UK Child Benefit agency: records for 25 million lost
November 20th, 2007 — Uncategorized
Here’s a good one: it looks like an agency in the UK has lost two computer discs containing “…the personal details of all families in the UK with a child under 16 have gone missing. The Child Benefit data on them includes name, address, date of birth, National Insurance number and, where relevant, bank details of 25m people. Chancellor Alistair Darling said there was no evidence the data had gone to criminals - but urged people to monitor bank accounts “for unusual activity.” The Conservatives described the incident as a “catastrophic” failure. In an emergency statement to MPs, Mr Darling apologized for what he described as an “extremely serious failure on the part of HMRC to protect sensitive personal data entrusted to it in breach of its own guidelines.” MPs gasped as Mr Darling told them: “The missing information contains details of all Child Benefit recipients: records for 25 million individuals and 7.25 million families.” So that’s a government agency we’re talking about, someone you’d normally trust with your personal information (perhaps more than companies), since you’d think a government would take extraordinary measures to protect data on its citizens. It’s just so random that there’s no way to truly protect yourself from the mistakes of the countless Dilberts out there failing to safeguard your data.
Hushmail unencrypted and handed over client’s emails; backdoor revealed
November 16th, 2007 — Uncategorized
Hushmail was always known as a secure, private webmail company that markets itself by saying that “…not even a Hushmail employee with access to our servers can read your encrypted e-mail, since each message is uniquely encoded before it leaves your computer.” But it turns out that statement seems not to apply to individuals targeted by government agencies that are able to convince a Canadian court to serve a court order on the company. So while the stored email is protected by the user’s passphrase, if this passphrase is authorized server-side by the user logging in via SSL, the user is not using the more secure method with the Java Applet that they provide to have the passphrase encrypted (and I suspect hashed) before it’s sent over the wire. The advantage of the latter approach is that the server never has the chance to see the ‘real’ password, but the user(s) gave up the ghost when they used the SSL practice, which I suspect they never thought would lead to their downfall, especially when you look at how Hushmail markets themselves. So while not having to install that Java Applet is more convenient, it’s clearly less secure: “The rub of that option is that Hushmail has — even if only for a brief moment — a copy of your pass phrase. As they disclose in the technical comparison of the two options, this means that an attacker with access to Hushmail’s servers can get at the passphrase and thus all of the messages.”
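To make the difference between the two login options concrete, here is an added example (my own illustration, not Hushmail’s code, and Hushmail’s actual key scheme is not described on this page). It assumes a design in which the client derives two separate secrets from the passphrase with PBKDF2: a mailbox key that decrypts stored mail and a login token that is only ever used to authenticate. With the “SSL form” flow the passphrase itself crosses the wire, so whoever holds the server (or a court order against it) can re-derive the mailbox key; with the “applet” flow only the login token crosses the wire and there is no path back to the mailbox key. The stream cipher is a toy stand-in built from SHA-256 so the example runs with the standard library alone.

```python
import hashlib
import hmac
import os

PBKDF2_ITERS = 100_000  # assumption for the example; real services pick their own cost


def derive_mailbox_key(passphrase: str, salt: bytes) -> bytes:
    """Key that decrypts the mailbox; domain-separated from the login token."""
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt + b"mailbox-key", PBKDF2_ITERS)


def derive_login_token(passphrase: str, salt: bytes) -> bytes:
    """Token presented at login; knowing it does not reveal the mailbox key."""
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt + b"login-token", PBKDF2_ITERS)


def toy_stream_cipher(key: bytes, data: bytes) -> bytes:
    """Toy SHA-256 counter-mode keystream XOR, symmetric (encrypt == decrypt).
    Demonstration only; it stands in for a real cipher so the example is self-contained."""
    stream = bytearray()
    counter = 0
    while len(stream) < len(data):
        stream += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


def run_flow(client_side_derivation: bool) -> dict:
    """Simulate enrolment, one login and what the server could recover afterwards.
    client_side_derivation=True models the applet; False models the plain SSL form."""
    passphrase = "correct horse battery staple"           # constructed sample value
    message = b"Constructed sample message: meeting at noon."
    salt = os.urandom(16)                                  # per-user salt stored server-side

    # Enrolment: the client derives both secrets locally and registers only the login token.
    mailbox_key = derive_mailbox_key(passphrase, salt)
    stored_token = derive_login_token(passphrase, salt)
    ciphertext = toy_stream_cipher(mailbox_key, message)   # what the server stores

    # Login: this is the secret that crosses the wire and is therefore visible to the server.
    if client_side_derivation:
        wire_secret = derive_login_token(passphrase, salt)  # applet derives; passphrase stays local
    else:
        wire_secret = passphrase                            # SSL form posts the passphrase itself

    # Server-side verification of the login.
    presented = derive_login_token(wire_secret, salt) if isinstance(wire_secret, str) else wire_secret
    login_ok = hmac.compare_digest(presented, stored_token)

    # What a party with access to the server could recover from what it observed.
    if isinstance(wire_secret, str):
        recovered = toy_stream_cipher(derive_mailbox_key(wire_secret, salt), ciphertext)
    else:
        recovered = None  # only a login token was seen; no derivation leads to the mailbox key

    return {
        "login_ok": login_ok,
        "server_saw_passphrase": isinstance(wire_secret, str),
        "server_recovers_mail": recovered == message,
    }


if __name__ == "__main__":
    for mode in (False, True):
        print("applet" if mode else "ssl-form", run_flow(mode))
```

Both flows log the user in; the only thing that changes is what the server was ever in a position to see, which is exactly the distinction the Hushmail comparison draws. Note that the client-side flow still leaves an offline brute-force path against a weak passphrase, so the derivation cost matters there too.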
AT&T’s programming language for mass surveillance
November 13th, 2007 — Uncategorized
While data-mining techniques used for marketing should be viewed with a skeptical eye, the fact that AT&T has developed a C language variant called Hancock to mine gigabytes of telephone and Internet records should raise red flags automatically. “…the phone company uses Hancock-coded software to crunch through tens of millions of long distance phone records a night to draw up what AT&T calls “communities of interest” — i.e., calling circles that show who is talking to whom. The system was built in the late 1990s to develop marketing leads, and as a security tool to see if new customers called the same numbers as previously cut-off fraudsters — something the paper refers to as “guilt by association.” [...] recent revelations that the FBI has been requesting “communities of interest” records from phone companies under the USA PATRIOT Act without a warrant. Where the bureau got the idea that phone companies collect such data has, until now, been a mystery. According to a letter from Verizon to a congressional committee earlier this month, the FBI has been asking Verizon for “community of interest” records on some of its customers out to two generations — i.e., not just the people that communicated with an FBI target, but also those who talked to people who talked to an FBI target.” Yep, let’s spread that net far and wide… here’s hoping AT&T is held accountable in its current federal court trial on its secret internet spying rooms in its domestic internet switching facilities for the NSA.
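To show how far a “two generations” request actually reaches, here is an added example of my own (not AT&T’s Hancock code, whose internals are not on this page). It builds an undirected who-called-whom graph from a handful of constructed call records and counts how many people fall inside the circle at each hop; the generation count is a parameter, so the same function shows a one-generation, two-generation or wider sweep.

```python
from collections import defaultdict, deque

# Constructed call detail records as (caller, callee) pairs. All labels are made up.
CALL_RECORDS = [
    ("target", "A1"), ("target", "A2"), ("A3", "target"),      # first generation
    ("A1", "B1"), ("A1", "B2"), ("B3", "A2"), ("A3", "B4"), ("A3", "B5"),  # second
    ("B1", "C1"), ("B4", "C2"), ("C2", "C3"),                   # third and beyond
    ("X", "Y"),                                                 # unrelated pair
]


def build_graph(records):
    """Undirected adjacency: a call links both parties regardless of who dialled."""
    graph = defaultdict(set)
    for caller, callee in records:
        graph[caller].add(callee)
        graph[callee].add(caller)
    return graph


def community_of_interest(graph, seed, generations):
    """Breadth-first sweep out to `generations` hops from `seed`.
    Returns {hop: set of parties first reached at that hop}; the seed itself is excluded."""
    distance = {seed: 0}
    queue = deque([seed])
    while queue:
        node = queue.popleft()
        if distance[node] == generations:
            continue  # do not expand past the requested generation
        for neighbour in graph[node]:
            if neighbour not in distance:
                distance[neighbour] = distance[node] + 1
                queue.append(neighbour)
    circle = {hop: set() for hop in range(1, generations + 1)}
    for node, hop in distance.items():
        if hop > 0:
            circle[hop].add(node)
    return circle


def sweep_size(records, seed, generations):
    """Total number of distinct parties pulled in by a `generations`-deep request."""
    circle = community_of_interest(build_graph(records), seed, generations)
    return sum(len(members) for members in circle.values())


if __name__ == "__main__":
    g = build_graph(CALL_RECORDS)
    for gens in (1, 2, 3):
        print(gens, "generation(s):", sweep_size(CALL_RECORDS, "target", gens),
              community_of_interest(g, "target", gens))
```

On this tiny constructed graph the one-generation circle holds 3 people, two generations already pulls in 8, and a third generation reaches 10; on real call volumes each extra generation multiplies the number of uninvolved people swept into the records, which is the privacy problem the post is pointing at.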
Intel official: say goodbye to privacy
November 12th, 2007 — Uncategorized
During a hearing to review the Foreign Intelligence Surveillance Act, Congress was told by intelligence official Donald Kerr that, “…it is time people in the United States changed their definition of privacy. Privacy no longer can mean anonymity, says Donald Kerr, the principal deputy director of national intelligence. Instead, it should mean that government and businesses properly safeguard people’s private communications and financial information.” Right, because we all know what a great job businesses are doing keeping our data safe! It is unacceptable for an official to declare that our rights need to be usurped and then have us rely on businesses to keep our records safe; they’ve been failing to do that for years, so why would there be any difference now? In fact, if Mr. Kerr’s plan went through, these companies would be bigger targets for exploitation, as they’d hold a bigger payout for would-be attackers. Come on, no more ‘give up your rights to survive’ rhetoric, we’ve had enough. There’s more good coverage on this at Wired.
How spammers and online stalkers find you
August 30th, 2007 — Uncategorized
Just got wind of a great article, How Do Spammers and Online Stalkers Find Me? It covers everything from things as simple as online white and yellow pages, to filling out forms with too much personal information, to chain letters and hoaxes (you know, when the forwarded email has hundreds of addresses from all the past forwards). This is posted on their site as a way to keep kids safe online, but it’s information that everyone needs to know. When you go online, you need to think about your privacy, as it can affect your security, and the security of others close to you. Also, note the unsettling fact that even though this article was written in August of 2001, it’s still current.
Refocused, relaunched
August 7th, 2007 — Uncategorized
After seeing an Electronic Frontier Foundation EFF.org Q&A session, and speaking with their staff lawyers last weekend at Defcon15, I became a member. Because of this I’m refocusing ltc on digital privacy, rights and the law. Stand by for new articles later this week.
