Privacy Blog

Blogging Privacy and Security

Hushmail.com hijacked, Network Solutions security breach?

Here is the hushmail.com notice on their website, dated midnight (Saturday night/Sunday morning):

In recent hours we have been made aware that security was compromised at the domain registrar responsible for the hushmail.com domain. For a brief period, this domain was forwarded to a server belonging to an unidentified party, which resulted in our web page being unavailable or appearing defaced.

There was no unauthorized access to any of the Hush servers. Data managed by Hush was not compromised. During this period, email sent to hushmail.com will not have been delivered.

Please accept our sincerest apologies for the inconvenience this has caused. We take this incident very seriously, and will continue to update this page as more information becomes available.

April 24, 2005 in Current Affairs

Network Solutions breached? Hushmail phished on April 23, 2005

Strange how I don't see anything in the news, but Hushmail, the secure mail service, is reporting that its registrar was hacked on Saturday and the hushmail.com domain was redirected for several hours. Hushmail doesn't name the registrar, but a whois check shows it to be Network Solutions.

This is scary stuff, because Hushmail is a 2048-bit strong encryption email service, used internationally for secure, private email. If the site was phished, it is possible that the hackers collected passphrases for Hushmail accounts from users who didn't notice that the phishing web page was any different from a "regular" Hushmail login.

Perhaps most odd is that I didn't see anything on Slashdot, or anywhere else in the news, about a security breach at Network Solutions.

From the hushmail.com website:

On April 23rd, an unauthorized party gained access to our customer account at our domain registrar. A domain registrar is a company that is responsible for controlling which website actually gets displayed when you enter an address (such as www.hushmail.com) in your web browser. Therefore, by breaching security at our domain registrar, the unauthorized party was able to control which website would be displayed when users entered the address www.hushmail.com.

The unauthorized party altered the domain settings so that users entering www.hushmail.com in their web browser were no longer directed to our real website. Instead, users were redirected to a different website at a different location. Soon that website was shut down, and users simply received an error page.

We are following up with our domain registrar to determine how the unauthorized party was able to gain access to their system.

There was no unauthorized access to any of the Hush servers. Data managed by Hush was not compromised. During this period, email sent to hushmail.com may not have been delivered.

Please accept our sincerest apologies for the inconvenience this has caused. We take this incident very seriously, and will continue to update this page as more information becomes available.

April 24, 2005 in Current Affairs

AIM privacy - AOL instant messenger privacy

Wow. eweek is reporting on AOL's new AIM Terms of Service, which require users of AIM to hand over all rights to whatever passes through IM to AOL.

It includes the language:

"You waive any right to privacy. You waive any right to inspect or approve uses of the content or to be compensated for any such uses"

but the strangest part is this:

In addition, by posting content on an AIM Product, you grant AOL, its parent, affiliates, subsidiaries, assigns, agents and licensees the irrevocable, perpetual, worldwide right to reproduce, display, perform, distribute, adapt and promote this content in any medium

They quote the Macslash editor, who summarizes the weirdness of it:

"They're encouraging businesses to use AIM to discuss details of their business correspondence, even to sync their Outlook contact and calendar files, which, according to their TOS, AOL then has the right to publish in any way they see fit, including, among other things, providing that information to business competitors. I'd be pretty damn leery of using AIM@Work for any kind of business"

It is the AIM TOS that users have to accept when they download the AOL client. I wonder how that affects AIM users who use third-party AIM clients like Trillian.

March 13, 2005 in Current Affairs

Choicepoint exits the consumer social security number market?

Choicepoint has released a statement that it will be exiting the sensitive consumer social security number market.

Already some users of Choicepoint's AutotrackXP system are reporting that the last 4 digits of social security numbers are removed from consumer reports.

According to Choicepoint:

".. the company will discontinue the sale of information products that contain sensitive consumer data, including Social Security and driver's license numbers, except where there is a specific consumer-driven transaction or benefit, or where the products support federal, state or local government and criminal justice purposes.. "

The company admits that the change is a direct result of

".. the recent fraud activity, our review over the past few weeks of our experience and products, and the response of consumers who have made it clear to us that they do not approve of sensitive personal data being used without a direct benefit to them.."

They went on to apologize:

"..We apologize again to those consumers who may be affected by the fraudulent activity. We remain committed to helping them take active steps to protect their personal data and to assisting law enforcement officials who are investigating the attacks on consumer's identities.."

According to Choicepoint, products and services that contain sensitive personal information will have to meet one of three tests:

  • Support consumer-driven transactions where the data is needed to complete or maintain relationships such as insurance, employment and tenant screening or to provide access to their own data;
  • Provide authentication or fraud prevention tools to large, accredited corporate customers where consumers have existing relationships. For example, information tools for identity verification, customer enrollment and insurance claims; or
  • Assist federal, state and local government and criminal justice agencies in their important missions.

March 07, 2005 in Current Affairs

Anonymizer Privacy Notes

Anonymizer noted some recent privacy news:

Companies offer ID theft coverage as perk
(AP Wire)
A growing number of companies are offering identity theft coverage as an employee benefit, in part to reduce lost time when a worker becomes a victim. On average, a consumer whose identity has been stolen spends about 200 hours restoring his or her good name. The coverage is offered as kind of a stress reducer, so individuals can be more productive at work.

Complete credit card receipts found in trash of West Palm restaurant (Sun-Sentinel.com)
Hundreds of old receipts from Outback Steakhouse were tucked into bank envelopes, stuffed into small boxes and restaurant to-go bags, and tossed atop the trash bin. Some of the receipts contain complete credit card account numbers, expiration dates and names of the customers. The State Attorney's Office said the Outback manager may have acted irresponsibly but did not break the law. Unlike California, Colorado and Georgia, Florida has no law requiring businesses to properly destroy receipts containing credit card information. Federal law is mute on the issue.

January 19, 2005 in Current Affairs

More on email privacy and the Panix hijacking

According to the Panix website:

We believe the administrators of the incorrect mail server to be an innocent third party, but if there was any sensitive data mailed to you during this period of time, it may be prudent to consider it compromised.

January 19, 2005 in Current Affairs

George Mason University Hacked

Names, social security numbers, and photos of more than 28,000 students and 4,000 staff members at George Mason University were stolen sometime between November 2004 and January 2, 2005.

According to the ComputerWorld report (print edition, January 17, 2005), the only reason we know about this is that an audit of system files uncovered it.

The University explained that they have 60,000 registered users and 25,000 servers, as if that would explain why it might be hard to maintain security. Huh?

All that does is underline the stupidity of putting unencrypted personal information onto the network. If you know you can't secure it, why did you put the data there?

The world needs to change this mindset of acceptance of error in the face of challenges. It doesn't matter how hard it is to secure a large network. What matters is security, and security requires you to refrain from placing your constituents at risk if you cannot protect them.

January 18, 2005 in Current Affairs

Academic Personal Information Hacks

October 2004: University of California, Berkeley. Theft of the records of 1.4 million individuals in the California Department of Social Services program.

June 2004: UCLA reports a single laptop missing, with a database containing the personal information of 145,000 blood donors.

March 2003: Georgia Institute of Technology reports a computer in its Arts and Theatre program was breached, and used to steal the personal information of 57,000 students, faculty and staff.

March 2003: University of Texas at Austin reports hackers stole information on more than 55,000 students, faculty and staff.

(source: ComputerWorld print edition, Jan 17, 2005)

January 18, 2005 in Current Affairs

Blackberry Privacy: PIN messaging not private

Are there any "private" messages anymore?

Regulatory compliance has become such a burden on the financial and health industries (think Sarbanes-Oxley and HIPAA) that any form of "off the record" messaging is welcomed by insiders. Sure, it's not in compliance, but it is out of earshot of the compliance manager, right?

Not so fast, especially if you've been direct messaging your buddies using BlackBerry's PIN messaging (direct messaging between BlackBerry devices, without a server in the middle).

A recent lawsuit presented PIN message records between executives working with CIBC in Toronto. CIBC filed the lawsuit against Genuity Capital Management, and the messages were sent between Genuity execs when they were still CIBC execs. Apparently, CIBC had deployed software which allowed it to capture PIN messages as they traversed the cell towers. Security experts have also shown that the BlackBerry devices themselves can retain PIN message data on board unless the user purposefully cleans the memory.

Logging of PIN messages was not thought to be possible, according to the reporter at ComputerWorld (print) who wrote the article "Lawsuit Reveals Open BlackBerry" (January 17, 2004 print edition). I find that odd but not surprising. Technologists understand that data can be logged, but there are still technology users who think they can operate devices anonymously without anonymizing proxy servers and other security safeguards.

If you think education is expensive, just try ignorance.

January 18, 2005 in Current Affairs

Restroom Privacy - Not?

This is hardly a test for restroom privacy, and perhaps a testament to stupidity.

CNN is reporting on a "couple" who entered a convenience store restroom together and refused to answer knocks from police. Eventually they came out, allegedly looking like they had been rather busy inside.

It was only after going back in that the police arrested one of them. Geesh. Of course that led to a challenge of privacy in public bathrooms, but it was dropped.

As reported on newsmax:

"The Fourth Amendment protects people and not places," Judge Donald Lay wrote for the three-judge 8th Circuit panel. In Hill's case, "it was not a single person using the single toilet restroom but two persons of opposite gender and, under the circumstances, we hold that they had a diminished expectation of privacy which had expired by the time the officers arrived."

January 18, 2005 in Current Affairs

Axciom Security (Acxiom)

Acxiom is a big player in the consumer personal database industry. Whether you know it or not, you are probably trusting Acxiom with your personal financial information, because "Acxiom clients include 14 of the 15 biggest credit card companies, seven of the top ten auto manufacturers and five of the top six retail banks. The company also analyses consumer databases for multinationals such as Microsoft, IBM, AT&T and General Electric" (The Register).

So naturally, with billions entrusted, Acxiom must be quite a secure place. Sounds like the Fort Knox of consumer data. I guess that is why Acxiom has been hacked and that entrusted data has been stolen. Of course Acxiom says they take security very seriously... reminds me of the "on hold" voice that says "your call is important to us" while the company puts you into a massive queue to speak to one of very few low-wage customer service reps assigned to the phones. Is it all BS?

January 18, 2005 in Current Affairs

Verizon blocks Europe

Reports are flowing that Verizon, in an attempt to reduce spam, has blocked all incoming emails from European servers. Supposedly it took them two days to implement it. I have been told it is still in effect, 3 days later.

The Register originally reported:

Paul Wood, chief information analyst at email security firm MessageLabs, said it took Verizon two days to whitelist the IP addresses of its European messaging servers from the time it first complained its international users were having problems sending email to customers of the US ISP.

Another example of the "latent" monopolistic commercial power that has been given to these companies as a result of consumer ignorance. Had the digital knowledge gap NOT been so wide, a bozo move like this would cost a company half of its subscribers. In today's world, Verizon execs are probably looking forward to the bonus they'll receive for beating this quarter's Wall Street estimates, due to reduced bandwidth costs.

January 18, 2005 in Current Affairs

Why I will never use Gmail

Gmail is a wonderful product. No argument there. Excellent interface, fun to use, amazing efficiency, and almost all of the benefits of Outlook without the hassles.

But I will never use Gmail.

There were many privacy discussions related to Gmail when it was announced. California protested it for its potential privacy invasion. Anti-commercialists spoke of how Gmail would result in the exploitation of any covert preferences we might have, as revealed by meta-analysis of all of our communications.

I will never use Gmail for the same reason I will never really use a social network like Orkut, Friendster, or LinkedIn. And for the same reason I won't submit to personality testing, or other forms of psychological evaluation to satisfy the curiosities of a prospective employer or the government. Because the information will most likely be misused, and is easily abused.

Let's imagine that I meet "Bob" at a party. Now Bob is there because he knows Jim, and I am there because I know Jack, and it turns out that Jack knows Jim. Hence, according to the social networks, Bob and I are "related".

Now I met Bob and we exchanged emails, because we both have MyFi radios from XM and are both experiencing antenna issues. We're gonna commiserate.

Imagine also that we both have Gmail. Now behind the scenes, unknown to me, Google knows that Bob is a big time adult webmaster in San Diego. They know that for many reasons - he regularly sends and receives email from adult domains, from Internext organizing committee, and he subscribes to many wonderfully explicit adult websites. He receives email forwarded to him, originally addressed to "webmaster" at various adult domains.

That's not all Google knows. Bob is a webmaster, so he plays Google AdWords to get customers, and he buys placements on a whole slew of adult-ish keywords on the Google AdSense system. Google knows him well because Bob walks a fine line of "adult content" that Google watches carefully.

I know none of this about Bob. To me, he's just a guy I met at Tom's party, who has a MyFi and with whom I have volleyed a few emails.

But Google knows still far more about Bob. Bob browses the web with Microsoft's Internet Exploder, and has the Google Toolbar installed. Google keeps track of every website Bob visits, via the toolbar. Google knows how long he has stayed, what pages he clicked through, the anchor text that successfully attracted him to click, and the frequency at which Bob's clicks have converted to a sale.

Google also keeps track of every "sponsored listing" and every "Ad by Goooogle" that Bob has ever clicked. In fact, because Bob is CEO of his small but voluminous adult media company, and uses his credit card for just about every company purchase on the Internet, Google sees the activities of every one of Bob's staff (all 8 of them) as "Bob". Every time a business associate visits Bob in San Diego, Bob sends him off to a local massage parlor for a VIP session -- on Bob's credit card, of course.

Yes, Google knows quite a bit about "Bob". Certainly more than I do.

And now I am emailing with Bob, and because we use Gmail, Google gets to see every word, every email, the time it was sent, the time it was read, how long before a reply was generated, whether it was forwarded, to whom it was forwarded.... phew, this is getting tiresome.

The sheer magnitude of information available to Google, but not to me or Bob, but purportedly "about" both me and Bob *and* "me and Bob" is overwhelming. And misleading.

So you say nobody would ever use that. Really? Then why is it saved?
So you think it would be too hard to figure out all those connections? Really? How did Acxiom get to be such a big company so fast? (It figured out how to make such connections, and BINGO. Massive revenue enables just about anything you can imagine.)

Do I have something to hide? I didn't think so, but I didn't know myself as well as Google did. Did anyone else see "Code 46"? Kind of a silly movie, but the Sphinx did know better than the people. It was all in the data.

Gmail, and Google in general, are all about eliminating the individual consumer's ability to obfuscate his character, whether it is overt or covert character, true or false. I believe I should be able to defend my character if it is questioned. I don't believe that anyone should be able to quietly infer my associations behind my back, without a social structure in place to discount such nonsense (like those who gossip, or prejudge, or slander). These systems not only make character assumptions for you, but prevent you from knowing what has been assumed.

There is nothing good to come to me from using Gmail, and plenty of bad.

Continue reading "Why I will never use Gmail" »

January 17, 2005 in Current Affairs

No privacy with private webcam

Now someone has discovered a search engine hack that reveals security cameras that may have been considered to be "private". That is, the owners are most likely unaware that the cameras are actually real-time viewable by the general public, over the internet. If the images were intended to be displayed on a web page, perhaps surrounded by disclaimers, or advertisements, the images are now viewable directly, "for free".

I can just think of all of those privacy violations taking place through negligence.... oh, sorry. I forgot that we no longer have any privacy. Anyway, there will still probably be lawsuits.

So if the voyeur in you is interested, follow these steps to peruse the private cameras until the owners update their camera software, or re-configure their security settings, or get sued in a privacy violation lawsuit, or whatever:

1. Prepare for a long, arduous hacking session of slashes and dots and crazy code, to hack these state-of-the-art security cameras. You may want to get some coffee. Okay, ready?

2. Search Google here: web camera hack

3. That's it. Sorry it wasn't more complicated for you. But hey, this way you get to spend your time spying on unsuspecting store customers and such, instead of complicated computer codes. In the first few pages of results I found the interior of a datacenter, a convenience store, two people's own desks, a few waiting areas, many yard security cams, and a few adult webcam sites.

January 17, 2005 in Current Affairs

16 million social security numbers for sale

Anybody want social security numbers and related contact/credit information for 16 million plus Americans? Anybody of course meaning anybody anywhere... including Russia, China, North Korea, Iran.

Has the IRS been hacked? Where did these come from?

From a large private company, of course. Since our economic system here in the US requires us to give up all of our credit card historical data to every company who requests it, in order to be able to simply buy stuff, the data is out there. And because the US government is relying on private companies like Acxiom to aggregate our information and sell it to them for security reasons (like spying, for example), why would they work to change the system?

We've seen before that the government cannot legally collect a lot of private information on its citizens. The Patriot Act changed most of that, but it is still safer and easier to buy the information than collect and store it.

And this story tells of a hacker who had access to t-mobile's company servers for a year, and distributed such information, and offered it for sale. That's 16 million, folks.

And if the soft language of the law on notifying citizens of compromised info doesn't scare you, the fact that T-Mobile knew about it for 6 months should:

T-Mobile, which apparently knew of the intrusions by July of last year, has not issued any public warning. Under California's anti-identity theft law "SB1386," the company is obliged to notify any California customers of a security breach in which their personally identifiable information is "reasonably believed to have been" compromised. That notification must be made in "the most expedient time possible and without unreasonable delay," but may be postponed if a law enforcement agency determines that the disclosure would compromise an investigation.

January 16, 2005 in Current Affairs

Carnivore is dead. Long live internet monitoring!

The other day I read that the FBI admitted it hadn't used Carnivore at all in 2003. It was a big waste of money. Then I read that the FBI is retiring Carnivore. Why?

Do you think they don't need nor want to monitor "everything" that passes along the Internet? Well, actually, they have simply discovered that there are better ways to find out more, using private companies. But of course!

COTS at work. RAND was right.... you can't do certain things because you are the government, and it is illegal for the government to do certain rights-violating things. But it is NOT illegal for private companies to do those same things, and sell the information to the government. After all, civilians are voluntarily handing over all sorts of data to credit card and mortgage companies every day, while balking at the idea of giving that same info to the government. Why would the government care that the people complain they can't navigate the system without giving up their data, when that is precisely where the government gets its data from, third-hand?

Communist Russia made spies of its citizens by imposing fear and oppression. The United States is capitalist. Why not pay the people to give it up? Smart government. Stupid people.

January 16, 2005 in Current Affairs

How private is your email?

The oldest ISP in New York, Panix, had its domain name hijacked over the weekend. While normally such a thing would be solely of geek interest, worthy only of coverage on a geek web site like slashdot, it is also a big warning flag for YOU. Why? Because as a large ISP, Panix moved millions of email messages through its systems, and manages the email accounts of its customers.

Those emails have been secretly redirected to places unknown since the hijacking. That's right, if you had an email address whatever@panix.com then your email has been delivered to whomever hijacked the domain, and there is little anyone can do about it.

It also means that the persons unknown may have been sending email from your account all this time, without your permission or knowledge.

Now at first you might be thinking big deal, I have nothing to hide. But maybe you will come back online Monday, after Panix tech magicians have recovered their domain name, and discover that you have been signed up to every spam list in the world. Or worse, perhaps your account was used to SEND spam, and is now on a blacklist so any mail you send will be dumped into the spam bin.

How did something as important as a domain name get hijacked? Could the technical people at New York's oldest ISP really have slipped up?

No. The domain name system is poorly managed, and appears to have become a political football on an international scale. Recent regulation changes have created opportunities for hijacking, and it is not a loophole. It was known from the start that the changes could lead to hijacking, yet they were put through anyway. And now we are seeing the start of the consequences.

This weekend Panix got hijacked. What about Citibank? What if someone hijacked the Citibank website and started using it to collect your information and steal your money? Everyone uses the same Internet, with the same rules and the same registrar regulations.

Privacy is not dead. Privacy is suffering, and being mercilessly tortured! Do we need to fight for euthanasia for privacy? Here's a tip for you -- security is the little brother of privacy. If you don't protect privacy, guess who is left exposed to the twice-left-behind class bully?
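The Panix hijacking here and the Hushmail incident above are the same failure: the registrar account changes hands, the nameservers change, and web traffic and mail go wherever the new records point. The check below is an added example (not code from this blog, Hushmail, Panix or any registrar) of the baseline comparison a domain owner could run on a schedule: it parses whois-style text for nameservers and registrar lock status, compares A and MX records against a recorded baseline, and reports drift. The domain names, addresses and whois text are constructed for the example.

```python
"""Registrar/DNS hijack drift check (added illustration; all data constructed).

A baseline of the records you expect is compared with a fresh observation.
Any change in nameservers, web (A) or mail (MX) records, or loss of the
registrar locks, is reported with a severity and the reason it matters."""
import re
from dataclasses import dataclass

# EPP status codes a registrar sets so a domain cannot be transferred or have
# its settings changed without an explicit unlock (real codes from ICANN's EPP list).
REQUIRED_LOCKS = frozenset({"clientTransferProhibited", "clientUpdateProhibited"})


@dataclass(frozen=True)
class Snapshot:
    domain: str
    nameservers: frozenset   # from whois "Name Server:" lines
    status: frozenset        # from whois "Domain Status:" lines
    a_records: frozenset     # what the web address resolves to
    mx_records: frozenset    # where mail for the domain is delivered


def parse_whois(text):
    """Pull nameservers and EPP status codes out of Verisign-style whois output."""
    ns = frozenset(m.group(1).lower()
                   for m in re.finditer(r"^\s*Name Server:\s*(\S+)", text, re.M))
    status = frozenset(m.group(1)
                       for m in re.finditer(r"^\s*Domain Status:\s*(\S+)", text, re.M))
    return ns, status


def make_snapshot(domain, whois_text, a_records, mx_records):
    ns, status = parse_whois(whois_text)
    return Snapshot(domain, ns, status, frozenset(a_records), frozenset(mx_records))


def check_drift(baseline, observed):
    """Return findings as (severity, message) tuples; an empty list means no drift."""
    if baseline.domain != observed.domain:
        raise ValueError("snapshots are for different domains")
    findings = []
    checks = (
        ("nameservers", "critical", "web and mail can both be redirected"),
        ("a_records", "high", "visitors may be sent to another site"),
        ("mx_records", "high", "mail may be delivered to a third party"),
    )
    for name, severity, why in checks:
        old, new = getattr(baseline, name), getattr(observed, name)
        if old != new:
            findings.append((severity, f"{name} changed (removed {sorted(old - new)}, "
                                       f"added {sorted(new - old)}): {why}"))
    # A missing lock is a warning on its own: it is the step that precedes a hijack.
    missing = REQUIRED_LOCKS - observed.status
    if missing:
        findings.append(("medium", f"registrar lock(s) missing: {sorted(missing)}"))
    return findings


# Constructed whois output for a fictitious domain, recorded on a good day.
BASELINE_WHOIS = """\
   Domain Name: EXAMPLE-MAIL.TEST
   Registrar: Example Registrar, Inc.
   Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
   Domain Status: clientUpdateProhibited https://icann.org/epp#clientUpdateProhibited
   Name Server: NS1.EXAMPLE-MAIL.TEST
   Name Server: NS2.EXAMPLE-MAIL.TEST
"""
# Constructed whois output after a registrar-account takeover: locks gone, new nameservers.
HIJACKED_WHOIS = """\
   Domain Name: EXAMPLE-MAIL.TEST
   Registrar: Example Registrar, Inc.
   Domain Status: ok https://icann.org/epp#ok
   Name Server: NS1.ATTACKER-DNS.TEST
   Name Server: NS2.ATTACKER-DNS.TEST
"""

BASELINE = make_snapshot("example-mail.test", BASELINE_WHOIS,
                         ["203.0.113.10"], ["mx.example-mail.test"])
HIJACKED = make_snapshot("example-mail.test", HIJACKED_WHOIS,
                         ["198.51.100.7"], ["mx.attacker-dns.test"])

if __name__ == "__main__":
    for severity, message in check_drift(BASELINE, HIJACKED):
        print(f"[{severity}] {message}")
```

In practice the observed snapshot would come from a whois query and DNS lookups run from outside your own network, so that a redirect visible to the public is visible to the check as well.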

January 16, 2005 in Current Affairs

Your Supreme Court thinks it's ok for the FBI to eavesdrop on your car

This report from 2003 tells me the 9th circuit says the FBI can't secretly listen in on your car conversations via the accommodating OnStar service, even though OnStar's so-called "privacy policy" seems to allow it.

Interesting concept... that I would be driving a car that had OnStar in it for my personal safety and protection, and not know that someone was using it to listen in on my conversations. I never thought of that, but the FBI apparently did, and even successfully did it with OnStar's assistance.

January 14, 2005 in Current Affairs

NH Woman Loses Insurance Coverage for Her Politics

Well, that's how it's being reported anyway. Too bad, because the idea that insurance carriers can drop someone without providing an opportunity to replace the coverage is the real story. Here the lady is a doctor, and has insurance up to a million dollars for everything else not covered by her other insurance policies. But now retired, she started political work. In politics, people are sometimes sued for libel and slander. The insurance company finds out about her new avocation and says that's not what the umbrella policy is for, and won't renew her policy. They probably can show that the risk of libel/slander lawsuits is too high for that policy to be worthwhile for their commercial enterprise. Did they leave her stranded without insurance because they don't offer libel/slander protection? Did they provide advance notice of their intent not to renew? Did their actions cause her hardship? We will never know, because the world is too busy distorting the issue to make it sensational, and too lazy to pay attention to the really important details. Now that politicians know they can't use their regular insurance as free coverage for libel/slander associated with their political jobs, they'll probably make new laws to mess things up even more. Great solution.

January 14, 2005 in Current Affairs

Patriot Act Bars US Woman From Driver's License

At least that is how it is being reported. She was driving for 26 years, and she didn't know that her social security card still had her maiden name on it. Now that her state (like most) is linking driver licenses to social security numbers, her local motor vehicle office denied her a license since the names on her social security record and her existing driver's license don't match.

Well, rather than it really being the Patriot Act denying her a driver's license, which is clearly an inflammatory way to report the event, it is her local DMV system failing to do a proper job of implementing changes. I repeat: the local MV office is doing a lousy job. Is that newsworthy?

She needs to correct the discrepancy, and the system should allow that to take time and perhaps even try to facilitate it. The motor vehicle office should have been ready to handle this, and should have handled it nicely.

Now why can't we keep clarity of thought and discuss the truly important facts hiding behind the story -- that the social security number is now being linked, with the support of new state laws and the Patriot Act, to your driver's license? There are so many reasons why that is a bad idea, and invades privacy and removes civil rights and hinders civilian oversight of government, and we can't seem to get to the point because we are so quick to sensationalize everything.

Wake up people, before it's too late.

January 14, 2005 in Current Affairs
