal Process

The Agriculture Department says it accidentally released Social Security numbers and tax IDs for 350,000 tobacco farmers.

But the department says those who received the information agreed to destroy copies and return discs to the government.

The agency said it inadvertently released the data in response to Freedom of Information Act requests about the tobacco buyout program. The information went to eight different people or groups. (“Government accidentally releases farmers’ Social Security numbers,” AP.)

Blue Cross of Florida, 27,000 employee SSNs, Contractor

The names and Social Security numbers of about 27,000 Blue Cross and Blue Shield of Florida current and former employees, vendors and contractors were sent by a contractor to his home computer in violation of company policies, the company said Thursday.

The contractor had access to a database of identification badge information and transferred it via e-mail to a home computer, said Lisa Acheson Luther, a Blue Cross and Blue Shield spokeswoman. (“Blue Cross says contractor took 27,000 Social security numbers,” AP.)

LEAP.A Mac Trojan

There seems to be a trojan out for the Mac. See “New MacOS X trojan/virus alert, developing…”. There are some interesting tidbits:

6a) If your uid = 0 (you’re root), it creates /Library/InputManagers/ , deletes any existing “apphook” bundle in that folder, and copies “apphook” from /tmp to that folder
6b) If your uid != 0 (you’re not root), it creates ~/Library/InputManagers/ , deletes any existing “apphook” bundle in that folder, and copies “apphook” from /tmp to that folder
7) When any application is launched, MacOS X loads the newly installed “apphook” Input Manager automatically into its address space

The name is from F-Secure. See my “The Approaching Apple OSX86 Security Nightmare” for my prior thoughts. If any reader has an archived copy, I’d like one so I can do some analysis.

First thought: It’s not attacking that nice, secure, BSD Unix base, but the Apple-designed parallel bits that help make the Mac so beautiful, usable, and extensible.

[Update: Second thought: there’s a lot of Mac-specific code here. It’s not simply a port of a UNIX trojan.]
[2nd Update: The wording above implies a contrast between secure and usable; I meant only to acknowledge Apple’s longstanding focus on making a polished product.]
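As an added illustration (not code from the original post or from the linked analysis), here is a small Python check for the two Input Manager directories named in steps 6a and 6b above. The `root`/`home` parameters, the root-ownership and writability heuristic, and the record format are my own assumptions; the write-up only names the directories and the “apphook” bundle.

```python
import stat
from pathlib import Path

# The two drop locations from the Leap.A write-up quoted above: the
# system-wide directory when the trojan runs as root, the per-user one
# otherwise. "apphook" is the bundle name reported for this sample.
INPUT_MANAGER_DIRS = ("/Library/InputManagers", "~/Library/InputManagers")
SUSPECT_NAMES = {"apphook"}


def scan_input_managers(root="/", home=None):
    """Return one record per installed Input Manager bundle.

    `root` and `home` let the scan be pointed at a constructed directory
    tree (as the test does); the defaults inspect the live system.
    """
    home = Path(home) if home else Path.home()
    records = []
    for loc in INPUT_MANAGER_DIRS:
        path = home / loc[2:] if loc.startswith("~") else Path(root) / loc[1:]
        if not path.is_dir():
            continue
        for entry in sorted(path.iterdir()):
            if not entry.is_dir():
                continue  # Input Managers are bundles (directories)
            st = entry.stat()
            # Heuristic (my assumption): any Input Manager is unusual on a
            # stock Tiger box; a known-bad name, or a system-wide bundle not
            # owned by root or writable by group/others, goes to the top.
            writable = bool(st.st_mode & (stat.S_IWGRP | stat.S_IWOTH))
            records.append({
                "path": str(entry),
                "name": entry.name,
                "known_bad": entry.name.lower() in SUSPECT_NAMES,
                "system_wide": not loc.startswith("~"),
                "owned_by_root": st.st_uid == 0,
                "group_or_world_writable": writable,
            })
    return records


def suspicious(records):
    """Filter to the records a responder should look at first."""
    return [r for r in records if r["known_bad"]
            or (r["system_wide"] and (not r["owned_by_root"]
                                      or r["group_or_world_writable"]))]


if __name__ == "__main__":
    for rec in suspicious(scan_input_managers()):
        print(rec)
```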

Suffolk County, NY, 7,000+ SSNs, Dismal Process Failures

The Suffolk county [New York] clerk’s office has exposed the Social Security numbers of thousands of homeowners on its Web site, and officials said they don’t have a way to remove them. And soon, a new plan will make it easier to retrieve them.

Mortgages and deeds that contain Social Security numbers for an estimated 7,000 to 8,000 individuals have been “scanned” and posted on the county clerk’s Web site.

From “Glitch puts Social Security numbers online.”

Thank You, Choicepoint

It’s been a year since Choicepoint fumbled their disclosure that Nigerian con man Olatunji Oluwatosin had bought personal information about 160,000 Americans. Bob Sullivan broke the story in “Database giant gives access to fake firms,” and managed to presage much of what’s happened in the opening paragraphs of his story:

Last week, the company notified between 30,000 and 35,000 consumers in California that their personal data may have been accessed by “unauthorized third parties,” according to ChoicePoint spokesman James Lee.

California law requires firms to disclose such incidents to the state’s consumers when they are discovered. It is the only state with such a requirement but such data thefts are rarely limited to a single geographic area.

Lee said law enforcement officials have so far advised the firm that only Californians need to be notified.

I raised the question of other states the next day on a panel at the RSA Conference, and have been getting mileage out of Choicepoint and breaches ever since. I’d like to take a moment to look back at what’s happened, what we’ve learned, and yes, to honestly thank Choicepoint for the dramatic changes in international privacy law and norms that they’ve brought about. Derek Smith, Choicepoint’s CEO, had been fond of calling for a national debate. I don’t think he anticipated the answers that debate has produced.

  • The first result of the debate is 20 new laws, as summed up by the National Conference of State Legislatures. These new laws, and the breaches that we learn about because of them are an important window into the true and pathetic state of data security.
  • Remarkably, we have no new law which is explicitly about limits on collection, use, or accuracy of data held by businesses. By “explicitly about,” I mean a law such as Dan Solove and Chris Hoofnagle have laid out in “A Model Regime for Privacy Protection”; I’ve discussed such things much more briefly in “New American Privacy Law: What Could it Say?”
  • Those laws, and the new expectation of disclosure, have led to enough data coming out that it can be analyzed. What’s more, analysis, mostly by the Ponemon Institute, has helped define how to disclose these issues.
  • Choicepoint stock has still not recovered, despite a plethora of actions designed to boost it, including stock buybacks. The largest fine ever imposed by the FTC didn’t help. Choicepoint, despite the increased brand recognition, also faces increased scrutiny, as I discussed in “Cost of Breaches,” and the Bode cancellation, mentioned in the November 7th “Choicepoint Roundup.”
  • Speaking of stock, the SEC investigation into insider trading by Choicepoint executives continues.
  • To improve their reputation, Choicepoint has stepped up their internal audit processes, annoying some customers, as discussed in “Counterterrorism and Bureaucracy.”
  • In “Why Choicepoint Resonates,” I analyzed the news story, and am both happy with my analysis, and note that Choicepoint really should have talked to their trademark attorneys when I told them to, in “Cardsystems and Choicepoint.”
  • Finally, due to certain irregularities arising from background checks, “Choicepoint’s acquisition of Emergent Chaos” has been cancelled.

And so, for all these things, a hearty thank you to Choicepoint.