Tom Espiner

Security Bullet In

Communiques from the security front, sir

Tuesday 31 July 2007, 4:50 PM

PNR data not reduced, just squashed

Posted by Tom Espiner

The reduction of the number of data fields handed to US security services announced by the European Union was achieved by squeezing almost the same amount of data on to fewer lines, according to Out-Law.com.

Not really much of a concession by the US then.

According to Out-Law.com:

"A new passenger name records (PNR) deal was announced this week by the EU and the US. It covers how much information can be handed to US authorities about passengers on flights from Europe to the US and the conditions on which it was kept.

The US won major concessions from the EU, winning its demands to keep data for far longer and the ability to pass it on to other US agencies. The EU appeared to win one argument, reducing the amount of data transferred.

But the number of actual pieces of data asked for only reduced by two, to 32, and some extra information was asked for. The new PNR deal lists 19 data fields which will be collected on every passenger. Many of the fields include multiple pieces of information."

Virtually the same amount of data will be sent to the US, to do with as it likes.
Thursday 26 July 2007, 4:02 PM

US to keep EU passenger data for 15 years

Posted by Tom Espiner

The US will now keep European Union passenger name records (PNR) data for fifteen years -- far longer than the three and a half years it kept it previously, reports Out-Law.com.

The sensitive data kept on passengers can include racial or ethnic origin, political or religious views, and health details of travellers.

And the EU is concerned that Google keeps its server log data for 18 to 24 months before it is anonymised!

PNR data can be used by the Department of Homeland Security "in exceptional circumstances," according to the European Commission letter which sells our passenger data down the river.

The letter goes on to say that EU and US privacy laws are broadly similar, and don't let's worry about a little thing like differences in how the laws are implemented:

"RECOGNISING that U.S. and European privacy law and policy share a common basis and that any differences in the implementation of these principles should not present an obstacle to cooperation between the U.S. and the European Union (EU)," says the letter.

I just have two words to say about how privacy laws are implemented in the US: extraordinary rendition. Privacy laws or indeed, laws concerning human rights, don't really seem to make much of a difference to the US intelligence services. Guantanamo Bay, anyone? Or maybe you can be transported without trial to a country that feels more positive about torturing people...

As well as the US being able to do whatever it likes with our data, the DHS can also share it with other countries outside the EU:

"For the application of this Agreement, DHS is deemed to ensure an adequate level of protection for PNR data transferred from the European Union. Concomitantly, the EU will not interfere with relationships between the United States and third countries for the exchange of passenger information on data protection grounds."

Yes, don't let's worry about exactly who will get to see or use this data.

The best bit is, the DHS will get the European Union to be the enforcer in Europe of the DHS's data collection policy:

"NOTING that the European Union should ensure that air carriers with reservation systems located within the European Union make available PNR data to DHS and comply with the technical requirements for such transfers as detailed by DHS."

This is a great day for democracy, folks.
Wednesday 25 July 2007, 6:10 PM

Junior doctor loses confidential patient data

Posted by Tom Espiner

Apparently junior doctors are toting unencrypted confidential data around on USB sticks, according to an article in E-Health Insider.

One of the sticks, which contained highly confidential patient data, was stolen at Nottingham University Hospitals Trust recently. The trust now faces a compensation claim from the affected patient.

Says E-Health Insider:

"Around a third of junior doctors currently use universal serial bus (USB) sticks as a means of saving and storing patient data, to pass on to other members of the clinical team at the end of a shift.

These should be stored on secure sticks which use at least 129-bit encryption protection, to be used solely on the trust’s computers but E-Health Insider has been told that this is far from the case.

Matthew Daunt, a foundation year one doctor, at the Nottingham trust, told E-Health Insider: “Many junior doctors do not use encrypted USB sticks, but instead tend to use the ones provided by drug companies free of charge. These records are not protected and can be viewed on any computer using software such as Excel, Word or Access.

In research for the British Medical Journal, Daunt asked 50 junior doctors about their electronic storage of patient data. Thirty six of them stored patient data electronically, 20 using a USB stick, three a floppy disk, and 13 a hospital computer hard drive.

None of the 20 USB sticks had 128-bit encryption, and only three had password protection – even this was still insufficient for the trust’s requirements. Four doctors used the same device on their personal computer, two of which had patient data stored on them.

Daunt told EHI that the trust had turned a blind eye to this use, until they had to inform a patient that his data was potentially in the public domain.”

Calum Macleod, European Director for Cyber-Ark, a company which sells data protection products, said that the practice of storing patient data on an encrypted USB stick is fine in theory, but a potential nightmare to administer.

"Enforcing a policy of encrypting patient data stored on USB sticks is almost impossible, so it's hardly surprising that there should be a security scare over the theft of a stick from a junior doctor," he said.

Macleod said the Hospitals Trust should consider using an encrypted digital vault, accessed over a secure computer network, to maximise patient privacy.

Monday 16 July 2007, 12:27 PM

Sony BMG sues over DRM debacle

Posted by Tom Espiner

Music giant Sony BMG is to sue one of the companies involved in creating its digital rights management software for damages.

According to an article on Out-Law.com, Sony BMG has started a lawsuit against Amergence Group, previously called SunnComm International.

Out-Law.com explains:

"In 2005 software from SunnComm called MediaMax was included on some Sony BMG CDs. Designed to limit the number of copies of a disc that were made, it reportedly caused widespread problems with users' computers.

Security experts said that the MediaMax software created a directory on computers which could allow hackers to hijack a computer.

Sony BMG now says that the Amergence Group violated its deal with Sony because its software did not perform as it was meant to. The lawsuit accuses it of negligence and unfair business practices."

No mention was made in the article as to whether Sony BMG would similarly go after UK firm First 4 Internet. The company provided software called XCP, which was found to install a rootkit-like application on systems, and caused widespread dismay.
Tuesday 3 July 2007, 5:19 PM

Kaspersky on the evolution of self-defense technologies in malware

Posted by Tom Espiner

Here's an interesting and quite lengthy article from Kaspersky about how malware self-defense technologies have evolved, which goes into the ins and outs of packers and rootkits.