Another Day, Another Big Data Breach

from the do-people-even-pay-attention? dept

These days, it's probably best to just assume that any private data you've ever provided to a company is public. Given the pace at which the data you've entrusted to companies is leaked, whether via malicious hackers or via company carelessness, it's almost as if the exception to the rule is a company that's actually been able to keep your data safe. So it's hardly surprising that Express Scripts, the massive medical benefits management company, has said that its records appear to have been compromised. Apparently, the company was sent a note, detailing the medical records of about 75 people, with an extortion threat telling the company to pay up or face the exposure of millions of patient records. The FBI is now investigating. Still, we're reminded once again that companies have very little incentive to really keep your records straight. It's almost reached the point where these stories are barely worth commenting on, since they're so common. There's something quite depressing when you realize that these sorts of data breaches are barely even newsworthy any more.

Filed Under: data breach, extortion, fbi, medical benefits
Companies: express scripts, fbi

FBI Wants More Power To Monitor Internet Activity

from the because-they're-so-trustworthy dept

The FBI, which still can't even get its own computer network working properly, would rather just have more widespread access to spy on the computer network everyone else uses: the internet. Talking to Congress today, the FBI proposed a few different things, including the right to more widely spy on internet activity as well as legislation to force ISPs to retain log file data for an extended period of time. While the Congressional reps in attendance seemed to respond by saying "sure, sounds great" to both of these suggestion, both should actually be looked at much more closely.

More freedom to spy on internet usage potentially violates the 4th Amendment as well as federal wiretap laws. Given the evidence that the FBI has widely abused its ability to wiretap, this should be a major concern. As for data retention, problems with such an idea have been chronicled for years. It tends to put a tremendous expense on ISPs for no real reason -- and it tends to make it even harder to find the type of data authorities actually need to deal with criminal activities. If you're in the FBI, it's no surprise that you'd want both things in place, but that hardly means Congress should roll over and give them to the FBI.

Filed Under: congress, data retention, fbi, internet, monitoring, wiretap
Companies: congress, fbi

No, The FBI Probably Isn't Looking Into Your March Madness Brackets On Facebook

from the a-little-march-madness-exaggeration dept

Every year around this time, you can be sure of two types of stories: the first will be about how much productivity is lost thanks to March Madness (NCAA basketball tournament, for those who don't know) and the second is about how the customary March Madness pools are probably illegal gambling. This year, it's been turned up a notch, thanks to reports like this one in PC World claiming that the FBI is looking into the brackets available on Facebook thanks to a CBS Sportsline app. From reading the article, you'd think that the FBI is spending valuable resources trying to track down your office pool or the pool among your college buddies. Except... the article doesn't quote anyone at the FBI or even indicate that it tried to get the FBI to comment on the matter. It merely points to a Chicago Tribune article that says Facebook may face "scrutiny," but also provides no proof. That one at least has an FBI quote, but it's clearly in response to a question from the reporter over whether or not such pools violate the law -- not about whether the FBI is actually investigating Facebook.

The PC World report also points to a blog post saying that Facebook is coming under FBI scrutiny, but again provides no proof, other than some unsourced conjecture about the FBI "loitering" around Facebook -- and another link. This one goes to a report at a site called Online Casino Reports, which also gets a quote from the FBI -- but again, it appears to be in response to a question about the legality of betting pools, but not claiming that there's any sort of ongoing investigation. While there's a chance it's happening, there seems to be a bunch of folks reporting on this with no actual evidence that the FBI is looking at this. The only quote from the FBI came from the Chicago Tribune and was clearly in response to a question about the legality of betting on March Madness, not about any investigation into Facebook. So, chances are, the FBI isn't going to burst in on Mark Zuckerberg for putting a couple bucks on North Carolina to win it all -- or on you for picking Cornell (go Big Red) to beat Stanford this Thursday in the opening round, but if you want to be safe, maybe don't bet any money on it in the first place.

Filed Under: basketball, betting, brackets, fbi, march madness, ncaa, office pool, social networks
Companies: facebook, fbi

FBI Wants To Build Huge Biometric Database

from the you-have-no-privacy dept

We just found out that the White House has chosen not to staff the official "Privacy Board" that is supposed to make sure gov't surveillance doesn't infringe on American citizens' privacy. That came right after National Intelligence Director, Mike McConnell, announced that he's hoping to get the rights to monitor all internet traffic. Since news tends to come in threes (well, so says the urban legend) now comes the news that the FBI is looking to put together a huge biometric database containing info on fingerprints, palm prints, iris recognition mug shots and scars of anyone they can gather this info on. This seems like a typical reaction from a gov't agency, and with the announcement comes all the typical political doubletalk about how this is for safety, claiming that the database is "important to protect the borders to keep the terrorists out, protect our citizens, our neighbors, our children so they can have good jobs, and have a safe country to live in."

However, as has been made clear countless times, these types of databases always get abused. Much more importantly, as Tim pointed out recently, violating peoples' privacy doesn't provide more security. In fact, it often does the opposite. It makes it easier for important data to get lost in the pile, and it also means that that data is now that much less secure. The database itself suddenly becomes a huge target. So, in an effort to make the country "more secure," an effort like this can actually do the opposite.

Filed Under: biometric database, fbi, privacy, security
Companies: fbi

FBI Not Good At Paying Wiretap Bills

from the a-near-total-mess dept

While the FBI has regularly decided that court orders aren't necessary for wiretaps, it is a bit surprising to find out that it seems to feel the same way about paying the bills for wiretaps. Newly released info show that the FBI often failed to pay its wiretapping bills, leading one telco to cut off the FBI's wiretaps until it finally paid up. Given how screwed up the FBI's computer systems are, perhaps it's not surprising that they don't have an acceptable accounts payable system either.

