Computers & Security

Editor-in-Chief: Dr Eugene Schultz, CISSP, Chief Technology Officer, High Tower Software, 26970 Aliso Viejo Pathway, Aliso Viejo, CA 92656, USA. Email: [email protected]

Academic Editor: Prof. Eugene Spafford, Professor and Director, Purdue University CERIAS, Department of Computer Science, 1398 Computer Science Building, Purdue University, West Lafayette, IN 47907-1398, USA. Email: [email protected]

IFIP TC-11 Editor: Prof. Dr Dimitris Gritzalis, Dept. of Informatics, Athens University of Economics and Business, 76 Patission Street, Athens GR-104 34, Greece. Email: [email protected]

Editorial Board:
August Bequai, Attorney At Law, McLean, Va. Email: [email protected]
Professor William J (Bill) Caelli, Head, School of Software Engineering and Data Communications, Queensland University of Technology. Email: [email protected]
Prof. Zhenfu Cao, Department of Computer Science and Engineering, Shanghai Jiao Tong University. Email: [email protected]
Dr Richard Ford, Associate Professor, Florida Institute of Technology. Email: rford@fit.edu
Sarah Gordon, Senior Research Fellow, Symantec Security Response. Email: [email protected]
Stephen Hinde, Group Information Protection Manager, BUPA. Email: [email protected]
David Lacey, David Lacey Consulting Ltd. Email: [email protected]
Charles Pfleeger, Pfleeger Consulting Group. Email: chuck@pfleeger.com
Marcus K. Rogers, Purdue University. Email: [email protected]

Publisher: David Clark. Marketing: Ursula Culligan.
Published 8 issues per year. Orders, claims, and journal enquiries: contact the Elsevier Customer Service Department at the regional sales office nearest you (Orlando, Amsterdam, Tokyo, or Singapore).
© 2007 Elsevier Ltd. www.elsevier.com/locate/cose

Volume 26, Number 2, March 2007

Contents
Windows Vista: Microsoft's brave new world. E. E. Schultz, 99
Security views, 100
Advanced user authentication for mobile devices. N. L. Clarke and S. M. Furnell, 109
Clustering subjects in a credential-based access control framework. K. Stoupa and A. Vakali, 120
Privacy-preserving programming using sython. M. Gaiman, R. Simha and B. Narahari, 130
Probabilistic analysis of an algorithm to compute TCP packet round-trip time for intrusion detection. J. Yang and S.-H. S. Huang, 137
A study on decision consolidation methods using analytic models for security systems. S. Kim and H. J. Lee, 145
A framework for behavior-based detection of user substitution in a mobile context. O. Mazhelis and S. Puuronen, 154
Information security in networkable Windows-based operating system devices: Challenges and solutions. I. Oshri, J. Kotlarsky and C. Hirsch, 177
Investigative response: After the breach. C. J. Novak, 183

computers & security 26 (2007) 99

From the Editor-in-Chief
Windows Vista: Microsoft's brave new world

By the time this editorial appears, Microsoft will have just released Windows Vista, its new client operating system. Every newly released Microsoft product includes numerous new features designed to entice users into buying the product. Many such new features are designed to bolster security; the features in Windows Vista are no exception. Some features are designed to help prevent malware infections, others will help to protect against data security breaches, others will reduce the likelihood that users will succumb to phishing attacks, and still others will help in countering risks due to users running Vista with Administrator-level privileges. The security-related changes in Vista's version of Internet Explorer 7 are particularly impressive. Vista promises to be the best operating system Microsoft has developed from a security perspective. Microsoft has truly come a long, long way when it comes to integrating security functionality into its operating systems.

Vista's release also raises several very interesting issues, the first of which is the need for user intervention at critical points during which the risk of a malware infection or unauthorized change to the system escalates. One of many examples in Vista's version of Internet Explorer 7 concerns when a Web site attempts to use browser extensions to install new software. Vista's Internet Explorer 7 does not automatically allow this to occur; by default, users must decide whether or not to allow the software to be installed. Like anything else in the security arena, this function has an associated cost in that it requires user intervention. The tradeoff between the cost (the need for user intervention) and the benefit (a much lower probability of a malware infection) is on the surface trivial to analyze. The fact that there are so many steps in user interaction sequences in which user intervention of this nature is by default required inflates the cost factor considerably, however. Another concern is that users may not know enough to make good decisions concerning whether or not to allow something such as a download that may have dire security consequences to occur; they may, in fact, soon simply allow every potentially dangerous operation to occur without thinking anymore. Still, it is better to offer users a choice than to offer no choice at all.

One of the real downsides to Vista has little to do with security per se. The End User License Agreement (EULA) that comes with this operating system in essence states that Microsoft alone owns the operating system (the user has only paid to use it) and that Microsoft can at any time and for any reason whatsoever revoke the user's use of its operating system. A feature in Vista "phones home" to a Microsoft server or a special key management server to activate Vista. This feature provides Microsoft with a considerable amount of information about the system in which Vista is installed. Users who are suspected of having illegal versions of Vista may have their usage revoked. Additionally, Digital Rights Management (DRM) functionality that can substantially degrade the quality of audio and video is built into Vista.

It is safe to predict that this EULA and Vista's information-gathering functionality will be strongly challenged in court. Perhaps in time Microsoft will be compelled to back down concerning its claimed right to revoke, for any reason, the user's right to use Vista and to gather so much information about each system. What is worse in my mind, however, is the possibility that Microsoft's new licensing and enforcement schemes will encourage other software vendors to follow suit, leaving a large portion of the user community at the mercy of vendors who have become too avid in their fight against piracy.

Microsoft has in effect created a "brave new world" with its new EULA and other provisions. I wonder whether organizations and individuals will overlook what Microsoft has done and buy Vista anyway, or whether there will be such a negative reaction that Vista sales will fall far below expectations. Former US Attorney General Robert F. Kennedy once said "May you live in interesting times." One thing is for sure: times are certainly getting more interesting for users and potential users of Vista.

Dr. E. Eugene Schultz, CISSP, CISM
High Tower Software, Chief Technology Officer
26970 Aliso Viejo Pathway, Aliso Viejo, California 92656, USA
E-mail address: [email protected]

0167-4048/$ – see front matter © 2007 Elsevier Ltd. All rights reserved.
doi:10.1016/j.cose.2007.02.002

computers & security 26 (2007) 100–108

Security views

1. Malware Update

A personally owned computer infected with a virus appears to have caused information related to military operations in Iraq, Kuwait, and other countries to be distributed over the Internet. Japanese law enforcement confiscated a computer owned by an officer in the Japanese Air Self-Defense Forces believed to be the source of the data compromise. The virus reportedly worked through Winny, a file-sharing program. All information that was compromised in this manner was unclassified.

The Big Yellow worm (called the "Sagevo worm" by Symantec) exploits a bug in Symantec Anti-virus and Symantec Client Security. This worm turns infected computers into bots that belong to a botnet. Although Symantec released a patch for this bug last year, many organizations have still not installed it.

Several new Windows worms that convey season's greetings surfaced recently. Luder (also called "Mixor," "Nuwar," or "Draf") arrives as a message with a subject line such as "Happy New Year" and contains an attachment that appears to be a holiday greeting card. Users who open the attachment infect their computers. Another worm, a variant of the Warezov Trojan horse, spreads itself through an attachment, postcard.zip or postcard.exe, which if opened infects computing systems. Once a machine is infected, it spews messages with infected attachments to other computing systems.

It seems as if increasingly fewer news items regarding malware are showing up in Security Views. The trend thus continues: fewer highly noticeable, widely spread viruses and worms, and more surreptitious and deadly malware. Things are thus by no means "quiet on the Western front" as far as malware goes. This trend should continue into the foreseeable future.

2. Update in the war against cybercrime

Victor Faur of Romania has been arrested on the grounds that he allegedly intruded into more than 150 US government computing systems, including those at the NASA Goddard Space Flight Center, the Jet Propulsion Laboratory, the Department of Energy (DOE), and the US Naval Observatory. Faur's indictment alleges that he led a team that repeatedly attempted to intrude into US government computing systems, that this team hosted IRC chat rooms on the systems that they compromised, and that they went through the systems attempting to find passwords for other systems. The US Attorney's Office has estimated that the break-ins to NASA systems alone resulted in a loss of at least USD 1.4 million. If convicted of the charges against him, Faur could face a maximum prison sentence of 54 years.

A company has settled with the state of Washington concerning allegations that it offered no-cost spyware scanning services, but then without exception found spyware that needed to be eradicated for a charge. Without admitting guilt or wrongdoing, SecureComputer has consented to pay USD 200,000 in civil penalties, USD 75,000 in compensation to consumers, and USD 725,000 in state attorneys' fees and costs.

John Bombard of Florida pleaded guilty to two counts of deliberately gaining access to a protected computing system without authorization. Bombard broke into computer systems at Bucknell University and Columbia University nearly three years ago in a ploy to perpetrate a distributed denial-of-service (DDoS) attack against Akamai Technologies. He may be sentenced to a maximum of two years of imprisonment and may have to pay a fine of up to USD 100,000.

Through a plea bargain Navy Petty Officer Third Class Ariel J. Weinmann received a sentence of 12 years of imprisonment for pilfering a laptop computer and then giving classified information to a foreign government. Without the plea bargain, he faced a sentence of life in prison. Additionally, Weinmann received a dishonorable discharge.

Michael Mraz, Jr., a student at the University of Wisconsin-Whitewater, has been arrested on charges that he gained unauthorized access to four university staff members' computing systems and then installed keystroke loggers to glean sensitive information. He allegedly used his flash drive to install the keystroke loggers. The sensitive information was allegedly collected over a period of nearly two months last year; this information included dialogues regarding student disciplinary cases, answers to an examination, and information about a law enforcement investigation. He faces two felony counts; if convicted of all charges, he will receive a maximum prison sentence of 19 years.

A teenager in New Zealand sentenced to attend a computer training course to remedy anti-social behavior acknowledged that he used what he learned to gain unauthorized access to people's bank accounts and to pilfer almost NZD 45,000. Aggravated robbery, threatening behavior, and kidnapping are among his offenses.
Three individuals, Mirza and Sameena Ali of California and Keith Griffen of Oregon, have been convicted for participating in a ploy in which they bought Microsoft software at the heavily discounted educator's rate and then resold it at much higher prices. As a result, Microsoft was swindled out of more than USD 60 million. The Alis were convicted on 30 counts of conspiracy, wire fraud, money laundering, and mail fraud, whereas Griffen was convicted on nine related counts. Sentencing is imminent; each individual is likely to receive a long prison sentence and a large fine.

Jeremy Hammond of Illinois has received a sentence of two years of imprisonment for pilfering credit card information from a Web site run by a conservative political activist organization. He gained unauthorized access to this site and then downloaded credit card information pertaining to roughly 5000 individuals who had used the site to make purchases or donations. Hammond had originally intended to use the credit card information to make donations to left-wing organizations that the site opposed, but later decided not to. He must also pay fines and restitution totaling USD 5250.

Robert Schofield, a US Department of Homeland Security (DHS) supervisor and employee of US Citizenship and Immigration Services, has been arrested on the grounds that he committed naturalization fraud. He allegedly sold citizenship to hundreds of Asian immigrants over a 10-year period and may have taken in as much as USD 600,000 in bribes. He is accused of working in connection with Qiming Ye, an immigration broker, to create false paperwork for immigrants. Ye has pleaded guilty; Schofield faces a prison sentence of up to 25 years.

Ryan C. Shrouder of Florida has been arrested on charges that he intruded into one of his high school's computing systems and then modified students' grades. Shrouder, a senior and class president at the high school, allegedly used the password of a school board employee to break into the system. He faces suspension and has been recommended for expulsion. Two other students involved in the incident have already been suspended. In a separate but similar case, two New Jersey teenagers, one 18 years old and one younger, also face charges of gaining unauthorized access to a high school computer system and then modifying grades. If convicted, the older of the pair could be sentenced to up to 10 years of imprisonment; the other could get detention until he turns 21. An audit of grade reports and school transcripts led to the discovery of this incident.

Symantec has filed a lawsuit against software distributors SILI, GT Micro, and ANYI and their affiliates, claiming they have been selling illegal copies of Symantec products, including Norton AntiVirus, Norton Internet Security, Norton SystemWorks, Veritas Backup Exec, and pcAnywhere. The lawsuit requests USD 15 million because of copyright infringement, fraud, false advertising, engaging in trademark infringement, and unfair competition. Symantec conducted an investigation that culminated in the confiscation of more than 100,000 disks with pirated software on them.

A UK court made a summary judgment against Paul Martin McDonald, who sold email addresses to be used in connection with spamming ploys. Microsoft sued McDonald on the basis that his selling addresses violated the Privacy and Electronic Communications Regulations. The judge came to the conclusion that the evidence clearly showed that McDonald's company had furnished addresses of individuals who had not agreed to receive direct marketing email and also that it had encouraged those who bought these addresses to send emails to those individuals.

Spanish law enforcement has arrested six individuals who allegedly pilfered financial information pertaining to more than 20,000 individuals. The accused allegedly posted phishing Web pages designed to glean credit card and bank account information that they allegedly used later in unauthorized financial transactions. Law enforcement confiscated more than 500 fraudulent credit cards.

Numerous music labels, including Arista, Capitol, and Warner Bros. as well as the British Phonographic Industry, have sued Russian music Web site Allofmp3.com, which sells complete albums for roughly USD 1 each. Allofmp3.com is, according to the plaintiffs, profiting by selling copyrighted music without having obtained proper permission. Allofmp3.com has countered that it has complied with Russian copyright law because it pays royalties to a Russian licensing group called Roms. The plaintiffs assert, however, that Roms has no authority to collect and allocate royalties.

A US grand jury has indicted Yung-Hsun Lin of New Jersey on charges that he planted a logic bomb in one of his former employer's computing systems. Lin allegedly installed this code because he was afraid that he would be laid off from his job at Medco Health Solutions, which was spinning off from Merck. The code could have impaired more than 70 servers and erased both customer prescription and payroll information, but it was detected before it could trigger. Lin was indicted on two charges of intending to cause fraudulent, unauthorized changes to computer systems. If he is convicted, he could be sentenced to a maximum of 10 years in prison for every count as well as fined USD 250,000.

Garyl Tan Jia Luo of Singapore, who is 17 years old, pleaded guilty to piggybacking on the wireless network of a neighbor. This crime is punishable by a maximum jail sentence of three years and a fine of up to SD 10,000. Because Tan would have a criminal record if he served jail time, the judge in this case is leaning instead towards putting Tan on probation and also having Tan serve in Singapore's obligatory national service earlier than usual. Another Singapore man has been charged with accessing a wireless network and using that connection to post a bomb threat on-line. Lin Zhenghuang of Singapore also faces charges of illegal wireless network piggybacking, but he allegedly went farther than Tan by using his access to make a bomb threat. Lin also faces an additional prison term of up to seven years and a maximum fine of SD 50,000 if he is convicted on the bomb threat charges.

Two unnamed German men have been sentenced to prison for their participation in a ploy to cause PCs to dial premium rate telephone numbers. They both belong to a gang that took in roughly 12 million Euros in a 14-month interval between 2002 and 2003 by installing malicious code that dialed the numbers in more than 100,000 computing systems.

Eric McCarty of California has been sentenced to six months of home detention and two and one half years of probation for gaining unauthorized access to a University of Southern California computer. He broke into the university's on-line application system nearly two years ago, causing it to be off-line for 10 days. His lawyers asserted that he broke into the computer to show how bad its security was. The database on the compromised system stored information pertaining to 275,000 university admission applicants. The detention is part of McCarty's three-year probation; he must also make a restitution payment of almost USD 38,000 to the university. While he is on probation, McCarty will be restricted in his use of Internet-connected devices; only job-related activity will be allowed.

Sohu.com of the People's Republic of China must pay 1.085 million yuan in damages as the result of a court ruling. The company was charged with making movie files available to be downloaded without obtaining permission from the copyright holders. Sohu.com must also publish an admission of guilt and pledge that it will not infringe on copyrights in the future. The Motion Picture Association, the international branch of the Motion Picture Association of America (MPAA), initiated the lawsuit.

A county employee responding to a phishing message and providing information necessary for accessing the bank accounts of Oceana County, Michigan may have been the cause of money being stolen from these accounts. The fact that money was missing from these accounts was discovered last November. The affected accounts were closed, given new numbers, and then reopened two days later. The Oceana county treasurer and clerk are both putting new security procedures in place. The FBI is conducting an investigation. The county staff was cautioned about phishing threats twice last fall.

George Nkansah Owusu of Virginia pleaded guilty to computer fraud and aggravated identity theft in connection with his using computing systems to pilfer personal data pertaining to Virginia Commonwealth University (VCU) students. Owusu has been sentenced to four years of imprisonment. He conceded that he had installed keystroke loggers on student-use computers in the VCU library and in some science labs to obtain student and faculty login information. He also changed his grades and downloaded a female student's photos and email. Finally, he logged in as another student and dropped several of that student's courses.

PRC citizen Luo Zhiguo has admitted in court that he made money by operating an illegal on-line game and charged his customers well below the charge for the genuine version. Luo and two others allegedly duplicated Mir3 and made it permanently accessible for only 300 yuan. Luo said that he did not realize that he was engaging in criminal activity because so many others were making games available in this manner. Ye Weilong, an accomplice, turned himself in to authorities a year ago, but he jumped bail. You Tangcun, another accomplice, was arrested last spring and was sentenced to three years of house arrest. The ploy was discovered when an investigation was launched, triggered by the legitimate operator's complaints that he was losing millions of yuan monthly due to the unauthorized operation of the game.

The US Securities and Exchange Commission (SEC) has filed charges against Evgeny Gashichev, a Russian who owns Grand Logistics SA, for allegedly intruding into people's computing systems and then using their on-line brokerage accounts to pump up stock prices. Gashichev's company may, according to the SEC, have made more than USD 350,000 from the ploy. He allegedly bought stock in roughly 20 companies and then used the compromised brokerage accounts to boost the price of his holdings. Gashichev allegedly then sold the stock at artificially high values. The SEC has successfully initiated an emergency asset freeze against Gashichev's company.

Two Los Angeles transportation engineers face charges that they engaged in illegal activity in connection with a traffic control system. One faces one count of unauthorized access to a computing system and identity theft. The other faces one count of unlawful access to a computing system and four counts of unlawful disruption/denial of computer services. The two allegedly gained unauthorized access to disconnect traffic lights at four busy intersections before a labor union strike last August. No accident resulted, although getting the traffic control system back to normal required days of effort. Both pleaded not guilty to the charges.

A 16-year-old Norwegian youth could be sentenced to jail time of 60 days and a fine of NOK 4000 for allegedly operating a file-sharing site in which songs, movies and videos were distributed for free on the Internet. He allegedly used the Direct Connect P2P file-sharing program. His parents could also be required to pay a hefty fine to compensate the music and movie industries for lost income.

Computer crime continues to manifest itself in a wide variety of ways, everything from gaining unauthorized access to systems to engaging in piracy schemes to causing computer-controlled traffic lights to malfunction. The possibilities are becoming almost limitless. Fortunately, despite having resources that are too often insufficient, law enforcement around the world seems to be doing increasingly better in identifying computer crime and ensuring that those who engage in it are brought to justice. Unfortunately, too many organizations and individuals still leave their systems, networks, applications, and databases unprotected, making committing computer crime much easier than it should be.

3. More compromises of personal and financial information occur

Data security breaches involving personal and financial information show no signs whatsoever of slowing down. Computer theft and loss of computers remain one of the most common types of such compromises, as explained in the following news items:

- Pennsylvania state officials have announced that two computing systems pilfered from a driver's license office have personally identifiable information pertaining to over 11,000 persons. The stolen information includes names, addresses, Social Security numbers (SSNs), driver's license numbers, and birthdates. The thieves also stole equipment and materials needed to fabricate bogus driver's licenses. The State will inform affected individuals via letter.
- A laptop of a member of the West Virginia Army National Guard 130th Airlift Wing has been stolen. This computer contained personal information, including names, SSNs and birthdates, pertaining to members of this unit. Each member of this unit has been notified of the incident, as have the FBI and two military investigative agencies.
- A laptop system pilfered from a Boeing Co. employee's car stored personally identifiable information (home addresses, SSNs, birthdates, and more) pertaining to roughly 382,000 current and prior employees of this company. Boeing is notifying current employees of the incident by email, whereas prior employees will receive letters. This laptop theft is one of 250 such incidents at Boeing during the last year.
- Deaconess Hospital in Indiana has mailed letters to 128 patients to inform them that their personal information (including SSNs) was stored in a laptop system that has been missing since late last year. No evidence exists that the information has been misused. The hospital is now considering improving its security through measures such as encrypting data stored on computers.

Other compromises were the result of unauthorized access to systems, as described below.

- A data security breach at the University of California, Los Angeles (UCLA) has potentially affected 800,000 current and prior students, staff, and faculty as well as applicants for admission and financial aid, and even some parents. The information includes names, addresses, SSNs, and birthdates. UCLA computer security staff detected the incident last November 21 on the basis of a plethora of suspicious database queries. A follow-up investigation showed that attackers had been attempting to gain access to the information since the fall of 2005 and that they were trying to find SSNs. University staff has reconstructed the compromised database and has adopted measures to tighten its security. University staff has begun notifying affected persons; the FBI has also been notified.
- Personal information pertaining to up to 600 St. Vrain Valley, Colorado School District students was put at risk when a laptop system was stolen from the car of a school nurse. The stolen laptop contains no information about students, but it can be used to remotely access such information. The information includes names, parents' names, Medicaid numbers, birthdates, the school each student attends, and the grade level of each student. School district technical staff changed the password of the computer containing this information. The school district has notified students who were potentially affected.
- Nissan has admitted that information in its customer database may have been compromised. Nissan is informing over five million potentially affected customers, and will implement additional security safeguards this year. Among these measures will be physical security monitoring in secure areas and monitoring of database access.

Additional personal data exposure incidents were due to poor protection of personal information on Web sites, as described below:

- The names and SSNs of hundreds of Vermont health care providers were accidentally exposed on a public Web site at which the state of Vermont had posted a request for bids for being Vermont's health insurance administrator. The state acknowledges that the information was available on the site for slightly over a month last year, but an anonymous doctor said that her SSN was still on the site.
- The names, SSNs and other personal information of roughly 15,000 Utah Valley State College (UVSC) students and faculty became accessible by mistake on Yahoo for about six weeks late last year. The information pertains to students and faculty who took part in the college's distance learning program from January 2002 to January 2005. UVSC staff removed the files containing this information from its servers as soon as it learned of this incident, and has been informing everyone who was potentially affected.
- Personal information pertaining to Rocky Rapids, Alberta area residents was accessible on the Alberta Energy and Utilities Board Web site for up to six months. The information, which includes legal land descriptions, telephone numbers, work hours, and times when children would be home by themselves, was collected for emergency planning purposes. Alberta's Office of the Information and Privacy Commissioner is looking into this problem.

A few data compromises involved missing or stolen media:

- Computer tapes taken during a burglary in Massachusetts in all likelihood contain personal information, including names and SSNs, of over 40,000 New York City employees. The burglary occurred at the offices of Concentra Preferred Systems, a vendor that works with Group Health Insurance, Inc. and also provides auditing services for Aetna. Roughly 130,000 Aetna customers across the US were also probably affected by the incident.
- A hard drive that disappeared from a medical office in Somerset, Pennsylvania has presumably been stolen. Because only the hard drive was taken, whoever took it appears to have wanted the information on the device. The medical office provided no information concerning the data that may have been stored on the hard drive.

Other news related to data security breaches includes:

- The US Federal Trade Commission (FTC) has mailed reparation forms to 1400 persons who had financial expenses resulting from the data security breach at ChoicePoint over two years ago. A third of the USD 15 million settlement arrived at early last year has been set aside for compensating affected individuals. The claims had to be postmarked by February 4, 2007 if they were to be considered.
- A perpetrator obtained login information for Arizona-based TransUnion Credit Bureau from a courthouse in Kingman, Arizona and then stole personally identifiable credit data, including SSNs, pertaining to more than 1700 persons. TransUnion is informing affected individuals.
- Customer information pilfered from various Russian banks is being sold on the Internet at a price of 2000–4000 Rubles. This information, however, pertains to customers who have defaulted on loans, something that substantially reduces its prospective attractiveness to potential perpetrators.
- Texas Woman's University (TWU) has mailed letters to roughly 15,000 of its students to inform them that their personal information was compromised when an Internal Revenue Service (IRS) tuition data document was transmitted to a vendor over an unsecured channel. The incident has potentially affected every TWU student who was enrolled at the school in 2005.

News items concerning data security breaches continue to comprise a significant portion of each Security Views column. Negative consequences such as loss of reputation and class action lawsuits resulting from experiencing such incidents continue to occur, but apparently they are insufficient to motivate most organizations into boosting data security. Additionally, with customer and other information stored in so many places, including computers used by third party service providers, the likelihood that perpetrators will be able to find and glean personal and financial information is much higher than the average person might suspect. As I have said so many times before, data protection legislation that requires adequate levels of protection for such data appears to be the only truly viable solution.

4. USD 50 million class action settlement for privacy violation

A US District Court judge has okayed a class action settlement that awards USD 50 million to compensate Florida motorists whose personal information the state sold to Fidelity Federal Bank and Trust over a period of three years for one cent per name. The bank used the information to send brochures that advertised loans to individuals who had recently bought automobiles. Under the terms of the settlement, every affected motorist will get USD 160. Attorneys for the plaintiffs successfully argued that the bank violated the Driver's Privacy Protection Act, which forbids companies from buying records about drivers from states, when it obtained the motorists' names. This law, which allows for a penalty of up to USD 2500 for each violation, was passed to deter criminals' ability to stalk individuals; TV actress Rebecca Schaeffer was murdered after a stalker was able to find where she lived through motor vehicle records.

This whole case is unbelievable. It is difficult to understand how a state government could sell personal data to a bank in the first place. One would think that state officials would have at a minimum realized that there was something improper and unethical about doing so. Furthermore, doing so was against the law. Then, after Fidelity Federal Bank and Trust bought and used the data, this bank has "taken the fall," so to speak, while the state of Florida appears to have come out unscathed. Common sense should dictate that the bulk of the punishment should instead fall on the Florida government officials who broke the law and made this privacy violation possible in the first place.

5. People's Republic of China signs on-line copyright memorandum

The PRC government has signed a memorandum of understanding (MOU) with four US and UK industry associations to boost on-line copyright protection. The associations will provide the PRC with lists of products they deem to need protection and will provide information concerning suspected piracy. The PRC has an estimated 123 million users, a number that is second only to the US. The four associations that signed the MOU include the MPAA, Publishers Association of the UK, Association of American Publishers, and the Business Software Alliance. The percentage of illegal software in the PRC is estimated to be 86%, resulting in an estimated USD 3 billion loss to the software industry in 2005. The MOU also includes provisions for promoting public awareness between the PRC government and the associations as well as cooperative training efforts.

All signs appear to indicate that the PRC is serious about cracking down on piracy of all types: software, music, and movies. The MOU described in this news item will not by any means solve the problem, but it represents another big step forward in doing so. I particularly like the provisions for training and awareness in the MOU. Using law enforcement to crack down on piracy will do some good, but this approach does not go far enough in that there is a huge human dimension to the piracy problem. Training and awareness will thus address the human dimension better.

6. Sony BMG continues out-of-court settlements

Shortly after agreeing on settlements with California and Texas concerning its use of what has widely been regarded as a rootkit to conceal digital rights management (DRM) software, Sony BMG settled a lawsuit with 39 other states (including Pennsylvania, Wisconsin, Oregon, New York, and Michigan) and the District of Columbia (DC). Sony BMG, which is a joint venture between Sony Corporation and Bertelsmann AG, will pay more than USD 4.25 million. Each of the states that initiated the lawsuit will receive USD 316,000, whereas the other states and DC will each receive USD 5000. According to the terms of the settlement, Sony will pay persons who spent money to eradicate the software from their computers up to USD 175 each, the same amount paid in Sony BMG's settlements with California and Texas. Sony BMG has created a Web site that describes the terms of the settlement as well as the procedures for filing a claim.

Sony BMG continues to suffer negative consequences related to its ill-advised Digital Rights Management (DRM) scheme. Most significantly, Sony BMG's public image has taken a big hit; it will take years for this company to recover its loss of reputation. Surprisingly, however, Sony BMG appears to have largely gotten off the hook when it comes to both fines and financial remuneration to those who were adversely affected by its DRM software. Having to pay a fine of USD 4.25 million is trivial for a company such as Sony BMG. The real question, therefore, is whether the consequences that Sony BMG experienced are sufficiently distasteful that they will serve as a deterrent to this company as well as others when they consider implementing future DRM schemes.

7. Judge turns down request for access to e-Voting machine source code

A Florida judge has turned down the request of US Democratic congressional candidate Christine Jennings to have the source code of e-Voting machines used in last November's election in Florida examined by outside experts. The suit brought against Sarasota County voting officials alleges that there were irregularities in the vote counting method. Jennings lost by only 369 votes in the 13th Congressional District election, but

9. Gathering of information about air travelers continues to stir controversy

The US Congress has asked for greater information sharing within government and law enforcement circles.
Concerns morethan18,000voterswhocastballotsinotherdistrictraces about privacy have caused the Office of the Director of Na- hadnovotesrecordedinthecongressionalrace.Roughly4000 tionalIntelligencetofurnishguidelinesforstateagenciesin morevoteswererecordedinSarasotaCounty’sSouthernDis- handingindividuals’data.TheguidelinescallforUSgovern- trictHospitalBoardracethaninthecongressionalrace,forex- mentorganizationstomakesurethatinformationisgathered ample.Jenningsanddistrictvotersfiledthelawsuit.Thebasis legallyandthatsharingthisinformationwithotherorganiza- forthejudge’sdenyingtherequesttoexaminethesourcecode tions is done in a lawful manner. The information may be wasthatthesourcecodewasruledtobeatradesecret.Jen- shared only if it concerns national security, terrorism, or nings has indicated that she will appeal the ruling, saying law enforcement. The guidelines mandatethat each agency thatitisoutrageousthatconcernaboutdefendingacompa- createinternalpoliciesandprocedurestoguaranteethatac- ny’sprofitsoutweighedtheintegrityofthevotingprocess. 
cess to and use of protected information obtained through I find the reasoning behind this ruling (by Judge William the Information Sharing Environment is in accordance with GaryofFlorida’sSecondJudicialCircuit)appalling.Thejudge thereasonthatitwasauthorized.Meanwhile,theUShasan in this case has said that the economic interests of the e- agreementwiththeEuropeanCommissionforairlinestofur- Voting industry outweigh the need for integrity in voting, nish34piecesofinformationtoUSauthoritieseachtimean something that by all appearances demonstrates disregard EUcitizenfliestotheUS.TheUSgovernmentusestheAuto- forthedemocraticprocess.Whatisperhapsevenmoredis- matic Targeting Scheme (ATS), a program that gathers the tressing is that Judge Gary is in all likelihood only one of informationabouttravelers,whetherornottheyareUSciti- many judges in the US who would come to such a decision zens,aswellascargocomingintooroutoftheUS,putsthe inacasesuchasthisone.E-Votingisalreadyverymuchindis- information into a database, and determines the risk or repute;JudgeGary’srulejustaddedfueltothisproverbialfire. threatposedbyaperson.Theairlinedatathataregathered have prompted numerous protests by European privacy advocates. 8. AIB customers to use Special Signature AccordingtoareportbytheUSDepartmentofHomeland Devices Security’s(DHS’s)privacyoffice,SecureFlight,agovernment program that screens domestic air passengers on the basis Irish bank AIB has begun to furnish corporate and business of terrorist watch lists, broke federal law during the time on-linebankingclientsinIrelandandtheUKwithalphanu- this program was being tested. 
By obtaining passenger data meric Digipass 550 transaction signature devices in an at- fromcommercialbrokersin2004withoutinformingpassen- tempttopreventboguslargecashtransactions.Thedevices gers, this program violated a 1974 Privacy Act requirement providecustomerswithone-timepasscodes,hostauthentica- thatthepublicbeinformedofchangesinanyfederalprogram tion, and transaction data signatures to boost security in that infringes upon US citizens’ privacy. Additionally, the banking transactions. When they access their accounts, cli- TransportationSecurityAgency(TSA)stored100millioncom- entswilluseaone-timepasswordcreatedbyDigipass.Trans- mercialpersonalpassengerdatarecordsimproperlyafterthis actionswillbeprotectedusingacombinationoftheaccount agencyannouncedthattherewouldbenodatastorage.The numberandthepaymentbeneficiary’ssortcode.TheDigipass objective is establishing the Secure Flight program by 2008, 550devicewillthenusethisinformationtocreateatransac- butifspecificguidelinesarenotobserved,moreviolationsof tion data signature that users must input for validation by thelawarelikelytooccur.TheUSCongresshashaltedtheSe- Vasco’s Vacman server. Both the Digipass-generated one- cureFlightprogramintheinterimuntilprivacyandsecurity timepasswordandtransactionsignaturewillhelpsafeguard concerns are adequately addressed, although testing may against phishing and man-in-the-middle attacks. AIB is the continue. firstbankanywheretousetheparticulardevicesinquestion. 
I,likeEuropeanprivacyadvocates,amconcernedaboutthe Europeanbanks(andtoalesserdegree,USbanks)aremov- gatheringofinformationaboutindividualsthatisoccurringin ingforwardinprovidingstrongerauthenticationandauthori- theUSinthenameofgreaterairtravelsecurity.Sofarthere- zationinbankingtransactionsinreactiontolevelsofbanking cordoftheUSgovernmentconcerningprotectionofpersonal transactionfraudthataregrowingatanalarmingpace.The informationhasbeensosubparthatthereareseriousdoubts approachthattheAIBbankhaschosenisparticularlyappro- concerningitsabilitytoprotectinformationabouttravelers.I priate in that it uses one-time authentication credentials predictthatitisonlyamatteroftimebeforeaseriousdatase- that greatly reduce security-related risk from sniffing and curitybreachinvolvingthisinformationoccurs.Additionally, man-in-the middle attacks. I would be curious to find out theUSgovernmenthasnotalwaysoperatedwithinthecon- howmuchtheDigipass550devicedeploymentcost.Addition- finesofthelaw.Enoughisenoughditiswellpasttimethat ally,Iwonderwhetherextensiveusertestingwasconducted. theUSgovernmenteitheractmoreresponsiblyinobtaining, Hopefully,theAIBbankconductedthoroughusertestingwith handlingandsafeguardinginformationaboutairtravelersor theDigipass550deviceandfoundthatuserscouldreadilyuse abandon this approachand instead go with other measures thisdevicewithminimumtraining. thatdonotthreatenpersonalprivacyasmuch.
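The one-time-password plus transaction-data-signature scheme described in item 8 above (the AIB Digipass 550 deployment) is easiest to understand as a keyed MAC over the beneficiary details, verified by the bank with a counter that never moves backwards. The following is an added illustration written for this column, not code from AIB, Vasco, or the original article. It mirrors only the structure the item describes: a login OTP, and a signature the token computes over the account number and the beneficiary's sort code that the server validates. The HMAC-SHA1 construction, the per-device secret, the event counter, the five-step look-ahead window and the 8-digit truncation are assumptions for this illustration; Vasco's actual Digipass/Vacman algorithm is not reproduced here.

```python
"""Toy OTP + transaction-data-signature scheme (added example, not AIB's or Vasco's code).

Assumptions for the illustration: shared per-device secret, event counter,
HMAC-SHA1 with HOTP-style dynamic truncation to 8 digits, server look-ahead
window of 5. The real Digipass 550 / Vacman algorithm is not reproduced.
"""
import hashlib
import hmac
import struct
from typing import Tuple

DIGITS = 8          # length of the codes the user types (assumption)
COUNTER_WINDOW = 5  # how far ahead the server searches for the token's counter (assumption)


def _truncate(mac: bytes, digits: int = DIGITS) -> str:
    """HOTP-style (RFC 4226) dynamic truncation: 4 bytes at an offset given by
    the low nibble of the last byte, sign bit masked, reduced mod 10**digits."""
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def _mac(secret: bytes, counter: int, fields: Tuple[str, ...]) -> bytes:
    """HMAC over the 8-byte counter followed by length-prefixed signed fields.
    Length prefixes stop ("12345678", "93-11-02") and ("1234567893", "-11-02")
    from producing the same message."""
    msg = struct.pack(">Q", counter)
    for field in fields:
        data = field.encode()
        msg += struct.pack(">H", len(data)) + data
    return hmac.new(secret, msg, hashlib.sha1).digest()


class Token:
    """The hand-held device: holds the secret and a counter that only increases."""

    def __init__(self, secret: bytes) -> None:
        self.secret = secret
        self.counter = 0

    def one_time_password(self) -> str:
        self.counter += 1
        return _truncate(_mac(self.secret, self.counter, ()))

    def sign_transaction(self, account: str, sort_code: str) -> str:
        """The user keys the account number and beneficiary sort code into the
        device; the code it displays is bound to exactly those two values."""
        self.counter += 1
        return _truncate(_mac(self.secret, self.counter, (account, sort_code)))


class BankServer:
    """Server side: same secret, verifies within a look-ahead window, and never
    accepts a counter value twice, so a captured code cannot be replayed."""

    def __init__(self, secret: bytes) -> None:
        self.secret = secret
        self.last_counter = 0

    def _verify(self, code: str, fields: Tuple[str, ...]) -> bool:
        for c in range(self.last_counter + 1, self.last_counter + 1 + COUNTER_WINDOW):
            expected = _truncate(_mac(self.secret, c, fields))
            if hmac.compare_digest(expected, code):
                self.last_counter = c  # advance; a failed check leaves the counter untouched
                return True
        return False

    def verify_login(self, otp: str) -> bool:
        return self._verify(otp, ())

    def verify_transaction(self, account: str, sort_code: str, signature: str) -> bool:
        return self._verify(signature, (account, sort_code))


def demo() -> dict:
    """Walk through login, a man-in-the-middle rewrite, the genuine transfer, and a replay."""
    secret = bytes.fromhex("3132333435363738393031323334353637383930")  # constructed sample seed
    token, bank = Token(secret), BankServer(secret)
    results = {}
    results["login"] = bank.verify_login(token.one_time_password())
    sig = token.sign_transaction("12345678", "93-11-02")  # constructed account / sort code
    # A man-in-the-middle rewrites the beneficiary before the request reaches the bank:
    results["mitm_altered_beneficiary"] = bank.verify_transaction("12345678", "99-99-99", sig)
    # The transaction as the user actually keyed it is accepted...
    results["genuine"] = bank.verify_transaction("12345678", "93-11-02", sig)
    # ...but submitting the same signature a second time is rejected.
    results["replay"] = bank.verify_transaction("12345678", "93-11-02", sig)
    return results


if __name__ == "__main__":
    print(demo())
```

The practitioner's caveat is in what the signature covers: only values the user keys into the device are bound. In the scheme as described, that is the account number and the beneficiary's sort code, so a man-in-the-middle who changes those fields is stopped, but anything not entered into the token (the amount, for instance) is not protected by the signature and must be covered by other means.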