Saturday, February 26, 2011

Lawsuits Challenge U.S. Online Data Brokers

A Reuters newswire article by Terry Baynes reports:

Two lawsuits in federal court in California that challenge the way a popular online data-mining company does business could give consumers more privacy protection from firms that sell personal information on the Web.

In the most recent complaint, filed last week in the Central District of California, plaintiff Thomas Robins alleged that Spokeo Inc. violated the Fair Credit Reporting Act by offering false data about individuals without giving them the chance to correct or remove inaccurate reports.

The suit alleged that Robins' Spokeo profile was rife with misinformation, stating that he was in his 50s, married with children and employed in a professional field. Robins is actually in his 20s, single and has no children. He argued that such false representations have hurt his employment prospects, causing him anxiety and lost earnings.

In a similar suit filed in September in the Northern District of California, plaintiff Jennifer Purcell alleged that Spokeo marketed her personal information in violation of the FCRA, which restricts who can access personal information. Both Robins and Purcell are seeking class-action status for their cases.

More here.

Thursday, February 24, 2011

Mark Fiore: State TV

More Mark Fiore brilliance.

Via The San Francisco Chronicle.


- ferg

EU Refuses to Reveal Bank Data Transfers to U.S.

Jennifer Baker writes on NetworkWorld:

The European Commission and Europol have once again refused to reveal any information about how the Terrorist Finance Tracking Agreement between the European Union and the U.S. is working six months after it came into force.

The so-called 'Swift' accord, which allows the bulk transfer of European citizens' financial data to the U.S. authorities, came into force on Aug. 1 last year. In December, German representatives revealed that questions from the German data protection commissioner about how many requests the U.S. has made for data and how many, if any, have been approved, were not answered.

Europol said that questions could only be answered by the Commission. But the Commission said that "neither the Commission nor Europol nor the member states have the power to bindingly interpret the agreement." Europol further indicated that such sensitive information is in any case top secret. The German delegation to the Council of Europe said that repeatedly sidestepping the questions is not helpful and will lead to growing public mistrust.

More here.

Wednesday, February 23, 2011

Belarus Man Pleads Guilty to Running Identity Theft Site

Robert McMillan writes on PC World:

A 26-year-old Belarusian man has admitted to running an identity theft website designed to thwart the antifraud measures used by many banks.

Until he was arrested in April 2010, Dmitry Naskovets had been the mastermind behind, a website that helped more than 2,000 identity thieves commit fraud. CallService employed a network of English and German speakers who would call up banks, pretending to be ID theft victims, and confirm fraudulent transactions rung up by the criminals.

This business neatly skirted antifraud measures put in place by many U.S. banks, which often ask cardholders to phone in to confirm suspicious transactions.

Naskovets would make sure his callers were the correct gender, and then tell them exactly what to say to ensure that the bogus purchases went through. He'd give his callers a dossier on the victim, including the name, e-mail address, Social Security number and answers to security questions such as "What city were you married in?" and "What is the name of your oldest sibling?"

More here.

Updated U.S. Cyber Security Bill Draws Continued Criticism

Angela Moscaritolo writes on SC Magazine:

In light of the former Egyptian regime's move to cut off internet access as a means to silence protesters, critics of a U.S. Senate proposal worry it would give the president the same type of authority in the United States, even in the legislation's revised form.

The Cybersecurity and Internet Freedom Act, introduced last week by Sens. Joe Lieberman, I-Conn.; Susan Collins, R-Maine; and Tom Carper, D-Del., aims to secure the nation's most sensitive critical cyber infrastructures.

The legislation is a revised version of a highly contested bill first introduced last year as The Protecting Cyberspace as a National Asset Act of 2010. The original bill drew harsh criticism for a provision that critics said would give the president kill-switch-like power to shut down the internet.

The newly updated legislation contains no such provision, the senators said in a statement released late last week. Moreover, it contains "explicit" language prohibiting the president or any other U.S. government employee from shutting down the internet, they said.

More here.

Tuesday, February 22, 2011

Fraudsters Escape as Laws Bind AusCERT

Darren Pauli writes on

Efforts by security sleuths AusCERT to inform victims of fraud and identity theft that their details have been hijacked are being torpedoed by laws preventing the reverse-engineering of passwords.

Logs contained within any malware, such as key loggers or trojans, record which information (such as credit card numbers) has been captured from each victim. This enables investigators to ascertain the identity of victims and the extent of their exposure.

These logs, however, are increasingly protected by passwords, following a trend begun around three years ago. Despite AusCERT's government recognition as a crime-fighting organisation, it is not allowed by law to crack the passwords even though they are set by criminals.

AusCERT head Graham Ingram said the logs were previously viewable in plain text, but are now stored in a protected MySQL format.

"They are encrypted and we can't break that by law," he told an audience at the National Security Australia conference in Sydney yesterday.

"The logs can help identify victims who have had credentials stolen."

More here.