A federal complaint charges that 27 people who went to H&R Block for help with tax preparation through April 2001 had their personal information stolen in an identity theft scam involving four suspects, who allegedly used names, addresses, SSNs, and dates of birth to alter the victims' addresses for tax refunds, opened new credit-card accounts, etc. H&R Block reportedly would not cooperate in the investigation until it was subpoenaed. [Source: Associated Press, 2 Jan 2003, PGN-ed] http://www.boston.com/dailynews/002/economy/H_R_Block_employee_accused_of_:.shtml
SSNs and other personal information for a half million military personnel and family members were stolen from hard-drives belonging to Phoenix-based TriWest Healthcare Alliance on 14 Dec 2002. [Source: Associated Press item, $100K Reward for stolen ID data, 2 Jan 2003; PGN-ed... Coincidentally, DoD is in the process of computerizing medical records of all military personnel. Can they spell Security? Encryption? Identity Theft?] http://www.wired.com/news/privacy/0,1848,57045,00.html
A former classmate of Amy Boyer, 20, paid an Internet information broker to track her down, and then shot her on 15 Oct 1999. Since her death, the family has been fighting to protect other potential victims, most recently suing the information broker for negligence and invasion of privacy. [Source: Parents of slain woman want to stop Internet brokers from selling personal information, by Holly Ramer, Associated Press, 30 Dec 2002; PGN-ed] http://www.boston.com/dailynews/364/nation/Parents_of_slain_woman_want_to:.shtml
The story starts here on The Smoking Gun (GPS angle appears at bottom of second page of typed complaint): http://www.thesmokinggun.com/archive/pseidler1.html As far as I can guess (not confirmed) this is the product allegedly used: http://www.landairsea.com/Land%20Air%20Sea%20Smart%20Track%20Brochure.pdf Now anyone, for better or worse, can be James Bond. [A 42-year-old Wisconsin man is accused of stalking an ex-girlfriend by placing a GPS tracking device under the hood of her car. The device George refers to is called SmartTrack. PGN]
http://www.bbc.co.uk/cgi-perl/whatson/prog_parse.cgi?FILENAME=20021229/20021229_1700_49700_9239_40

The programme is A Right to Know presented by Michael Crick on BBC Radio 4. He requested information held on him by a credit agency under the Data Protection Act. Interestingly, the company supplied the information -- including the credit history of another member of his family because this is used to assess your own rating. Apparently the agency's policy was to supply the data on other occupants at an address if they shared a surname. The representative of the agency didn't seem overly clear as to whether this procedure had now been corrected. Crick goes on to point out the rather obvious risks...
PGP.COM's Web site is programmed so that customers can go through all the forms required to order and pay for a license for PGP -- and then can refuse access to the download after the credit-card has been debited if it cannot do a reverse IP lookup on what it receives as the customer's IP address. The following message appeared on my screen when I clicked on the download button:

"In accordance with current US Export restrictions, PGP 8.0 products may be downloaded by individuals throughout the world except those in the following countries: Cuba, Libya, Iran, Iraq, North Korea, Sudan, and Syria. If you are in one of these countries, you may not download PGP software."

I was downloading from Vermont using my StarBand account. I tried again after disabling my firewall -- no luck. The customer service agent was very nice and obviously embarrassed about this situation and admitted that there are no measures in place for dealing with such a technical glitch. She diffidently suggested that I try to download the product again using a different ISP or Internet access point. I did suggest that the company might deal with such glitches in several ways:

1) Check the IP address BEFORE the user fills out all the forms and the credit card gets debited.
2) Send the user a CD-ROM to the US address listed in the order.
3) Ask the user for strong evidence that they are in fact living in the US: e.g.,
   a) have the user send a fax from the appropriate US fax machine phone line with a US driver's license showing the same address as the one used in the order;
   b) ask for other corroborating evidence such as a US address listing in university or corporate Web sites.

Of course, I canceled the charge on my card. Someday (not soon), I'll try to download the product from my university access point and -- if the university firewall does not conceal my IP address -- maybe I'll succeed in giving these people my money in return for an upgrade to their product.
In the meantime, I'll just continue using my PGP v6.5.8.

RISKS of assuming your automated system is perfect: you lose sales.

M. E. Kabay, PhD, CISSP  http://www2.norwich.edu/mkabay/index.htm
* Associate Professor of Information Assurance, Dept. of Computer Information Systems
* Program Director, MSc in Information Assurance  http://www3.norwich.edu/msia
Norwich University, Northfield VT  +1.802.479.7937
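The ordering problem described in this item, as an added example (not the store's code, nor the poster's): the observed flow debits the card and then decides, while suggestion 1 decides first and treats a failed reverse lookup as an unknown to be resolved out of band (suggestions 2 and 3) rather than as a refusal. The IP addresses, the lookup table and the `Order` record are constructed for the example.

```python
"""Ordering of an export-restriction check in a download store.

Constructed example: the store charged the card first and only then refused
the download because a reverse IP lookup failed. The 'suggested' flow checks
before charging and treats a failed lookup as UNKNOWN (hold for proof of
address), not as an embargoed destination. All IPs and the lookup table
below are constructed test data.
"""
from dataclasses import dataclass, field
from enum import Enum
from typing import Callable, Optional

# Destinations named in the download notice quoted above (ISO 3166 codes).
EMBARGOED = {"CU", "LY", "IR", "IQ", "KP", "SD", "SY"}

# Stand-in for the store's reverse lookup: IP -> country code, or None when
# the lookup fails (constructed; a real store would do reverse DNS/geo-IP).
CONSTRUCTED_LOOKUP = {"198.51.100.10": "US", "203.0.113.44": "CU"}


def table_lookup(ip: str) -> Optional[str]:
    return CONSTRUCTED_LOOKUP.get(ip)


class Verdict(Enum):
    ALLOW = "allow"
    DENY = "deny"        # positively located in an embargoed destination
    UNKNOWN = "unknown"  # lookup failed: a glitch, not evidence of anything


def classify(ip: str, lookup: Callable[[str], Optional[str]]) -> Verdict:
    """Three-way result so a failed lookup is never mistaken for a denial."""
    country = lookup(ip)
    if country is None:
        return Verdict.UNKNOWN
    return Verdict.DENY if country in EMBARGOED else Verdict.ALLOW


@dataclass
class Order:
    ip: str
    charged: bool = False
    delivered: bool = False
    notes: list = field(default_factory=list)


def observed_flow(order: Order, lookup=table_lookup) -> Order:
    """The flow the poster hit: debit first, then decide on the download."""
    order.charged = True                      # irreversible side effect...
    country = lookup(order.ip)
    if country is not None and country not in EMBARGOED:
        order.delivered = True
    else:                                     # ...followed by a refusal
        order.notes.append("download refused after payment")
    return order


def suggested_flow(order: Order, lookup=table_lookup) -> Order:
    """Suggestion 1 above: decide before debiting, and keep UNKNOWN apart."""
    verdict = classify(order.ip, lookup)
    if verdict is Verdict.ALLOW:
        order.charged = True
        order.delivered = True
    elif verdict is Verdict.UNKNOWN:
        # Nothing debited yet: fall back to suggestions 2 and 3 (ship a
        # CD-ROM to the order address, or ask for out-of-band proof).
        order.notes.append("held: lookup failed, request proof of address")
    else:
        order.notes.append("refused: embargoed destination")
    return order


if __name__ == "__main__":
    for ip in ("198.51.100.10", "203.0.113.44", "192.0.2.77"):
        print(ip, observed_flow(Order(ip)), suggested_flow(Order(ip)), sep="\n  ")
```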
I am just about calmed down after a trying time with a Christmas present for a five-year-old. The whole sorry episode is of course my fault, I merely needed to read the minimum system requirements more thoroughly and remember precisely the characteristics of the family machine.

The details:

The game - shall remain nameless to protect somebody.

The stated minimum system:
- Win 95 (OK I have XP which should be compatible and Google says the game was released last year so I assume that the vendors/game programmers mean or equivalent)
- Pentium 90 MHz or faster (Much faster)
- 16 MB RAM (More than that)
- 15 MB Hard Disk (No problem)
- Quad-speed CD-ROM (Yeah, yeah)
- Stereo sound card (Got a sound card, two speakers ----- Oops missed that one)

So, eager five-year-old by my side, go through installation. Fool the registration screen by lying about the location of Canterbury and the postal code (already said the country is Other but the stupid screen will not accept four digit post-codes or state/province abbreviations outside the US). First technical arrogance. Installation completed successfully. Locate the shortcut to the game and launch, wait, FATAL error no stereo sound game over. Second technical arrogance and this one gets me steamed up enough to write.

I have worked on system and product software for nearly eighteen years and every year somebody decides that the behaviour under an error condition can be specified by the programmers (only the expected normal behaviour is a requirement). Handling of errors is ALWAYS a system issue. (My feelings on the game are that it is a bit like causing a core meltdown in a nuclear facility because the siren doesn't work). Programmers in their techy way decide that the minimum hardware is a critical environmental requirement and nobody told them that the PC on their desk may be a bit better specified than the typically available. Has nobody heard of graceful degradation?
http://news.statesmanjournal.com/article.cfm?i=54184

Despite "To protect drivers' privacy, using the system to track cars in real time would be illegal" the risks seem obvious. What about travel on private land and/or off-road mileage? Who pays when your car is towed? What about the fact that due to inaccuracies of GPS your position when stationary will often bounce back and forth between the extremes of those inaccuracies?
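The stationary-bounce point above, as an added example (not from the article or the poster): an odometer that sums every GPS fix turns a parked car's position jitter into phantom mileage, while one that ignores steps below the receiver's noise budget does not, at the cost of under-counting a car that creeps. The coordinates, the ~13.6 m jitter and the 15 m threshold are constructed for the example.

```python
"""GPS jitter turning a parked car into phantom mileage.

Constructed example: a stationary receiver reports positions that bounce
around the true spot, and an odometer that sums every fix-to-fix distance
counts that bounce as travel. The second odometer ignores steps smaller
than the expected positional noise. All coordinates are constructed.
"""
import math


def haversine_m(lat1, lon1, lat2, lon2):
    """Great-circle distance in metres between two latitude/longitude points."""
    r = 6371000.0
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = p2 - p1
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * r * math.asin(math.sqrt(a))


def naive_mileage_m(fixes):
    """Sum every segment: jitter between consecutive fixes counts as travel."""
    return sum(haversine_m(*a, *b) for a, b in zip(fixes, fixes[1:]))


def thresholded_mileage_m(fixes, min_step_m=15.0):
    """Advance only when the car has moved further than the noise budget.

    Caveat: genuine movement below min_step_m from the last anchor is also
    dropped, so the threshold trades phantom miles for under-counting a
    slowly creeping car.
    """
    total, anchor = 0.0, fixes[0]
    for fix in fixes[1:]:
        step = haversine_m(*anchor, *fix)
        if step >= min_step_m:
            total += step
            anchor = fix
    return total


def parked_car_fixes(n=1000, lat=44.9, lon=-73.0):
    """Constructed: a parked car whose reported fix alternates between two
    points about 13.6 m apart, the bounce the poster describes."""
    return [(lat + 0.0001 * (i % 2), lon + 0.0001 * (i % 2)) for i in range(n)]


def short_trip_fixes(steps=10, lat=44.9, lon=-73.0):
    """Constructed: a real trip of roughly 111 m per fix due north."""
    return [(lat + 0.001 * i, lon) for i in range(steps)]


if __name__ == "__main__":
    parked, trip = parked_car_fixes(), short_trip_fixes()
    print(f"parked, naive:       {naive_mileage_m(parked):8.0f} m")
    print(f"parked, thresholded: {thresholded_mileage_m(parked):8.0f} m")
    print(f"trip, naive:         {naive_mileage_m(trip):8.0f} m")
    print(f"trip, thresholded:   {thresholded_mileage_m(trip):8.0f} m")
```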
The last couple of RISKS have touched upon the so-called "Total Information Awareness" plan that various United States law enforcement and intelligence agencies are planning (dare I say "plotting?") to implement. The issue of false positives when sifting through the mountain of information that's planned to be collected should be a nice waste of time, money, and resources for our government, diverting them from doing _real_ police work by catching _real_ bad guys but if such a plan is implemented and is eventually developed to a minimum of perfection, innocent, lawful people who simply don't want to be identified, it seems to me, can eventually be so identified. Apparently Americans don't have the right to privacy or the right to lawfully disappear in America.

Quite a few years ago someone anonymously sent me a text document titled, "Vanishing Point: How to disappear in America without a trace" which I originally thought was rather paranoid though, with the passage of the euphemistically named "Patriot Act" I'm thinking might not be so paranoid at all. After removing some of the more irresponsible text fragments from it, I posted it to my Web site, where it can be found at http://www.skeptictank.org/hs/vanish.htm

One of the suggested items is:

  Alter your buying habits. When you throw your old self away, you need to discard as many predictable patterns as possible. One of the most common mistakes when hiding is maintaining old habits. If you're a smoker, stop. If you don't smoke, start. If you enjoy hot and spicy foods, stop purchasing those items and change to mild foods. If you frequent bars, stop. This may seem an unusual step but you're working toward disappearing, right? Patterns are predictable. Break them.

There is the possibility that in the future people may be identifiable by their purchasing habits.
Granted the point-of-sale data collected by computers would need to be immense yet eventually pattern-recognition software may some day be able to provide authorities with perhaps 100 of the best possible "hits" on people matching your known buying habits. When -- if ever -- that becomes a reality, you can be sure you won't know about it until it's shown on cable television. By that time the technology will have been in use for years and you may end up on a list of possibles matching a purchase profile. It seems more and more likely to me that such technology will be upon us thanks to the galloping fascism we're experiencing in America ...
Regarding the attempted manipulation of stock via spreading a virus in the company, the item noted "He had reportedly been hoping to gain from the resulting stock price drop." This might leave the RISKS digest reader with the impression that the price of the stock did in fact fall as the result of the viral infection, which is not true, according to the NYTimes article, a link to which Mr. Solomon also provided. The article states: "The plan failed when a computer virus that Mr. Duronio personally transmitted to 1,000 of the 1,500 computers used by PaineWebber brokers across the country failed to disrupt work seriously or cause a sharp change in the stock price." It wasn't that the virus was, like most viruses, harmless, or that computers are just not as important as we all think... Apparently backup computers kicked in and minimized any disruption. Good management of RISKS. Thank you Paine Webber... [And incomplete PGN-ed]
Well, the CNN URL has expired and I can't find anything via their search facility, so taking a hint from the URL looked it up directly on reuters.com: "Why Does This Metal Detector Keep Going Off??" http://www.reuters.com/newsArticle.jhtml?type=topNews&storyID=1921184 "Several days later the woman had an X-ray [...] It showed a 12-inch-long, 2-inch-wide surgical retractor". Hmm. None of "canadian", "surgical" or "retractor" find it even on Reuters, despite those words definitely being in the article, only "x-ray" seems to turn it up. Looking at news.google.com whose search actually works gives more variations: 33cm; 30cm x 5cm; 30cm (11.7in); 11.7in; 11.7in x 5cm; 30cm x 6cm; 30cm (13in) x 6cm (2in); 13in. http://news.google.com/news?hl=en&q=surgical+retractor&btnG=Search+News You can almost trace the history of unit conversion and rounding errors through the various sources. A RISK various space agencies are painfully aware of. Averaging to get a more accurate figure ;-) gives about 12 inches though. Ow. [I had already updated the archive copy, which notes the broken URL, offers http://www.hon.ch/News/HSN/510912.html instead, which says it was a 33-centimeter retractor. PGN]
> ... So don't trust caller ID to show that the caller is someone you know,
> or from your own company. [Don Norman]

I was thinking about this last night when I called American Express to dispute a charge. Normally, after entering your card number, Amex requires the last four digits of your SSN to "authenticate" you (no risk there, right? :-). This time, a recording said something like "we have verified your home or office phone number" and connected me to a customer service rep who asked no further authorization questions.

Faking caller ID is a lot easier these days because you don't need to buy a DMS-100 (bulky and expensive), learn how to program it (a specialized task with little generally available documentation), and buy the right kind of interconnect to your local telco (the really expensive and time-consuming bit). Any voice over IP gateway that uses an ISDN PRI interface will allow you to configure any calling number (caller ID) you like, and then signal it to the PSTN via the PRI during call set-up. The ability to control caller ID is necessary to seamlessly integrate VoIP endpoints (e.g. IP Phones) into the PSTN. A Cisco 3620 would do the job, is 2" high by 19" wide and can be bought on Ebay today for $849. There is good, free 3620 configuration advice on www.cisco.com. There are likely cheaper alternatives, I just know setting caller ID can be done on a 3620. T1 PRI pricing is dependent on your distance from the central office and whether you have a competitive alternative to your local RBOC, but can cost as little as $300/month. An E1 PRI will work just as well overseas.
BKPYDPRV.RVW 20020924

"Protect Your Digital Privacy", Glee Harrah Cady/Pat McGregor, 2002, 0-7897-2604-1, U$29.99/C$44.95/UK#21.99
%A Glee Harrah Cady
%A Pat McGregor
%C 201 W. 103rd Street, Indianapolis, IN 46290
%D 2002
%G 0-7897-2604-1
%I Macmillan Computer Publishing (MCP)
%O U$29.99/C$44.95/UK#21.99 800-858-7674 317-581-3743
%O http://www.amazon.com/exec/obidos/ASIN/0789726041/robsladesinterne
%P 652 p.
%T "Protect Your Digital Privacy: Survival Skills for the Information Age"

Part one sets the stage. Chapter one gives vague ideas about protecting your privacy in the twenty first century, mostly about e-commerce. A variety of definitions of privacy, from differing perspectives, are listed in chapter two.

Part two discusses privacy and the individual. From celebrity magazines to publicly available government databases to e-commerce loyalty programs, chapter three discusses who might want to know different types of information about people. Chapter four presents the usual information about kids and the net: the net is potentially dangerous for kids, talk to your kids about their net use, and safe sites. Although there is nothing new here, the material is reasonable and well presented. Email address harvesting and cookies are reviewed in chapter five. Chapter six talks about high speed Internet access, including little content on security or privacy, but an odd bit on malware. There is a similar discussion of cellular phones and technology in chapter seven. Chapter eight examines cell phone location systems, "pay-fobs," face recognition and other miscellaneous technologies.

Part three talks about taking control of your privacy and information. Chapter nine suggests taking an inventory of your personal information (available online) and looks at Web search engines and the inaccuracy of commercial search services. Chapter ten is a mixed bag of security topics, including a little cryptography, something on passwords, and cookies again. Although there are some good tips on protecting online transactions, chapter eleven suffers from a lack of structure. The advice to know where you are and who you are dealing with, for example, is on page 308, but the material on server authentication is on page 294. Neither location actually demonstrates the ability to verify the certificate, or the "Paypal/Paypa1" fraud. Chapter twelve deals with what to do if your information is compromised, but doesn't cover the topic particularly well. There is mention of spam filters, but not the dangers of losing email; there are directions for reporting frauds, but few details on the levels below which the agencies aren't interested; addresses of credit agencies, but little useful information on identity theft.

Part four looks at legal protection. Chapter thirteen is an excellent overview of laws regarding privacy, covering both the United States and a number of other countries. (While the rest of the book is primarily directed at home users, this chapter alone may be worth the price of the volume for security practitioners. I am not aware of any other text that deals with current laws as well.) Advocacy groups are listed in chapter fourteen, with self-regulation programs in fifteen. Electronic voting is examined in chapter sixteen, concentrating on Internet or online voting, although most of the studies cited dealt with other forms of voting technology. Chapter seventeen asks where we are going, and meanders around so much that it is hard to say. There is a vague wrapup in chapter eighteen.

A number of other authors have attempted to provide a book about privacy for the masses. Chris Peterson's attempt (cf. BKILIWMP.RVW) was about privacy, but not really about the net. David Brin's "The Transparent Society" (cf. BKTRASOC.RVW), which gets a mention in the current work, is fascinating, but doesn't really cover the present situation. "Privacy Defended" (cf. BKPRVDFN.RVW) is only nominally about privacy. Cady and McGregor have managed to stick pretty close to the topic. They present a good deal of useful information, although the book would definitely benefit from an improved framework and a general tightening up of the writing: with a trimming of verbiage and a more focussed thread to the ideas the volume could be lightened by a third or more. However, for those who want some guidance on the topic and don't want the academic classics like "Privacy on the Line" (cf. BKPRIVLN.RVW) or "Technology and Privacy" (cf. BKTCHPRV.RVW), this would be a good choice.

copyright Robert M. Slade, 2002   BKPYDPRV.RVW 20020924
http://victoria.tc.ca/techrev or http://sun.soci.niu.edu/~rslade
BKPRVDFN.RVW 20020923

"Privacy Defended", Gary Bahadur/William Chan/Chris Weber, 2002, 0-7897-2605-X, U$34.99/C$54.99/UK#25.50
%A Gary Bahadur
%A William Chan
%A Chris Weber
%C 201 W. 103rd Street, Indianapolis, IN 46290
%D 2002
%G 0-7897-2605-X
%I Macmillan Computer Publishing (MCP)
%O U$34.99/C$54.99/UK#25.50 800-858-7674
%O http://www.amazon.com/exec/obidos/ASIN/078972605X/robsladesinterne
%P 699 p.
%T "Privacy Defended: Protecting Yourself Online"

The introduction states that this is a privacy book for non-specialists, but the write up seems to deal with computer intrusions or malware rather than privacy issues.

Part one talks about life in the digital age. Chapter one is an uncompelling demonstration of how to obtain personal information online plus more on intrusions and a lengthy outline of the rest of the chapters in the book. There is a slightly unfocused look at privacy laws and related issues in chapter two. Various government, industry, commercial, and other groups and agencies (as well as a few programs) are described in chapter three.

Part two tells us that the enemy is out there. Chapter four points out legal threats to individual privacy that people may not know about, but not in much detail. Illegal threats, such as blackhats, intruders, identity theft, and fraud (as well as those of questionable legality, like spyware) are reviewed in chapter five.

Part three looks at protecting your privacy. Chapter six lists lookup and anonymity tools. Cookies, spyware, some tools, and payment systems are presented in chapter seven. Spam, malware, and PGP are discussed in chapter eight, along with miscellaneous other topics related to e-mail.

Part four advises on securing your PC. Chapter nine reviews SSL (Secure Sockets Layer) and digital certificates, but because cryptography has not been explained the background discussion is poor. (It is also sometimes erroneous: for most people SSL does *not* authenticate the client.) A collection of random security factors and tools, by operating system, is presented in chapter ten. (The division by operating system is not always clear: tools vary on different versions of Windows, and this is not made clear. There are also a number of errors: IPSec is an Internet protocol and has nothing to do with the Microsoft Windows IP Security Policy.) Screen shots of configuration menus for personal firewalls make up most of chapter eleven. Chapter twelve deals with viruses (poorly), chat (chat systems seem to be almost inherently insecure, so it's hard to understand why), and cryptography (poorly and briefly). Miscellaneous and random network topics are covered in chapter thirteen.

Part five looks at other devices, in a single chapter, fourteen, covering various gadgets, threats, and protections--not necessarily for those threats.

Part six says what to do if your privacy is compromised. Chapter fifteen mentions kids, mostly rehashing previous material and adding content restriction. Intrusion detection and a review of other tools from prior chapters finishes out in sixteen.

This book is not really about privacy, it is yet another attempt at a general security guide. "Protect Your Digital Privacy" (cf. BKPYDPRV.RVW) sticks much closer to the privacy topic. "Inside Internet Security" (cf. BKININSC.RVW) and even "Access Denied" (cf. BKACCDEN.RVW) are better at covering general security for non-professionals.

copyright Robert M. Slade, 2002   BKPRVDFN.RVW 20020923
http://victoria.tc.ca/techrev or http://sun.soci.niu.edu/~rslade