Privacy Blog

Blogging Privacy and Security


Hushmail.com hijacked, Network Solutions security breach?

Here is the hushmail.com notice from its website, posted at midnight (Saturday night/Sunday morning):

In recent hours we have been made aware that security was compromised at the domain registrar responsible for the hushmail.com domain. For a brief period, this domain was forwarded to a server belonging to an unidentified party, which resulted in our web page being unavailable or appearing defaced.

There was no unauthorized access to any of the Hush servers. Data managed by Hush was not compromised. During this period, email sent to hushmail.com will not have been delivered.

Please accept our sincerest apologies for the inconvenience this has caused. We take this incident very seriously, and will continue to update this page as more information becomes available.

April 24, 2005 in Current Affairs

Network Solutions breached? Hushmail phished on April 23, 2005

Strange how I don't see anything in the news, but Hushmail, the secure mail service, is reporting that its registrar was hacked on Saturday and the hushmail.com domain was redirected for several hours. Hushmail doesn't name the registrar, but a whois check shows it to be Network Solutions.

This is scary stuff, because Hushmail is an encrypted email service built on 2048-bit keys and used internationally for secure, private email. If the redirected site was a phishing page, the attackers may have collected passphrases from users who did not notice that the login page differed from the regular Hushmail login, and a stolen passphrase defeats the encryption no matter how strong the keys are.

Perhaps most odd is that I didn't see anything on Slashdot, or anywhere else in the news, about a security breach at Network Solutions.

From the hushmail.com website:

On April 23rd, an unauthorized party gained access to our customer account at our domain registrar. A domain registrar is a company that is responsible for controlling which website actually gets displayed when you enter an address (such as www.hushmail.com) in your web browser. Therefore, by breaching security at our domain registrar, the unauthorized party was able to control which website would be displayed when users entered the address www.hushmail.com.

The unauthorized party altered the domain settings so that users entering www.hushmail.com in their web browser were no longer directed to our real website. Instead, users were redirected to a different website at a different location. Soon that website was shut down, and users simply received an error page.

We are following up with our domain registrar to determine how the unauthorized party was able to gain access to their system.

There was no unauthorized access to any of the Hush servers. Data managed by Hush was not compromised. During this period, email sent to hushmail.com may not have been delivered.

Please accept our sincerest apologies for the inconvenience this has caused. We take this incident very seriously, and will continue to update this page as more information becomes available.

April 24, 2005 in Current Affairs

AIM privacy - AOL instant messenger privacy

Wow. eWeek is reporting on AOL's new AIM Terms of Service, which require AIM users to hand over to AOL all rights to whatever passes through IM.

It includes the language:

"You waive any right to privacy. You waive any right to inspect or approve uses of the content or to be compensated for any such uses"

but the strangest part is this :

In addition, by posting content on an AIM Product, you grant AOL, its parent, affiliates, subsidiaries, assigns, agents and licensees the irrevocable, perpetual, worldwide right to reproduce, display, perform, distribute, adapt and promote this content in any medium


They quote the MacSlash editor, who summarizes the weirdness of it:

"They're encouraging businesses to use AIM to discuss details of their business correspondence, even to sync their Outlook contact and calendar files, which, according to their TOS, AOL then has the right to publish in any way they see fit, including, among other things, providing that information to business competitors. I'd be pretty damn leery of using AIM@Work for any kind of business"

This is the AIM TOS that users have to accept when they download the AOL client. I wonder how that affects AIM users who use third-party AIM clients like Trillian.

March 13, 2005 in Current Affairs

Choicepoint stops selling consumer Social Security numbers?

Choicepoint has released a statement that it will be exiting the market for sensitive consumer data such as Social Security numbers.

Already, some users of Choicepoint's AutotrackXP system are reporting that the last four digits of Social Security numbers have been removed from consumer reports.

According to Choicepoint:

".. the company will discontinue the sale of information products that contain sensitive consumer data, including Social Security and driver's license numbers, except where there is a specific consumer-driven transaction or benefit, or where the products support federal, state or local government and criminal justice purposes.. "

The company admits that the change is a direct result of

".. the recent fraud activity, our review over the past few weeks of our experience and products, and the response of consumers who have made it clear to us that they do not approve of sensitive personal data being used without a direct benefit to them.."

They went on to apologize:

"..We apologize again to those consumers who may be affected by the fraudulent activity. We remain committed to helping them take active steps to protect their personal data and to assisting law enforcement officials who are investigating the attacks on consumers' identities.."

According to Choicepoint, products and services that contain sensitive personal information will have to meet one of three tests:

  • Support consumer-driven transactions where the data is needed to complete or maintain relationships such as insurance, employment and tenant screening or to provide access to their own data;
  • Provide authentication or fraud prevention tools to large, accredited corporate customers where consumers have existing relationships. For example, information tools for identity verification, customer enrollment and insurance claims; or
  • Assist federal, state and local government and criminal justice agencies in their important missions.



March 07, 2005 in Current Affairs

Anonymizer Privacy Notes

Anonymizer noted some recent privacy news:

Companies offer ID theft coverage as perk
(AP Wire)
A growing number of companies are offering identity theft coverage as an employee benefit, in part to reduce lost time when a worker becomes a victim. On average, a consumer whose identity has been stolen spends about 200 hours restoring his or her good name. The coverage is offered as kind of a stress reducer, so individuals can be more productive at work.

Complete credit card receipts found in trash of West Palm restaurant (Sun-Sentinel.com)
Hundreds of old receipts from Outback Steakhouse were tucked into bank envelopes, stuffed into small boxes and restaurant to-go bags, and tossed atop the trash bin. Some of the receipts contain complete credit card account numbers, expiration dates and names of the customers. The State Attorney's Office said the Outback manager may have acted irresponsibly but did not break the law. Unlike California, Colorado and Georgia, Florida has no law requiring businesses to properly destroy receipts containing credit card information. Federal law is mute on the issue.

January 19, 2005 in Current Affairs

More on email privacy and the Panix hijacking

According to the Panix website:

We believe the administrators of the incorrect mail server to be an innocent third party, but if there was any sensitive data mailed to you during this period of time, it may be prudent to consider it compromised.
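The Hushmail registrar hijack above and this Panix mail misdirection are the same failure seen from two angles: the delegation or records for a domain changed without the owner's knowledge, and users and mail followed the wrong answers. The check a domain owner wants is a diff of current DNS answers against a known-good baseline plus a look at the registrar lock flags in whois. The following is an added example in Python, not code from Hushmail, Panix or either registrar; every hostname, address, whois line and resolver answer is constructed for the example, and a live deployment would replace the snapshot dictionary with real resolver queries.

```python
"""Detect a registrar/DNS hijack like the Hushmail and Panix incidents by
diffing current DNS answers against a signed-off baseline and checking the
registrar lock status in whois. Added example; every name, address and
whois line below is constructed, and HIJACKED_ANSWERS stands in for a
live resolver so the check runs offline."""
from dataclasses import dataclass

# Known-good records captured when the zone was last verified by the owner.
# Hostnames and addresses are constructed (not Hushmail's or Panix's).
BASELINE = {
    "NS": {"ns1.example-registrar.net", "ns2.example-registrar.net"},
    "A": {"192.0.2.10"},
    "MX": {"10 mail.example.net"},
}

# Constructed snapshot of resolver answers during a hijack: the delegation was
# changed at the registrar, so every record under the zone moved with it.
HIJACKED_ANSWERS = {
    "NS": {"ns1.attacker-dns.example", "ns2.attacker-dns.example"},
    "A": {"198.51.100.77"},
    "MX": {"10 mail.attacker-dns.example"},
}

# Constructed whois output in the "Key: Value" layout most registrars emit.
WHOIS_TEXT = """\
Domain Name: EXAMPLE.NET
Registrar: Example Registrar, Inc.
Domain Status: clientTransferProhibited
Name Server: NS1.EXAMPLE-REGISTRAR.NET
Name Server: NS2.EXAMPLE-REGISTRAR.NET
"""

# Locks a registrar can set on a domain. A compromised registrar account can
# clear client* locks itself, so a registry-level lock is the stronger control.
EXPECTED_LOCKS = {"clientUpdateProhibited", "clientTransferProhibited",
                  "clientDeleteProhibited"}


@dataclass(frozen=True)
class Finding:
    rtype: str
    expected: frozenset
    observed: frozenset
    severity: str


def compare_records(baseline, answers):
    """Return one Finding per record type whose answers differ from baseline."""
    findings = []
    for rtype, expected in baseline.items():
        observed = frozenset(h.lower() for h in answers.get(rtype, ()))
        expected = frozenset(h.lower() for h in expected)
        if observed != expected:
            # A changed NS set means the delegation itself moved: everything
            # below it is attacker-controlled, not just the record that drifted.
            severity = "critical" if rtype == "NS" else "high"
            findings.append(Finding(rtype, expected, observed, severity))
    return findings


def impact(findings):
    """Map findings to the consequences the two posts describe."""
    types = {f.rtype for f in findings}
    notes = []
    if "NS" in types:
        notes.append("delegation changed: treat the whole zone as attacker-controlled")
    if "A" in types:
        notes.append("web traffic redirected: credentials typed into the site may be phished")
    if "MX" in types or "NS" in types:
        notes.append("inbound mail may have reached a third party: treat it as compromised")
    return notes


def parse_whois(text):
    """Collect registrar, domain status flags and nameservers from whois text."""
    info = {"registrar": None, "statuses": set(), "nameservers": []}
    for line in text.splitlines():
        if ":" not in line:
            continue
        key, value = (part.strip() for part in line.split(":", 1))
        key = key.lower()
        if key == "registrar":
            info["registrar"] = value
        elif key == "domain status":
            # Some registrars append the ICANN URL: keep only the flag itself.
            info["statuses"].add(value.split()[0])
        elif key == "name server":
            info["nameservers"].append(value.lower())
    return info


def missing_locks(statuses):
    """Locks the domain should carry but does not."""
    return EXPECTED_LOCKS - set(statuses)


def audit(baseline, answers, whois_text):
    """Run both checks; an empty list means nothing drifted and all locks are set."""
    findings = compare_records(baseline, answers)
    report = [f"{f.severity.upper()} {f.rtype}: expected {sorted(f.expected)}, "
              f"got {sorted(f.observed)}" for f in findings]
    report += impact(findings)
    report += [f"missing registrar lock: {lock}"
               for lock in sorted(missing_locks(parse_whois(whois_text)["statuses"]))]
    return report


if __name__ == "__main__":
    for line in audit(BASELINE, HIJACKED_ANSWERS, WHOIS_TEXT):
        print(line)
```

Run it on a schedule from a resolver outside your own network, since a hijacked delegation is exactly the case where your internal caches may still hold the old answers. The NS drift is rated above A or MX drift because, once the delegation moves, the attacker can publish any record at all; and the lock check is a reminder that client* locks only help against a third party, not against someone who already holds your registrar login.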

January 19, 2005 in Current Affairs

George Mason University Hacked

Names, Social Security numbers and photos of more than 28,000 students and 4,000 staff members at George Mason University were stolen sometime between November 2004 and January 2, 2005.

According to the Computerworld report (print edition, January 17, 2005), the only reason we know about this is that an audit of system files uncovered it.

The university explained that it has 60,000 registered users and 25,000 servers, as if that would explain why it might be hard to maintain security. Huh?

All that does is underline the stupidity of putting unencrypted personal information onto the network. If you know you can't secure it, why did you put the data there?

The world needs to change this mindset of acceptance of error in the face of challenges. It doesn't matter how hard it is to secure a large network. What matters is security, and security requires you to refrain from placing your constituents at risk if you cannot protect them.
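One way to act on the point of this post, keeping the raw identifier off the network in the first place, is to store a keyed token and a display mask instead of the Social Security number, so that a stolen table yields neither. The block below is an added example in Python, not anything George Mason University or Computerworld published; the key, the records and the numbers are constructed. It uses tokenization rather than encryption (a token can be matched but not decrypted, which is enough for enrollment checks), and it also shows why an unkeyed hash is not a substitute: the SSN space is small enough to brute-force.

```python
"""Store Social Security numbers as a keyed token plus a display mask, never
in the clear, and show why a plain hash would not protect them. Added
example with constructed data; the key would live in a KMS or HSM, not in
the database beside the table it protects."""
import hashlib
import hmac

# Constructed fixed key so the example is reproducible. In practice the key
# is generated with secrets.token_bytes(32) and held outside the data store.
TOKEN_KEY = bytes.fromhex("0f" * 32)


def normalize(ssn: str) -> str:
    """Accept 123-45-6789 or 123456789 and return the nine digits."""
    digits = "".join(ch for ch in ssn if ch.isdigit())
    if len(digits) != 9:
        raise ValueError("an SSN has exactly nine digits")
    return digits


def tokenize(ssn: str, key: bytes = TOKEN_KEY) -> str:
    """Keyed, one-way token: equal SSNs give equal tokens, so the table can
    still answer 'is this person already enrolled?' without holding the SSN."""
    return hmac.new(key, normalize(ssn).encode(), hashlib.sha256).hexdigest()


def mask(ssn: str) -> str:
    """What a screen or printout may show."""
    return "***-**-" + normalize(ssn)[-4:]


def store(record: dict, ssn: str) -> dict:
    """The row that is written: token and mask, no SSN field at all."""
    return {**record, "ssn_token": tokenize(ssn), "ssn_last4": mask(ssn)}


def lookup(rows, ssn: str):
    """Match by token; the caller needs the key, so a stolen table without it
    cannot even test candidate numbers against the rows."""
    token = tokenize(ssn)
    return [row for row in rows if row["ssn_token"] == token]


def unkeyed_hash(ssn: str) -> str:
    """What not to do: a hash anyone can recompute."""
    return hashlib.sha256(normalize(ssn).encode()).hexdigest()


def crack_unkeyed(digest: str, area_group: str):
    """Brute-force the four-digit serial given the five-digit area/group prefix.
    The full 10^9 space is feasible offline too; 10^4 guesses keep the demo
    quick while making the same point."""
    for serial in range(10_000):
        candidate = f"{area_group}{serial:04d}"
        if hashlib.sha256(candidate.encode()).hexdigest() == digest:
            return candidate
    return None


def demo():
    """Build a two-row 'student table' and return what someone who dumped it
    would and would not get back."""
    rows = [store({"name": "Student A"}, "123-45-6789"),   # constructed numbers
            store({"name": "Staff B"}, "987-65-4321")]
    dumped_fields = sorted(rows[0])
    recovered_from_plain_hash = crack_unkeyed(unkeyed_hash("123-45-6789"), "12345")
    recovered_from_token = crack_unkeyed(rows[0]["ssn_token"], "12345")
    return rows, dumped_fields, recovered_from_plain_hash, recovered_from_token


if __name__ == "__main__":
    rows, fields, plain, keyed = demo()
    print("columns on disk:", fields)
    print("plain hash cracked to:", plain)
    print("keyed token cracked to:", keyed)
```

The token is only as secret as the key, which is the whole design: a dump of the table plus the application code must not be enough, so the key has to be fetched from a separate system at runtime and rotated with a re-tokenization pass. Where an application genuinely needs the number back (tax reporting, for instance), the field needs real encryption under a key held the same way, not a token; the masking and the keyed-lookup pattern still apply to every other consumer of the data.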

January 18, 2005 in Current Affairs

Academic Personal Information Hacks

October 2004: University of California, Berkeley. Theft of the records of 1.4 million individuals in the California Department of Social Services program.

June 2004: UCLA reports a single laptop missing, with a database containing the personal information of 145,000 blood donors.

March 2003: Georgia Institute of Technology reports a computer in its Arts and Theatre program was breached, and used to steal the personal information of 57,000 students, faculty and staff.

March 2003: University of Texas at Austin reports hackers stole information on more than 55,000 students, faculty and staff.

(source: Computerworld print edition, January 17, 2005)

January 18, 2005 in Current Affairs

Blackberry Privacy: PIN messaging not private

Are there any "private" messages anymore?

Regulatory compliance has become such a burden on the financial and health industries (think Sarbanes-Oxley and HIPAA) that any form of "off the record" messaging is welcomed by insiders. Sure, it's not in compliance, but it is out of earshot of the compliance manager, right?

Not so fast, especially if you've been direct messaging your buddies using BlackBerry PIN messaging (messaging between BlackBerry devices without the corporate BlackBerry server in the middle).

A recent lawsuit presented PIN message records between executives working with CIBC in Toronto. CIBC filed the lawsuit against Genuity Capital Management, and the messages were sent between Genuity execs when they were still CIBC execs. Apparently, CIBC had deployed software that allowed it to capture PIN messages as they traversed the cell towers. Security experts have also shown that the BlackBerry devices themselves retain PIN message data on board unless the user purposely clears the memory.

Logging of PIN messages was not thought to be possible, according to the Computerworld reporter who wrote the article "Lawsuit Reveals Open BlackBerry" (January 17, 2005 print edition). I find that odd but not surprising. Technologists understand that data can be logged, but there are still technology users who think they can operate devices anonymously without anonymizing proxy servers and other security safeguards.

If you think education is expensive, just try ignorance.

January 18, 2005 in Current Affairs

Restroom Privacy - Not?

This is hardly a test for restroom privacy, and perhaps a testament to stupidity.

CNN is reporting on a "couple" who entered a convenience store restroom together and refused to answer knocks from police. Eventually they came out, allegedly looking like they had been rather busy inside.

It was only after going back in that the police arrested one of them. Geesh. Of course that led to a challenge over privacy in public bathrooms, but it failed.

As reported on NewsMax:

"The Fourth Amendment protects people and not places," Judge Donald Lay wrote for the three-judge 8th Circuit panel. In Hill's case, "it was not a single person using the single toilet restroom but two persons of opposite gender and, under the circumstances, we hold that they had a diminished expectation of privacy which had expired by the time the officers arrived."

January 18, 2005 in Current Affairs
