Tuesday, July 13, 2004

SEC: SANS PrivacyBits Volume 2, No. 28


SANS PrivacyBits July 13, 2004 Vol. 2, Num. 28


-- U.S.A.: DNA Databases Need Privacy Protection
-- U.S.A.: Private Calif. Info Erroneously Sent to Swedish Firm
-- U.S.A.: California Website Law Has Far Reaching Ramifications


-- U.S.A.: U.S.A. Patriot Act Stays as It Is
-- Phishing Predicted to Double by 2005
-- U.S.A.: Nevada Rates #2 for Identity Theft
-- U.S.A.: Gateway Settles Privacy Case with FTC
-- UN Wants Joint Cooperation to End Spam
-- U.S.A.: VoIP Vulnerable to Caller ID Manipulation
-- Canada: BCGEU Protests Privatization of Welfare & Loss of Privacy Protection
-- Norway: ID Theft Victim Gets Divorce Papers Before She Marries
-- Australia: Trade Agreement and Telecom / IT Agreement Signed
-- U.K.: Blunkett to Call for EU-wide DNA Database
-- U.K.: Public to Get Access to Individual Insolvency Register
-- New Zealand: InternetNZ Responds to Proposed Anti-Spam Bill
-- U.K.: CMA Calls for Fix for Past Spam Legislation
-- Netherlands: 419 Scammers May Have Used Stolen UPC Cable-Modems
-- Switzerland: Data Protection Commission Report Warns of Privacy Threats
-- U.S.A.: Michigan to Get Child Porn Law
-- U.S.A.: Ex-FBI Agent Pleads Guilty to Illegally Accessing Gov't Computers


-- Protecting Your Children's Personal Information


-- Checking of Foreign Visitors Flawed
-- Will Store Tags Tag You?
-- Why the U.S. Can't Be Trusted With Our Personal Data


-- Shortlist for Nasty Privacy Invaders Oscars Announced


-- DOE Amends Personnel Assurance Program Records
-- Air Force Alters Student Records
-- DoD to Create Visual Information Management System

******************* Sponsored by SANS SCHOOL STORE ********************

Check out our School Store for recently released books on Business Law,
Solaris Securing Solaris, Computer Security Incident Handling and
exclusive books and merchandise. Also, check out our section on
recommended books written by SANS faculty, PDF samples on our
Step-By-Step Guides, and current specials on Oracle Security, 7-Pack
Guides, and T-shirts. For more information go to

This Week's Featured Security Training Program:

SANS' largest Fall conference will be in Las Vegas this year

September 28 to October 6

with seventeen immersion tracks taught by SANS' best teachers, and
special one day technology update programs and a big vendor expo.



-- U.S.A.: DNA Databases Need Privacy Protection
(08 July 2004)
According to Dr. Russ B. Altman, a professor of genetics and medicine
at Stanford University, the number of genetic databases is continually
increasing. He asserts, "Now is the time for society to think about
privacy issues and come up with answers." There are currently hundreds
of thousands of people in genetic databases whose data can be
accessed by a "determined knowledgeable person." In addition, Altman
notes Stanford has tried to keep their database of about 5,000
confidential but found that "everything we tried ruined it for
research." He suggests the solution would be to set strict limits on
who can create genetic databases and to establish systems that would
limit access to those databases.
[Editor's Note (Murray): The issue that we need to debate is existence
and use, not access.]

