STE WILLIAMS

Telcos cough mobe tracking habits

The American Civil Liberties Union has compiled 381 information requests to establish who is slurping information from phone networks and what they’re finding out.

The initial data reveals huge disparities between operators when it comes to how much information is stored and what is made available to the authorities. AT&T, for example, knows everywhere its customers have been since July 2008, and the details of every text message sent in the last five years, not to mention keeping videos of punters in its stores for a couple of months. All for the good of the people obviously.

Other operators clearly have smaller hard drives. Verizon deletes historical locations after a year, but does keep the contents of text messages for a few days. Virgin Mobile hangs onto text message content for three months, though it promises to only reveal them when presented with a search warrant. The other operators keep the details of the messages, but not the messages themselves.

In Europe, our rules on data retention are pretty standard: everything gets stored for six months and is available to the plod on request. That’s currently being challenged in Germany, but American operators work under no such mandated obligation. The details over who gets access to what information can be decided on a state-by-state basis, which is why the ACLU has had to ask so many organisations what they’re asking for and when.

The fact is that every one of us is voluntarily carrying a tracking device, all the time, as perfectly demonstrated by Malte Spitz, who plotted his own movements on an interactive map having extracted them from his network operator. A mobile phone is now the second thing police pull from a corpse, yet it is more valuable than the wallet because it can establish movements prior to death. Concerns over misuse of the information, however, are growing.

The ACLU has shown what operators know, and is in the process of finding out with whom they share that data, but it’s up to citizens to decide if they care enough to do anything about it. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/09/30/aclu_phone_logging/

Nominet suspends fake pharma domains

Nominet, the .uk address registry, has suspended hundreds of internet domain names as part of a global police crackdown on crime gangs peddling fake pharmaceuticals.

Operation Pangea IV saw almost 13,500 websites taken down and dozens of suspects arrested in 81 countries, according to Interpol, which coordinated the swoop.

Over 2.4 million potentially harmful counterfeit pills, worth about £4m, were seized in raids between 20 and 27 September, Interpol said. Confiscated medicines included everything from diet pills to anti-cancer drugs.

Cops worked with customs agencies, ISPs, payment processors and delivery companies to close down the allegedly criminal operations, Interpol said.

In the UK, Nominet acted upon advice given by the Medicines and Healthcare products Regulatory Agency and the Police Central e-Crime Unit to suspend about 500 .uk domains, according to director of operations Eleanor Bradley.

While the domains were not “seized” as some have been in the US in recent months, suspending a domain stops it from resolving, essentially shutting down the associated website.

Bradley said that Nominet worked with its registrar partners to shut down the domains, which were all in “clear breach” of either Nominet’s or the registrar’s terms and conditions.

“If we didn’t think it was in specific breach of our terms of conditions, we would take no action against the domain name,” Bradley said.

As it has on previous occasions, Nominet was able to shut down the addresses because their owners had provided bogus contact information for the Whois records, in violation of the registration agreement.

Nominet is also in the late stages of a policy development process that will formalise the ways in which law enforcement agencies can ask for domain names to be taken down, without a court order if they are believed to be hosting criminal content.

The process could be completed, and a policy implemented, before the end of the year. A Nominet working group recently held a period of public comment before finalising its recommendations.

It is not currently clear whether domain registries in other countries also cooperated with their local law enforcement agencies as part of Pangea IV, or whether police worked with web hosting providers instead.

A spokesperson for VeriSign, the registry for .com and .net, which has previously enabled the US Immigration and Customs Enforcement agency to seize domains under court order, could not confirm or deny the company’s involvement in the crackdown in time for this article’s publication. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/09/30/nominet_suspends_fake_pharma_addresses/

Qualys endorses alternative to crappy SSL system

San Francisco-based security firm Qualys is throwing its support behind an experimental project designed to improve the security and privacy of website authentication by reducing reliance on certificate authorities that issue secure sockets layer credentials.

The Convergence project was devised by Moxie Marlinspike, a security researcher who has exposed repeated flaws in the SSL system that serves as the internet’s foundation of trust. At the Qualys Security Conference in San Francisco on Thursday, the company said it was financing and running two new notary servers that Convergence users query to make sure the SSL certificate being offered by a given site is legitimate.

Most of the weaknesses Marlinspike has documented stem from the unwieldy number of organizations – about 650 by his count – authorized to cryptographically sign the certificates that PayPal, Gmail, and millions of other services use to prove their https-appended websites are authentic rather than easily forged counterfeits. With so many digital stamps, there are too many single points of trust. All it takes to subvert the system is for one of them to suffer a security breach like the one that hit Netherlands-based DigiNotar.

In stark contrast to the public key infrastructure at the heart of the SSL system, Convergence relies on a loose confederation of notaries that independently vouch for the authenticity of a given SSL certificate. Thursday’s announcement by Qualys that it will run two of the servers is an important endorsement of the alternative project.

“Qualys running the notaries is a huge help and a step in the right direction,” Marlinspike said.

The move comes three weeks after Google developer Adam Langley said his team had no plans to fortify their Chrome browser with the crowd-sourcing technology. He cited a variety of practical considerations, including the technical strain Convergence would put on notaries, and the risk of Chrome breaking if they failed to keep up with the demand.

Qualys Director of Engineering Ivan Ristic said Langley’s concerns were “perfectly valid,” but added that alternative approaches could easily break the potential bottlenecks the Google researcher envisioned. One possibility, he said, is to set up thousands of notaries that operate in a peer-to-peer fashion to balance the load.

“The challenge with Convergence is to get it into a state where you can use it without knowing it,” he said. “We need to figure out the mechanisms so it just works.”

A peer-to-peer design that distributes the load among huge numbers of notaries wasn’t the precise blueprint Marlinspike envisioned when he proposed Convergence in April. One of the key benefits of the system was a “trust agility” that allows users to query specific notaries they trust.

Another advantage of Convergence is its use of two separate notaries that, for privacy reasons, are intentionally kept in the dark when vouching for a certificate. One notary gets to see the IP address of the Convergence user but not the SSL certificate she wants validated. The other one sees the certificate but not the IP address.

The design is intended to remedy a fundamental weakness of the current system, which allows certificate authorities to track huge numbers of individual requests for SSL-protected websites. This shortcoming was brought home in the aftermath of the DigiNotar breach, when it was revealed the CA logged the time and IP address for more than 300,000 IP addresses exposed to a counterfeit Google.com certificate.
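The two mechanisms described above, independent notaries vouching for a certificate and the privacy "bounce" that keeps the client's IP address and the certificate with different notaries, are easier to see in a small simulation. The following is an added example written for this page, not code from Convergence, Qualys or Moxie Marlinspike. The notary names, IP addresses and "certificate" byte strings are constructed; notaries hold a pre-filled observation table instead of connecting to the site themselves; and the XOR "seal" is a stand-in for the TLS tunnel the real client opens to the target notary through the bounce notary, not real encryption.

```python
"""Toy model of Convergence-style notary checks (added example, not project code)."""
import hashlib
import json

# Constructed stand-ins for DER certificate bytes; only their hashes matter here.
HOST = "bank.example"
GENUINE_CERT = b"constructed DER bytes: CN=bank.example, key 1"
FORGED_CERT = b"constructed DER bytes: CN=bank.example, key 2 (issued by a rogue CA)"


def fingerprint(cert_der: bytes) -> str:
    """SHA-256 of the certificate bytes, the value notaries compare."""
    return hashlib.sha256(cert_der).hexdigest()


def _keystream(key: str, n: int) -> bytes:
    """Deterministic byte stream for the toy seal (NOT a real cipher)."""
    out, counter = b"", 0
    while len(out) < n:
        out += hashlib.sha256(f"{key}:{counter}".encode()).digest()
        counter += 1
    return out[:n]


def toy_seal(data: bytes, key: str) -> bytes:
    """XOR with a keystream; stands in for the TLS tunnel to the target notary."""
    return bytes(p ^ k for p, k in zip(data, _keystream(key, len(data))))


class Notary:
    """A notary independently records which certificate it has seen a host present.

    `seen` logs everything the notary learns about a request, which is exactly
    the information the bounce design tries to split between two parties.
    """

    def __init__(self, name: str, ip: str, observed: dict):
        self.name, self.ip, self.observed = name, ip, observed
        self.seen = []  # list of dicts: what this notary learned per request

    def verify(self, query: dict, source_ip: str) -> bool:
        """Direct query: this notary sees both the client IP and the certificate."""
        self.seen.append({"source_ip": source_ip, **query})
        return self.observed.get(query["host"]) == query["fingerprint"]

    def bounce(self, blob: bytes, target: "Notary", source_ip: str) -> bool:
        """Relay role: sees the client's IP, forwards an opaque blob, learns no host."""
        self.seen.append({"source_ip": source_ip, "blob_len": len(blob)})
        # The target sees the relay's IP as the source, never the client's.
        return target.verify_sealed(blob, source_ip=self.ip)

    def verify_sealed(self, blob: bytes, source_ip: str) -> bool:
        query = json.loads(toy_seal(blob, self.name))  # XOR seal is symmetric
        return self.verify(query, source_ip)


def check_certificate(host, cert_der, notaries, client_ip, bounce=None, policy="majority"):
    """Ask each notary whether it has seen `cert_der` for `host`.

    policy="majority": more than half must agree; "consensus": all must agree.
    With `bounce` set, every query is relayed through that notary so no single
    notary sees both the client IP and the certificate.
    """
    query = {"host": host, "fingerprint": fingerprint(cert_der)}
    votes = []
    for notary in notaries:
        if bounce is None:
            votes.append(notary.verify(query, source_ip=client_ip))
        else:
            blob = toy_seal(json.dumps(query).encode(), notary.name)
            votes.append(bounce.bounce(blob, notary, source_ip=client_ip))
    agree = sum(votes)
    if policy == "consensus":
        return agree == len(votes)
    return agree * 2 > len(votes)


def demo():
    """Genuine cert is accepted, a rogue-CA cert for the same host is rejected."""
    genuine_fp = fingerprint(GENUINE_CERT)
    notaries = [Notary(f"notary{i}", f"198.51.100.{i}", {HOST: genuine_fp}) for i in (1, 2, 3)]
    relay = Notary("relay", "203.0.113.9", {})
    client_ip = "192.0.2.50"
    ok_genuine = check_certificate(HOST, GENUINE_CERT, notaries, client_ip, bounce=relay)
    ok_forged = check_certificate(HOST, FORGED_CERT, notaries, client_ip, bounce=relay)
    relay_saw_host = any("host" in entry for entry in relay.seen)
    target_saw_client = any(e["source_ip"] == client_ip for n in notaries for e in n.seen)
    return ok_genuine, ok_forged, relay_saw_host, target_saw_client


if __name__ == "__main__":
    print(demo())  # expect (True, False, False, False)
```

The last two values returned by `demo()` are the privacy property from the article: the relay logged the client's address but never the host or fingerprint, and the vouching notaries logged the host and fingerprint but only the relay's address. Contrast this with a CA that can log every client IP that fetches a given certificate's status, which is what made the DigiNotar logs so revealing. The `policy` argument shows the trade-off Langley raised: "consensus" is strictest but fails as soon as one notary is stale or unreachable, while "majority" tolerates a minority of outliers.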

So far, Convergence is made up of about 50 notaries. It works only on the Firefox browser running an add-on. Ristic has more about the new notaries here. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/09/30/qualys_endorses_convergence/

Bank emails punters asking for their, er, email address

A number of Cahoot customers were left mildly confused this week when they received an email from the bank asking them to confirm their, er, email address.

The missive invited customers to “log in to your personal homepage at cahoot.com and select ‘change my details’ to check your information is correct”.

Apart from the obvious concern that most people would have – that the email was a phishing attempt – it also seems rather futile, as customers who had changed email address would not receive the message and it would be irrelevant to those still using the current address.

Cahoot, which is the internet division of Santander UK, told El Reg that the email aimed to check that people still wanted to use the same address in connection with their account. The bank added that it would have contacted those customers whose email bounced back through some other means.

”A legitimate communication was issued from Cahoot this week asking customers to confirm that their email address was correct. In order to do this, they would have needed to log into their account,” a Cahoot spokesperson said in a hastily drafted statement.

“Cahoot, like all other banks, would never send a customer an email asking them to enter, reconfirm or change their security details such as account numbers. We apologise for any confusion this may have caused. It is essential that internet banking customers remain vigilant at all times. Cahoot has robust security measures which it constantly reviews to ensure customers remain protected at all times,” the bank added. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/09/30/unusual_verification_process_causes_confusion/

Chinese fuzz bust faux iPhone racket

Police in Shanghai have arrested five suspects in a phony iPhone case that is thought to have netted over three quarters of a million dollars.

According to the Shanghai Daily, police raided an underground workshop in July in the city’s Zhabei district, not far from the Shanghai Multimedia Valley technology zone, and found that the gang was assembling iPhones using some of the components used in authorized handsets. When shown the finished product, Apple engineers said that “it’s really hard for customers to distinguish the fake ones from the genuine ones.”

The raid netted 200 of the faux iPhones, together with around 5,000 components, which would either be assembled onsite or farmed out to freelance assemblers who worked from home. The finished products were sold online and via illegal market stalls by the gang, which was headed by a local man named Dong.

The phony iPhones actually worked properly, the report notes, albeit with a reduced battery life. Because they used proper components, they cost around 2,000 yuan to make, and they were sold for around 4,000 yuan, slightly less than the cost of a proper iPhone.

“The cell phones sell well with more than 30 … sold in one day,” officers said.

Demand for Apple products among China’s emerging middle class is huge, so much so that analysts have speculated that Cupertino will release a cut-down version for the Middle Kingdom. Earlier this year there was also concern that Chinese entrepreneurs were running entirely fake Apple stores, although it seems these may simply have been resellers. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/09/29/chinese_police_bust_faux_iphone/

Sony was a victim as well: Australian privacy watchdog

Victims of the Sony Playstation Network hack included Sony, according to Australian Privacy Commissioner Timothy Pilgrim.

His just-concluded investigation, launched in April, was designed to determine whether or not the hack compromised the personal information of Australian subscribers to the service, and the degree to which Sony was responsible for compromised information.

According to Pilgrim’s investigation, the PSN and Qriocity breaches did not breach National Privacy Principles. The two NPPs that applied in this case were NPP 2.1, which regulates the circumstances under which an organization is allowed to disclose the personal information of its customers; and NPP 4.1, which requires companies to take reasonable steps to protect personal information of their customers.

In the case of NPP 2.1, the issue of responsibility is relatively straightforward: the subscriber information gained when the network was breached wasn’t “disclosed” by Sony. “Rather, the information was accessed as a result of a sophisticated cyber-attack against the network platform,” the PC’s report states.

As for NPP 4.1, Pilgrim found that just because a company like Sony has its security breached does not necessarily mean it did not take “reasonable” steps to protect information against being compromised.

Based on information provided by Sony, he has found that the company had reasonable measures in place, including “physical, network and communications security measures”, encryption of credit card information, and ISO/IEC 27001-compliant security standards.

The report does, however, underline Australia’s lack of data breach notification laws. Currently, all that exists is a set of notification guidelines. Even these do not suggest a particular period within which breaches should be notified.

Nonetheless, Pilgrim said, “the affected individuals could have been notified earlier” than the seven days Sony Computer Entertainment Europe dithered after the attack occurred. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/09/30/sony_cleared_by_privacy_commissioner/

Defence firm Ultra goes cyber with AEP buy

UK-based defence conglomerate Ultra Electronics has acquired security appliance firm AEP Networks in a deal valued at up to $75m. Ultra Electronics agreed to pay $57.5m plus a further $17.5m, depending on sales figures, for the remote appliance firm.

AEP Networks specialises in SSL VPN appliances that allow workers to securely connect into corporate applications and databases without the need to install client software on every PC, thus saving money. The technology works in conjunction with remote access hardware encryption products. More recently AEP also began marketing a subscriber-based thin client virtualisation service called Cloud Protect.

Most of AEP’s 80 employees are based in Ascot, Berkshire and Hemel Hempstead, Hertfordshire. AEP also has a sales and engineering operation in New Jersey in the US. It claims 5,000 blue chip and government customers in over 60 countries.

Ultra Electronics’s main line of business is defence and aerospace, although it has a finger in many pies, including energy and transport. AEP will join Ultra’s Tactical Sonar Systems division.

The end game for most security firms is to be bought by the likes of Symantec, Cisco or Juniper. Less frequently start-ups grow to the point where an IPO is possible.

The AEP deal shows that a greater range of businesses – including those in the defence sector – are looking to expand their cyber-security capabilities, primarily because it might allow them to gain a slice of lucrative government net security contracts. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/09/29/ultra_buys_aep/

Murdoch organ intrudes into readers’ private places

It’s been a few short months since Murdoch rag-for-suits the Wall Street Journal perplexed the world by releasing a flawed whistle-blower website for people wanting to leak tasty secrets to the newspaper.

Now the WSJ has tweaked its privacy policy and switched on creepy browser-tracking by default.

It brazenly confirmed yesterday: “The Wall Street Journal revised its website privacy policy on Tuesday [27 September] to allow the site to connect personally identifiable information with web-browsing data without user consent.”

Until this change, the paper had stated “it would obtain ‘express affirmative consent’ to combine personal data with ‘click stream information’ culled from the website.”

But that’s a thing of the past. It will now slurp up that information without prior consent from any visitor to the site.

Like other companies that don hard hats to mine such data online, the paper – which is owned by Rupert Murdoch’s News Corp – claimed that the rejig to its privacy policy would mean it could more readily “customise” its service for its readers.

“It is not being applied retrospectively and only applies going forward to new registered users and subscribers,” said the organ’s digital network boss Alisa Bowen.

The paper then appeared to swallow the kind of jargon adopted by various social networks and other web companies that trade in user data by claiming that the tweak “simplified” its privacy policies across its network that includes WSJ.com, Barrons.com and AllthingsD.com.

WSJ‘s own report on the changes cheerily noted that the new policy “contains expanded disclosures of online tracking techniques and contains links to opt-outs from third party tracking networks. It also adds a disclosure that it collects mobile device IDs.”

Apparently, the company plans to only share such mobile identifier data with outfits that make cash from the “internal analytics” market.

On top of that, the Journal will continue to sell its print subscriber list while keeping the online version private – at least for now.

Bowen added that the whole thing “allows us to be consistent with how we handle privacy across our network of sites, it makes our policy easier to understand and use, and it ensures our practices are consistent with the way we are evolving to better meet the needs of our users”.

So that’s alright, then! ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/09/29/wall_street_journal_tweaks_privacy_policy/

Does Gove’s webmail policy breach Data Protection Act too?

Does the use of Gmail or Hotmail by a Minister’s Private Office (in order to evade Freedom of Information (FOI) obligations) also lead to breaches in the Data Protection Act? Well, I can see how this could be the case.

The press has raised this issue only in the context of FOI. Yesterday’s Sunday Times, for example, noted that the allegations facing Michael Gove and his special adviser, Dominic Cummings, were that by using personal email accounts, they were assuming that any requested information could not be held by a public authority and therefore not subject to a FOI regime.

A spokesman for the Department for Education (DfE) has told the press that “The Cabinet Office is clear that private email accounts do not fall within the FOI Act and are not searchable by civil servants. Neither the Secretary of State nor special advisers have been asked to disclose emails sent from private accounts”.

The DfE spokesman then added: “The Permanent Secretary is satisfied that ministers and special advisers act within the law.” Despite this, the Information Commissioner has entered the fray and has said that private account emails discussing Government business could be subject to FOI requests.

Whether these emails are, or are not, subject to FOIA will no doubt be resolved in the near future. However, what I am certain about is that all these emails contain some personal data (even if the personal data is limited to email addresses) and these emails are regulated by the Data Protection Act.

Mr Gove, the Sunday Times reports, uses the username of “Mrs Blurt” in his emails. However, suppose the advisor (Dominic Cummings perhaps using the name of “Mr Blurt”) sends an email to “Mrs Blurt” or vice-versa. Now further suppose that email says the following: “Can we talk to the Whips to make sure that Joe Bloggs MP does not get on the Standing Committee that is scrutinising the Education Bill?”. (This kind of exclusion happens as MPs are usually selected for Committees by the Whips on the basis the less troublesome they are, the easier it is for Government business to get through).

Perhaps another email might go: “I have just had a meeting with Head Teacher X who publicly asked some very awkward questions about our education reforms. Just in case there are ‘future complications’, I recommend that this head teacher’s school should not be in the first wave of schools that get compulsory Academy status?”.

Could these be the sort of emails that a special advisor could send to a Minister – especially if they think the FOI regime does not apply? Well I think this is distinctly possible.

First data protection question: are these emails personal data? I think we can say: “obviously yes”. There are four data subjects: Mr Gove, Dominic Cummings (i.e. “Mr and Mrs Blurt”) and the MP or Head Teacher X. Who is the data controller? Well if it is not the Department for Education (remember, the claim is that the emails are exempt from FOIA) then it has to be Mr Gove and possibly Mr Cummings as well.

Does the personal data fall into the domestic purpose exemption in Section 36 of the DPA? Well, if there are emails that have the content described above, I suggest that this exemption is inapplicable. Do the emails impact on the MP and Head Teacher mentioned in them, so much so that they should be informed about the processing purpose via the fair processing rules? Well, I can’t see an exemption from this obligation.

Michael Gove, as an MP, has a register entry that describes his constituency casework for the purpose of “the carrying out of casework on behalf of individual constituents”. Any “personal emails” about an MP or head teacher as postulated above have nothing to do with this purpose as the data subjects are not constituents. Dominic Cummings, as of today, is not registered at all.

So we have one, possibly two, data controllers likely to be processing personal data in breach of the data protection principles: one for an unregistered purpose and the other just plain unregistered. Not only could we have FOI evasion but we are also likely to have DP evasion in addition. This means that Mr Gove has gone one better than Tony Blair: Mr Blair only disapproves of FOI.

So if the Information Commissioner finds resistance to his FOI enforcement powers, perhaps he should put his data protection hat on. After all, I think the data protection arguments are sound and failure to comply with the Commissioner’s data protection powers can be a criminal offence (unlike with FOIA).

This story originally appeared at HAWKTALK, the blog of Amberhawk Training Ltd.

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/09/29/does_gove_email_policy_breach_data_protection_act/

Firms are RUBBISH at payment security

Most retailers and other businesses are continuing to struggle with payment card industry standards, placing confidential customer data at a heightened risk of exposure as a result.

A Payment Card Industry (PCI) Compliance Report from Verizon found that just one in five (21 per cent) organisations achieved compliance during initial Payment Card Industry Data Security Standard (PCI DSS) audits. While the compliance situation has neither worsened nor improved compared to previous years, it is still “disappointing”, according to Verizon.

Compliance requirements that organisations most struggled with included protecting stored cardholder data, maintaining security policies, tracking and monitoring access, and regularly testing systems and processes, all factors directly linked to protecting cardholder data.

Failure to achieve compliance means fines and increased transaction fees from the credit card brands, but complacency, overconfidence and other factors mean that many organisations who take credit card payments are continuing to struggle to make a passing grade.

Verizon’s analysis comes from the results of more than 100 PCI Data Security Standard assessments, alongside information gathered in researching Verizon’s annual studies into real-world payment card data breaches. The assessments include data from organisations based in the US, Europe and Asia.

Security researchers at Verizon argue there’s a direct correlation between data breaches and non-compliance. Breached organisations are significantly more likely to not be PCI compliant and are more likely to suffer from identity theft and fraud issues, it concludes.

“We had hoped to see more organisations complying with the PCI standard, since we believe that compliance will ultimately improve the security posture of organisations and in all likelihood lead to fewer breaches,” said Wade Baker, director of risk intelligence, Verizon. “By reviewing this report, organisations can see where to focus their efforts and implement our recommendations for helping to accelerate PCI compliance. Our end goal is a safer credit-card environment for consumers and businesses,” he added. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/09/29/pci_compliance_survey/