Wednesday, August 31, 2005

IBM NORA Spookware Strip-mining Privacy Landscape


This Computerworld article discusses data mining software projects, including IBM-owned NORA - Non Obvious Relationship Awareness. NORA appears to need access to vast amounts of information to collect huge amounts of data to compare. The Computerworld author calls this one of the "Coolest" database projects, and while it could prove useful to large companies subject to fraud, like casinos - and valuable to governments and public safety agencies like TSA and Homeland Security - IT IS STILL FRIGHTENING for what it means to the average citizen.

Technologies such as NORA confirm that databases of personal information are, in absolute fact, being merged, collated and stored with data on every single human being that comes in contact with any database owned, used or accessed by any company or government. The example listed is the use of NORA to turn up insider fraud in the gaming industry. British IT commentary site TheRegister.com goes as far as calling the IBM system "Spookware" since it is used to gather evidence for criminal cases so often.

Combine all of this with web reputation monitoring by major firms, which makes extensive use of blogs, articles and discussion forums to see everything said online in blog comments or forums, and with email storage by Yahoo, Gmail and Hotmail, and you have complete monitoring of beliefs, merged with credit history, financial information and connections available in databases everywhere.

posted by RealitySEO at 2:26 PM 0 comments

Tuesday, August 30, 2005

Distorting biometrics enhances security


CNN news story linked in headline above. Cancelable biometrics are a supposedly secure way to alter the original algorithmic parameters used in facial scans, fingerprints and iris scans so that hackers cannot access and steal the identity of those in the database. The rationale goes that since a biometric is stored as a mathematical template, it can be altered in a repeatable way for all of those stored in the database, so that if the database of biometric algorithms of approved people is stolen, it must first have the altering algorithm applied before it can confirm identity and allow access to a person. How odd that proponents of this system believe that the altering algorithm can't be stolen as well as the database. If hackers can access the database, they certainly ought to be able to access the key to the altering algo. The idea that biometric database theft is expected to be a big threat to security systems is proof that the technology is not ready for prime time.

posted by RealitySEO at 9:42 AM 0 comments
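
An added illustration of the repeatable distortion described in the cancelable biometrics post above; it is not code from the CNN story or from any vendor. It assumes one construction found in the research literature (a keyed random projection reduced to sign bits), and the feature vectors, key names and threshold are constructed for the example. It shows the matcher working on distorted templates only, and a template copied before the key is reissued failing against the re-enrolled record.

```python
import hashlib
import random

DIM = 64          # length of the constructed feature vector (assumption)
BITS = 256        # length of the stored, distorted template (assumption)
THRESHOLD = 0.25  # max fraction of differing bits accepted (assumption)


def sample_vector(seed, noise_of=None, sigma=0.1):
    """Constructed stand-in for a feature extractor's output.

    With noise_of set, returns that vector plus small sensor noise,
    imitating a second scan of the same finger or iris.
    """
    rng = random.Random(seed)
    if noise_of is None:
        return [rng.gauss(0.0, 1.0) for _ in range(DIM)]
    return [x + rng.gauss(0.0, sigma) for x in noise_of]


def projection(key):
    """Derive the distortion matrix deterministically from a secret key."""
    seed = int.from_bytes(hashlib.sha256(key).digest(), "big")
    rng = random.Random(seed)
    return [[rng.gauss(0.0, 1.0) for _ in range(DIM)] for _ in range(BITS)]


def distort(features, key):
    """Repeatable distortion: project the features, keep only the sign bits."""
    return [
        1 if sum(w * x for w, x in zip(row, features)) >= 0 else 0
        for row in projection(key)
    ]


def hamming_fraction(a, b):
    """Fraction of positions at which two bit templates differ."""
    return sum(x != y for x, y in zip(a, b)) / len(a)


def accepts(stored_template, probe_template):
    """The matcher only ever compares distorted templates."""
    return hamming_fraction(stored_template, probe_template) <= THRESHOLD


def demo():
    alice = sample_vector(1)                         # constructed enrolment scan
    alice_rescan = sample_vector(2, noise_of=alice)  # later scan, same person
    mallory = sample_vector(3)                       # unrelated person

    key_v1 = b"hypothetical-transform-key-v1"
    key_v2 = b"hypothetical-transform-key-v2"

    record_v1 = distort(alice, key_v1)   # what the database stores
    stolen = list(record_v1)             # copy taken in a database breach
    record_v2 = distort(alice, key_v2)   # re-enrolment under a new key

    return {
        "genuine_accepted": accepts(record_v1, distort(alice_rescan, key_v1)),
        "impostor_accepted": accepts(record_v1, distort(mallory, key_v1)),
        "stolen_accepted_before_reissue": accepts(record_v1, stolen),
        "stolen_accepted_after_reissue": accepts(record_v2, stolen),
        "genuine_accepted_after_reissue":
            accepts(record_v2, distort(alice_rescan, key_v2)),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The example does not answer the post's objection: the stolen template stays valid until the key is reissued, and the new key has to be kept somewhere other than the template database for the reissue to help.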

Wednesday, August 24, 2005

Hacker Raids Air Force Personnel Database


Randolph Air Force Base was the target for a hacker seeking private data on 33,000 officers and enlisted personnel, including social security numbers, birthdays and other sensitive information. The number of people affected amounts to about half of the total number of the officers in the US Air Force. The hack was discovered over two months ago and just reported this week, supposedly to allow time to notify those affected by the data breach and conduct an internal investigation.

If we began to add up the total number of people affected by high profile data breaches over the last few months it stretches to over 50 million people. Certainly some of those overlap with multiple exposures of the same names, but if leaks, hacks, losses and thefts continue at the rate exposed just this year, then all Americans will be exposed to privacy invasion, identity theft and more.

posted by RealitySEO at 10:29 PM 0 comments

Sunday, August 14, 2005

Privacy News


Privacy Laws

Identity fraud cases on the rise, says agency
ABC Online - Australia
The credit reporting agency Dun and Bradstreet says identity fraud is increasing in Australia, and the states' privacy laws are allowing it to go unchecked. ...

RFID Privacy

Securing data can get under your skin
Palm Beach Post - Palm Beach,FL,USA
... The privacy debate has escalated recently as RFID has spread among businesses. In 2003, clothing giant Benetton backed off introducing ...

Chips track more people, products
Milwaukee Journal Sentinel - Milwaukee,WI,USA
... Privacy concerns have not slowed the technology's growth so far because companies are ... kind of bad publicity that can go with subversively putting RFID tags on ...

Identity Theft

Workshop offers tips to avoid identity theft
Boston Globe - United States
By Robert Knox, Globe Correspondent | August 14, 2005. Karen Leonard knows identity theft can happen to anyone. ... 25 on how to prevent identity theft. ...

Identity theft on the rise across nation
Orange Leader - Orange,TX, USA
Earlier this week an Orange man joined an annual club of 20,000 people in the state of Texas when he reported a case of identity theft to the Orange Police ...


posted by RealitySEO at 2:01 PM 0 comments

Saturday, August 13, 2005

Privacy Conviction - Acxiom Data Theft


Levine Convicted in Acxiom Privacy Hack. This Reuters story was found in the Saturday Los Angeles Times Business section in a two paragraph recap! Further searching done online turned up the source of the story as Reuters and Google news served up this longer version at News.com.

When a story involves what the Assistant U.S. Attorney General Christopher Wray calls, "the largest intrusion of personal data ever," then it belongs on the front page. To be fair, this conviction came Friday from a Florida court and may not have made its way to Los Angeles until too late to make the front page (the Times may be on a dialup connection, who knows?).

It is still shocking to see privacy matters treated as so unimportant. Hopefully there will be larger coverage on the weekend and if not major by Monday, I'll put a large bet that says Acxiom is paying to keep the story low profile. That will succeed for only a short period due to the power of the web and the privacy advocates such as EPIC and EFF.

Levine was indicted in July of 2004 and conviction just came over a full year later, suggesting that Levine used his organized crime connections and high-powered defense attorneys to drag it on this long. He was acquitted of money laundering and conspiracy, but his bulk email (read "Spam") company used a weakness in Acxiom's security to download files including street addresses, email addresses, credit card and checking account numbers and other privacy invading personal and financial data to pump up the value of his spamming business.

Levine and his ilk are not the issue at all in this case. What should be focused on here is that a low grade slimeball spammer was able to hack a major data aggregation and information broker that holds data on vast numbers of consumers. Since he did that evil deed earlier than 2004 and since we have seen multiple major data thefts from dozens of sources just this year, you can bet more are coming and will lead to major legislation and a lockdown on the data brokering industry. They don't protect that data and it is open to organized crime, hacking, social engineering and insider theft as seen in the many high-profile cases so far in 2005.

I suspect that the data brokering business just got vastly less profitable due to increases in the cost of doing business due to rises in security costs, insurance costs and a squeeze on the vetting of the legitimacy of their customers. Private detectives have lost the ability to gather much information already and much is being done to reduce the amount of data available to police and federal investigators through these commercial sources.

The exposure of data theft as a major privacy concern all began due to California laws requiring notice to consumers affected by data theft or loss. New York Governor Pataki just signed a similar data breach notification law and it is fast becoming a national requirement. Thank goodness for that.

Stay tuned for further developments and hang on tight to your personal, private information. If Acxiom, Lexis/Nexis, Choicepoint, CardSystems, or any of dozens of other data brokers holds your data, you haven't a chance of it remaining private since they all sell data to organized crime and are so very cavalier about protecting that data which has made them monstrously profitable corporate entities.

posted by RealitySEO at 1:47 PM 0 comments

Monday, August 08, 2005

Google balances privacy, reach - but over-reaches on power


Google balances privacy, reach according to this News.com story by Elinor Mills at C|Net. This coverage apparently got News.com banned by Google news, according to another story at British IT journal, theRegister.com. After reading the three page story at news.com, I was curious what it was that got C|Net banned by Google. Unless they are extraordinarily sensitive to criticism, or Google CEO Eric Schmidt is terribly sensitive about their mention of his political affiliations and hobbies - there is nothing there that seems to warrant a ban of News.com from Google News headlines.

August 9 Update: It appears, according to extensive coverage elsewhere in the media, that News.com was not banned by Google News as previously mentioned here and other early sources, but was instead told that Google "Will not talk with them until August 2006" as a snub to the online news outlet for Googling the Google CEO, Eric Schmidt and exposing his home address, net worth, and his political affiliations and hobbies. My concerns, expressed below, that anyone using Google services might be banned from using those services if they criticize Google, were incorrect and, thank goodness, an over-reaction to a misunderstood action by Google against news.com and C|Net. Although I certainly don't support Google refusing to talk to News.com reporters because they were victims of their own resources, it is not as severe a move as banning C|Net from Google News would be.

They simply can't be that sensitive to media or they will end up banning thousands of web sites. The fact that this arose over a privacy news story makes it all the more nerve wracking to me. Am I at risk of banning from the Google index because I discuss privacy here and linked to these stories? Although I am just a little guy observing a big industry, I do still make my living online and I count on those services owned by Google in a big way. I'd be able to find replacements, but the disruption in my tiny business would be dramatic.

This has to hurt C|Net and News.com as we all know how much traffic Google sends to many web sites - as much as 85%. Google News has to be a substantial driver of traffic to news sites as well, although I don't have the numbers on that.

I also mentioned Google privacy and security concerns last week in similar (although less thoroughly researched than the C|Net story) concerns that Google wields a lot of personal information on the average user and that info is at risk from IT consultants, hackers and insiders with low ethical standards. I worried that they need to guard that information and instill ethics in all those insiders who may have access to it because I am a user of many of their services. This was all in response to a ComputerWorld story on ethics in the IT industry.

Am I at risk of banning from all those services, or only from blogger because I use that Google-owned tool to create my privacy blog and mention Google in regards to privacy concerns? Why is CNN not banned from Google news when they ran a much more visible privacy article on their site? Maybe only those who mention the leisure activities of Eric Schmidt get banned?

What is this and why won't Google comment on it? Stay tuned...

posted by RealitySEO at 1:33 AM 0 comments

Saturday, August 06, 2005

Identity Theft by Family Members or Relatives


When I read this statistic quoted by Daryl Campbell in the following article, I was stunned, much the same way victims of this crime must be, that 50% of Identity Theft is committed by FAMILY MEMBERS! We do spend a lot of time in the privacy community discussing data security and protection from hackers, when over half the ID theft crimes happen in our own homes or are committed by next door neighbors lifting private information from our mailboxes. It's a sticky problem and not easily solved by paper shredders or encryption, since the thief is right under our own roof. Scary statistic with little you can do to avoid being victimized if you have family you can't trust. Wow. Here's Daryl's article:

Identity Theft: Oh No. Not Them

Copyright © 2005 Daryl Campbell

You'll never hear the end of it if you decide to press charges. And besides you're not even sure you really want to do that. They might pay you back the money. Not. The burden is on you to sort this mess out and the worst part is once a relative or friend steals your identity, it's almost impossible to trust them again.

We hear about the high profile cases of hackers breaking into the databases of Lexis Nexis or DSW Shoe Warehouse, yet most instances of identity theft never make the news. Usually it's something basic like a neighbor stealing a credit card application from your mailbox or a relative going through your personal belongings.

In the Better Business Bureau's 2005 Fraud Survey report they found relatives, close friends and neighbors make up 50 percent of all identity thieves. They also cost you more time and money trying to fix the problem. Javelin Research calculates that the average cost to identity theft victims is $15,607 when the perpetrator is known.

But even that figure is misleading. Many children are falling victim to identity theft (a half million last year according to the Federal Trade Commission) which means the full impact of the damage may not be known until years later when as adults they apply for credit.

For some parents, stealing their child's identity is a stop gap solution. Their own credit is destroyed, so "borrowing" their child's social security number becomes a necessity. All the while, they assure themselves the money will be paid back. Yet the same pattern that destroyed the parent's credit, now puts a negative on the child.

It doesn't matter if the thief is a parent, sibling or best friend, the process of recovering your identity is a tough one and it gets more complicated. Should you report the crime?

"Frequently when we would break up a ring and get a list of victims and find family members were involved in the crime, relatives are very reluctant to co-operate" says Ken Hunter, former Chief Postal Inspector and current president of the Council of Better Business Bureaus.

According to a study done by Gartner, Inc., the chances of an identity thief getting prosecuted are 1 in 700. However, when a relative is the culprit those odds go through the roof. The attitude understandably becomes, "Yes, they did me wrong but I can't send them to jail."

Ken Hunter: "If it's a matter of pilferage at a very low level, nothing much is really going to happen to that person."

On the other hand, if your identity is used to commit crimes on a higher scale, by all means report it to the authorities. You may feel guilty and make a lot of people angry in the process. Families get torn apart because relatives feel the matter should stay private.

It's a tough decision, but remember, this is your good name the identity thief destroyed, not your relatives and it's you who may be wanted for a crime, not them.

About The Author: Daryl Campbell is an identity theft expert as well as writer and home business owner. Banks say you should review your credit once a year. Nothing wrong with that. Except it gives identity thieves the other 364 days to destroy it. Sleep peacefully while professionals guard your credit and good name 24/7. Check them out


posted by RealitySEO at 3:02 PM 0 comments

Friday, August 05, 2005

Car Insurance Cheaper Under Surveillance Scheme


For a price, would you let car insurer along for the ride? - asks this USA Today technology story by Kevin Maney. It seems that Progressive Insurance and IBM have worked out a scheme to pay drivers to be safer - by monitoring their every move in their own cars, and how fast they make that move, and where they park, and what time they drive.

The program is being tested in Minnesota and in the U.K. in a privacy busting program that rewards drivers for keeping under the maximum speed limits and driving during safer times of day. It's an interesting twist that is compared here to a shopper reward card that monitors what you buy, although it doesn't give you lower prices if you buy healthy food - which seems like the best analogy. (But it does let the food chains know how often you shop and how much you spend on which types of food, and alcohol, and cigarettes and trashy tabloids.)

Drivers must attach an electronic monitor to their cars that downloads information already generated and stored there in a diagnostic chip included in most newer model vehicles. As they drive, it stores current driving behavior - and location - and driving times and at the end of the defined time, drivers take the unit into the house, attach a USB cable and download that information into their computer and transmit it to Progressive.

But the insurance discount program does have an interesting twist in the Minnesota test. Apparently drivers who see from their downloaded information (or just know they drove badly at times) that they exceeded maximum speed limits, drove during expensive times (2am when bars close is most expensive, after 11pm is next) can choose NOT to send that information to Progressive and pay the normal undiscounted insurance rate.

It appears to have the true benefit of making drivers become more cautious and drive within limits of the law during safe hours. There is nothing wrong with this for those willing to give up the information. This allows those willing to be monitored the choice to send the information to their insurer and get a discount or NOT send it to pay normal rates. It's worth considering.

I'm among those who continue to use supermarket loyalty cards, even though I despise the fact that they can see my purchase history and note my travel habits. The savings are just too great to pass up. (I used a false name to set the card up, but quickly noted that they tied together my debit card name and loyalty card purchases, thus gaining that information that I had denied them with the false name - now I use cash.) You certainly can't do the same with the insurance driving discounts. Information must be accurate to properly insure and discount the policy.

The UK program is more invasive and offers far less choice. Drivers must always download the information from the car module to gain insurance discounts and the British company monitors more information from those UK drivers.

The US version may have some merit if choice remains a part of the equation upon full rollout to American drivers who want that ten percent discount on auto insurance policies in exchange for giving up the privacy of their driving habits.

The disturbing part of this, again, as always, is the possible merging of multiple databases to form near perfect surveillance pictures of us with each new development. Our supermarket discounts show that big database what we eat and what else we buy at the grocery, the insurance information defines our travels and schedule, our credit and debit card use defines our spending, travel and lifestyles, while multiple other databases from airline security info to phone records can be merged at any time to form near perfect pictures of our lives for anyone that wants to access it.

Once a national ID is in place (driver licenses will soon carry mandatory magnetic information and will serve as a de facto national ID), we can be fully monitored, tracked, analyzed and digitized to form a truly invasive database of numbers and bits of information about each of us.

The sources of data about each of us are growing daily. The concern is the loss or abuse of that data through commercial and/or governmental negligence and/or criminal intent. The methods to access that data are growing as the sources proliferate.

Privacy is something we give up in small bits for small benefits, like cheaper produce using supermarket loyalty cards and insurance discounts using car monitors hooked up to our insurance carrier. We need laws to control and safeguard each of those databases and stop any merging of those multiple sources of data into the ultimate Big Brother database.

I want my car insurance reduced and I'm willing to consider this newest scheme if I have choice of whether to send my info to my insurer. I will send it when I've been good and won't when I have been less good. But I don't want it merged with my other sources of data or shared among commercial interests who may see fit to sell it to each other.

It gets more interesting daily. Who is in control of this privacy devouring data monster?

posted by RealitySEO at 2:52 PM 0 comments

Thursday, August 04, 2005

Privacy Issues for IT Security Professionals


Ethical & privacy issues for IT security professionals are covered in this ComputerWorld article looking at the sensitive data available to "Computer Guys" in all businesses, including outsourced consultants who handle IT for multiple clients. The article refers to ethics courses for medical professionals during their education and points out that security consultants are often unschooled in ethics.

This lack of ethics education could lead to unethical behavior by IT guys, but I doubt it. If they are unethical, they will snoop on company emails and may install key loggers to tap into client secrets (whether personal or corporate) and if they are ethical, they may be exposed to secrets in their work, but will respect the boundaries of ethics and not abuse their knowledge or access.

I noted in an earlier post last week that insiders at Google would have access to vast stores of data about those of us that use multiple Google company services for ourselves and our clients. I hope that the big G has ethics courses and policies internally to keep the employees from exploiting the huge databases of customer information. Outsourcing is less likely at a technology company, but it is still possible that vendors and partners could have access to Google customer data and unethical people are, unfortunately, everywhere.

I agree that ethics should be taught to IT pros-in-training, but don't think it will lead to changing the human nature of those who might exploit their access privileges and rout databases for sensitive information to sell, or otherwise abuse. Ethics can be taught, but adoption of ethical standards will depend on whether the IT personnel choose good or evil. Will they respect the privacy of employees at companies where they work?

We can only hope those doing the hiring of IT pros don't hire those with questionable ethics and somehow screen out the bad guys. Our privacy and security are at stake and in the hands of IT professionals that we must trust. Large scale data breaches have proven how tenuous that trust is.

posted by RealitySEO at 11:33 AM 0 comments

State Of Surveillance - Big Brother Technology & Privacy


The State Of Surveillance is a BusinessWeek Cover Story discussing the technology of surveillance, including biometrics, video surveillance, gait recognition systems, RFID (Radio Frequency Identification) systems, database merging and monitoring through data aggregation providers, software defined radio snooping over cell phones and wireless networks, nanotechnology for air analyzers to monitor public spaces and other fascinating technologies - all meant for snooping, monitoring and tracking the public.

The overview of the available surveillance technology is fascinating, but the implications of the big brother uses of that technology are disturbing. One would think that all the whiz-bang goodies available to spies would only be used to monitor and stop criminals and terrorists, but the technological wonders are NOT just pointing, sniffing and analyzing evil doers, they are prodding into all of our lives.

Most surveillance goodies are so far useful only after the fact. There is discussion over how the London bombing investigation tracked terrorists by analyzing footage of surveillance cameras and tracked down known associates and traced their movements in recorded footage. AFTER the fact, and leading to few clues, but it is noted that a FAILED bombing attempt allowed the same tracking and tracing and arrests in many cases of terrorists involved in that attempted attack. So we see that if an attack FAILS, then surveillance tracking and monitoring can be successfully used to find and arrest bad guys.

Let us hope for far more failures and bungled attempts.

posted by RealitySEO at 10:36 AM 0 comments

Tuesday, August 02, 2005

ID protection plans are flawed for fraud


ID theft is a major consumer concern, though there is apparently much confusion about proactive protection initiatives and apparently safe and unsafe spending behaviour. For example, many consumers remain reluctant about shopping online, but they may still give out personal details over the phone in a cold call, or they may have redundant or dormant accounts and financial products which are susceptible to fraud.

If reducing fraud vulnerability wasn’t sufficiently difficult already, consumers are now being offered anti-ID theft services and ID protection insurance by banks, insurance companies and credit reference agencies. There is also considerable debate around such policies however, as they do not offer full financial compensation. In The Observer last week, Richard Brown, Chief Executive of consumer finance site moneynet http://www.moneynet.co.uk stated that:

“Few, if any, of them appear to offer insurance protection against actual financial loss in the event that a credit company, for example, refuses to cover the loss – and this is what consumers really need. While ID protection services may have a degree of value, they shouldn’t be used as a reason to take an otherwise uncompetitive product.”

Brown continued that consumers could actually take out simple, cost effective measures against ID theft such as buying a shredder and checking credit reports regularly. The National Consumer Council http://www.ncc.org.uk/ takes a similar approach, advising consumers to avoid becoming a victim of credit card and identity fraud by:

* Not giving personal information away too easily

* When passing details over the phone, do ensure it’s to a legitimate business. Ask friends and family for recommendations

* Shred all documents with sensitive personal data

* Choose your bank security details carefully and avoid obvious passwords

* Avoid carrying around details of your address with your credit cards

* Close any accounts you no longer need

* Check your credit file at the credit reference agencies on an annual basis

Callcredit states warning signs of identity theft and identity fraud could include:

* Bank or credit card statements start disappearing or fail to appear in the first place

* Some of your mail goes missing

* Items on your credit card bill which you did not purchase

* A debt collection agency contacts you about goods you did not order or even an account you did not open

* You receive phone calls for accounts you know nothing about

* Royal Mail writes to your address about a mail redirection order you did not request

However, by just incorporating some of the measures above and keeping a regular check on your finances (e.g. don’t activate that second credit card and then put it in a box for a year!), a great deal of financial protection is already set in place and you don’t have to pay a penny.

Examples of standard protection within English law encompass:

* Protection from forged signatures on cheques

* Protection from forged signatures in documents which enforce an action (the prosecution has to prove that you made the signature, rather than you prove that you didn’t)

If your credit card is stolen (or lost), you should be fully protected providing you report the missing credit card within 24 hours of the loss or theft.

If you have never had your credit record checked why not give it a go?

* Callcredit offers a service from http://www.mycallcredit.com/home.asp starting from £7.50

* Experian offers a service from https://www.creditexpert.co.uk/ with a membership fee of £49.99

* Equifax provides a credit report for £9.95 from https://www.econsumer.equifax.co.uk/


posted by RealitySEO at 6:34 PM 0 comments

Phishing for ATM/Debit Card Pins - Financial Privacy


ATM/Debit Card Fraud, Phishing for Card Numbers and PINs: The link here leads to a press release distributed by Gartner Financial Service Technology Summit - for banking professionals, to be held in New York, August 29-31. But the information here points out the prominence of Phishing attacks and how they lead to real world crime. Accessing bank ATM machines with fraudulently gathered information and targeting specific banks and specific ATM machines with lower than normal security precautions - is a newer exploit attacking financial privacy.

posted by RealitySEO at 11:16 AM 0 comments

Monday, August 01, 2005

RFID Journal - RFID Opponent to Publish Book



"Aug. 1, 2005 - Katherine Albrecht, founder of Consumers Against Supermarket Privacy Invasion and Numbering (CASPIAN) and a vocal opponent of RFID technologies, has written a book entitled Spychips: How Major Corporations and Government Plan to Track Your Every Move with RFID. This title is slated to be published by Nelson Current, a division of Thomas Nelson Publishers."


posted by RealitySEO at 2:04 PM 0 comments