-- U.S.A.: Private Calif. Info Erroneously Sent to Swedish Firm
(07 July 2004)
An investigation is underway to determine how hundreds of internal
e-mails containing private employee data were sent out erroneously to a
Swedish firm for the last two years. Robert Carlesten, managing
director of Sweden-based internet company Ord&Bild, contacted magazine
Computerworld asserting he has been receiving e-mails at his internet.ac
domain containing personal information including names, employee
numbers, attachments relating to the payroll files for Contra Costa
County, California's Superior Court for the last two years. Attempts
to contact the senders were not answered. Tom Whittington, CIO of
Contra Costa County, admits the county was not aware of the problem
until being notified by Computerworld.
[Editor's Note (Triulzi): A long long time ago (as in early 90's)
someone had registered a lot of names of systems in Imperial College's
Computer Centre (domain cc.ic.ac.uk) under the .cc domain. This might
sound stupid but in Imperial you could always reach a box using name.cc
if the resolver was setup correctly but if it wasn't... you'd end up
straight on the rogue systems (actually: one box, many aliases). Why?
Well, speculation is rife but of course you could always alter the login
program and harvest logins and accounts.]

-- U.S.A.: California Website Law Has Far Reaching Ramifications
(06 July 2004)
Under a new California law, the On-line Privacy Protection Act (OPPA)
of 2003, effective July 1, 2004, California companies operating a
commercial Web site are required to post a conspicuously placed privacy
policy on their website, disclose the kinds of personal data that they
collect and share with third parties clearly marked in their privacy
statements, abide by their policies, inform consumers of processes to
opt out of data sharing and publish the date the policy goes into effect.
After a 30-day notification period, sites violating any of these
provisions will be subject to civil lawsuits. Noting that the Web
effectively has no borders thereby holding any company doing business
with a Californian accountable for compliance, Carolyn Hodge director
of marketing for Truste, which operates an online privacy certification
program, asserts, "There are a lot of companies, period, that are
dealing with California citizens that are not in compliance."
[Editor's Note (Murray): It is one thing for California to pass laws
governing enterprises domiciled in California. It would be quite
another for them to attempt to regulate every business, wherever
domiciled, with whom a California resident elects to do business.]

*************************** SPONSORED LINKS ***************************
Privacy notice: These links may redirect to non-SANS web pages.

(1) Are you concerned about or tasked with HIPAA security implementation?
Get guidance from

(2) Are you surfing bugged web pages?
Find out:

(3) Do you worry about the security of your Oracle backend database?
Check out:



-- U.S.A.: USA PATRIOT Act Stays as It Is
(10 July 2004)
Efforts to block the part of the Uniting and Strengthening America by
Providing Appropriate Tools Required to Intercept and Obstruct Terrorism
(USA PATRIOT) Act of 2001 that allows authorities to obtain special
court orders requiring book dealers, libraries and others to surrender
records of purchases and visits on library computers were defeated in
the Republican-led House of Representatives in a 210-210 vote. While
there have been bills introduced to block portions of the Act, Congress
has never passed any of them. President Bush had threatened to veto the
bill if passed.

-- Phishing Predicted to Double by 2005
(08 July 2004)
A new study, "E-mail Anti-Phishing and Anti-Fraud Market Trends
2004-2008", by The Radicati Group, a technology market research firm,
predicts that the number of unique phishing scams will increase from 51
per month to 110 per month by 2005; this will result in a significant
amount of money being spent on e-mail anti-phishing and anti-fraud
solutions. According to Jonathan Penn, principal analyst for identity
and security at Forrester Research, "As it [phishing] grows it affects
more and more [consumers] by eroding their confidence in both e-commerce
transactions as well as the companies." Janice Yee, author of this
study, recommends organizations monitor domain name registrations,
provide written instructions for accessing specific pages instead of
sending emails with links, and institute policies to let customers know
what kind of e-mail they can expect to receive. Yee maintains that
increased consumer education is the solution to controlling phishing.
[Editor's Note (Murray): There is a minimum threshold of public trust
and confidence necessary to the success and value of the internet. The
increasing level of fraudulent traffic puts that trust and confidence
in jeopardy. Once broken, it will take generations to repair.]

-- U.S.A.: Nevada Rates #2 for Identity Theft
(08 July 2004)
According to the Federal Trade Commission, the state of Nevada makes up
a large portion of the half-a-million people filing identity theft
complaints last year; more than 2,500 Nevadans filed identity theft
complaints. According to the statistics 30 percent were victims of
credit card fraud, 26 percent telephone or utilities fraud, and 20
percent were bank fraud.

