Posts Tagged 'information'

1 in 3 IT guys spy on coworkers

One in three information technology professionals abuses administrative passwords to access confidential data such as colleagues’ salary details, personal emails or board-meeting minutes, according to a survey.

U.S. information security company Cyber-Ark surveyed 300 senior IT professionals, and found that one-third admitted to secretly snooping, while 47 percent said they had accessed information that was not relevant to their role.

“All you need is access to the right passwords or privileged accounts and you’re privy to everything that’s going on within your company,” Mark Fullbrook, Cyber-Ark’s UK director, said in a statement released along with the survey results on Thursday.

“For most people, administrative passwords are a seemingly innocuous tool used by the IT department to update or amend systems. To those ‘in the know’ they are the keys to the kingdom,” he added. (link)

White House free to ignore emails … just like everyone else

A federal judge today sided with the Bush administration in a Freedom of Information Act (FOIA) lawsuit related to missing White House e-mails. Judge Colleen Kollar-Kotelly, who is probably most familiar to Ars readers for her role in the Microsoft antitrust case, held that the White House’s Office of Administration was not a federal agency as that term is defined by the FOIA and was therefore not obligated to respond to FOIA requests.

The ruling represents a setback for the plaintiff, Citizens for Responsibility and Ethics in Washington (CREW), which was also behind the White House e-mail lawsuit we covered in April. That lawsuit was heard by a different judge, was directed at a different federal agency, and was filed under different federal statutes: the Federal Records Act and the Presidential Records Act. The White House has denied wrongdoing in that case, and the case is still being litigated. (link)

Identity theft still on the rise despite more awareness

Over the past five years, 43 US states have adopted data breach notification laws, but has all of this legislation actually cut down on identity theft? Not according to researchers at Carnegie Mellon University who have published a state-by-state analysis of data supplied by the US Federal Trade Commission (FTC).

“There doesn’t seem to be any evidence that the laws actually reduce identity theft,” said Sasha Romanosky, a Ph.D student at Carnegie Mellon who is one of the paper’s authors.

Romanosky’s team took a state-by-state look at FTC identity theft complaints filed between 2002 and 2006 to see whether there was a noticeable impact on complaints in states that had adopted data breach notification laws such as California’s SB 1386, which compels companies and institutions to notify state residents when their personal information has been lost or stolen. Their paper is set to be presented at a conference on Information Security Economics held at Dartmouth College later this month.

Since 1999 the FTC has invited identity theft victims to log information about their cases on its Web site. The data are then made accessible to law enforcement, which uses the information to help analyze crime trends. A lot of people complain, but it represents only a subsection of all identity theft cases. In 2006, for example, the FTC logged 246,035 identity theft complaints, while a Javelin Strategy survey estimated that there were 8.9 million ID theft victims that year. (link)

Data retention changing behaviour

A new survey shows that data retention laws influence the actual behavior of citizens in Germany. 11% had already abstained from single telecommunication acts, 52% would not use phone or e-mail for confidential contacts.

The problem with surveillance is not primarily that some bored officer might learn about some embarrassing private detail (although this is a problem as well). The fundamental problem with surveillance is that it changes people. People under surveillance behave differently than people who are not monitored - differently than free people.

Unfortunately, this fundamental problem has just been proven in Germany. Since the beginning of this year, communication providers are required to record who communicated with whom and when (but not the content of the communication). This data is stored for six months and available to law enforcement in cases related to certain forms of crime. (link)

Facebook and privacy concerns

Facebook is the focus of a new complaint in Canada over its privacy policies and practices. The Canadian Internet Policy and Public Interest Clinic (CIPPIC) filed the complaint this morning, asking the Privacy Commissioner of Canada to review what the CIPPIC believes are various violations of Canadian privacy law. There are 22 violations in all, says CIPPIC, making Facebook “a minefield of privacy invasion.”

