Interesting finds

December 3, 2009

Website invading your privacy? Bookmark it (and alert the FTC)

Filed under: Computer Tech, Security, Social Networking — thewere42 @ 10:22 pm

As part of a new privacy campaign from the Center for Democracy and Technology, a new browser bookmarklet will let you flag privacy problems with a click, then have the reports forwarded to the Federal Trade Commission.

By Nate Anderson

See a website that appears to be misusing your personal information? Bookmark it—and have the site information fed directly to the Federal Trade Commission.

The bookmarklet privacy tool is one part of a new campaign from the Center for Democracy and Technology, called “Take Back Your Privacy,” which launched today. The campaign comes only days before the FTC launches a new set of discussions on data privacy, and CDT wants to see some rules with real teeth to them.

What are the problems that need solving? According to the CDT, they are legion:

  • The United States lacks a comprehensive federal law protecting consumer privacy.
  • The most infamous privacy breaches of the past decade may never have come to light, were it not for a seminal California law. In 2002, the State of California passed a law that requires companies to notify consumers in the event that their personal information is compromised by a data breach.
  • Even if you delete cookies, your browsing history, and your browser cache from your Web browser, many Web sites can still track you through “flash cookies” they have placed elsewhere on your computer.
  • You are almost always carrying a tracking device by your side: your cell phone. Every few seconds, whenever it is turned on, your cell phone sends out a signal registering its location—and your location—with the nearest towers.
  • You can still be identified in an “anonymized” data set. In August 2006, AOL publicly released “anonymized” log files containing twenty million search queries for over 650,000 users over a 3-month period; the data included a unique identifier for each user but did not include anything that would traditionally have been considered “Personally Identifiable Information.” Nevertheless, several researchers were easily able to identify individuals based on these “anonymous” records. The New York Times even interviewed one of them.
  • A 2009 study on behavioral advertising found that 86 percent of young adults reject advertisements that are tailored based on their activities across multiple Web sites. If the advertisements are tailored based on information gathered about their offline behavior, then 90 percent of young adults want nothing to do with these ads.

News this week that law enforcement had asked just one mobile provider, Sprint, for a staggering 8 million bits of cell phone tracking data would seem to have been a fortuitous revelation for CDT, as it makes the privacy issue concrete and immediate. Vague concern about the information that some retailer or website might be collecting about your buying habits doesn’t generate the same level of outrage as do revelations that your phone has actually become a homing beacon.

To collect data on one sort of privacy problem, CDT has also launched a downloadable bookmarklet. Slap it in your browser’s bookmark bar and then hit the bookmark whenever you navigate to a page that seems to be abusing your privacy.


Information will be collected by CDT and forwarded to the FTC in bulk once a month, though of course there’s no guarantee that the feds will act on any of it. If it garners significant usage, the tool could be a nice way to “red flag” the most egregious online privacy abuses, giving the FTC some idea of where to apply its limited investigative resources.

http://arstechnica.com/tech-policy/news/2009/12/website-invading-your-privacy-bookmark-it-and-alert-the-ftc.ars

December 2, 2009

McAfee uncovers riskiest domains

Filed under: Computer Tech, Security — thewere42 @ 5:29 pm

Red means danger. And orange offers plenty of risk, too. (Credit: McAfee)

by Lance Whitney

You may want to think twice if you hit a site with a .cm extension. That belongs to Cameroon, pegged by McAfee as the world’s riskiest domain.

McAfee’s third annual “Mapping the Mal Web” report, released Wednesday, looks at riskiest and safest domains across the globe. The small nation on the west coast of Africa reached the top spot this year with 36.7 percent of its sites posing a security risk. Because .cm is often a typo for .com, McAfee said, cybercrooks like to use that domain to set up typo-squatted sites to hit you with malware.

The generic and widely used .com domain itself isn’t much safer, according to McAfee, jumping from ninth last year to second this year in riskiness, with 32.2 percent of its sites potentially hazardous to your PC’s health.


Romania (.ro) is tagged as the riskiest domain for malicious downloads, with 21 percent of its sites delivering payloads of viruses, spyware, and adware. The information (.info) domain is seen by McAfee as the most “spammy,” with 17.2 percent of its sites generating junk mail.

On the positive side, the government (.gov) is the safest generic domain with essentially 0 percent risk, while Japan (.jp) proved the safest country domain with a rating of only 0.1 percent. Last year’s riskiest domain, Hong Kong (.hk), dropped to 34th place with a risk rating of only 1.1 percent, which McAfee attributed to the country’s aggressive steps to stop scam-related domain registrations.


“This report underscores how quickly cybercriminals change tactics to lure in the most victims and avoid being caught. Last year, Hong Kong was the riskiest domain and this year it is dramatically safer,” Mike Gallagher, chief technology officer for McAfee Labs, said in a statement. “Cybercriminals target regions where registering sites is cheap and convenient, and pose the least risk of being caught.”

Overall, looking at 27 million Web sites and 104 top-level domains, McAfee found that 1.5 million sites, or 5.8 percent, were risky. That’s up from 4.1 percent in each of the past two years, although the comparison is not direct, since McAfee said it has changed its rating methodology since then.

McAfee noted that cybercriminals who create domains to scam people prefer registrars with cheap prices, volume discounts, and hefty refund policies. Crooks also like registrars with a “no questions asked” policy and that act slowly or not at all when informed of malicious domains.

http://news.cnet.com/8301-1009_3-10407530-83.html?tag=newsEditorsPicksArea.0

EFF sues feds for info on social-network surveillance

Filed under: Computer Tech, Government, Security, Social Networking, Society — thewere42 @ 5:29 pm

by Elinor Mills

The Electronic Frontier Foundation sued the CIA, the U.S. Department of Defense, Department of Justice, and three other government agencies on Tuesday for allegedly refusing to release information about how they are using social networks in surveillance and investigations.

The nonprofit Internet rights watchdog group formally asked more than a dozen agencies or departments in early October to provide records about federal guidelines on the use of sites like Facebook, Twitter, and Flickr for investigative or data gathering purposes, according to the lawsuit.

The requests were prompted by published news reports about how authorities are using social networks to monitor citizen activities and aid in investigations. For example, according to the lawsuit, government officials have: used Facebook to hunt for fugitives and search for evidence of underage drinking; researched the activities of an activist on Facebook and LinkedIn; watched YouTube to identify riot suspects; searched the home of a social worker because of Twitter messages regarding police actions he sent during the G-20 summit; and used fake identities to trick Facebook users into accepting friend requests.

The EFF needs access to the information to “help inform Congress and the public about the effect of such uses and purposes on citizens’ privacy rights and associated legal protections,” the lawsuit said.

None of the agencies contacted had complied with the EFF’s Freedom of Information Act (FOIA) requests and only one, the IRS, had asked for an extension, according to the suit.

The suit, filed in federal court in San Francisco, names the defendants as the CIA, the office of the Director of National Intelligence, and the departments of Defense, Justice, Homeland Security, and Treasury.

The FOIA requests and the lawsuit were filed on behalf of the EFF by the Samuelson Law, Technology, and Public Policy Clinic at the University of California at Berkeley School of Law.

Government surveillance of citizens, particularly in areas they consider private, should have oversight, said Shane Witnov, a law student who worked on the case for the Samuelson Clinic.

“Social-networking sites are becoming a part of the way we communicate every day and everyone thinks they are sharing information [on the sites] with just their friends,” he said. “Governments are using the sites but not in the way [citizens] expect when they sign up.”

The government agencies could not be reached for comment Tuesday afternoon.

Updated 4:55 p.m. PST with comment from Samuelson Clinic law student.

http://news.cnet.com/8301-27080_3-10407224-245.html?tag=newsEditorsPicksArea.0

December 1, 2009

Restaurants Sue Vendor for Unsecured Card Processor

Filed under: Business, Computer Tech, Crime Tech, Security — thewere42 @ 10:14 pm

By Kim Zetter

Seven restaurants have sued the maker of a bank card-processing system for failing to secure the product from a Romanian hacker who breached their systems.

The restaurants, located in Louisiana and Mississippi, filed a class-action suit against Georgia-based Radiant Systems for producing a point-of-sale (POS) system that they say was not compliant with payment card industry security standards and resulted in an undetermined number of customers having their debit and credit card numbers stolen.

The suit alleges that the system stored all the data embedded on the bank card magnetic stripe after the transaction was completed — a violation of industry security standards that made it a high-risk target for hackers.

Also named in the suit is Computer World, a Louisiana-based retailer, which sold and maintained Radiant’s Aloha POS system.

According to plaintiffs, Computer World’s technicians installed the remote-access program PCAnywhere on the systems to allow its technicians to fix technical problems from off-site. The only problem is, the company failed to secure the program. The suit alleges that the system was not up to date with software patches, and that the PCAnywhere remote log-in and password that technicians used to access the POS systems were the same at every one of the 200 Louisiana locations where the system was installed. According to one of the plaintiffs who spoke with Threat Level, the default login was “administrator” and the password was “computer.”


As a result, a hacker, believed to be based in Romania, accessed the systems of at least 19 businesses through the PCAnywhere software, and possibly others, plaintiffs say. Once inside, the hacker installed malware to grab card data as it was swiped and send it to an e-mail address in Romania. The hack follows a wave of similar attacks that targeted point-of-sale systems at other national retailers and restaurant chains between 2005 and early 2009, including Dave & Busters restaurants, Hannaford Brothers, TJX, Wal-Mart and others.

The suit was filed in March in the U.S. District Court in Louisiana, but the court ruled only last week that the seven plaintiffs could proceed as a group with their case, opening the way for additional plaintiffs to join the litigation.

“We want other restaurants nationally to be aware of the hidden dangers posed by these technology companies and the unfair penalties imposed by the credit card companies,” said plaintiffs attorney Shiel Gallagher in a press release. “These huge companies shouldn’t have the power to destroy these restaurants.”

The plaintiffs include Crawfish Town USA, Don’s Seafood & Steak House, Jone’s Creek Cafe, Mel’s Diner, Picante’s Mexican Restaurant, Sammy’s Grill and a Best Western. Two other restaurants have also sued Radiant Systems and Computer World separately.

The restaurants are seeking millions in damages to recover their costs from the breach. These include fines levied against them from Visa and other credit card companies for failing to be PCI-compliant, the cost of forensic audits to uncover the source of the breach, chargebacks to cover fraudulent charges made on customer accounts and reimbursements to card providers who had to issue new customer cards.

According to the plaintiffs’ court filing (.pdf), Radiant and Computer World were allegedly warned by Visa in April 2007 that the Aloha system, along with POS systems made by five other vendors, was non-compliant because it stored card data. Visa also sent out a bulletin in November 2006 warning that one of the most frequent vectors for hackers to penetrate POS systems was through poorly configured or unpatched remote-access software (.pdf) and default passwords. Nonetheless, the restaurants say, Radiant and Computer World sold them a product that was neither PCI-compliant nor secured against a known attack.

PCI compliance involves 12 requirements that include installing and maintaining a firewall, changing vendor default passwords, encrypting transaction data while it is being processed, and keeping security patches and anti-virus definitions up to date, among other things. Businesses that accept bank card payments from customers are contractually required by the payment card industry to have PCI-compliant architectures and to use only products that are PCI-compliant.
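The two technical points in this story, a POS system that kept full magnetic-stripe data after the transaction and the PCI requirements that forbid exactly that, suggest the check a merchant or auditor would want: a scan of a terminal's disk for track data at rest. This is an added example, not code from the article or from any vendor it names; the Track 1 and Track 2 layouts follow ISO/IEC 7813, the Luhn filter cuts false positives from other long digit strings, and the sample log is constructed using the standard Visa and MasterCard test numbers.

```python
"""Scan files for stored magnetic-stripe track data, which PCI DSS forbids.

Added example, not code from the article or any vendor named in it.
Track layouts per ISO/IEC 7813; sample log below is constructed.
"""
import re
from pathlib import Path

# Track 1: %B<PAN>^<NAME>^<YYMM><service code><discretionary data>?
TRACK1_RE = re.compile(rb"%B(\d{13,19})\^([^^]{2,26})\^(\d{4})(\d{3})[^?]*\?")
# Track 2: ;<PAN>=<YYMM><service code><discretionary data>?
TRACK2_RE = re.compile(rb";(\d{13,19})=(\d{4})(\d{3})[^?]*\?")

# Constructed sample: two real track records (test PANs) plus a decoy
# record whose PAN fails the Luhn check and must not be reported.
SAMPLE_LOG = (
    b"2008-04-12 11:02:33 swipe ok term=2\n"
    b"%B5500000000000004^DOE/JANE^2512101123456789?\n"
    b"2008-04-12 11:05:10 swipe ok term=1\n"
    b";4111111111111111=25121011234567890?\n"
    b";1234567890123456=2512101?\n"
    b"order 8137 total 42.17\n"
)


def luhn_ok(pan: str) -> bool:
    """Return True when the PAN passes the Luhn check-digit test."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Show first six and last four digits only, so reports are not themselves card data."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def find_track_data(data: bytes) -> list:
    """Return (track, masked PAN, byte offset) for each plausible track record in data."""
    hits = []
    for label, pattern in (("track1", TRACK1_RE), ("track2", TRACK2_RE)):
        for m in pattern.finditer(data):
            pan = m.group(1).decode()
            if luhn_ok(pan):    # drop digit strings that only look like a PAN
                hits.append((label, mask_pan(pan), m.start()))
    hits.sort(key=lambda h: h[2])
    return hits


def scan_tree(root) -> dict:
    """Scan every regular file under root; map path -> findings (files without hits omitted)."""
    findings = {}
    for path in Path(root).rglob("*"):
        if not path.is_file():
            continue
        try:
            hits = find_track_data(path.read_bytes())
        except OSError:
            continue            # unreadable file: skip rather than abort the audit
        if hits:
            findings[str(path)] = hits
    return findings


if __name__ == "__main__":
    for track, masked, off in find_track_data(SAMPLE_LOG):
        print(f"{track} at offset {off}: {masked}")
```

Run `scan_tree("/path/to/pos/data")` against a terminal's data and log directories; any hit means full track data is being retained and the retention, not just the file, has to be fixed.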

Charles Hoff, general counsel for the Georgia Restaurant Association and one of the plaintiffs’ attorneys, says these kinds of security disputes are becoming more common but rarely garner public attention because vendors tend to settle rather than risk exposure through a court case. He said this suit was filed only after Radiant refused to take responsibility for the breaches.

“Radiant … took a very arrogant attitude about it,” he told Threat Level. “I’ve had other POS vendors who felt they should be accountable, and the end result was that they knew they needed to do the right thing. Radiant I don’t think thought we were serious. Radiant’s website gives customers the greatest assurance that when it comes to their resellers, they monitor and make sure they’re scrutinized and compliant. It really would give you all the confidence in the world if it was actually done.”

Radiant has declined to comment on the details of the suit.

“What we can say is that Radiant takes data security very seriously and that our products are among the most secure in the industry,” Paul Langenbahn, president of Radiant’s hospitality division, told the Atlanta Journal Constitution. “We believe the allegations against Radiant are without merit, and we intend to vigorously defend ourselves.”

Keith Bond, owner of Mel’s Diner in Broussard, Louisiana, told Threat Level that he purchased his Aloha system for $20,000 and installed it around late November 2007. Computer World, he says, convinced him that the system needed to be connected to the internet for faster transaction processing, as opposed to the dial-up modem connection he had been using for processing.

In April 2008, just a few months after installing the system, one of his employees called to tell him that the mouse cursor on one of three Aloha terminals he’d bought seemed to be moving on its own and that employees were unable to take control of it.

After contacting Computer World technicians, the restaurant was told to disconnect its system from the internet. A service tech appeared the next day to replace the hard drive, but didn’t disclose the nature of the problem or indicate that an intruder had breached the system. Bond learned only later that a keystroke logger had been installed on all three of his Aloha terminals, and that the intruder had been siphoning card numbers for about three weeks.

He discovered this only after Visa and Mastercard contacted him in May to tell him his system had been breached. Bond, whose 24-hour diner processes about 60 to 70 card transactions a day, says 669 card numbers were stolen during the three-week period the hacker was in his system.

“If they had accessed the server, they would have got thousands of card numbers,” Bond said.

The credit card companies forced him to hire a forensic team to investigate the breach, which cost him $19,000. Visa then fined his business $5,000 after the forensic investigators found that the Radiant Aloha system was non-compliant. MasterCard levied a $100,000 fine against his restaurant, but opted to waive the fine, due to the circumstances.

Then the chargebacks started arriving. Bond says the thieves racked up $30,000 on 19 card accounts. He had to pay $20,000 and managed to get the remainder dropped. In total, the breach has cost him about $50,000, and he says his fellow plaintiffs have borne similar costs.

Bond said Radiant and Computer World were unresponsive.

“Radiant just basically hung us out to dry,” he says. “It’s quite obvious to me that they’re at fault…. When you buy a system for $20,000, you feel like you’re getting a state-of-the-art system. Then three to four months after I bought the system, I’m hacked into.”


http://www.wired.com/threatlevel/2009/11/pos

Scammers get better tools for tapping social networks

Filed under: Computer Tech, Security, Social Networking — thewere42 @ 4:54 pm

Data could enable more targeted phishing, corporate surveillance

By Jaikumar Vijayan

New tools capable of quickly finding, gathering and correlating information about individuals from social networking sites and other public sources are giving online scammers a powerful new weapon, say security researchers.

The tools allow potential attackers to build detailed profiles of individuals by finding and piecing together bits and pieces of information about them scattered on social sites and other public forums. The information can then be used in highly targeted, “spear-phishing” scams and other attacks against individuals and enterprises, they said.

Two companies providing such tools are Core Security Technologies Inc., with its Exomind application, and Paterva, with its Maltego product. Exomind is designed to find, combine and correlate information on individuals and groups of individuals from across multiple social networking sites. It can be used to build a concise portrait of an individual and to identify key relationships with others on social networks and in the real world, said Ariel Waissbein, head of CoreLabs, the R&D unit of Core Security.

Paterva describes Maltego as an open source intelligence and forensics application that can import and correlate data from almost any publicly available online source, including social networks, search engines and PGP key databases. A community edition of the tool also can be downloaded.

The application can be used to determine relationships and real-world connections between people, groups of people such as those in a social network, companies and Web sites. It can also be used to find links between domains, DNS names, IP addresses and even documents and files on the Internet.

For instance, the tools can be used to develop a list of Gmail users at the National Security Agency, find which NASA employees are using MySpace, or to attach e-mail addresses to phone numbers. A graphical user interface presents the information visually.

Paterva claims more than 5,000 users in the security, forensics and law enforcement industries. Maltego has typically been used in tasks such as mapping corporate and social networks and performing information footprints on corporations.

Exomind can also be used to profile the vocabulary that individuals use in their interactions with others on social networking sites, Waissbein said. The information can be used to impersonate a co-worker, business partner or customer — right down to the particular vocabulary of that person.

“Exomind is a framework that allows us to do open-source intelligence over social networks,” Waissbein said. It is a tool that can be used to understand, and then take advantage of, the trusted relationships that exist within a social networking site, he said. “It does not help anyone to compromise a system, but (it) provides you with tools to leverage trust relationships.”

Article Continues - http://www.computerworld.com/s/article/9141601/Scammers_get_better_tools_for_tapping_social_networks

November 23, 2009

E-tailers snagged in marketing ‘scam’ blame customers

Filed under: Computer Tech, Security, Society — thewere42 @ 5:22 pm

by Greg Sandoval

Mark Goldston, chairman and CEO of United Online, parent company of Classmates.com, which banked $70 million from marketing practices now under investigation by the Senate Commerce committee. (Credit: United Online)

First the good news for consumers: the U.S. government’s investigation into how dozens of well-known online stores worked with controversial marketers to “deceive” customers out of $1.4 billion has prompted some retailers, including Continental Airlines, to sever ties with the marketers.

Now, the bad news: the marketers–Affinion, Vertrue, and Webloyalty–are still in business and judging from the responses of many of the retailers involved, such as Priceline, Classmates.com, FTD, Shutterfly, and Orbitz, it will be business as usual. They see nothing wrong with the marketing practices that millions of angry online shoppers and members of the U.S. Senate have called a “scam,” “robbery” and “theft.”

While the U.S. Senate Commerce committee produced a staggering amount of documentation during a hearing last week that appears to show consumers are misled into signing up for so-called loyalty programs, the retailers continue to suggest it’s their customers who are at fault.

The controversy began last May, when the Commerce committee launched an investigation into the practices employed by Vertrue, Affinion, and Webloyalty. The committee’s investigators found thousands of complaints going back years from people who said they discovered “mysterious charges” on their credit cards and struggled to discover how they got there.

The Senate’s investigators said they learned that the retailers had made an unholy alliance with the marketers. Under most of the agreements between the marketing firms and retailers, an advertising page is presented to a shopper while they complete a transaction at the retailer’s online store. Many shoppers say they entered their e-mail address and pushed a large “Yes” button on the ad because it appears to be a $10 cash-back offer or coupon. Many of those that complain say they thought they were being rewarded by the retailer for making a purchase.

Written in much smaller print within the ad are the full terms of the deal. A customer is notified there that by providing their e-mail address they are joining a membership program and agreeing to pay one of the marketing firms a monthly fee, typically between $10 and $20.

Despite being blasted last week by members of the Commerce committee, most of the retailers involved haven’t done much repenting.

Orbitz “does not pass on any personally identifiable customer information to third party vendors without their permission,” the travel site said in a statement.

United Online, parent company of FTD and Classmates.com, a company that the government said banked $70 million via the three marketers said: “We believe that our marketing practices provide clear disclosure. We do not transfer our customer’s credit or debit card information to third parties without our customer’s consent.”

Priceline said the terms of the deal have “been clearly and fully explained.”

It’s all your fault
The inference is clear: The people complaining about this are the ones who screwed up. The terms of the deal were all in the ad so that means anyone who was charged the monthly fee either wanted it at the time or was negligent.

I can start by listing all the information that the government has found that shows that as many as 30 million consumers were unaware that they were signing up for the loyalty programs. But first, let’s look at the obvious.

Webloyalty, Affinion and Vertrue all say they do their best to make it clear to consumers what they’re signing up for. That’s nonsense of course. If their claim was true, they would simply insert the following paragraph, or something like it, high up in their ads:

BY ENTERING YOUR CREDIT CARD NUMBER YOU ARE REGISTERING FOR A MEMBERSHIP PROGRAM AND YOUR CREDIT CARD WILL BE CHARGED $12 PER MONTH FOR THIS SERVICE UNTIL YOU CANCEL YOUR MEMBERSHIP. ENTER CARD NUMBER HERE:________. EXPIRATION DATE HERE:________.

Voila. End of confusion.

This simple fact was presented in a Jan. 8, 2007 court filing that was part of a class-action lawsuit filed against Webloyalty, one of several suits filed against the three marketing companies over the years. In this case, the attorneys representing plaintiff Joe Kuefler sized up why they believed Webloyalty doesn’t display its terms in this clear way or ask consumers to input their credit card information themselves.

“The answer is nefarious,” the lawyers wrote. “If customers had to retype their credit card numbers, they would know that they were registering for a monthly fee-based service and defendants would not be able to get rich by fooling people into signing up.”

Confusion breeds deception
Here’s the next obvious fact that readers should know: burying important contractual information deep inside big blocks of text isn’t new. Creating confusion around a purchasing experience and then obtaining a consumer’s credit card information from someone other than the owner to make charges isn’t novel. These ideas have been around in some form or another for decades and are outlawed in many parts of the brick-and-mortar world. These tactics won’t fool everyone, but they will mislead enough consumers for the companies to profit.

In the court filing against Webloyalty, Kuefler’s lawyers said that if they could get their hands on the company’s internal documents they could prove Webloyalty knew that most “members” were duped into signing up. Well, the government did obtain documents.

According to the Senate Commerce committee’s report, a Vertrue employee once wrote that “cancellation calls represent approximately 98 percent of call volume” to the company’s customer service operations. One Webloyalty employee said in an e-mail that “90 percent of our members don’t know anything about the membership.”

Documents obtained by the government show Affinion estimated that the chances of obtaining money from a consumer would be four times higher if a retailer handed over a customer’s credit-card information to the marketing firm than if the firm had to get it from the actual cardholder.

Prentiss Cox, a former assistant attorney general and now a Minnesota law professor, says that in his decade-long experience studying the marketing practices employed by Affinion, Vertrue and Webloyalty, it’s clear to him that the share of people who voluntarily sign up for the loyalty memberships run by those companies is less than 5 percent.

Since I began writing about this in July, I’ve seen a lot of reader feedback from people who don’t believe they could ever be misled into signing up for the membership programs. But I’ve also read thousands of complaints, which can be found here, here, and here. Among those who have claimed to have been duped are lawyers, computer programmers, vice presidents, U.S. Army veterans, and journalists.

The government wrote that more than 35 million people have been enrolled in Affinion, Vertrue, and Webloyalty’s clubs.

Cox says the marketing techniques used by Affinion, Webloyalty, and Vertrue work because shoppers have been conditioned to believe that on the Web they can’t be charged without entering their credit card information. He notes the ads that Affinion, Vertrue and Webloyalty stick in the faces of consumers come late in the transaction process, when a consumer might think they need to click the “yes” button and enter their e-mail address to verify their identities. In addition, the ads “are sold as free offers,” Cox said. This lowers a shopper’s guard.

Another effective technique employed by the marketing companies is that they know many people will be embarrassed. Many consumers will hear that they entered their e-mail address and will assume they erred. Some won’t make a stink because they don’t want to admit that they don’t check their bank statements well enough.

By saying, “we never release credit card information without the consumer’s authorization,” the marketing companies and their retail partners imply that the money their customers lost was caused by their own negligence.

Affinion, Vertrue, Webloyalty, and their retail partners are all profiting from their customers’ shame, when it is they who should be ashamed.

Webloyalty illustrated for potential clients how much easier it is to generate “high revenue” from a consumer when the firm can get their credit card information from a retailer (‘card on file’) instead of the card owner. Members of a Senate committee have called such practices a ‘scam.’ (Credit: U.S. Senate Commerce committee)

 

http://news.cnet.com/8301-1009_3-10403286-83.html?tag=newsLeadStoriesArea.1

November 20, 2009

Self-Policing Cloud Computing

Filed under: Computer Tech, Security — thewere42 @ 8:44 pm

IBM security tool searches for and destroys malicious code in the cloud.

By David Talbot

Cloud computing presents inherent privacy dangers, because the cloud provider can see a customer’s data and leased computational apparatus, known as “virtual machines.” New research suggests that as long as the cloud can see things, it might as well check that its customers aren’t running malicious code.

Researchers at IBM’s Watson Research Center in Yorktown, NY, and IBM’s Zurich Research lab have developed a system for cloud computing “introspection monitoring,” in which elements of the cloud would act as a kind of virtual bouncer. They’d frisk virtual machines to check what operating systems they’re using, whether they are running properly, and whether they contain malicious code, such as rootkits.

“It works by looking inside the virtual machine and trying to infer what it does. You don’t want malicious clients to give you all kinds of malware in their virtual machines that you will run in the cloud,” says Radu Sion, a computer scientist at Stony Brook University, who was not involved in the research. “Today the cloud does not offer privacy, so we might as well use the lack of privacy for introspection.”

The work by IBM was one of several papers presented last Friday at the ACM Cloud Computing Security Workshop, a first-of-its-kind event. The paper extends earlier research on introspection to make it more applicable to cloud settings such as Amazon’s EC2 service. “In clouds, the barrier to entry is lower, and the thing customers are most concerned about is their information. We want to make sure their information is handled in a manner consistent with their expectation of security and privacy,” says J.R. Rao, senior manager for secure software and services for IBM.

One specific way that clouds could present hazards is if hackers figure out how to place their malicious virtual machines on the same physical servers as those of their victims, as recent research has shown is possible. Cloud providers use multiple data centers and many thousands of servers, so finding the right one could be a crucial first step to a cloud computing attack. (Earlier research has shown that hackers using a given operating system can steal data from other users of the same operating system, and that similar vulnerabilities can exist when operating systems share the same servers.)

Story Continues – http://www.technologyreview.com/computing/23988/?a=f

Survey: Hospitals Not Protecting Electronic Health Records

Filed under: Health, Security, Society — thewere42 @ 5:08 pm

Despite new federal laws to protect the privacy of medical files, many hospitals are ill-prepared to prevent security breaches that may result in patient records being stolen, lost or misused, a new survey shows.

Three in four hospitals and health organizations said medical records of patients had been put at risk of improper disclosure “due to inadequate security controls, policies or procedures,” according to the survey released Thursday at a meeting of government health information planners in Washington.

“This is a call to action,” said Lisa A. Gallagher, a privacy and security expert who conducted the study for the Healthcare Information and Management Systems Society (HIMSS). “We need to get focused on security.”

In the survey, one in three groups said they knew of at least one case of medical identity theft from records under their control–nearly double the number reported in a similar study last year.

Half of those surveyed said they had no plan in place to respond to security threats and many of them indicated that they are spending “little additional resources” to combat the problem.

The report comes as federal officials are launching an ambitious plan to encourage greater use of digital medical records. Officials are planning to spend as much as $45 billion in stimulus funds in the coming years to help doctors and hospitals purchase these systems. The Obama administration is also moving forward with plans to convert an obscure government data collection system into a Health Internet, which would encourage sending sensitive medical information into cyberspace.

“These factors may put health data at a higher risk of exposure in the future, and increase the need for mature security processes and controls,” Gallagher wrote in her report.

Two hospital groups, the American Hospital Association and the Federation of American Hospitals, had no immediate comment on the report.

The stimulus bill contains a series of new provisions to tighten the privacy and security of electronic health data. For instance, the law requires health care providers to notify patients when their personal information falls into the wrong hands.

Yet the survey released on Thursday found that many hospitals lack even basic tools to encrypt health care data as a means to prevent its misuse or theft. Fewer than half said they encrypt records they store, while just two-thirds use encryption techniques when sending health records over the Internet.

“Health care is no different than other industries grappling with the challenges of cyberspace,” said Aneesh Chopra, the White House chief technology officer in response to the survey.

The study, conducted from August to October, questioned about 200 top-level health information technology professionals working in hospitals and other medical institutions. It was run by HIMSS, whose members represent a cross-section of health information technology professionals. The survey’s purpose was to gauge how well these institutions are preparing for the national switch-over to electronic medical records. The administration hopes to create a digital medical file for every American within the next five years.

The findings surprised some members of the government Health Information Technology standards panel, which is aiding federal officials in setting standards for distributing stimulus money to doctors and hospitals that purchase digital records systems.

“I think the survey results show that health care organizations still perceive security to be a compliance issue, not a function critical to their business or providing quality care,” said Dixie Baker, who heads the standards committee’s privacy workgroup.

Committee member Walter Suarez said he was “surprised” that so many hospitals hadn’t even met basic security standards already required under federal law.

“The first question is really: Do we need to have a much larger picture of what is going on across the country,” Suarez said.

http://www.huffingtonpost.com/2009/11/20/survey-hospitals-not-prot_n_365177.html

November 19, 2009

‘Fingerprinting’ RFID Tags: Researchers Develop Anti-Counterfeiting Technology

Filed under: Computer Tech, Crime Tech, Security, Technology — thewere42 @ 9:00 pm

Engineering researchers at the University of Arkansas have developed a unique and robust method to prevent cloning of passive radio frequency identification tags. The technology, based on one or more unique physical attributes of individual tags rather than information stored on them, will prevent the production of counterfeit tags and thus greatly enhance both security and privacy for government agencies, businesses and consumers.

“RFID tags embedded in objects will become the standard way to identify objects and link them to the cyberworld,” said Dale R. Thompson, associate professor of computer science and computer engineering. “However, it is easy to clone an RFID tag by copying the contents of its memory and applying them to a new, counterfeit tag, which can then be attached to a counterfeit product — or person, in the case of these new e-passports. What we’ve developed is an electronic fingerprinting system to prevent this from happening.”

Thompson and Jia Di, associate professor of computer science and computer engineering and co-principal investigator on the project, refer to the system as a fingerprint because they discovered that individual tags are unique, not because of the data or memory they contain, but because of radio-frequency and manufacturing differences.

As Thompson mentioned, RFID tags are becoming more prevalent. They have been used in a wide range of applications, including government processes, industry and manufacturing, supply-chain operations, payment and administration systems, and especially retail.

“In spite of this wide deployment, security and privacy issues have to be addressed to make it a dependable technology,” Thompson said.

A passive RFID tag harvests its power from an RFID reader, which sends radio frequency signals to the tag. The tag, which consists of a microchip connected to a radio antenna, modulates the signal and communicates back to the reader. Working with an Avery Dennison M4E testcube designed for determining the best placement of RFID tags on packages, Thompson, Di and students in the Security, Network, Analysis and Privacy Lab measured tags’ minimum power response at multiple frequencies.

The researchers did this using an algorithm that repeatedly sent reader-to-tag signals starting at a low power value and increasing the power until the tag responded. Radio frequencies ranged from 903 to 927 megahertz and increased by increments of 2.4 megahertz. These measurements revealed that each tag had a unique minimum power response at multiple radio frequencies. Moreover, power responses were significantly different for same-model tags.

“Repeatedly, our experiments demonstrated that the minimum power response at multiple frequencies is unique for each tag,” Thompson said. “These different responses are just one of several unique physical characteristics that allowed us to create an electronic fingerprint to identify the tag with high probability and to detect counterfeit tags.”

Like other electronics equipment, cost and size have driven development of RFID technology. This emphasis means that most tags have limited computational capabilities; they do not include conventional encryption algorithms and security protocols to prevent cloning and counterfeiting. The electronic fingerprinting system addresses these concerns without increasing the cost or physically modifying the tag, Thompson said. The method can be used along with other security protocols for identification and authentication because it is independent of the computational capabilities and resources of the tag.

Thompson and Di are also developing network circuits that are resistant to side-channel attacks against readers and tags.
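The measurement procedure described above (sweep the reader power upward at each frequency from 903 to 927 MHz in 2.4 MHz steps until the tag answers, and treat the resulting vector of minimum response powers as the tag’s fingerprint) can be illustrated with a small simulation. The code below is an added example, not the University of Arkansas group’s software: the tag model, the noise level, the reader power range and step, and the per-frequency activation thresholds are all constructed assumptions. It shows why copying a tag’s memory (its EPC) is not enough to pass verification once the physical response is enrolled.

```python
"""Simulated RFID tag fingerprinting from minimum power response (added example)."""
import math
import random

# Frequency sweep from the article: 903 to 927 MHz in 2.4 MHz increments (11 points).
FREQS_MHZ = [round(903.0 + 2.4 * i, 1) for i in range(11)]

# Constructed reader parameters (assumptions, not values from the article):
# transmit power is stepped from 10 dBm to 30 dBm in 0.1 dB increments.
POWER_START_DBM = 10.0
POWER_STEP_DB = 0.1
POWER_STEPS = 200


class SimulatedTag:
    """A passive tag. The EPC memory can be copied to a counterfeit tag, but the
    per-frequency activation threshold (manufacturing variation) cannot."""

    def __init__(self, epc, thresholds_dbm, noise_db=0.2, seed=0):
        self.epc = epc
        self.thresholds = dict(zip(FREQS_MHZ, thresholds_dbm))
        self.noise_db = noise_db          # measurement jitter per query, in dB
        self._rng = random.Random(seed)

    def responds(self, freq_mhz, power_dbm):
        """Tag backscatters when reader power exceeds its (jittered) threshold."""
        jitter = self._rng.uniform(-self.noise_db, self.noise_db)
        return power_dbm >= self.thresholds[freq_mhz] + jitter


def minimum_power_response(tag, freq_mhz):
    """Raise reader power from POWER_START_DBM until the tag answers; return that power."""
    for k in range(POWER_STEPS + 1):
        power = round(POWER_START_DBM + k * POWER_STEP_DB, 1)
        if tag.responds(freq_mhz, power):
            return power
    return None  # never answered within the reader's power range


def fingerprint(tag):
    """Vector of minimum response powers, one per frequency."""
    return [minimum_power_response(tag, f) for f in FREQS_MHZ]


def distance(fp_a, fp_b):
    """Worst per-frequency deviation in dB; a missing response counts as a mismatch."""
    worst = 0.0
    for a, b in zip(fp_a, fp_b):
        if a is None or b is None:
            return math.inf
        worst = max(worst, abs(a - b))
    return worst


def verify(enrolled_fp, tag, tolerance_db=1.0):
    """Re-measure the presented tag and compare with the enrolled fingerprint.
    Returns (is_genuine, distance_db). The tolerance must exceed re-read jitter
    (here at most about 0.5 dB) but stay below typical tag-to-tag variation."""
    d = distance(enrolled_fp, fingerprint(tag))
    return d <= tolerance_db, d


def demo():
    # Constructed thresholds: a genuine tag, and a clone with identical EPC memory
    # but different physical response (same model, different silicon/antenna).
    genuine_thresholds = [14.2, 13.9, 13.5, 13.1, 12.8, 12.6, 12.7, 13.0, 13.4, 13.9, 14.5]
    clone_thresholds = [15.9, 15.1, 14.8, 13.3, 13.0, 14.2, 14.0, 12.2, 15.1, 14.4, 16.0]
    epc = "E2-0000-EXAMPLE-0001"  # placeholder identifier

    enrolled_tag = SimulatedTag(epc, genuine_thresholds, seed=1)
    enrolled_fp = fingerprint(enrolled_tag)

    # The same physical tag read again later (fresh noise), and the clone.
    genuine_again = SimulatedTag(epc, genuine_thresholds, seed=2)
    clone = SimulatedTag(epc, clone_thresholds, seed=3)

    return {
        "enrolled_fp": enrolled_fp,
        "same_epc": clone.epc == enrolled_tag.epc,   # memory check alone passes
        "genuine": verify(enrolled_fp, genuine_again),
        "clone": verify(enrolled_fp, clone),
    }


if __name__ == "__main__":
    r = demo()
    print("enrolled fingerprint:", r["enrolled_fp"])
    print("clone has same EPC:", r["same_epc"])
    print("genuine re-read:", r["genuine"])
    print("clone:", r["clone"])
```

The verification tolerance is the design knob: too tight and legitimate re-reads fail under temperature or placement changes, too loose and a same-model counterfeit slips through. In practice the threshold would be set from repeated reads of many genuine tags rather than the fixed 1 dB assumed here.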

Story Source:

Adapted from materials provided by University of Arkansas, Fayetteville, via Newswise.

http://www.sciencedaily.com/releases/2009/11/091118160627.htm

November 16, 2009

Facial Biometrics System Capable of Creating a Facial ‘DNA’

Filed under: Computer Tech, Crime Tech, Security — thewere42 @ 8:01 pm

A new facial biometrics system that is able to recognize the facial “DNA” of every individual by determining his/her most noteworthy facial traits. (Credit: Image courtesy of Universidad Carlos III de Madrid – Oficina de Información Científica)

Research into techniques of facial biometrics, carried out by scientists at Universidad Carlos III de Madrid (UC3M), has resulted in a system that is able to recognize the facial “DNA” of every individual by determining his/her most noteworthy facial traits, with a 95% rate of precision.

Recognition techniques based on facial features, known as facial biometrics, are usually based on the search for those traits which make one face different from another. The research carried out by this team, in contrast, approaches the issue from a slightly different point of view.

“The difference between our work and the majority of the others that are found in this field is the idea of individualized models,” explains one of the study’s authors, mathematician David Delgado Gomez from the UC3M Statistics Department. “Our objective,” he continued, “is to create a model for each person which highlights the most distinguishing features of each face, as a sort of facial ‘DNA’.”

The researchers had this idea when they were imagining the situation of a crowded room where someone comes in asking for one of them. “Our way to describe a person is through some traits that the others don’t have, such as the tall woman with blue eyes, or the bald guy with a beard. We try to apply this idea to our algorithm,” remarked Professor Delgado, who has been carrying out this research with Federico Sukno, Kaushik Pavani and Alejandro Frangi from the CISTIB Group of Universidad Pompeu Fabra of Barcelona, and Bjarne Ersboll and Jens Fagertun from the mathematical modelling group of Technical University of Denmark, which has recently published an article entitled “Similarity-based Fisherfaces,” with some of their research results appearing in the scientific journal Pattern Recognition Letters.

Basic elements

A facial biometrics system is normally made up of three components. First, a camera is necessary to record an image; secondly, a software program is needed which determines if there is a face in that image, locating, among other things, the facial geometry (the placement of the eyes, nose, mouth, etc.); and thirdly, a system that is capable of classifying all those elements to differentiate between them and those of other persons. The most complicated part, according to the researchers, was combining the facial geometry and facial texture.

“With only the geometric information, very low classifications are obtained, which is why we combine this information with that of facial texture to obtain a more robust model, and a statistical way of combining them occurred to us, which offered very good results,” Delgado pointed out. The researchers have shown that when this system is used in a controlled environment, it can achieve a 95% rate of precision.

The main complication occurring when using this type of system is the lighting, which can change the color of the face. Another challenge is the passage of time, because as a person ages, his/her face undergoes changes as it becomes heavier, thinner, or more wrinkled, which can then fool the classifiers. On the other hand, the researchers add, it does have a significant advantage when compared to other biometric systems: it doesn’t need direct interaction with a person, as fingerprinting or iris recognition do, for example.

Story Source:

Adapted from materials provided by Universidad Carlos III de Madrid – Oficina de Información Científica, via AlphaGalileo.

http://www.sciencedaily.com/releases/2009/11/091111121358.htm