-- U.S.A.: Gateway Settles Privacy Case with FTC
(07 July 2004)
A settlement was reached in a privacy case by the Federal Trade
Commission (FTC) against Gateway Learning Corporation, known for its
"Hooked on Phonics" products. The FTC charged that Gateway Learning
altered its privacy policy to allow the sharing of information with
third parties without notifying and receiving consent from consumers.
Gateway Learning, according to the FTC, subsequently rented its customer
list, which included the address and names and age range of the children
of its customers, to direct marketers. It was alleged that Gateway
Learning failed to remove the names of those who had opted in under the
previous privacy policy. Howard Beales, director of the FTC's Bureau
of Consumer Protection maintains, "It's simple if you collect
information and promise not to share, you can't share unless the
consumer agrees. You can change the rules but not after the game has
been played."

-- UN Wants Joint Cooperation to End Spam
(07 July 2004)
The International Telecommunications Union (ITU), a United Nations agency
based in Geneva, Switzerland, hosted a meeting for industry regulators
from approximately sixty countries to discuss standardizing legislation
around the world in order to make it easier to prosecute spammers.
According to Robert Horton, acting chief of the Australian
Communications Authority, "(We have) an epidemic on our hands that we
need to learn how to control. International cooperation is the ultimate
goal." The ITU states that legislation from the United States, Europe,
Australia and South Korea will be suggested as models for other
countries to base new laws on.

-- U.S.A.: VoIP Vulnerable to Caller ID Manipulation
(07 July 2004)
People have used Caller ID blocking to maintain their privacy, but with
the introduction of Voice over Internet Protocol (VoIP) that privacy can
not be guaranteed. Hackers have discovered that by manipulating quirks
in VoIP they can spoof Caller ID and reveal blocked numbers. Land and
cellular phone services in the U.S. are strictly regulated by the
Federal Communications Commission (FCC), which determines how telephone
carriers must handle Calling Party Numbers (CPNs), Caller ID and
blocking; some financial institutions and businesses were often allowed
by the FCC to unblock numbers by paying a high fee. However, VoIP
networks, which are currently not under the control of the FCC, allow
ordinary netcitizens to manipulate the systems to unblock blocked
numbers. A hacker who successfully demonstrated his ability to unblock
numbers sent over a VoIP connection, is scheduled to give a talk on this
subject at the DefCon hacker convention later this month.
[Editor's Note (Murray): This is IP telephony, not simply VoIP. In IP
telephony our expectation about how the system will behave is the same
as we already have from POTS (plain old telephone service.)
(Triulzi): Caller ID "manipulation" is an interesting concept... In
Europe the ID returned can be rather creative. For example a large
Italian multinational uses BT Concert to make international calls so on
UK mobiles their calls appear to be from a London number (and calling
it gets you a Concert calling card message). Another example is
occasional calls from the US which present themselves as "001" which is
sort of correct except for the lack of detail. There are many more
without forgetting to mention the "anonymous" ID which can mean a number
of things: caller ID withheld, no caller ID exchange between networks,
network failures, etc. It would make a pretty amazing change for caller
ID to suddenly start working reliably with VoIP which would then make
it meaningful to manipulate.]

-- Canada: BCGEU Protests Privatization of Welfare & Loss of Privacy Protection
(07 July 2004)
George Heyman, president of the British Columbia Government and Services
Employees' Union (BCGEU), wrote a letter to British Columbia's Privacy
Commissioner David Loukidelis, asking for an investigation of the
government's plan to privatize the delivery of welfare in rural areas
under Section 42 of the Freedom of Information and Protection of Privacy
Act. In his letter he wrote, "the services [in the government proposal]
... require the submission of very personal information. The Ministry
of Human Resources ... is not protecting the personal information from
such risks as unauthorized access, collection, use, disclosure and
disposal. The Invitation to Quote (ITQ) therefore violates the Section
30 requirements that the Ministry must protect this personal
[Editor's Note (Murray): Governmental services of all kinds are
routinely delivered in sparsely populated parts of Canada by private
contractors. Modern systems have greatly increased the quality of that
service delivery while reducing some of the necessity for it. I would
have a great deal more sympathy for this complaint if it came from a more
disinterested party.]