Facebook’s policies and practices were analyzed by a “team of law students” over the winter, resulting in their discovery of what they believe to be numerous violations of the Canadian Personal Information Protection and Electronic Documents Act (PIPEDA). Some of the issues raised in the complaint are a little benign: for example, CIPPIC takes issue with the fact that all of a user’s friends can see Wall posts (comments) left by other friends, and that it’s not easy to simply delete all Wall posts with a single click. Other issues, however, are more serious, like a user’s inability to easily delete his or her account and all the data associated with it. (Instead, users can choose to suspend their accounts, leaving their data dormant with Facebook—for potential reactivation—for an unspecified amount of time.) (ArsTechnica)

New Brunswick loses tapes containing personal data

The files, including patient names and medicare numbers, were being transferred from New Brunswick to British Columbia under a reciprocal billing agreement for residents of one province who use the health system of another.

The tapes have never been found and the information wasn’t protected by encryption.

In one of two reports released concurrently, New Brunswick ombudsman Bernard Richard said the provincial Health Department failed to ensure the information was protected.

“I’m satisfied, however, that the department has taken proper steps to ensure this doesn’t happen again,” he said.

David Loukidelis, B.C.’s information and privacy commissioner, also released his report into the incident.

“B.C.’s Health Ministry should not have been couriering around unprotected tapes of personal health information like this,” he said. “It doesn’t matter that the tapes can only be read using technology that’s not commonly available.

“Proper encryption is the basic standard for portable data storage like this.” (link)

Paypal: Safari is not safe, stop using it

While current browser share estimates for Apple’s Safari web browser hover somewhere in the 4.5 percent range, Safari is attracting some unwanted attention from PayPal, the eBay-owned payment company. PayPal is urging its users to ditch Safari and instead use alternative browsers such as Internet Explorer 7, IE 8, Firefox 2, Firefox 3, or even Opera.

The reason for the warning is Safari’s lack of anti-phishing technology. Currently the Apple browser does not alert users to sites that could be phishing for your info, and it lacks support for Extended Validation. PayPal is, of course, a popular site among phishers in their neverending search for personal information, user IDs, and passwords. (link)

Women more likely to give out personal info

According to Infosecurity Europe, 10% of men — but 45% of women — were willing to give personally identifiable information to a complete stranger when approached outside Liverpool Street Station in London.

But, wait, it gets worse: The fake researchers asking for the information were offering chocolate bars as an incentive to participate.

‘This year’s survey results were significantly better than previous years. In 2007 64% of people were prepared to give away their passwords for a chocolate bar, this year it had dropped to just 21% so at last the message is getting through to be more infosecurity savvy. The researchers also asked the office workers for their dates of birth to validate that they had carried out the survey; here the workers were very naïve with 61% revealing their date of birth.’ (link)

Alberta’s IT security is just “patchwork”

In the expanding world of cyber-information, Alberta needs to pull up its socks or risk having confidential data exposed, the provincial auditor general reported Wednesday.

Fred Dunn said government-wide safeguards and benchmarks are needed to keep the system safe and cost effective. “The government departments as a whole need to do a better job identifying the risks,” said Dunn in his semi-annual report.

He said information technology programs are a patchwork quilt, varying from department to department. (news alert)

Symantec: spammers targeting tax filers

As reported in the February State of Spam report, we have observed spammers disguising themselves as the IRS and dangling an offer of a tax refund to unwitting recipients. That is, a refund made available once you input your credit card information into their site. A site that does not bear the IRS URL. A site that is fraudulent and nothing more than a collection tool for credit card and other personal information. And while we are still seeing this, we have recently observed a few new types of spam in relation to tax season. This spam being of a more sinister type as it directs you to download a virus.

In one example, the spammer indicates that a new law requires you to download tax software. Well, that in itself is ridiculous because taxes are traditionally done on paper and there is no existing law stating that you need a computer for your taxes in the first place. If that wasn’t a red flag, the site that you actually download the “software” from is not a government site. Instead, it is merely an IP address. (symantec)