Filed Under: fbi, payment, wiretaps
Companies: fbi

FBI Apparently Believes That Court Orders Are For Suckers

from the data-mining-the-FBI dept

Wired's invaluable Ryan Singel has been panning for gold in the muddy stream of FBI e-mails and other documents recently obtained by the Electronic Frontier Foundation under a Freedom of Information Act request, and has already hit a couple of intriguing nuggets, such as overeager agents' willingness to bypass court-order requirements when seeking cell phone records. The documents reveal how this caused tension and dispute even within the Bureau.

One e-mail, from a tech specialist in the FBI's Minneapolis office, complained that other agents would even pose as that specialist when calling telecom carriers, hoping to persuade them to turn over cell records without a judge's order. The cell information would apparently then be used as part of a high-tech tracking program that allowed agents to pinpoint a cell user's location.

Equally intriguing is the report that the Bureau's national-security wiretapping software recorded almost 28 million "session" intercepts in 2006. While it's not clear precisely what counts as a "session," this is obviously vastly more than the 2,176 FISA warrants (pdf) obtained by the government that year, at least some of which only covered physical searches. Unless terror suspects talk on the phone far more than the average teenager, the discrepancy hints that each warrant may have covered a very large number of individuals.

Filed Under: domestic spying, fbi, warrants
Companies: fbi

Hushmail Turns Out To Not Be Quite So Hush Hush

from the privacy-is-an-illusion dept

Many people are familiar with the company Hushmail, who provides encrypted web-based email that the company claims is completely private. In fact, the company makes it clear: "not even a Hushmail employee with access to our servers can read your encrypted e-mail, since each message is uniquely encoded before it leaves your computer." It turns out that isn't quite true. Wired reports that Hushmail handed the feds 12 CDs worth of plain text emails from the service following a court order. The Wired piece goes into great detail concerning what happened here -- and the folks at Hushmail were quite honest about how their service works. Hushmail has two different versions, one which requires a java app to be downloaded, which handles all the encryption locally. The other, more popular one, is entirely web-based, meaning that your passphrase is stored on the server ever so briefly -- and that's how Hushmail was able to access the accounts required in the court order. So, while it's true that Hushmail is mostly secure outside of a court order, the marketing material on the site is at least a little misleading, implying that even in such cases, your email will be encrypted.

Filed Under: drug dealers, email, encryption, fbi, privacy
Companies: fbi, hushmail

FBI Investigating Unisys For Not Preventing US Gov't Computers From Getting Hacked

from the intrusion-prevention-is-supposed-to,-you-know,-prevent-intrusions dept

Following the stories of Chinese hackers breaking into US Defense Department computers, it appears that the FBI is investigating Unisys for its inability to prevent those and other hacks. Apparently, the government is paying Unisys $1 billion to manage the computer systems for the Department of Homeland Security -- which would include preventing them from being hacked. Unisys, for its part, claims that its intrusion protection system worked and it reported the security incidents. Of course, from the sound of things, the hacks still occurred so whatever "warnings" Unisys sent didn't quite do the job. Of course, the FBI isn't really one to talk about the inability to keep computer systems working.

Filed Under: government contracts, intrusion prevention
Companies: fbi, unisys

Spying Goes All 2.0

from the pssst,-slip-me-some-ajax-in-the-dead-drop dept

While the US intelligence community has a long history of expensively botched computer systems, it does seem like they've suddenly became Web 2.0 believers. Last year we wrote about the internal Wikipedia-like offering called Intellipedia, that would let members from different agencies in the intelligence community share information more easily. It appears that things have progressed beyond that as well. They now have a social networking app just for the intelligence community, called A-Space, along with a del.icio.us clone and internal blogs. Of course, it seems like some in the intelligence arena (especially those who happen to be undercover) aren't entirely thrilled with the concept -- but it will be interesting to find out how it develops (as if we'll ever find out). What would be really nice to know is how much these efforts are costing compared to the $600 million that was thrown away on useless computer systems.

Filed Under: cia, fbi, intelligence community, social networking, web 2.0
Companies: cia, facebook, fbi, myspace

How Does The FBI's Spyware Get Around Security Software?

from the cloak-and-dagger-or-point-and-click dept

A teenager in Washington state got sentenced to 90 days in juvenile detention this week, after he plead guilty to making some bomb threats via e-mail to a high school. It turns out that the FBI nabbed him with a piece of spyware called the Computer and Internet Protocol Address Verifier, or CIPAV. The FBI used the spyware after it had obtained server logs from Google and MySpace, which gave them an IP address that led to an infected computer in Italy. This isn't too surprising, really, but what makes it a little more intriguing is that it's not clear how the FBI slipped the program onto the kid's computer, nor how it evaded detection by anti-virus software. The most likely possibility is that they took advantage of some unpatched vulnerability on the kid's PC, with a browser or plug-in hole exploited by a MySpace web message. The question of evading security software looms larger, though, with CNet's Declan McCullagh wondering if the government persuaded security software vendors to whitelist CIPAV. He said that some vendors said they'd comply with court orders to ignore government or police spyware, and that McAfee and Microsoft wouldn't say if that's what had, in fact, happened here. Meanwhile, Kevin Poulsen over at Wired says that a more likely (and less controversial) explanation is that without ever seeing CIPAV, security software vendors can't make a signature for it, so their systems can detect it.

Filed Under: government, law enforcement, spyware
Companies: fbi, mcafee, microsoft