-- Norway: ID Theft Victim Gets Divorce Papers Before She Marries
(06 July 2004)
A 22-year old Norwegian woman was surprised when she recently received
a notice of divorce in her mail; she never was married. A victim of
identity theft, her ID was used during a wedding of a Pakistani man last
year conducted at the Islamic Cultural Centre in Oslo. However, the
Cultural Centre maintains it carefully checks all credentials before
performing a marriage; they did not marry the wrong people. According
to the police, the man has several aliases and will probably never be
[Editor's Note (Murray): As our society becomes more and more mobile and
congregations more dynamic, the potential for this very serious kind of
fraud will increase. It demonstrates the necessity for roles of both
the church and the state in marriage.]

-- Australia: Trade Agreement and Telecom / IT Agreement Signed
(06 July 2004)
Australia's Prime Minister John Howard and Thai Prime Minister Thaksin
Shinawatra signed a Free Trade Agreement between the two nations which
contains an agreement to open up the IT and telecommunications sectors. At the
same time, Australian Communications Minister Daryl Williams and his
Thai counterpart Surapong Suebwonglee were signing a joint
telecommunications and information technology agreement aimed at
targeting spam. Mr. Williams states, "I welcome the opportunity it
provides for our two countries to share information about anti-spam
strategies and policies."

-- U.K.: Blunkett to Call for EU-wide DNA Database
(06 July 2004)
U.K. Home Secretary David Blunkett is hosting a two-day informal summit
for the "Group of Five" ("G5") nations of France, Germany, Italy and
Spain in his Sheffield constituency to discuss increasing cross-border
cooperation. Reports indicate that Blunkett will be calling for the
creation of an EU-wide DNA database of criminals and terror suspects to
aid the government's war on terror. Prior to the summit, Blunkett told
the Press Association, "Cooperation between European member states is a
powerful tool in the fight against terrorism and organized crime."
[Editor's Note (Murray): Nation states often attempt to accomplish by
treaty what they cannot do politically or constitutionally. The citizen
usually comes out on the short end of such arrangements.]

-- U.K.: Public to Get Access to Individual Insolvency Register
(06 July 2004)
The U.K. Insolvency Services has launched an online version of its
Individual Insolvency Register (IIR), offering instant access to
information about bankrupts 24 hours a day, seven days a week. The
register will contain information on whether a person is an undischarged
bankrupt, the subject of a bankruptcy restriction order, or party to an
individual voluntary arrangement. Desmond Flynn, chief executive of the
Insolvency Service, notes that members of the public will be able to use
the IIR to make informed decisions such as whether or not a person would
make a good business partner.
[Editor's Note (Murray): Such notices used to be a routine source of
revenue or copy for newspapers. It should not surprise anyone that in
the modern world such information would be on-line.]

-- New Zealand: InternetNZ Responds to Proposed Anti-Spam Bill
(05 July 2004)
InternetNZ, New Zealand's non-profit Internet Society, has responded to
Associate IT Minister David Cunliffe's signal that he intends to introduce
an anti-spam bill into parliament this year by making a series of
recommendations including that sending an e-mail of a "commercial or
promotional" nature without the consent of the recipient be made a civil
offence, responsibility for policing the spam law be given to either the
Internal Affairs Department or the Commerce Commission and internet
service providers be given the right to bring action under the law.
Cunliffe is expected to present a plan for the anti-spam bill for
consideration by the Cabinet by next month.
[Editor's Note (Murray): While unsolicited commercial e-mail is a
nuisance, it is only a small part of all spam. While commercial
enterprises can be expected to comply with the law, most spammers
cannot. Paper junk mail exists in part because it is subsidized by
first class mail. Spam exists in large part because the sender is
subsidized by the receiver. As long as this inequity persists, it is
likely that spam will persist.]

