Friday, February 23, 2007

So Far, No Copyright Liability for Lax Network Security

The RIAA is currently in a battle which could have major implications for individuals or organizations which have security practices which allow others to use their equipment to download and distribute copyrighted material. As part of its ongoing campaign to scare people away from filesharing networks by suing individual consumers, the RIAA has asserted that a computer owner is guilty of indirect copyright infringement based on unauthorized downloading of songs by individuals using that person's computer. At present, the RIAA has been unsuccessful with this tactic, and is currently seeking reconsideration of a District Court's decision to award attorney fees to the accused computer owner (the award of attorney's fees is available here). However, if the RIAA continues to press this type of case, and is able to achieve success, it opens up an additional type of liability for people to be concerned with.

More information and related links are available at this blog post from wired.com.

Thursday, February 22, 2007

Security Breach at TJX

Recent news reports reveal that the security breach at TJX, parent company of the discount retailers Home Goods, T.J. Maxx, and Marshalls, in the U.S., and Winners and Home Sense in Canada,involves the possible compromise of more than 40 million records. According to the attached article in the Globe and Post, however, TJX maintains that the breach involves significantly fewer records, describing the number as "significantly less than millions." As further insult, the chairman of TJX sent out a letter to its "valued customers" stating that it would not pay for free credit reports, alleging that such monitoring would not be meaningful based upon the type of records stolen. Certainly such a position is an example of poor planning and damage control, where public perception and controlling media reports is vital. TJX has since amended its original estimates to increase the number of customers affected, and to state that its investigation reveals the breach may have begun as far back as 2005. Not surprisingly, the plaintiff's bar has targeted TJX as vulnerable. A class action lawsuit was filed January 29, 2007 in federal court in Boston against TJX, alleging that it negligently failed to use reasonable care to implement and maintain security procedures in order to prevent security breaches such as occurred. Could this type of negligence claim for security breaches be the wave of the future in class action litigation? Globe and Post

VOIP Threat

As if there weren't sufficient problems to worry about with unsecured computers, routers, hubs, and browsers, with the growing adoption of IP based telephony, security issues are becoming important for phones as well. According to this article from CNET, CISCO has recently discovered flaws in several versions of its IP based phones. Apparently, in many versions of its Unified IP phones, there is an implementation error in the code which prevents the default user account from ever being disabled, or from having its password changed. While the company has promised to release software to address the problem, there is no word on when that software will actually be available.

The bottom line is that, as more devices take advantage of IP technology, they will create more potential vulnerabilities which can be exploited by malicious third parties. Therefore, in addition to concerns about cost and quality, security should be a paramount concerns for any new system implementation.

Friday, February 16, 2007

Do you have a wireless connection in your home? If so, and you haven't changed your default password and login settings on your router, you are vulnerable to an attack by phishers who could redirect you from web sites you want to visit to web sites that steal your data, according to this article at CNET. The attack works by subverting the domain name system (DNS) settings of a router. The article explains that
This DNS change lets the attacker divert all the Net traffic going through the router. For example, if the victim types in "www.mybank.com," the request could be sent to a similar-looking fake page created to steal sensitive data.

Happily, there's an easy fix for the problem...change your default settings, something that should be standard practice anyway.

More information on this vulnerability in common wireless routers, as well as recently discovered flaws in Microsoft Word and Apple's Finder and iChat features can be found here.

Thursday, February 15, 2007

There is currently legislation being proposed which would require ISPs to maintain significant data about interet activity. More details can be found in this article in CNET.

Wednesday, February 14, 2007

Real ID Compliance

The "Real ID Project" being promoted by the Department of Homeland Security pursuant to recently enacted legislation is running into opposition in many state legislatures. According to a recent Associate Press report, at least 17 state legislatures have passed or are considering legislation opposing the Real ID bill. Passed by Congress and signed by President Bush as part of a funding package for the Iraq war, it sets a national standard for driver's licenses and requires states to link their records to national databases. States have until 2008 to comply, and failure will render state driver's licenses insufficient as IDs to board a plane, enter a federal building, or open certain kinds of bank accounts. There are also complaints that it is an unfunded mandate, and an invasion of privacy. Perhaps in recognition of the states' opposition, or as a result of the recent change in control of the Congress, Sen. Daniel Akaka (D-Hawaii) and Sen. John Sununu (R-N.H.) have introduced legislation that would add privacy and civil liberties safeguards to the act. Realistically, it will take states substantially more time to comply, and the efforts of the sponsors of this legislation will likely force an extension of time for compliance by the states.
It's official: if you live in a big city, you're more likely to be a victim of identity theft. At least, that's the conclusion reached in a study reported in this article at CNET. Apparently, residents of New York, LA, and Detroit are most likely to be victims of identity theft, while residents of more sparsely populated areas such as Wyoming, Vermont and Montana were least likely to be victimized. So what are the study's practical implications? According to Stephen Coggeshall, ID Analytics chief technology officer, the study shows that "[m]oving is a very dramatic way to reduce your identity risk." However, for those of us not interested in relocating to Wyoming, he cautioned that "[i]t is more appropriate for people to understand the risk of their area and to take the appropriate precautions."

Friday, February 9, 2007

CNET has an interesting article regarding a number of bills in the house designed to protect consumers from spyware, pretexting, and other potentially obnoxious aspects of modern life. Of the bills summarized the Spy Act intorduced by Mary Bono (R-CA) and Edophus Towns (D-NY) particularly caught my eye. The reason is that that bill would prevent resetting of a browser's home page, something which, when it happens by surprise, is tremendously annoying (at least for me).

Wednesday, February 7, 2007

To all U.S. copyright infringers: if you thought the RIAA was tough, you should see what they do to infringers in Russia.
Apparently, Russia has been mounting a high provile crackdown on intellectual property infringers as part of a bid to gain entrance to the WTO. During the crackdown, a school teacher, Alexander Ponosov, has been caught using pirated software in his classroom. Now, Ponosov faces punishments including...wait for it...detention in a Siberian prison camp.

CNN has the details here. Of course, it's still an open question whether Ponosov will be shipped to Siberia. However, in my mind at least, this story raises questions about the measures some people (at the behest of U.S. copyright ownerss) will take to protect intellectual property. While copyright infringement is a problem, detention in a Siberian prison camp for a school teacher using software he likely didn't know was pirated should not be considered an acceptable solution.

Tuesday, February 6, 2007

According to this article in the Washington Post, Congress is once again considering data breach notification laws. The question, of course, is whether any laws passed by Congress will provide an incentive for companies to better protect customer data, or whether they will simply allow Congress to grandstand about consumer rights while actually stripping consumers of rights they already have by pre-empting tougher state legislation. While it's still too early in the process to definitively answer that question, my guess is that whatever eventually emerges from the legislative sausage machine won't have much happy news for the overwhelming majority of Americans.

Sunday, February 4, 2007

Wired.com currently has a very interesting series of articles up on the world or criminal carders (individuals who steal, sell, and use credit card and identify information of others). Largely, the articles are interesting because they provide a fascinating look into a world that most law abiding citizens don't even know exists. However, they also provide some helpful advice for businesses seeking to reduce their vulnerability (e.g., when information is changed on an on-line account, have a substantial waiting period before the assets in the account can be withdrawn).

Bottom line: an interesting read for anyone who uses or issues credit cards.