
Privacy & Security News Brief
December 1 – December 7, 2007
Vol. 1, No. 9

TABLE OF CONTENTS
BIOMETRICS ..............................................................................................................................................................4
   Biometric security gains importance in increasingly online world ____________________________________ 4
DATA BREACH ...........................................................................................................................................................4
   UK data breach: stripping data 'would not have been costly' ________________________________________ 4
   Personal information lost in Ireland ___________________________________________________________ 4
   Oak Ridge National Lab Reports "Sophisticated" Cyber Attack _____________________________________ 4
   No ID Theft Reported from Stolen Computers ___________________________________________________ 4
   Breach in Web site security found by Duke Law School ___________________________________________ 5
   Forrester Loses Laptop Containing Personnel Data _______________________________________________ 5
   IPL fixes Web glitch exposing customers' personal info ___________________________________________ 5
   Memorial Blood Centers Notifying Donors of Possible Data Loss (St. Paul, MN) _______________________ 5
   Security flaw on Passport Canada's website exposes applicants' personal information ____________________ 5
   Community Blood Center affected by laptop theft ________________________________________________ 6
   Data theft touches 150,000 Massachusetts seniors ________________________________________________ 6
         150,000 Bay State seniors notified of Prescription Advantage security breach ____________________ 6
   Hackers Breach Charity Databases ____________________________________________________________ 6
E-COMMERCE ............................................................................................................................................................6
   Ad targeting improves as Web sites track consumer habits _________________________________________ 6
   Marketers Laud Facebook's Retreat On Privacy Controls __________________________________________ 7
   Data Breaches More Expensive Every Year _____________________________________________________ 7
EDITORIALS & OPINION .........................................................................................................................................7
   A holistic view of data-driven security _________________________________________________________ 7
   How TJX Became a Lesson In Proper Security __________________________________________________ 7
   Was Facebook's Privacy Move a Blunder or Just Premature? _______________________________________ 8
   Ironic: Facebook Complains About Mag Article Invading Founder's Privacy ___________________________ 8
   If Security Is Expensive, Try Getting Hacked ___________________________________________________ 8
EDUCATION................................................................................................................................................................8
   Colleges Move Boldly On Student Drinking ____________________________________________________ 8
   Camera plan pits security vs. privacy __________________________________________________________ 8
EMPLOYEE .................................................................................................................................................................9
   German Privacy Watchdog May Limit Internet Searches, Welt Says _________________________________ 9
FINANCIAL .................................................................................................................................................................9
   TJX escapes a beating ______________________________________________________________________ 9
GOVERNMENT – U.S. FEDERAL ............................................................................................................................9
   Beginning Jan. 31, New Travel Document Requirements in Effect for Anyone Entering the U.S. ___________ 9
   FTC Offers Tutorial on Protecting Personal Information ___________________________________________ 9
   GAO praises TSA for its handling of sensitive info _______________________________________________ 9
   DHS submits revised Real ID plan to OMB ____________________________________________________ 10
GOVERNMENT – U.S. STATES .............................................................................................................................. 10
   Awareness of Security Freeze Legislation and Use of Security Freezes by Consumers Age 18+ ___________ 10
   ALABAMA ____________________________________________________________________________ 10
   Governor Riley Unveils "Virtual Alabama" to Enhance Emergency Response and Disaster Preparedness ___ 10
   CALIFORNIA __________________________________________________________________________ 10
   .Gov Site Reinfested Due to Hosting Provider Sloppiness _________________________________________ 10
   CONNECTICUT ________________________________________________________________________ 11
   New Internet-Based System to Monitor Connecticut Dams ________________________________________ 11
   FLORIDA ______________________________________________________________________________ 11
   Florida Governor Announces New Initiatives For Open Government ________________________________ 11
         Florida Partners with Google to Improve Open Government _________________________________ 11
   LOUISIANA ___________________________________________________________________________ 11
   Louisiana Army National Guard Upgrades to Broadband Interoperable Communications for Public Safety __ 11
   WASHINGTON _________________________________________________________________________ 11
   City of Federal Way's Safe City Initiative Will Demonstrate City-Wide Public Safety Camera Technology __ 11
HEALTH & MEDICAL ............................................................................................................................................. 12
   Doctors Left Behind Medical Files and Waste __________________________________________________ 12
   For Health Records, Access Trumps Privacy ___________________________________________________ 12
IDENTITY THEFT .................................................................................................................................................... 12
   A call for rational discourse on identity theft ___________________________________________________ 12
         Identity-theft report called into question _________________________________________________ 12
   ID scam suspects face more charges, parents ___________________________________________________ 12
   IT pro admits stealing 8.4M consumer records _________________________________________________ 13
   Who's Stealing Your Passwords? Global Hackers Create a New Online Crime Economy ________________ 13
INTERNATIONAL..................................................................................................................................................... 13
   AFRICA.................................................................................................................................................................. 13
   ASIA/PACIFIC ...................................................................................................................................................... 13
   EUROPE ................................................................................................................................................................ 13
    EUROPEAN UNION _____________________________________________________________________ 13
    Navigating the Complexities Of U.S.-E.U. Data Protection And Electronic Discovery Issues _____________ 13
    EC Seeks Breach Notification Law For Telecoms _______________________________________________ 13
    EC urges unity on data protection____________________________________________________________ 14
         Commission steps up efforts in Privacy Enhancing Technologies _____________________________ 14
    EU Criticizes Social Networks for Privacy Flaws _______________________________________________ 14
    UNITED KINGDOM _____________________________________________________________________ 14
    Thinktank calls for ID cards debate __________________________________________________________ 14
    Changes to data protection laws ‘will give company bosses the shivers’ ______________________________ 14
    Privacy chief given another chance to seek new powers __________________________________________ 14
    ICO Poised To Probe Any Complaint About Apology Letters For Government Breach __________________ 15
   MIDDLE EAST ..................................................................................................................................................... 15
   NORTH AMERICA .............................................................................................................................................. 15
    CANADA ______________________________________________________________________________ 15
    Breach at Passport Canada Web site closed, says Bernier _________________________________________ 15
   SOUTH AMERICA ............................................................................................................................................... 15
LEGISLATION – FEDERAL .................................................................................................................................... 15
   Major copyright bill boosts penalties, creates new agency _________________________________________ 15
LEGISLATION – STATE .......................................................................................................................................... 16
   CALIFORNIA __________________________________________________________________________ 16
   Amendment to SB-1386 Takes Effect Jan. 1 ___________________________________________________ 16
   Schwarzenegger backs digital moves _________________________________________________________ 16

LITIGATION & ENFORCEMENT ACTIONS ........................................................................................................ 16
    [Texas] AG's office says two Web sites invade privacy ___________________________________________ 16
    TJX reaches settlement with Visa over breach __________________________________________________ 16
MOBILE/WI-FI .......................................................................................................................................................... 16
ODDS & ENDS .......................................................................................................................................................... 17
   Privacy concept — bane for BPO sector ______________________________________________________ 17
   Mind the GAPP: Accountants bring GAAP-like principles to the privacy sphere _______________________ 17
   Solving the privacy puzzle in a federated model ________________________________________________ 17
   Technology Allows Monitoring Of Teen Drivers, Raising Questions ________________________________ 17
   State refuses to spy on students for the RIAA __________________________________________________ 17
ONLINE ...................................................................................................................................................................... 18
   Watching What You See on the Web _________________________________________________________ 18
   Facebook’s Beacon Just the Tip of the Privacy Iceberg ___________________________________________ 18
          Some Facebook Partners Bail on Beacon ________________________________________________ 18
          Facebook in privacy U-turn over Beacon ________________________________________________ 18
          Facebook's Zuckerberg Apologizes for Ads Debacle _______________________________________ 18
   Google's Gdrive (and Its Ad Potential) Raise Privacy Concerns ____________________________________ 18
RFID ........................................................................................................................................................................... 18
   You are Tagged _________________________________________________________________________ 18
SECURITY.................................................................................................................................................................. 19
   Researchers hack and crack Microsoft wireless keyboards ________________________________________ 19
   Hackers force mass website closures _________________________________________________________ 19
   Privacy alert: Cookie variants can be used to skirt blockers, anti-spyware tools ________________________ 19
   New Threats Call for a Fresh Approach _______________________________________________________ 19
   The Next Generation of Security Threats ______________________________________________________ 19
   F-Secure: Malware Samples Doubled in One Year ______________________________________________ 20
   Study Reveals Overlooked Sources of Leaks ___________________________________________________ 20
   Government-Sponsored Cyberattacks on the Rise, McAfee Says ___________________________________ 20
   FBI: Millions of Computers Roped Into Criminal 'Robot Networks' _________________________________ 20
   Spyware New Champ Among IT Security Worries: Survey _______________________________________ 21
   Cryptic Messages Boost Data Security ________________________________________________________ 21
   Firewalls Ready for Evolutionary Shift _______________________________________________________ 21
   Tests Demonstrate Maturity of TSAT Encryption System _________________________________________ 21
   Update: Subverted Search Sites Lead to Massive Malware Attack in Progress _________________________ 22
   Buffer Overflows Are Top Threat, Report Says _________________________________________________ 22
   Best Practices for LAN Security Projects ______________________________________________________ 22
SEMINARS ................................................................................................................................................................. 23
PAPERS ...................................................................................................................................................................... 23
   Self-disclosure, Privacy and the Internet ______________________________________________________ 23

ARTICLE SUMMARIES AND LINKS
BIOMETRICS
Biometric security gains importance in increasingly online world
Biometrics, the technology of using unique physiological or behavioral characteristics to identify a person, will take
on greater importance in the consumer world to protect against identity theft. But a hurdle large U.S. financial
institutions must overcome with the use of biometrics is the fear of appearing too intrusive to customers. For
example, asking customers to authenticate their identity through their fingerprint conjures up images of criminal
activity.
http://www.dallasnews.com/sharedcontent/dws/bus/columnists/pyip/stories/DN-moneytalk_03bus.ART.State.Edition1.2a442e0.html
(Dallas Morning News – 12/03/07)



DATA BREACH
UK data breach: stripping data 'would not have been costly'
It would have cost less than $102,000 to strip confidential data from the records of 25 million people lost in transit
between HM Revenue and Customs and the National Audit Office, HMRC's acting chair Dave Hartnett has said.
Hartnett -- acting in place of Paul Gray, the former HMRC chair who resigned as the data loss scandal broke -- made
the admission to MPs on the Commons Treasury committee. The acting HMRC chief also admitted that the child
benefit data on the two CDs was the latest in a string of data security breaches, acknowledging that there had been
seven breaches "of some significance" since the merger between Inland Revenue and HM Customs and Excise in
April 2005.
http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9051339
(ComputerWorld 12/6/07)

Personal information lost in Ireland
Personal details of up to 60,000 people have been lost by Citizens Advice, it was revealed today. Bank account
numbers, National Insurance numbers, names, addresses and dates of birth were on a laptop stolen from a staff
member's car in Belfast earlier this week. The details are of people who have sought advice from the bureau, but it
said they were encrypted and the bureau claimed it was unlikely they could be accessed.
http://u.tv/newsroom/indepth.asp?id=86401&pt=n
(u.tv – 12/7/07)

Oak Ridge National Lab Reports "Sophisticated" Cyber Attack
The Oak Ridge National Laboratory revealed today that a "sophisticated cyber attack" over the last few weeks may
have allowed personal information about thousands of lab visitors to be stolen. Lab officials said the assault
appeared "to be part of a coordinated attempt to gain access to computer networks at numerous laboratories and
other institutions across the country."
http://www.myeyewitnessnews.com/news/local/story.aspx?content_id=c5af9893-1fe1-40e0-96a6-0d2b81569062&rss=59
(myeyewitnessnews.com – 12/6/07)

No ID Theft Reported from Stolen Computers
Employees at a Modesto mortgage company that had computer equipment stolen last month say they believe
information on the equipment can't be used for identity theft. Matt Crawford, broker at All-American Mortgage, said
the information on a stolen computer server was password protected, so it would be difficult for someone to access
it.
http://www.modbee.com/local/story/143953.html
(Modesto Bee – 12/6/07)

Breach in Web site security found by Duke Law School
The Social Security numbers of about 1,400 prospective Duke Law School students may have been accessed by a
hacker to the school's Web site, officials said Tuesday. Two databases -- one for students who have requested
information about the law school and one for students who have submitted applications -- were available for viewing
by hackers. The database for interested students included the Social Security numbers of about 1,400 students. The
issues for applicants were e-mail addresses and user-generated passwords used to check their application status to
the law school. About 1,800 people were registered on the second database, she said.
http://www.newsobserver.com/news/story/811800.html
(News-Observer – 12/05/07)

Forrester Loses Laptop Containing Personnel Data
The incident appears to be a clear case of "Do as I say, not as I do." Thieves stole a laptop from the home of a
Forrester Research employee during the week of Nov. 26, potentially exposing the names, addresses and Social
Security numbers of an undisclosed number of current and former employees and directors, the company said in a
letter mailed to those affected on Dec. 3. Forrester "Chief People Officer" Elizabeth Lemons said in the letter that
the hard drive is password-protected but made no mention of encryption. The laptop contained records pertaining to
those who have received grants of Forrester stock options or who have participated in the research firm's Employee
Stock Purchase Plan, according to the letter. Those who have done contractual work for the consultancy, but who
haven't participated in either stock plan, also appear to be affected.
http://www.eweek.com/article2/0,1895,2228887,00.asp
(eWeek.com – 12/05/07)

IPL fixes Web glitch exposing customers' personal info
Indianapolis Power & Light said it has fixed a security glitch that potentially exposed compromising personal
information of some of its customers. The utility said it notified by mail last week the nearly 3,000 residential
customers who could have been affected that their names, addresses and Social Security numbers were contained in
electronic files accessible via the Internet. IPL said there is no evidence the files were accessed or the information
actually was stolen. The company discovered the lapse during a routine check of its security systems. It did not
know why it happened. The utility told customers it would pay for credit monitoring.
http://www.indystar.com/apps/pbcs.dll/article?AID=/20071204/BUSINESS/71204039/0/LOCAL
(Indianapolis Star – 12/05/07)

Memorial Blood Centers Notifying Donors of Possible Data Loss (St. Paul, MN)
Memorial Blood Centers reported today that it has begun notifying blood donors of the theft of a laptop computer
holding donor information. About 268,000 donor records on this laptop computer contain a donor name in
combination with the donor’s social security number. The laptop computer was stolen on November 28, 2007 in
downtown Minneapolis during early morning preparations for a blood drive. The theft was captured on building
security cameras. The Minneapolis Police Department was notified and Memorial Blood Centers is working with
law enforcement authorities to recover the laptop computer. Access to the donor information on the laptop is
protected by multiple levels of passwords and requires the use of other technologies to prevent unauthorized use.
The donor records do not contain medical information.
http://www.businesswire.com/portal/site/google/index.jsp?ndmViewId=news_view&newsId=20071205005914&newsLang=en
(Business Wire – 12/05/07)

Security flaw on Passport Canada's website exposes applicants' personal information
A security flaw at Passport Canada's website has allowed an Ontario man access to the personal information of other
people applying for new passports. The Globe and Mail reported the breach was discovered last week while Jamie
Laning was completing his own passport application. He found he could view the applications of others by altering
one character in the Internet address displayed by the Web browser. The information he viewed included social
insurance numbers, driver's licence numbers and addresses.
http://680news.com/news/local/article.jsp?content=20071204_080504_1760
(The Canadian Press – 12/04/07)

Community Blood Center affected by laptop theft
Community Blood Center is the latest business to be notified that employees' information was stored on a laptop
stolen in October from a Kettering auditing firm. Battelle & Battelle LLC was conducting an audit of the blood
center's 401K plan when a laptop was stolen from a Battelle employee's vehicle, said Blood Center spokeswoman
Sher Patrick. Up to 600 employees appeared to be affected. Donors should not be concerned, though, she said. "The
message we want to get out is that this does not affect our blood donors in any way," Patrick said. Only employees'
401K information was on the laptop stolen in Oakwood. The Ohio Masonic Home, based in Springfield,
was notified last month that personnel information on 600 of its employees was also compromised.
http://www.springfieldnewssun.com/hp/content/oh/story/news/local/2007/11/30/sns120107laptop.html
(Springfield (OH) News-Sun – 12/01/07)

Data theft touches 150,000 Massachusetts seniors
The state of Massachusetts is warning 150,000 members of its Prescription Advantage insurance program that their
personal information may have been snatched by an identity thief. Local authorities arrested a lone identity thief in
August who had been using information taken from the program in an attempted identity theft scheme, said Alison
Goodwin, a spokeswoman for the state's Executive Office of Health and Human Services. Goodwin could not add
many details on the nature of the breach, citing an ongoing criminal investigation, but she said Prescription
Advantage is conducting an internal review of the incident to determine if additional security measures might be
required.
http://www.infoworld.com/article/07/11/30/Data-theft-touches-Massachusetts-seniors_1.html
(InfoWorld – 11/30/07)
Also see:
      150,000 Bay State seniors notified of Prescription Advantage security breach
          http://www.southcoasttoday.com/apps/pbcs.dll/article?AID=/20071130/NEWS/71130010/-1/NEWS01
          (South Coast Today – 11/30/07)

Hackers Breach Charity Databases
A marketing software company serving nonprofits across America including The American Red Cross said Tuesday
that a hacker stole e-mail addresses and password information from its clients' databases. Tad Druart, a spokesman
for Austin-based Convio Inc., said the company has notified federal authorities of a data breach between Oct. 23 and
Nov. 1. The hacker used an employee's password to get at the data, Druart said. No Social Security numbers or bank
account information was stolen, Druart said. He said the company immediately notified the 92 companies affected,
though he would not name them, and it was not known how much information was compromised. Red Cross
spokeswoman Stephanie Millian confirmed that roughly 278,000 e-mail addresses and a smaller number of
passwords were taken from a Red Cross blood drive Web site that ran on Convio's software. She said the Red Cross
notified affected users Nov. 14.
http://www.toptechnews.com/story.xhtml?story_id=010000CEVB0W
(Top Tech News – 11/28/07)



E-COMMERCE
Ad targeting improves as Web sites track consumer habits
Based on the weather reports and restaurant listings you check out online, Yahoo Inc. has a good idea where you
live. Based on searches you've done, the Web portal might also know where you want to go. Elsewhere, online
hangout Facebook is mining friends' buying habits, and major Internet portals have bought companies to expand
their reach and capabilities for "behavioral targeting" -- all so advertisers can try to hit you with what they believe
you're most likely to buy, even as doing so means amassing more data on you. "When you are online today, you've
been labeled and tagged as this type of consumer in milliseconds," said Jeff Chester, executive director of the Center
for Digital Democracy.
http://www.cnn.com/2007/TECH/12/02/targeting.ads.ap/index.html
(CNN – 12/05/07)

Marketers Laud Facebook's Retreat On Privacy Controls
Facebook's tightening this week of its privacy controls was an embarrassing retreat for a company that just three
weeks ago claimed to have discovered the "Holy Grail" of advertising. It also, though, appears to be exactly what it
needed to do. After more than 50,000 complaints from users, the social-networking startup said Thursday that it was
tightening privacy controls that would almost surely limit the reach of its controversial word-of-mouth Internet
advertising system, which tells Facebook users what their friends are doing and buying on other Web sites. But
advertisers and industry analysts said Facebook's retreat may prove to be the key tactical shift that makes consumers
and marketers more comfortable with the company's innovative, yet intrusive, advertising system.
http://money.cnn.com/news/newsfeeds/articles/djf500/200711301654DOWJONESDJONLINE000915_FORTUNE5.htm
(CNN – 11/30/07)

Data Breaches More Expensive Every Year
Recent reports emphasize that data breaches are growing more costly for companies to fix each year. According to a
study by the PGP Corporation, the average total per-incident cost grew from $4.8 million in 2006 to $6.3 million in
2007, and is anticipated to continue rising. Additionally, data breaches cost companies additional revenue because
customers are alienated and business opportunities are damaged. Indeed, the cost of lost business rose by 30 percent
in 2007, to an average of $4.1 million, which is approximately two-thirds of the average total cost per incident. All
told, 80 percent of the data breaches examined stemmed from human errors, such as the loss of laptop computers
and thumb drives, says PGP's John Dasher. A separate study by the Ponemon Institute and prevention firm Vontu
found that about 96 percent of breaches stem from the inadequate enforcement of data security policies. As with the
PGP research, this study attributes breaches to human missteps, such as a salesperson emailing sensitive information
from an Internet cafe, as well as flawed business practices.
http://www.ecommercetimes.com/story/60508.html
(E-Commerce Times – 11/28/07)



EDITORIALS & OPINION
A holistic view of data-driven security
Gordon Rapkin, CEO of Protegrity, encourages organizations to avoid "a never-ending frenzied effort to stay one
step ahead of regulatory requirements" and threats. Reacting to security breaches is not the right approach to data
protection. "We have to move beyond dealing with the crisis of the moment and focus on securing data holistically,"
writes Rapkin in SC Magazine. Rapkin acknowledges that some organizations may find it "difficult to free up the
time and the budget to institute a comprehensive data security plan." But in the end, a "unified approach will be far
more effective, increasing security and saving both time and money." The piece then lays out a road map to achieve
a holistic approach to data security.
http://www.scmagazineus.com/A-holistic-view-of-data-driven-security/article/99594/
(SC Magazine – 12/05/07)

How TJX Became a Lesson In Proper Security
This internetnews.com article labels the TJX Cos. security breach as "one of the most expensive lessons in corporate
data security policies." The article puts the price tag at "anywhere from $500 million to nearly $1 billion in
expenses, not to mention a black eye with the public over how their credit card data is secured." While the breach
provides some lessons to retailers, it remains unclear how well they are learning, according to the article. The
company bolstered its security program and made improvements to become compliant with the Payment Card
Industry (PCI) standards to the point that "there is some discussion about TJX becoming a 'spokescompany' for PCI
security," according to Avivah Litan, a Senior Security Analyst for Gartner. Litan adds that some companies refuse
to make significant investments in security expenditures because "they see no return on investment." However, other
experts consulted for the article say that some companies have learned from the breach.
http://www.internetnews.com/ent-news/article.php/3714611
(Internet News – 12/05/07)

Was Facebook's Privacy Move a Blunder or Just Premature?
Did Facebook cross the line? I'd rather say that they made this move inappropriately. The difference is that I do
agree with Facebook that something very similar to this program could work, but it needs to be presented properly
and at least start with more-than-ample opt-out options. Facebook is right that this is a huge marketing and
advertising opportunity and that their customers could benefit from this. But they didn't properly sell those benefits
to users. Targeted ads based on private history are dicey stuff. Sharing private purchases with everyone on a friends
list is an order of magnitude touchier.
http://www.eweek.com/article2/0,1895,2227796,00.asp
(eWeek.com – 12/04/07)

Ironic: Facebook Complains About Mag Article Invading Founder's Privacy
Facebook's legal team has gone after 02138 magazine, after the publication posted court documents revealing
sensitive information regarding CEO Mark Zuckerberg. Ironically, this news comes just as Facebook is retooling its
Beacon system amid user privacy concerns. According to Kara Swisher of AllThingsD, sources close to the matter
said that the documents featured in 02138's story included Zuckerberg's Social Security number, and parents'
address. The magazine's intention was to include the documents as part of an expose covering the
Facebook/ConnectU dispute. However, editors were unaware of some of the sensitive highlights when the
documents were uploaded (in a downloadable format) as part of the story.
http://blog.wired.com/business/2007/11/facebook-sics-l.html
(Wired.com – 11/30/07)

If Security Is Expensive, Try Getting Hacked
Altogether, 2007 will go down in the record books as a thoroughly lousy year for keeping information private. And
now, it seems, consumers are getting fed up. A set of case studies released Wednesday by the Ponemon Institute
surveyed 35 companies that had experienced data breaches and found the average cost of a private information leak
in 2007 to be $6.3 million, up from $4.8 million in 2006. Specifically, breached companies reported that the costs
stemming from lost customers after a data leak accounted for 65% of that financial hit, compared with 54% in both
2006 and 2005.
http://www.forbes.com/home/technology/2007/11/27/data-privacy-hacking-tech-security-cx_ag_1128databreach.html
(Forbes.com – 11/28/07)



EDUCATION
Colleges Move Boldly On Student Drinking
The Virginia Tech shootings and other tragic incidents on campuses this year have shown that many colleges and
universities are reluctant to reach out to parents when there are signs of trouble, such as a missing or potentially
suicidal student. Citing a federal law meant to protect student privacy, many schools rope off young people's records
from parents and authorities. But in one area, administrators are increasingly exploiting an exception in the law that
allows them to reach out: drinking and drugs.
http://online.wsj.com/public/article/SB119690910535115405-OIU7iI6dMP4Lu3K6y8dZk_O_wNo_20080104.html?mod=tff_main_tff_top
(Wall Street Journal – 12/06/07)

Camera plan pits security vs. privacy
When Ann Arbor Schools officials brought up the idea of putting surveillance cameras in Pioneer High School, the
student council acted quickly. It passed a resolution against the plan and brought in the American Civil Liberties
Union. Security cameras are fast becoming commonplace in schools across the country. No one knows what
percentage of schools have added cameras, but almost all large school systems have them, said Ronald Stephens,
executive director of the National School Safety Center. But some worry that the cameras infringe on civil rights and
question whether they help with security.
http://www.freep.com/apps/pbcs.dll/article?AID=/20071130/NEWS05/711300395
(Detroit Free Press – 11/30/07)




EMPLOYEE
German Privacy Watchdog May Limit Internet Searches, Welt Says
Germany may make it harder for employers to trawl the Internet for information on workers and job applicants, the
newspaper Die Welt said in an e-mailed statement. The plan would bar employers from firing a worker or refusing
to offer a job if the decision is based on Internet information that's older than five years.
http://www.bloomberg.com/apps/news?pid=20601100&sid=a65yRuwKFHSA&refer=germany
(Bloomberg – 12/07/07)



FINANCIAL
TJX escapes a beating
Retailer TJX Cos. agrees to reimburse banks $40.9 million to cover costs incurred in the mother of all financial data
breaches, which compromised as many as 100 million debit and credit cards. It's been nearly a year since an
unprecedented security breach at the Framingham company, which operates TJ Maxx and Marshalls, was first
disclosed. Eventually, what is believed to be the simplicity of the actual theft - accessing wireless local area
networks at two stores in Miami - became part of the story. The retail industry is making some progress on financial
security, but about one out of every three big players still failed a Sept. 30 deadline set by Visa Inc. to meet new
standards covering credit card safety. (TJX itself only recently said it met those standards.)
http://www.boston.com/business/globe/articles/2007/12/04/tjx_escapes_a_beating/
(Boston Globe – 12/04/07)



GOVERNMENT – U.S. FEDERAL
Beginning Jan. 31, New Travel Document Requirements in Effect for Anyone Entering the
U.S.
The U.S. Department of Homeland Security (DHS) and the U.S. Department of State (DOS) today reminded the
traveling public that as of Jan. 31, 2008, all adult travelers will be required to present proof of citizenship, such as a
birth certificate, and proof of identity, such as a driver's license, when entering the United States through land and
sea ports of entry. DHS will be issuing a notice in the Federal Register formally announcing the change.
http://www.govtech.com/gt/articles/215426?utm_source=newsletter&utm_medium=email&utm_campaign=JPS_2007_12_5
(Government Technology – 12/04/07)

FTC Offers Tutorial on Protecting Personal Information
Protecting the personal information of customers, clients, and employees is good business. The Federal Trade
Commission has a new online tutorial to alert businesses and other organizations to practical and low- or no-cost
ways to keep data secure. The tutorial, Protecting Personal Information: A Guide for Business, takes a plain-
language, interactive approach to the security of sensitive information. Although the specifics depend on the type of
company and the kind of information it keeps, the basic principles are the same: any business or office that keeps
personal information needs to take stock, scale down, lock it, pitch it, and plan ahead.
http://www.govtech.com/gt/215639?topic=117671
(Government Technology – 12/04/07)

GAO praises TSA for its handling of sensitive info
The Government Accountability Office (GAO) has found that the TSA has improved its handling of unclassified,
sensitive data, according to FCW.com coverage of the audit's findings. The agency had improved its guidance,
criteria and training for sensitive security information (SSI) gathered as a result of security screening programs. The
2007 U.S. Department of Homeland Security's appropriations bill had required the GAO to investigate the agency's
handling of SSI. A TSA spokesman credited the agency's improvements in staff training and response in processing
data requests for the report's positive findings.
http://www.fcw.com/online/news/150982-1.html
(Federal Computer Week – 12/04/07)



DHS submits revised Real ID plan to OMB
After taking public comments into account, Homeland Security Department officials have submitted a revised set of
minimum federal standards that states must meet when issuing driver’s licenses and identification cards to satisfy
the Real ID Act of 2005. And although the Office of Management and Budget will now have 90 days to review the
rules, it likely will not take that long, said Darrell Williams, director of DHS’ Real ID Program Office. The review
process should be shorter because the department has been keeping OMB in the loop on changes made during the
public-comment process, he said at a Nov. 29 event hosted by the Information Technology Association of America
and Northern Virginia Technology Council.
http://www.fcw.com/online/news/150938-1.html
(Federal Computer Week – 11/29/07)



GOVERNMENT – U.S. STATES
Awareness of Security Freeze Legislation and Use of Security Freezes by Consumers Age
18+
All but eleven states have enacted Security Freeze laws designed to protect consumers from identity theft. These
laws give consumers the right to block their credit report from the view of others. This April-May 2007 AARP
telephone survey explores the awareness of security freezes and the use of such freezes among consumers aged 18
and over living in California, Connecticut, Louisiana, Maine, Nevada, New Jersey, and North Carolina. In these
selected states, the security freeze laws have been in effect for at least one year and they allow all consumers to
place a security freeze on their credit report. Respondents across all states show high concern about identity theft,
yet awareness of security freeze laws is extremely low. The cost and complexity of placing and thawing freezes are
seen as significant barriers to the use of this protection against identity theft.
http://www.aarp.org/research/frauds-scams/fraud/security_freeze.html
(AARP Report – 11/07)

ALABAMA
Governor Riley Unveils "Virtual Alabama" to Enhance Emergency Response and Disaster
Preparedness
Alabama Gov. Bob Riley last week unveiled Virtual Alabama, a comprehensive database of satellite imagery and
aerial photography designed to assemble, display, evaluate and share critical data for emergency responders. Riley
was joined by Google Earth Chief Technology Officer Michael T. Jones and Alabama Homeland Security Director
Jim Walker to demonstrate the uses and capabilities of the new tool for state officials. At Riley's direction, the
Alabama Department of Homeland Security and Google Earth have been working to create a visualization tool that
provides a common operational picture across the state that first responders, county planners and other officials can
use to get detailed geographic views overlaid with pertinent information.
http://www.govtech.com/gt/articles/215146?utm_source=newsletter&utm_medium=email&utm_campaign=DC_2007_12_4
(Government Technology – 12/03/07)

CALIFORNIA
.Gov Site Reinfested Due to Hosting Provider Sloppiness
In September, the Marin County, Calif., Transportation Authority announced that it would stop hosting its Web site,
tam.ca.gov, with hosting company StartLogic because the site had been suffering from malware-seeding problems.
After TAM stopped doing business with StartLogic, it began hosting its site on a new, independent Web host called
ValueWeb. On Nov. 29 and Nov. 30, the TAM site was found to be once again serving up pornography and
malware, even though it had not been hacked. The malware seeding on the TAM site was attributed to the fact that
StartLogic still had an open Web page assigned to the transportation agency. Security experts say the latest incident
is just another example of how some Web hosting providers are doing a poor job of securing their customers' sites or
cleaning up after themselves.
http://www.eweek.com/article2/0,1759,2225954,00.asp
(eWeek – 12/03/07)



CONNECTICUT
New Internet-Based System to Monitor Connecticut Dams
Governor M. Jodi Rell said Friday the state is now using high technology to monitor dam safety across the state.
Rell said Dam Watch -- a new electronic, Internet-based solution being put in place by the Department of
Environmental Protection (DEP) -- will give state inspectors the ability to constantly monitor the conditions of the
state's 234 dams during adverse weather conditions. Dam Watch, developed by USEngineering Solutions Corp. in
Hartford, gives DEP instant access to all plans, inspection reports and records related to these dams as well as "real
time access" to gauges that monitor rain fall and water levels near these dams.
http://www.govtech.com/gt/articles/215006?utm_source=newsletter&utm_medium=email&utm_campaign=JPS_2007_12_5
(Government Technology – 12/03/07)

FLORIDA
Florida Governor Announces New Initiatives For Open Government
Florida Governor Charlie Crist recently announced two new open government initiatives that will go a long way in
improving public access to government documents and meetings in Florida. The first initiative seeks to improve
Internet access to state agency information by requiring agencies to create links from their individual homepages to
a website that directs users on how to make public records requests or learn more about Florida’s open government
laws. These new websites will also include organization charts, open government contacts, budget information,
contracts with vendors and providers, legislative budget requests and legislative priorities. The second initiative
involves a bill of rights for all Floridians trying to access public records.
http://www.citmedialaw.org/blog/2007/florida-governor-announces-new-initiatives-open-government
(CitiMediaLaw – 11/18/07)
Also see:
      Florida Partners with Google to Improve Open Government
          http://www.govtech.com/gt/articles/215610?utm_source=newsletter&utm_medium=email&utm_campaign=DC_2007_12_4
          (Government Technology – 12/04/07)

LOUISIANA
Louisiana Army National Guard Upgrades to Broadband Interoperable Communications
for Public Safety
In a move that might demonstrate a promising solution to the nation's emergency communications problems, the
Louisiana Army National Guard (LAARNG) is adopting a ground-breaking communications system designed by
Rivada Networks. This solution will equip LAARNG with a powerful, broadband, fully interoperable system
delivering high-speed voice and data for both day-to-day and emergency uses, over a network that can survive
natural or man-made disasters. LAARNG made the selection after a period of competitive evaluation and testing.
http://www.govtech.com/gt/articles/215308?utm_source=newsletter&utm_medium=email&utm_campaign=JPS_2007_12_5
(Government Technology – 12/03/07)

WASHINGTON
City of Federal Way's Safe City Initiative Will Demonstrate City-Wide Public Safety
Camera Technology
LenSec, a provider of IP-based public safety camera solutions to cities, school districts, and universities, has
announced its involvement in Safe City Federal Way (Washington), a project the company says will usher in a new
era of community policing. According to Brian Wilson, Federal Way police chief, Safe City Federal Way will use 25
wireless cameras set in strategic locations within roughly one square mile of the downtown area. Each camera will be
accessible from any computer used by the Federal Way Police, including the laptops in each patrol vehicle.
http://www.govtech.com/gt/articles/216184?utm_source=newsletter&utm_medium=email&utm_campaign=JPS_2007_12_5
(Government Technology – 12/04/07)


HEALTH & MEDICAL
Doctors Left Behind Medical Files and Waste
A realtor says a pair of doctors left an office filled with medical files and waste. NEWSCHANNEL 5 found about a
dozen vials of blood on the floor of what used to be the McAllen Primary Care Clinic. Medical files, equipment,
binders, and bank statements were scattered on the floor. There were also containers full of prescription medicines.
The offices held thousands of X-rays and medical records with names, addresses, phone numbers, social security
numbers, and other personal information. We contacted the Texas Medical Board. A spokesman tells us the messy
office poses a public danger: people's records are vulnerable to identity theft, and HIPAA confidentiality rules could
potentially be violated. Investigators could find the doctors guilty of unprofessional conduct.
http://www.newschannel5.tv/2007/12/4/983388/Doctors-Left-Behind-Medical-Files-and-Waste
(News Channel 5, KRGV, Weslaco, TX – 12/04/07)

For Health Records, Access Trumps Privacy
Americans believe digital medical records can greatly reduce treatment errors, and their worries about privacy are
waning, according to a new survey. A significant majority of respondents to a just-released poll by The Wall Street
Journal and Harris Interactive said electronic records will cut the chance for mistakes or redundancy in testing and
treatment. Privacy concerns exist, but they are declining. While just over half said digital records make it harder to
ensure privacy, that number is down 10 percent from 2006. And a higher number said the benefits of digital records
outweigh the risks.
http://www.cioinsight.com/article2/0,1540,2224649,00.asp
(CIO Insight – 11/29/07)



IDENTITY THEFT
A call for rational discourse on identity theft
The 100-page report boils down to one extraordinary finding: identity theft occurs far less today than reported in
2003, both in numbers of people affected and amount of goods stolen. The FTC now says identity theft affects 8.3
million American adults annually as opposed to 9.9 million in 2003. The estimated annual loss from identity theft
has declined to $15.6 billion from the $47.6 billion in the earlier survey. In a nutshell, the FTC sees the problem as
one third the size it estimated in 2003.
http://www.news.com/A-call-for-rational-discourse-on-identity-theft/2010-1029_3-6221615.html
(CNet – 12/07/07)
Also see:
      Identity-theft report called into question
         http://www.dispatch.com/live/content/business/stories/2007/12/03/ftc_id_theft.ART_ART_12-03-07_C12_6N8KMA3.html?sid=101
         (Columbus Dispatch – 12/03/07)

ID scam suspects face more charges, parents
For Jocelyn Kirsch and Everett native Edward Anderton, it was the morning after. Investigators say the pair paid for
exotic trips and luxury items by stealing identities, some of them from neighbors. The case has captured
international attention as photographs of a glamorous couple — now dubbed the Bonnie and Clyde of identity theft
— in such locales as Hawaii, Paris, and the Turks and Caicos Islands sped across the Internet.
http://seattletimes.nwsource.com/html/localnews/2004058572_webscammers07.html
(Seattle Post-Intelligencer – 12/7/07)




IT pro admits stealing 8.4M consumer records
A senior database administrator for a consumer reporting agency in Florida has admitted stealing more than 8.4
million account records and selling them to a data broker. He netted $580,000 over five years from the scheme.
William Gary Sullivan, a DBA for Fidelity National Information Services, faces up to 10 years in federal prison and
$500,000 in fines, although prosecutors agreed to recommend a more lenient sentence in exchange for his guilty
plea. Working for a subsidiary called Certegy Check Services, Sullivan used his access to Fidelity's database to
pilfer records that included individuals' names, addresses and financial account information, according to court
documents.
http://www.channelregister.co.uk/2007/12/04/admin_steals_consumer_records/
(Channel Register – 12/04/07)

Who's Stealing Your Passwords? Global Hackers Create a New Online Crime Economy
[An excerpt from a multi-part report about online crime:] By 2006, online banking was ubiquitous and form-
grabbers had been refined into remarkably efficient, multi-purpose bots. Corpse himself was peddling a
sophisticated Haxdoor derivative called Nuclear Grabber for as much as $3,200 per copy. Nordea Bank in Sweden
lost 8 million kronor ($1.1 million) because of it. But by last October, despite his success, Corpse decided that it was
time to lay low. This past January, a reporter for Computer Sweden chatted with Corpse, pretending to be a potential
customer. Corpse tried to sell him Nuclear Grabber for $3,000 and crowed that banks sweep 99 percent of online
fraud cases under the rug.
http://www.cio.com/article/135500
(CIO Magazine – 9/17/07)



INTERNATIONAL
AFRICA
ASIA/PACIFIC

EUROPE
EUROPEAN UNION
Navigating the Complexities Of U.S.-E.U. Data Protection And Electronic Discovery Issues
U.S. multinationals that are making efforts to comply with data protection and e-discovery laws, rules and
regulations in both the U.S. as well as other international jurisdictions face a multitude of challenges. If they are not
in compliance, multinationals also bear the additional risk of significant sanctions, including monetary penalties. By
identifying the appropriate experts within an organization and through proper planning, multinational organizations
can ensure that they are in compliance.
http://www.metrocorpcounsel.com/current.php?artType=view&artMonth=December&artYear=2007&EntryNo=7579
(The Metropolitan Corporate Counsel – 12/07)

EC Seeks Breach Notification Law For Telecoms
The European Commission has published a proposal that suggests an amendment to the Privacy and Electronic
Communications Directive to make telecoms subject to a security breach notification law. The exposure of personal
data for subscribers "if not addressed in an adequate and timely manner, (could) result in substantial economic loss
and social harm, including identity fraud," according to the proposal. The Information Commissioner's Office in the
UK has been skeptical of the effectiveness of such a law on the grounds that over-notification could lead to public
complacency about breaches. The ICO, according to this OUT-LAW.com article, seems more comfortable with a
law that would assess the risk of the breach before notifying consumers about a particular incident.
http://www.out-law.com/page-8741
(OUT-LAW.com – 12/05/07)




EC urges unity on data protection
The European Commission is intent on boosting data security and raising awareness around the protection of
personal information. Speaking at the Microsoft Innovation Day in Brussels on Tuesday, vice president of the
European Commission Franco Frattini, said: "We must dramatically improve people's awareness of these crimes.
Better data protection would also have a positive impact on consumer trust in cyberspace." Frattini added: "We fully
support the development of privacy-protection technology. I think privacy and protection of personal data is a long-
term goal."
http://news.zdnet.co.uk/security/0,1000000189,39291316,00.htm
(ZDNET.com – 12/05/07)
Also see:
      Commission steps up efforts in Privacy Enhancing Technologies
         http://cordis.europa.eu/fetch?CALLER=EN_NEWS&ACTION=D&SESSION=&RCN=28802 (Cordis News – 12/05/07)

EU Criticizes Social Networks for Privacy Flaws
The European Network and Information Security Agency (ENISA) report details several well-known threats to
privacy on social networks and describes some chilling new possibilities. For instance, the report warns, the photos
that users post can be used as a facial-recognition tool to identify anonymous profiles on other sites. According to
ENISA, the popularity of social-networking sites often leads to disclosures that are "not appropriate to a public
forum." In October, ENISA issued a detailed report describing the privacy threats faced by users of social networks
and offered several recommendations to minimize the associated risks.
http://www.sci-tech-today.com/news/EU-Slams-Social-Networks-over-Privacy/story.xhtml?story_id=0100018019G0
(Sci-Tech Today – 12/04/07)

UNITED KINGDOM
Thinktank calls for ID cards debate
The Government should launch a "serious renewed debate" on ID cards or scrap the scheme, a thinktank report has
said. Researchers from Demos warned that the identity card project was launched without adequate public
engagement, and said more consideration should be given to what information the cards carry and how they will be
used. The call came in a report entitled The New Politics of Personal Information, which found that the average
economically-active British adult now has details recorded on 700 databases.
http://www.guardian.co.uk/uklatest/story/0,,-7135160,00.html
(Guardian – 12/7/07)

Changes to data protection laws ‘will give company bosses the shivers’
MPs are considering changes to the law that would make chief executives directly responsible for safeguarding the
public’s personal data and make the improper or careless treatment of personal information a criminal offence. The
toughening of data laws, which is likely to be fiercely opposed by companies that deal with large amounts of
personal data, such as banks, search engines and telecoms groups, is likely to follow a presentation by Richard
Thomas, the Information Commissioner, to the Justice Committee of the House of Commons.
http://business.timesonline.co.uk/tol/business/industry_sectors/technology/article3013223.ece
(TimesOnline – 12/07/07)

Privacy chief given another chance to seek new powers
The Information Commissioner will have the chance to lobby MPs for greater powers in the wake of the HM
Revenue & Customs data loss scare when he is grilled by the House of Commons Justice Committee today. This
afternoon Commissioner Richard Thomas will appear before the committee to give evidence about data protection
and his powers, which he is known to believe are too limited. Last month HMRC lost 25 million names and
addresses from the child benefits database when two CDs were lost in transit between government offices. In the
aftermath of that crisis Thomas was given a small measure of the extra power he has been seeking, but he is known
to believe that a tougher data protection regime is essential.
http://www.out-law.com/page-8737
(OUT-LAW.com – 12/04/07)


ICO Poised To Probe Any Complaint About Apology Letters For Government Breach
A spokesman for Information Commissioner Richard Thomas said the commission will investigate apology letters
containing personal data that were mailed to incorrect addresses -- if the office receives a complaint. HM Revenue
and Customs sent out letters apologizing for a recent breach involving child benefit recipients, but the letters
contained national insurance and child benefit numbers -- many of which were sent to old addresses. The HMRC is
urging parents to ensure the agency has their correct addresses. The agency also said it is not responsible for sending
letters to the wrong addresses because parents should have notified them of any change in address, according to this
Telegraph article.
http://www.telegraph.co.uk/news/main.jhtml?xml=/news/2007/11/29/ntaxman129.xml
(UK Telegraph – 11/29/07)


MIDDLE EAST


NORTH AMERICA
CANADA
Breach at Passport Canada Web site closed, says Bernier
Foreign Affairs Minister Maxime Bernier assured the Canadian public on Tuesday that a "serious" privacy breach at
Passport Canada's website had been fixed, even as the office of the federal privacy commissioner promised to
investigate the matter. Passport Canada acknowledged Tuesday that individuals applying for passports online were
able to view the personal information of other applicants. The breach occurred in the fifth step of the application,
where individuals are asked to provide supporting documentation, such as a birth certificate, driver's licence or
social insurance number. Applicants must also provide contact details -- including name, address and phone
numbers -- or two references and an emergency contact.
http://www.nationalpost.com/news/story.html?id=144179
(National Post – 12/04/07)
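The article says only that applicants at step five could see other applicants' records, not why. The most common cause of that symptom is a lookup keyed on an identifier from the request with no check that the record belongs to the authenticated session. The following Python is an added illustration of that failure and its fix, not Passport Canada's code; the mechanism, the data model and the access-log format are all assumptions, and the applicant data is constructed.

```python
# Added illustration of a missing object-level authorization check. The actual
# Passport Canada flaw is not described in the article; this mechanism is assumed.
from dataclasses import dataclass


@dataclass
class Application:
    app_id: int
    owner: str               # account that created the application
    step5_documents: dict    # supporting documents and contact details


# Constructed sample applicants, not real data.
APPLICATIONS = {
    101: Application(101, "alice", {"birth_certificate": "BC-111",
                                    "sin": "000-000-001", "phone": "555-0101"}),
    102: Application(102, "bob", {"birth_certificate": "BC-222",
                                  "sin": "000-000-002", "phone": "555-0102"}),
}


class AuthorizationError(Exception):
    pass


def step5_view_vulnerable(session_user: str, app_id: int) -> dict:
    """Fetches the record by the id carried in the request and nothing else.
    Any logged-in user who changes the id in the URL sees another applicant's data."""
    return APPLICATIONS[app_id].step5_documents


def step5_view_fixed(session_user: str, app_id: int) -> dict:
    """Same lookup, but the record must belong to the authenticated session user."""
    app = APPLICATIONS.get(app_id)
    if app is None or app.owner != session_user:
        # Same error for "not found" and "not yours" so ids cannot be enumerated.
        raise AuthorizationError("application not found")
    return app.step5_documents


def audit_cross_user_reads(log_entries):
    """Detection side: given (session_user, app_id) pairs from an assumed access log,
    return every read where the session user is not the record's owner."""
    findings = []
    for user, app_id in log_entries:
        app = APPLICATIONS.get(app_id)
        if app is not None and app.owner != user:
            findings.append((user, app_id, app.owner))
    return findings


if __name__ == "__main__":
    # alice reading bob's record succeeds against the vulnerable handler
    print(step5_view_vulnerable("alice", 102))
    try:
        step5_view_fixed("alice", 102)
    except AuthorizationError as exc:
        print("fixed handler refused:", exc)
    print(audit_cross_user_reads([("alice", 101), ("alice", 102), ("bob", 102)]))
```

The ownership check belongs in the data-access layer, not the template, so every route that touches an application goes through it; the audit function is the retrospective check a responder would run over request logs to size the exposure once a flaw like this is found.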

SOUTH AMERICA


LEGISLATION – FEDERAL
Major copyright bill boosts penalties, creates new agency
In the aftermath of the $222,000 jury verdict that the Recording Industry Association of America recently won
against a Minnesota woman who shared 24 songs on Kazaa, the U.S. Congress is preparing to amend copyright law.
Politicians want to increase penalties for copyright infringement. It's no joke. Top Democrats and Republicans in the
U.S. House of Representatives on Wednesday introduced a sweeping 69-page bill that ratchets up civil penalties for
copyright infringement, boosts criminal enforcement, and even creates a new federal agency charged with bringing
about a national and international copyright crackdown. "By providing additional resources for enforcement of
intellectual property, we ensure that innovation and creativity will continue to prosper in our society," Judiciary
Committee Chairman John Conyers (D-Mich) said in a statement. The legislation, called the Prioritizing Resources
and Organization for Intellectual Property Act, or PRO IP Act, is thoroughly bipartisan.
http://www.news.com/8301-13578_3-9829826-38.html
(CNET News – 12/05/07)




LEGISLATION – STATE
CALIFORNIA
Amendment to SB-1386 Takes Effect Jan. 1
Lawmakers in California have approved legislation, signed recently by Gov. Arnold Schwarzenegger, which would
amend the state's first-in-the-nation security breach notification law. The amendment, which takes effect Jan. 1,
2008, "represents a dramatic increase in the scope of the California law," according to this Mondaq news article. The
amendment adds two new categories of information to the definition of personal information, medical information
and health insurance information.
http://www.mondaq.com/article.asp?articleid=54690
(Mondaq – 12/04/07)

Schwarzenegger backs digital moves
Just as striking scribes are demanding a higher percentage of the new media dollars Hollywood takes in, California
Gov. Arnold Schwarzenegger said the state needs more digital infrastructure. Rollout of broadband throughout
California will help create 1.8 million jobs and $132 billion in payroll over the next decade, Schwarzenegger said
Tuesday before a panel discussion sponsored by the USC Annenberg School for Communication's Center for the
Digital Future at the W Hotel in Westwood. The governor will present his digital plans next month in a report
compiled by a broadband task force. Schwarzenegger's goal to have the state's residents connect to the Internet via
high-speed lines were part of an overall view of California's need to spend more on infrastructure -- from improving
roads to water distribution.
http://www.variety.com/article/VR1117976590.html?categoryid=1009&cs=1
(Variety.com – 11/27/07)



LITIGATION & ENFORCEMENT ACTIONS
[Texas] AG's office says two Web sites invade privacy
At The Doll Palace Web site, children can create virtual dolls and use them in interactive games. But to use certain
features, they are required to answer personal questions, including their smoking and drinking habits, that the Texas
attorney general believes violate federal online privacy laws. The AG's office Wednesday filed a lawsuit against The
Doll Palace Corp. and a second Web site that operates as Gamesradar.com, accusing them of illegally collecting
personal information from children without their parents' permission. Attorney General Greg Abbott said Texas is
the first state to file an enforcement action under a 7-year-old federal Children's Online Privacy Protection Act. The
act was designed to place parents in control over what information is collected from their children under 13. Critics
say the act has done little more to control Web sites than to make users affirm that they are 13 or older or, if
younger, that they have their parent's permission to register.
http://www.chron.com/disp/story.mpl/headline/metro/5355738.html
(Houston Chronicle – 12/05/07)

TJX reaches settlement with Visa over breach
The TJX Cos. Inc. have reached a settlement with Visa Inc. and Fifth Third Bancorp related to a highly publicized
security breach. The Framingham discount clothing company is expected to fund up to a maximum of $40.9 million
pretax in alternative recovery payments to card issuers. The estimated costs of this settlement are already reflected in
the charge related to the breach that TJX took in its fiscal 2008 second quarter, according to the companies. Card
issuers are expected to be paid by Dec. 27, 2007, according to the companies. Each accepting issuer would waive
certain rights to any other recovery through litigation or otherwise and provide certain releases of TJX and its U.S.
acquiring banks. Under the agreement, Visa would forego certain fines.
http://www.bizjournals.com/masshightech/stories/2007/11/26/daily37.html
(Mass High Tech: The Journal of New England Technology – 11/30/07)



MOBILE/WI-FI


ODDS & ENDS
Privacy concept — bane for BPO sector
Sharing information about health and financial matters with others is perhaps a typical trait among many Indians.
This feature in fact makes Indian culture distinct in comparison with that of the West. But the Business Process
Outsourcing (BPO) industry is getting increasingly concerned about the notion of privacy in Indian culture as it is
impacting the business. One of the serious concerns of the outsourcing industry is the wide gulf between Indian and
Western notions of privacy which is causing problems in information and data security aspects.
http://www.thehindubusinessline.com/2007/12/07/stories/2007120756841100.htm
(Hindu BusinessLine – 12/06/07)

Mind the GAPP: Accountants bring GAAP-like principles to the privacy sphere
If you haven't heard of the Generally Accepted Privacy Principles (GAPP), take stock: They're likely to become the
most important new source of requirements for your IT projects since Y2k and Sarbanes-Oxley. Why is this? The
accounting industry has closed ranks around the idea that the GAPP is the best international framework for assessing
the privacy health of an organization. So when it comes to IT projects, any system or related business process
touching personal data will have new rules to play by. The GAPP is a framework that bridges the differences
between North American, European and Asian privacy standards through a set of privacy principles common to all.
http://computerworld.com/action/article.do?command=viewArticleBasic&taxonomyName=privacy&articleId=9051459&taxonomyId=84&intsrc=kc_feat
(ComputerWorld – 12/06/07)

Solving the privacy puzzle in a federated model
Governments face a dilemma. As more and more services move online, identifying and authenticating citizens in
cyber-space are becoming more difficult. Citizens want one-stop service but they also want assurances their personal
information is kept private. Sharing information across jurisdictions can create seamless service delivery, but
government entities must ensure they are dealing with the same person. Online initiatives will only continue to
expand in the future, so governments will need to settle on a common authentication method for their citizens.
http://www.intergovworld.com/article/abc978260a01040800129dda8cb5dba1/pg1.htm
(InterGovWorld.com – 12/6/07)

Technology Allows Monitoring Of Teen Drivers, Raising Questions
Ever wanted to know what your teenage driver is doing with the car right now? Technology that gives parents the
answer is poised to make the jump into the mainstream if some big car insurers can resolve worries about privacy.
You might already be aware that a small number of auto insurance companies are starting to offer systems that can
monitor how a car is being driven, either by capturing and transmitting digital data about speed or location or
capturing video of the driver. They are promoting these systems to consumers as a way to keep tabs on a newly
licensed teenage driver. Some of these systems use GPS devices to gather and transmit information about the
vehicle's location and speed. Other systems offer speed, location, braking and other data, plus video of the driver and
passengers.
http://online.wsj.com/public/article/SB119646328920709889-XOQ0PWoBv3exaOuS5SS7ffix5Og_20080101.html?mod=tff_main_tff_top
(Wall Street Journal – 12/03/07)

State refuses to spy on students for the RIAA
The Oregon State Attorney General's office went to federal court Wednesday to protect the privacy of state
university students against subpoenas issued by the Recording Industry Association of America (RIAA), writes the
Associated Press. It's the first time a state attorney general has stepped in to block RIAA subpoenas. The RIAA sent the
University of Oregon subpoenas demanding that the school identify 17 students that it claims violated copyrights by
downloading music files. In documents it filed in US District Court in Eugene, the state moved to quash the
subpoenas, calling them "overbroad and burdensome."
http://www.theinquirer.net/gb/inquirer/news/2007/11/29/state-refuses-spy-students-riaa
(The Inquirer – 11/30/07)




ONLINE
Watching What You See on the Web
CenturyTel Inc., a Monroe, La., phone company that provides Internet access and long-distance calling services, is
facing stiff competition from cellphone companies and cable operators. So to diversify, it's getting into the online-
advertising business. And not just any online advertising. The technology it's using could change the way the $16.9
billion Internet ad market works, bringing in a host of new players -- and giving consumers fresh concerns about
their privacy. CenturyTel's system allows it to observe and analyze the online activities of its Internet customers,
keeping tabs on every Web site they visit.
http://online.wsj.com/article/SB119690164549315192.html
(Wall Street Journal – 12/6/07)

Facebook’s Beacon Just the Tip of the Privacy Iceberg
Facebook's Beacon ad service may, ironically, be the best thing that's happened to the online privacy movement in a
while. The controversy raised by the social networking site's use of the Beacon technology has helped drag into the
open the widespread but hitherto largely hidden problem of online consumer-tracking and information-sharing,
according to privacy advocates. "This Facebook debacle is in one way very good, because it shows people just what
is happening," said Pam Dixon, executive director of the World Privacy Forum. "There are other sites and other
places where very similar data arrangements exist, but it is all happening under the radar and people simply don't
realize it."
http://www.computerworld.com/action/article.do?command=viewArticleBasic&taxonomyId=16&articleId=9050698&intsrc=hm_topic
(Computer World – 12/03/07)
Also see:
      Some Facebook Partners Bail on Beacon
         http://www.eweek.com/article2/0,1895,2227201,00.asp (eWeek.com – 12/03/07)
      Facebook in privacy U-turn over Beacon
         http://www.ft.com/cms/s/0/2df7d2e0-9f86-11dc-8031-0000779fd2ac,dwp_uuid=e8477cc4-c820-11db-b0dc-000b5df10621.html?nclick_check=1 (Financial Times – 11/30/07)
      Facebook's Zuckerberg Apologizes for Ads Debacle
         http://www.pcmag.com/article2/0,2704,2228622,00.asp
         (PC Magazine – 12/05/07)

Google's Gdrive (and Its Ad Potential) Raise Privacy Concerns
It’s still shrouded in secrecy, but Google’s free storage service is headed for the Web next year. Still, if the so-called
Gdrive becomes as rapidly popular as the company’s e-mail service has in the past three years, what happens to your
secrets? The prospect of a massive, speedy and tricked-out online hard drive already has privacy experts and illegal
downloaders alike worried—especially if all that data is in the hands of a third-party giant and its cash cow to
compete with Apple and Microsoft.
http://www.popularmechanics.com/technology/industry/4234444.html
(Popular Mechanics – 11/29/07)



RFID
You are Tagged
It is the technology that is everywhere and no place. It is invisibly inserted into the perky keyless remote that
unlocks your car. It opens the garage door. It is wedged in the pass cards that let employees into office buildings.
Subtle and controversial, the radio frequency identification device, or RFID, makes our lives more convenient in
myriad small ways. But on a larger scale, critics warn that these dime-sized radio transmitters will one day become
digital tattle-tales, a tool of what privacy experts call uberveillance: information about us gathered without our
knowledge.
http://www.nationalpost.com/news/story.html?id=139966
(National Post – 12/03/07)




SECURITY
Researchers hack and crack Microsoft wireless keyboards
Weak encryption used by Microsoft Corp.'s wireless keyboards can be cracked in a matter of moments, a pair of
Swiss security researchers said today (download PDF), giving hackers a way to snatch passwords and financial
account information in real-time and from a distance. Max Moser and Philipp Schrodel, of the Swiss security
company Dreamlab Technologies AG, cracked the one-byte encryption key used by Microsoft's Optical Desktop
1000 and 2000 keyboards, Moser said, then eavesdropped on keystroke traffic using an inexpensive radio receiver
and a few inches of copper wire. "All we need is about 30 characters," Moser said, referring to the number of
keystrokes necessary for analysis, "and we can decipher the text." Armed with a radio receiver that costs less than
$80 and a copper-wire antenna, Moser and Schrodel were able to sniff out and pull in wireless signals between
keyboards and computers from as far away as 33 feet.
http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9051480
(ComputerWorld – 12/6/07)
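The summary above reports a one-byte key broken from about 30 keystrokes. The following is an added illustration, not code from the report or from the Dreamlab researchers, of why a key that small gives no protection: all 256 candidates are tried and a crude English-likeness score picks out the right one. The plaintext, the key value and the scoring weights are constructed for the demonstration; the real keyboard protocol is not modelled.

```python
# Added example (not from the report or the researchers' paper): why a one-byte key
# gives no protection. The constructed plaintext and scoring model only what the
# summary states: a single-byte key and roughly 30 characters of keystrokes.
import string

# Letters that dominate English text, plus space; lowercase only for this demo.
COMMON = set(b"etaoinshrdlu ")
ASCII_LETTERS = set(string.ascii_letters.encode())


def xor_with_key(data: bytes, key: int) -> bytes:
    """XOR every byte with the same one-byte key (the weak scheme described)."""
    return bytes(b ^ key for b in data)


def english_score(candidate: bytes) -> int:
    """Crude plausibility score: common letters +2, other ASCII letters +1,
    other printable bytes 0, non-printable bytes -5. This is enough to separate
    the one correct key from the 255 wrong ones once ~30 characters are available."""
    score = 0
    for b in candidate:
        if b in COMMON:
            score += 2
        elif b in ASCII_LETTERS:
            score += 1
        elif not (32 <= b < 127 or b in b"\r\n\t"):
            score -= 5
    return score


def recover_key(ciphertext: bytes) -> int:
    """Exhaust the 256 possible keys and keep the most English-looking result.
    A key space this small needs no cryptanalysis at all, only a loop."""
    return max(range(256), key=lambda k: english_score(xor_with_key(ciphertext, k)))


def demo(sample_size: int = 30) -> tuple:
    """Encrypt a constructed keystroke sample with an arbitrary key, then recover
    the key from only the first `sample_size` bytes of ciphertext."""
    keystrokes = b"meet me at the bank at noon, bring the account number"  # constructed
    secret_key = 0x5A  # constructed; any value 0-255 behaves the same
    ciphertext = xor_with_key(keystrokes, secret_key)
    guessed = recover_key(ciphertext[:sample_size])
    return secret_key, guessed, xor_with_key(ciphertext, guessed)


if __name__ == "__main__":
    key, guessed, plaintext = demo()
    print(f"real key 0x{key:02x}, recovered 0x{guessed:02x}: {plaintext.decode()}")
```

The lesson for a defender is the size of the key space, not the cleverness of the scoring: a per-device key of a few bytes is exhausted instantly, so a wireless peripheral needs a real cipher with a full-length key and per-session nonces before its traffic can be considered private.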

Hackers force mass website closures
Hundreds of websites have been shut down temporarily by one of the largest web hosting companies in Britain after
the personal details of customers were stolen by computer hackers. The hackers managed to access the master
database of Fasthosts for information, including addresses, bank details, e-mails and passwords. The action is
expected to lose vital business for hundreds of small companies in the run-up to Christmas.
http://technology.timesonline.co.uk/tol/news/tech_and_web/article3007298.ece
(Times Online [UK] – 12/06/07)

Privacy alert: Cookie variants can be used to skirt blockers, anti-spyware tools
Just because your Web browser is set to block third-party tracking cookies that doesn't mean all of them are being
blocked. A growing number of Web sites are quietly resorting to the use of "first-party," subdomain cookies to skirt
anti-spyware tools and cookie blockers and allow third-party information gathering and ad serving, according to
some privacy advocates and industry analysts. Though the cookies are not fundamentally different from other third-
party cookies, they are very hard to detect and block.
http://computerworld.com.my/ShowPage.aspx?pagetype=2&articleid=7037&pubid=4&issueid=125
(Computer World – 12/06/07)
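One way to make the cookies described above visible during a site audit, as an added example that is not part of the article or of any product: parse the Set-Cookie headers observed while loading a page, classify each cookie's scope relative to the page's own domain, and flag cookies that carry a first-party or same-site scope but were set by a host run by an outside operator. The sample headers, the hosts and the host-to-operator table (standing in for what the site owner sees in its own DNS records) are all constructed; the registrable-domain helper is a last-two-labels approximation rather than a Public Suffix List lookup.

```python
# Added example (not from the report): audit the Set-Cookie headers seen while
# loading one page and flag cookies that carry a first-party (subdomain) scope
# but were set by a host operated by someone else. The headers and the
# host-to-operator table are constructed for illustration.
from dataclasses import dataclass


def parse_set_cookie(header: str) -> tuple:
    """Minimal Set-Cookie parser: returns (name, value, {attr: value})."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value, attrs


def registrable_domain(host: str) -> str:
    """Approximation: the last two DNS labels. A production check should use the
    Public Suffix List so that hosts under e.g. co.uk are handled correctly."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:])


@dataclass
class CookieFinding:
    name: str
    scope: str        # domain the cookie will be sent to
    kind: str         # first-party, same-site or third-party
    set_by: str       # host whose response carried the header
    operator: str     # who runs that host, per the audit's host table
    suspicious: bool  # first-party/same-site scope but set by an outside operator


def audit_cookies(page_host: str, responses: list, host_operator: dict) -> list:
    """responses: [(responding_host, set_cookie_header), ...]
    host_operator: constructed table mapping hosts to the organisation that
    serves them (e.g. derived from the site owner's own DNS/CNAME records)."""
    page_rd = registrable_domain(page_host)
    findings = []
    for host, header in responses:
        name, _value, attrs = parse_set_cookie(header)
        scope = attrs.get("domain", host).lstrip(".").lower()
        if registrable_domain(scope) != page_rd:
            kind = "third-party"          # a normal cookie blocker already catches this
        elif scope == page_host.lower():
            kind = "first-party"
        else:
            kind = "same-site"            # parent domain or sibling subdomain
        operator = host_operator.get(host, registrable_domain(host))
        suspicious = kind != "third-party" and operator != page_rd
        findings.append(CookieFinding(name, scope, kind, host, operator, suspicious))
    return findings


# Constructed page load: one session cookie, one "first-party" tracker cookie set
# from a subdomain that is actually served by an ad network, one plain third-party cookie.
PAGE_HOST = "www.example.com"
RESPONSES = [
    ("www.example.com", "session=abc123; Path=/; HttpOnly; Secure"),
    ("metrics.example.com", "uid=7f3e9; Domain=.example.com; Path=/; Max-Age=31536000"),
    ("ads.tracker-example.net", "tid=42; Domain=.tracker-example.net; Path=/"),
]
HOST_OPERATOR = {"metrics.example.com": "tracker-example.net"}  # constructed CNAME observation


def suspicious_cookies() -> list:
    """Names of cookies that look first-party to a blocker but belong to an outside operator."""
    return [f.name for f in audit_cookies(PAGE_HOST, RESPONSES, HOST_OPERATOR) if f.suspicious]


if __name__ == "__main__":
    for finding in audit_cookies(PAGE_HOST, RESPONSES, HOST_OPERATOR):
        print(finding)
```

The point of the operator table is that a browser cannot tell the difference: to it, `metrics.example.com` is simply part of `example.com`. Only the site owner, who knows which subdomains are delegated to partners, can decide whether a cookie scoped to `.example.com` is really first-party, which is why this kind of check belongs in a periodic site audit rather than in the client.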

New Threats Call for a Fresh Approach
In today's world, security should no longer strive to abolish risk entirely, writes Symantec's Tom Kendra. Instead, a
new approach to security should concentrate on identifying the most dangerous risks and establishing a system for
eradicating those. This new type of security, which Kendra calls Security 2.0, is akin to Web 2.0 in that it provides
new methods for improving productivity and boosting revenue. Security 2.0 builds on Security 1.0--in which IT
departments worked to lock things down to keep hackers out--by enlarging protection to safeguard the data itself. To
do so, IT departments must work with businesses to establish where the data resides, what information is sensitive,
who is authorized to access data and who needs access to data, and how to balance accessibility with security.
http://www.ft.com/cms/s/0/b262ff4a-a2d4-11dc-81c4-0000779fd2ac.html
(Financial Times Digital Business – 12/05/07)

The Next Generation of Security Threats
Security experts warn that hackers are focusing on areas outside of operating systems, with software applications
and Web-connected mobile devices emerging as new areas for exploitation. At the most recent Blue Hat security
conference, Microsoft security engineer Robert Hensing reported that a decline in operating system vulnerabilities is
being accompanied by an increase in application vulnerabilities. Experts predict that malware will adopt even more
evasive methods, while IronPort Systems executive Tom Gillis says new malware attack techniques are so complex
that they could only have been born out of refined research and development. IronPort suggests that contemporary
malware borrows many traits from social networking sites, such as adaptability and reliance on collaboration, while
Trojans and malicious software are likely to become "increasingly targeted and short-lived."
http://www.news.com/The-next-generation-of-security-threats/2009-7349_3-6221150.html
(CNet – 12/05/07)




F-Secure: Malware Samples Doubled in One Year
F-Secure reports that 250,000 malware samples have been collected for this year, a figure that was the equivalent of
all malware collected within a two-decade span ending in 2006. Incidences of malware are on the rise, with a 185
percent increase in the amount of malware observed for the first half of this year compared to last year. F-Secure
notes that the prevalence of more sophisticated malware has declined, supplanted by mass-produced malware
threats. Security vendors have been consequently challenged to compete with hackers in suppressing malware
storms, particularly in light of malware variants that can circumvent vendors' detection. Variants also utilize ploys
such as encryption and obfuscation to slide under the radar of security programs. F-Secure chief research officer
Mikko Hypponen says that although automated detection signatures can thwart hackers' success, "in the end, a
human makes the decision where we add detection" signatures.
http://www.networkworld.com/news/2007/112907-spyware-top-security-concern.html
(IDG News Service - 12/04/07)

Study Reveals Overlooked Sources of Leaks
Many security leaks are caused accidentally through non-technical means, reveals a recent study conducted by the
Information Security Forum--an international, non-profit consortium of security-focused enterprises and vendors.
The study analyzed 887 leak incidents and found that the most common causes of the leaks were lost laptops, emails
being sent to the wrong address, sensitive documents being left on copying machines, and employees taking
confidential papers or storage media outside the office. The study also found that companies can lose data because
their employees do careless things such as repeating sensitive information on social networking sites, or talking
about sensitive information in places where they can be overheard. ISF research analyst Simone Seth noted that data
leak prevention tools would be unable to prevent data from being lost in these ways. As a result, companies should
make sure that their employees are aware of security issues and enforce security policies so that there are
consequences for leakage, she said.
http://www.darkreading.com/document.asp?doc_id=140412
(Dark Reading – 12/03/07)

Government-Sponsored Cyberattacks on the Rise, McAfee Says
Governments and groups across the world are harnessing the Internet to mount cyberattacks on their enemies by
attacking key systems such as financial markets, electricity, and government computer networks, according to a new
report by McAfee. The report, which was created with input from the FBI, NATO, and other intelligence groups,
notes that China has been charged with launching attacks against four countries in 2007. The United States and 119
other nations are also believed to be conducting Web espionage operations, reports McAfee. Such assaults are well-
organized, well-funded, and can operate on technical, economic, political, and military fronts. Moreover, the attacks
have grown so sophisticated that they can evade the radar of government cyber defenses, according to McAfee.
David Marcus of McAfee anticipates the eventual creation of a privatized model, under which governments will
authorize cybercriminals to attack enemies, noting that state-sponsored malware has already emerged. Meanwhile,
cyberattacks are also a growing threat to online services such as banking and new targets include VoIP and social-
networking applications such as Facebook.
http://www.darkreading.com/document.asp?doc_id=140412
(Network World – 11/29/07)

FBI: Millions of Computers Roped Into Criminal 'Robot Networks'
Over the past five months more than 1 million computers have become part of "botnets," an emerging type of cyber
attack in which hackers take over computers without their owners' knowledge and use them to commit fraud,
identity theft, and denial of service attacks, according to the FBI. That figure comes on top of the 1 million
computers that were known to have been part of botnets five months ago, when the FBI launched an initiative aimed
at stopping the growth of the networks. Despite the increase, the FBI's initiative--called Operation Bot Roast--has
had an impact. Since the initiative was launched in June, 13 search warrants have been issued around the world--
including one for a person in New Zealand whose international botnet coding group is suspected of infecting more
than 1 million computers. In addition, eight people in Washington, Pennsylvania, Florida, California, and Kentucky
have been indicted or found guilty of crimes related to botnets.
http://www.cnn.com/2007/TECH/11/29/fbi.botnets/
(CNN – 11/29/07)




Spyware New Champ Among IT Security Worries: Survey
Spyware is now the top security concern for businesses, according to a Computer Technology Industry Association
survey of 1,070 companies. More than half of the companies surveyed said that spyware was their prime concern.
Meanwhile, nearly 50 percent cited viruses and worms as top security threats, while 54 percent said that lack of user
awareness was to blame for security vulnerabilities. Other top concerns included authorized-user abuse and browser
attacks. The survey found that fewer companies were threatened by phishing attacks or social-engineering ploys,
though some noted that viruses and worms would continue to be formidable threats for the future. Fourteen percent
stated that spyware would be an ongoing security issue, while wireless security and email attachments were cited as
static threats for the future. Close to half of the companies surveyed said they would allocate more funds for security
technology spending and security training.
http://www.networkworld.com/news/2007/112907-spyware-top-security-concern.html
(Network World – 11/29/07)

Cryptic Messages Boost Data Security
The first "real-life" application in quantum cryptography was the use of id Quantique's unbreakable data code in the
Swiss national elections in October 2007. "Protection of the federal elections is of historical importance in the sense
that, after several years of development and experimentation, this will be the first use of a 1 GHz quantum encrypter,
which is transparent for the user, and an ordinary fiber-optic line to send data endowed with relevance and purpose,"
said id Quantique co-founder Nicolas Gisin. Through quantum cryptography, two communicating parties can
generate a shared random bit string only they know, which can be used as a key to encode and decode messages.
http://cordis.europa.eu/ictresults/index.cfm/section/news/tpl/article/BrowsingType/Features/ID/89350/highlights/cryptic
(ICT Results – 11/28/07)

Firewalls Ready for Evolutionary Shift
Since applications are increasingly using Port 80, or HTTP, the protocol inspection method used by traditional
firewalls is no longer sufficient protection for networks. In an effort to address this problem, most firewall vendors
are developing products that use an "all-ports/all-protocols" approach. Under this approach, signatures and other
known characteristics of specific applications are used to identify them on the network. Traffic is then classified and
secured with antivirus and antispyware software. Matasano Security's Thomas Ptacek says that firewalls must go
deeper than this approach since there are too many applications to account for.
http://www.darkreading.com/document.asp?doc_id=140121
(Dark Reading – 11/28/07)
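The "all-ports/all-protocols" idea in the summary above, as an added example that is not code from the article or from any firewall vendor: rather than trusting the destination port, look at a flow's first bytes for application signatures and compare the result with what the port-based policy expects. The signatures are deliberately simplified (an HTTP request line, the leading bytes of a TLS ClientHello record, the SSH version banner, the BitTorrent handshake) and the sample flows are constructed.

```python
# Added example (not from the report or any vendor's product): identify the
# application from a flow's first bytes instead of trusting the port, the
# "all-ports/all-protocols" approach described above. Signatures are simplified
# and the sample flows are constructed.

HTTP_METHODS = {b"GET", b"POST", b"HEAD", b"PUT", b"DELETE", b"OPTIONS", b"PATCH"}


def looks_like_http(p: bytes) -> bool:
    """Request line of the form 'METHOD target HTTP/1.x'."""
    first_line = p.split(b"\r\n", 1)[0]
    return first_line.split(b" ", 1)[0] in HTTP_METHODS and b" HTTP/1." in first_line


def looks_like_tls_client_hello(p: bytes) -> bool:
    """TLS record header: type 0x16 (handshake), version 0x03xx, then a
    handshake message of type 0x01 (ClientHello)."""
    return len(p) >= 6 and p[0] == 0x16 and p[1] == 0x03 and p[5] == 0x01


SIGNATURES = [
    ("http", looks_like_http),
    ("tls", looks_like_tls_client_hello),
    ("ssh", lambda p: p.startswith(b"SSH-")),
    ("bittorrent", lambda p: p.startswith(b"\x13BitTorrent protocol")),
]

# What a port-based rule set believes runs on each port (constructed policy).
EXPECTED_ON_PORT = {80: "http", 443: "tls", 22: "ssh"}


def identify_app(payload: bytes) -> str:
    """First matching signature wins; anything else is 'unknown'."""
    for app, matcher in SIGNATURES:
        if matcher(payload):
            return app
    return "unknown"


def classify_flow(dst_port: int, payload: bytes) -> dict:
    """Return the identified app and whether it matches the port's expectation.
    A mismatch (e.g. SSH carried over port 80) is exactly what port-only
    inspection cannot see."""
    app = identify_app(payload)
    expected = EXPECTED_ON_PORT.get(dst_port)
    if expected is None:
        verdict = "inspect"      # no port expectation; policy decides by app alone
    elif app == expected:
        verdict = "allow"
    else:
        verdict = "mismatch"
    return {"port": dst_port, "app": app, "verdict": verdict}


# Constructed flows: three to port 80, only the first of which is really HTTP.
SAMPLE_FLOWS = [
    (80, b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n"),
    (80, b"SSH-2.0-OpenSSH_7.4\r\n"),
    (80, b"\x16\x03\x01\x00\xc8\x01\x00\x00\xc4\x03\x03" + b"\x00" * 32),
    (443, b"\x16\x03\x01\x00\xc8\x01\x00\x00\xc4\x03\x03" + b"\x00" * 32),
    (6881, b"\x13BitTorrent protocol" + b"\x00" * 8),
]


def mismatched_flows(flows=SAMPLE_FLOWS) -> list:
    """(port, app) for every flow whose content disagrees with its port."""
    results = []
    for port, payload in flows:
        verdict = classify_flow(port, payload)
        if verdict["verdict"] == "mismatch":
            results.append((port, verdict["app"]))
    return results


if __name__ == "__main__":
    for port, payload in SAMPLE_FLOWS:
        print(classify_flow(port, payload))
```

Ptacek's objection in the summary applies directly to `SIGNATURES`: the list only grows, and every application not on it falls into "unknown", so a policy has to decide what to do with unknown traffic on a port that expects something specific rather than assume the signature set is complete.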

Tests Demonstrate Maturity of TSAT Encryption System
The Boeing Company has successfully demonstrated the communications and transmission security architecture of
its proposed Transformational Satellite Communications System (TSAT). During recent tests, Boeing used TEAM
TSAT partner General Dynamics C4 Systems' Advanced INFOSEC Machine (AIM) to demonstrate how TSAT will
send and receive encrypted messages once operational. The mature, established embedded encryption programming
in the AIM technology will further reduce certification risk and increase TSAT's adaptability to real-life scenarios.
The tests, conducted at General Dynamics' facilities in Scottsdale, Ariz., supported the Defense Department's Crypto
Modernization Initiative (CMI) to transform and modernize information assurance capabilities.
http://www.govtech.com/gt/articles/212069?utm_source=newsletter&utm_medium=email&utm_campaign=JPS_2007_12_5
(Government Technology - 11/28/07)




Update: Subverted Search Sites Lead to Massive Malware Attack in Progress
Attackers are conducting a large-scale, coordinated campaign to direct users from Internet search engines to Web
sites containing malware, security researchers announced. Attackers are getting links to malicious sites to appear
near the top of search result listings in the hopes that an unwitting user will click on the link and download the
malware contained on the site. Attackers have been able to trick search engines into listing these sites at the top of
their search results by using tactics such as "comment spam" and "blog spam" in which bots flood the comment
areas of sites with links or post large numbers of them as phony blog posts. The links do not appear to be unusual
unless the user notices the URL, which is typically just a jumble of characters with China's .cn domain at the end.
Once users click on the link, they are directed to sites that use fake codec installation dialogs and IFRAMES to
install malware such as fake toolbars, Trojan horses, and rootkits.
http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9049269&intsrc=hm_list
(Computerworld – 11/27/07)

Buffer Overflows Are Top Threat, Report Says
According to Telus' analysis of vulnerabilities reported and disclosed between January 2004 and November 2007,
the most common flaws reported are old-fashioned buffer overflow bugs. The finding surprised researchers, as
"buffer overflows are among the easiest vulnerabilities to avoid or correct," says Richard Reiner of Telus. Buffer
overflows were also found to be the most severe vulnerabilities. Telus' research discovered that the majority of
common Web application vulnerabilities, such as cross-site scripting, are less dangerous than other kinds of
vulnerabilities, which suggests that off-the-shelf Web platforms are comparatively safe. However, the customized
Web applications analyzed by Telus were crawling with critical bugs.
http://www.darkreading.com/document.asp?doc_id=139871&f_src=darkreading_section_296
(Dark Reading – 11/26/07)

Best Practices for LAN Security Projects
LAN security projects are complex, in that they involve multiple teams, directories, and applications, and must
tackle issues such as insider threats, regulatory compliance, and user access to sensitive data. However, successful
LAN projects share certain best practices. For one, IT departments that confer with business units to understand the
project's business drivers tend to be the most successful. Indeed, the first step in any LAN security project is to
pinpoint and rank the business unit access requirements. By doing so, the company is identifying the wider set of
network access control (NAC) issues: Establishing who can get onto the LAN and restricting what they can access.
Next, companies must figure out what role their endpoints will play in the overall LAN security system. An
important component of LAN security is admission control. Therefore, security and desktop teams, along with the
business units, should discuss "posture checking" software.
http://www.bcr.com/architecture/local_area_networks/best_practices_for_lan_security_projects_200711211483.htm
(Business Communications Review – 11/07)




SEMINARS
US Department of Homeland Security Privacy Office Public Workshop: CCTV
Developing Privacy Best Practices.
December 17-18, 2007
Arlington, VA
privacyworkshop@dhs.gov

ACI's 7th National Symposium on Privacy & Security of Consumer and Employee Information
January 23-24, 2008
Philadelphia, PA.
http://www.americanconference.com/privacy

Computer Professionals for Social Responsibility: Technology in Wartime Conference
January 26, 2008
Stanford University
http://cpsr.org/news/compiler/2007/Compiler200707#twc

IAPP Privacy Summit
March 26-28, 2008
Washington, D.C.
http://www.privacysummit.org/

Future of the Internet Economy - OECD Ministerial Meeting
June 17-18, 2008
Seoul, Korea
http://www.oecd.org/document/19/0,2340,en_2649_37441_38051667_1_1_1_37441,00.html

Conference on Ethics, Technology and Identity.
The Hague.
June 18-20, 2008.
http://www.ethicsandtechnology.eu/ETI


               _____________________________________________________________________

PAPERS
Self-disclosure, Privacy and the Internet
With public concern over online fraud, new research, funded by the Economic and Social Research Council, has
revealed that internet users will reveal more personal information online if they believe they can trust the
organisation that requests the information. ‘Even people who have previously demonstrated a high level of caution
regarding online privacy will accept losses to their privacy if they trust the recipient of their personal information’
says Dr Adam Joinson, who led the study. The findings of the study are vital for those aiming to create online
services that pose a potential privacy threat, such as Government agencies involved in developing ID cards. The
project found that even those people who declared themselves unconcerned about privacy would soon become
opposed to ID cards if the way that they were asked for information made them feel that their privacy was
threatened.
http://iet.open.ac.uk/pp/a.n.joinson/prisd/PRISD_report2.pdf