-- U.K.: CMA Calls for Fix for Past Spam Legislation
(05 July 2004)
The Communications Management Association (CMA), during a debate into
Broadband Britain at the Enterprise Networks show in London, stated new
laws are needed to fight the threats to Britain's Internet-enabled
companies and consumers. The CMA also noted that these new laws would
help correct the mistakes made by the government in its previous
attempts to combat spam. According to Carolyn Kimber, CMA chair, "We
want to see the Computer Misuse Act and the privacy and electronic
communications legislation combined into a single effective piece of

-- Netherlands: 419 Scammers May Have Used Stolen UPC Cable-Modems
(05 July 2004)
Norbert Spekking, security officer for the Dutch cable operator UPC,
admitted at the trial of the fifty-two Nigerians arrested earlier this
year in Amsterdam for running so-called 419 scams that someone in the
company may have provided the cable modems used in the scams. UPC does
not tolerate spammers; last year its Internet subsidiary Chello cut off
dozens of subscribers sending 419 e-mails. Due to the fact that the
Nigerians were not registered users, it took longer to shut them down.
Since the Nigerians' arrests, almost no 419 scams have been sent through
UPC's network.
Related Article: Amsterdam: Home Of the 419 Lottery Scam
Related Article: Dutch Police Arrest 52 Email Scammers
[Editor's Note (Murray): In order to deal with the spam and phishing
problems, edge connector ISPs must reliably identify and authenticate
their customers and users. Their motive for doing it will be to ensure
that users are paying customers.]

-- Switzerland: Data Protection Commission Report Warns of Privacy Threats
(05 July 2004)
The head of Switzerland's data protection commission Hanspeter Thur,
speaking at the launch of the commission's annual report asserted that
anti-terrorism measures and more e-government are undermining personal
privacy. He condemned the U.S. for its new border control requirements
in which incoming airlines must hand over sensitive passenger data
including information about religion and credit card numbers, calling the
new measures inappropriate and not useful. His main concern was that
personal data stored on a database could be abused. The commission's
annual report noted that the United States' data protection law was not
comparable to the one in Switzerland. He also criticized the government
of Switzerland's e-governance drive, claiming that recent technological
developments could result in conditions described by George Orwell in
his book, "1984."
[Editor's Note (Murray): Law enforcement advocates have a much louder
and more convincing voice in the policy formulation than the privacy
advocates. That said, if all of Mr. Thur's colleagues were speaking
out, the policy would be more moderate.
(Triulzi): Switzerland is normally rather restrained on these matters,
especially as it is widely noted for being fanatically precise with
personal detail verification (e.g. getting a CHF32/$25 dollar season
pass for the swimming pool requires me to show my residence permit and
passport at the local town hall) so for the data protection commissioner
to speak out against CAPPS there must really be something wrong (not
that this hadn't been noted before)]

-- U.S.A.: Michigan to Get Child Porn Law
(04 July 2004)
Michigan will become the second state to make sending adult spam to
children illegal when Governor Jennifer Granholm signs a bill that
allows parents to declare their kids' e-mail addresses off-limits to
certain types of spam such as pornography. The law will create a
state-run registry of e-mail addresses for children submitted by parents
which can not be used to market anything that children can not legally
purchase. According to the bill's sponsor, Senator Mike Bishop,
(R-Rochester Hills), "The Internet is such an unknown frontier, it very
much intimidates parents looking to protect kids. There's so much filth
and garbage that comes right at them."

-- U.S.A.: Ex-FBI Agent Pleads Guilty to Illegally Accessing Gov't Computers
(02 July 2004)
A retired Federal Bureau of Investigation agent pleaded guilty to a
federal misdemeanor charge admitting he illegally conspired to access
personal information from government computers; he never disclosed why
he wanted the information. He will be sentenced October 4, 2004.


-- Protecting Your Children's Personal Information
Learn what kind of information list brokers have for sale and what you
can do to protect your children from direct marketing.


-- Checking of Foreign Visitors Flawed
By Joan Friedland and Michele Waslin
The authors discuss the U.S. Department of Homeland Security's U.S. Visitor
and Immigrant Status Indicator Technology (US-VISIT) program and the
various flaws in the program.

-- Will Store Tags Tag You?
By Arik Hesseldahl
According to Hesseldahl, wherever the acronym RFID (radio frequency
identification) is used in any context, the word privacy is not far
behind. His opinion piece looks at the various privacy issues
surrounding RFID.
Related Article: Buy With A Wave Of A Phone
Related Article: Master Of The RFID Universe

-- Why the U.S. Can't Be Trusted With Our Personal Data
This opinion piece looks at the European point of view regarding the
U.S. demand for personal data of Europeans entering the U.S.


-- Shortlist for Nasty Privacy Invaders "Oscars" Announced
Privacy International has announced the shortlist for awards for nasty
privacy invaders; awards areas include: Worst Public Servant, Most
Invasive Company, Most Appalling Project, Most Heinous Government
Organization and Lifetime Menace Award. Among the nominees are British
Gas (Most Invasive Company) for blaming the Data Protection Act when an
elderly couple died when British Gas disconnected their gas and the Safe
Harbour Agreement (Most Appalling Project) governing the transmission
of data between European Union nations. While the awards are given to
U.K. nominees, the U.S. was also mentioned. The awards ceremony will
be held July 28, 2004 at the London School of Economics.


-- DOE Amends Personnel Assurance Program Records
The Department of Energy (DOE) is amending its Personnel Assurance
Program Records system and identifies the new authority for collecting
and maintaining the information.
Comments due: 22 August 2004.
Effective: 23 August 2004.

-- Air Force Alters Student Records
The Department of Defense's Department of the Air Force is renaming
its Student Records system and expanding the category of individuals
covered to include "foreign military personnel, civilians, faculty and
staff," and expands the categories of records maintained to include
"aero rating, flying status, and equipment issue."
Comments due: 08 August 2004.
Effective: 09 August 2004.

-- DoD to Create Visual Information Management System
The Office of the Secretary of the Department of Defense is providing
notice of the addition of the Visual Information Management System
(VIMS), which will track individuals who use the VIMS Internet site to
order multimedia products, to its Inventory of Record
Systems Subject to the Privacy Act of 1974.
Comments due: 08 August 2004.
Effective: 09 August 2004.


PrivacyBits Editorial Board:
Jim Dempsey, Aminah Grefer, Roland Grefer, Mark Hofman, William Hugh
Murray, Stephen Northcutt, Arrigo Triulzi

If you would like to provide public feedback regarding this issue of the
eNewsletter, you can do so at the PrivacyBits Feedback Forum

To discuss related topics and legislation, or contribute tutorials or
comments, you can enter the PrivacyBits Forum at

Participation in the SANS forums requires free registration. Go to
http://forum.sans.org/cgi-bin/discus/board-profile.cgi to register a
forum account or to update your current forum account.

If you prefer to submit your comments in private, have additional
news items or other information you would like to share with us,
please send an email to PrivacyBits@sans.org.

Please feel free to share this with interested parties via email,
but no posting is allowed on web sites. For a free subscription,
(and for free posters) or to update a current subscription, visit

An archive of past issues of the PrivacyBits newsletter
is available at http://www.sans.org/newsletters/privacybits

The PrivacyBits newsletter is also available as an RSS feed at
