Joho the Blog » security

December 11, 2011

If credit card companies cared about security…

1. When there’s a security issue, they wouldn’t robocall people and ask them to provide personal information. They would robocall people and ask them to call the number on the back of their cards.

2. They would put people’s photographs on their credit cards. Citi used to offer that as a free option, but apparently has discontinued the practice.

April 7, 2011

Citicard does its best to train us in horrible security practices

Citibank continues to train its customers to use terrible security processes.

This morning I got a call from a robot that claimed to be from Citibank. When I refused to type in my zip code, and then waited for two minutes of repeated requests to do so, it transferred me to a human who wanted me to give him my name, undoubtedly to be followed by a request for my password. Thus does Citibank train its users to divulge personal information to anyone with an automated phone dialer.

This is the same outfit that no longer offers to put a thumbnail photo of you on your credit card, which is a pretty good way to foil card-grabbing bastards. It also used to embed an image of your signature on the front of the card. Again, a cheap and effective prophylactic measure that it no longer offers.

This is also the same outfit that is very happy to sell us monthly services — $10/month last time I looked — that inform us when Citibank has failed to protect us from identity theft.

December 1, 2009

Sprint Nextel informs on its customers 8M times

Chris Soghoian reports:

Sprint Nextel provided law enforcement agencies with its customers’ (GPS) location information over 8 million times between September 2008 and October 2009. This massive disclosure of sensitive customer information was made possible due to the roll-out by Sprint of a new, special web portal for law enforcement officers.

The evidence documenting this surveillance program comes in the form of an audio recording of Sprint’s Manager of Electronic Surveillance, who described it during a panel discussion at a wiretapping and interception industry conference, held in Washington DC in October of 2009.

It is unclear if Federal law enforcement agencies’ extensive collection of geolocation data should have been disclosed to Congress pursuant to a 1999 law that requires the publication of certain surveillance statistics — since the Department of Justice simply ignores the law, and has not provided the legally mandated reports to Congress since 2004.

June 19, 2009

FlyClear: Cutting in line so the terrorists won’t win

At the Reagan Airport (would I be jumping the gun to start calling it the Obama Airport already?), Clear has a little square of space right before the security inspection stations. For $200/year, you can skip the long lines and go for the exceedingly short line to Clear. There the uniformed employees will compare some of your body parts (iris and fingerprints) with the information on the Clear card you present. Once you’re through, you can go straight to the Conveyor of Transparencies where you rejoin the hoi polloi so that the TSA can make sure your shoes aren’t on fire.

What I don’t get is why Clear has to give you an extra special biometric scan. Why can’t they just do what the TSA folks do: Look at your drivers license, look at you, and wave you on through? All I can figure is that Clear’s market research showed that people would be more willing to pay to cut in line — which is what Clear is really about — if there’s a pretense that it enhances security.

As far as whether all the fancy-shmancy biometrics — heck, my face is the only biometric I need! — actually increases security, if I were an evil do-er, I’d just bribe a Clear airport employee. They don’t go through security clearances the way TSA folks do, at least according to the Clear employee I asked.

June 22, 2009: Clear just went out of business.

June 16, 2009

Google: Make security the default (Now with Iranian tweets)

Chris Soghoian has posted an open letter to Google, asking it to make encryption the default. This is in line with the talk he gave recently at the Berkman Center.

[Update later that day: Two hours after releasing the letter, Google agreed to try setting encryption as the default for a subset of users, as a trial. If it works out, they'll consider expanding it.]

Also, Jonathan Zittrain has posted about why the Iranians have problems blocking Twitter.

May 26, 2009

[berkman] Chris Soghoian on privacy in the cloud

Chris Soghoian is giving a Berkman lunchtime talk called: “Caught in the Cloud: Privacy, Encryption, and Government Back Doors in the Web 2.0 Era,” based on a paper he’s just written. In the interest of time, he’s not going to talk about the “miscreants in government” today.

NOTE: Live-blogging. Getting things wrong. Missing points. Omitting key information. Introducing artificial choppiness. Over-emphasizing small matters. Paraphrasing badly. Not running a spellpchecker. Mangling other people’s ideas and words. You are warned, people.

Pew says that “over 69% of Americans use webmail services, store data online, or otherwise use software programs such as word processing applications whose functionality is in the cloud.” Chris’ question: Why have cloud providers failed to provide adequate security for their customers? (“Cloud computing” = users’ data is stored on a company server and the app is delivered through a browser.)

He says that providers are moving to the cloud because they don’t have to worry about piracy. Plus they can lock out troublesome users or countries. It lets them protect patented algorithms. They can do targeted advertising. And they can provide instant updates. Users get cheap/free software, auto revision control, easy collaboration, and worldwide accessibility. Chris refers to “Cloud creep”: the increasing use of cloud computing, its installation on new PCs, etc. Vivek Kundra switched 38,000 DC employees over to Google Docs before he became Federal CIO. “It’s clear he’s Google-crazy.” Many people may not even know they’ve shifted to the cloud. Many cloud apps now provide offline access as well. HTML 5 (Firefox 3.5) provides offline access without even requiring synchronizers such as Google Gears.

Chris says that using a single browser to access every sort of site — from safe to dangerous — is bad practice. Single-site browsers avoid that. E.g., Mozilla Prism keeps its site in its own space. With Prism, you have an icon on your desktop for, e.g., Google Docs. It opens in a browser that can’t go anywhere else; it doesn’t look like a cloud app. “It’s a really cool technology.” Chris uses it for online banking, etc.

Conclusion of Part 1 of Chris’ talk: Cloud services are being used increasingly, and users don’t always know it.

Part 2

We use encryption routinely. SSL/TLS is used by banks, e-commerce, etc. But the cloud providers don’t use SSL for much other than the login screen. Your documents, your spreadsheets, etc., can easily be packet-sniffed. Your authentication cookies can be intercepted. That lets someone log in, modify, delete, or pretend to be you. “This is a big deal.” (The “Cookie Monster” tool lets you hijack authentication cookies. AIMJECT lets you intercept IM sessions; you can even interject your own messages.)

This problem has been known since August 2007, and all the main cloud providers were notified. It took Google a year to release a fix, and even so it hasn’t been turned on by default. Facebook, Yahoo mail, Microsoft, etc. don’t even offer SSL. Google says it doesn’t turn it on by default because it can slow down your computer, because it has to decrypt your data. But Google does require you to use it for Google Health, because the law requires it. To get SSL for gmail, you have to go 5 levels down to set it.

So, why doesn’t Google provide SSL by default? Because it takes “vastly more processing power,” and thus is very expensive for Google. SSL isn’t a big deal when done on your computer (the client computer), but for cloud computing, it would all fall on Google’s shoulders. “If 100% of Google’s customers opt to use SSL, it sees no new profits, but higher costs.” “And Google is one of the better ones.” The only better one, in Chris’ view, is Adobe, which turns it on by default for its online image editing service. [Here's a page that tells you how to turn on SSL for a Google Accounts account.]
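The cleartext-cookie problem Chris describes, as an added example that is not code from the talk or from any provider named here: given the Set-Cookie headers a login response returns (constructed, hypothetical cookie names and values), it lists which cookies a browser would also send on a later plain-http request to the site, i.e. the ones a packet sniffer would see, and names the missing Secure attribute as the fix.

```python
"""Which session cookies does a browser send in cleartext?

Added example (not code from the talk or from any provider it names).
If only the login page is served over TLS and the session cookie is set
without the Secure attribute, the browser attaches that cookie to every
later plain-http request, so it can be sniffed and replayed.
"""
from http.cookies import SimpleCookie

# Constructed sample Set-Cookie headers, as a login response over https://
# might return them (hypothetical names and values, not real ones).
SAMPLE_SET_COOKIE = [
    "SID=abc123def456; Domain=.example.com; Path=/; HttpOnly",
    "PREF=en; Domain=.example.com; Path=/",
    "SSID=zz99; Domain=.example.com; Path=/; Secure; HttpOnly",
]


def parse_set_cookie(headers):
    """Return {name: {"secure": bool, "httponly": bool}} for each header."""
    result = {}
    for header in headers:
        jar = SimpleCookie()          # fresh jar per header: no name collisions
        jar.load(header)
        for name, morsel in jar.items():
            result[name] = {
                "secure": bool(morsel["secure"]),
                "httponly": bool(morsel["httponly"]),
            }
    return result


def cookies_sent_over(headers, scheme):
    """Names a browser would attach to a request made over `scheme`.

    Browsers send Secure cookies only over https; every other cookie goes
    over both schemes, so over plain http it travels in cleartext.
    """
    parsed = parse_set_cookie(headers)
    if scheme == "https":
        return sorted(parsed)
    return sorted(n for n, attrs in parsed.items() if not attrs["secure"])


def audit(headers):
    """Map each cookie exposed on an http:// request to the remediation."""
    return {name: "add the Secure attribute and serve the whole site over TLS"
            for name in cookies_sent_over(headers, "http")}


if __name__ == "__main__":
    for name, advice in audit(SAMPLE_SET_COOKIE).items():
        print(f"{name}: sent in cleartext over http; {advice}")
```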

Chris thinks that cloud computing security may be a type of “shrouded attribute,” i.e. an attribute that isn’t considered when making a buying decision. But, Chris says, defaults matter. E.g., if employers opt employees into a 401K, no one opts out, but if you leave it to employees to opt in, fewer than half do. Facebook, for example, seems to blame the user for not turning privacy features on. “Users should be given safe services by default.”

Part 3: Fixing it

Chris draws analogies to seatbelts and tobacco legislation. He recommends that we go down the cigarette pathway first: Raise public awareness so that people demand mandatory warnings for insecure apps. E.g., “WARNING: Email messages that you write can be read, intercepted or stolen. Click here to turn on protection…” [Chris' version was better. Couldn't type fast enough.]

Or, if necessary, we could pass regulations mandating SSL. The FTC could rule that companies that claim their services are safe are lying.

Q: [me] How much crime does this enable? A: The tools are out there. But there's no data because intercepting packets leaves no traces.

Q: How about OpenID?
A: The issue of authentication cookies is the same.

Q: Should we have a star rating system?
A: Maybe.

Q: The lack of data about the crime is a problem for getting people to act. Maybe you should look at the effect on children: Web sites aimed for children, under 18 year olds using Facebook…
A: Good idea! Although Google’s terms of service don’t allow people under 18 to use any of their services.

Q: People also feel there’s safety in numbers.

Q: How much more processing power would SSL require from Google?
A: Google custom builds its servers. Adding in a new feature would require crypto-co-processor cards. I don’t think they have those. They’d have to deploy them.

Q: There are GreaseMonkey scripts that require FB to use SSL. Worthwhile?
A: FB won’t accept SSL connections.

Q: Google Chrome’s incognito mode? Does it help with anything?
A: It helps with porn. That cleans up your history, but it doesn’t encrypt traffic.

Q: The vast majority of people where I live don’t lock their house doors. And [says someone else] people don’t lock their mailboxes even though they contain confidential docs.
A: Do you walk around with your ATM PIN number on your forehead? Your bank uses SSL because it’s legally responsible for electronic break-ins, whereas Google isn’t.
A: The risk is small if you’re using a wired ethernet connection or a protected wifi connection.

Q: With seatbelts and smoking, your life’s at risk. For Gmail, the risk seems different. There aren’t data, screaming victims, etc. It makes the demand for regulation harder to stimulate.
A: The analogy doesn’t work 100%. But I think the disanalogy works in my favor: It’s hard to have a cigarette that doesn’t harm you, but it’s easy to have a secure SSL connection.

Q: Shouldn’t business care about this?
A: Yes, CIO’s can make that decision and turn on encryption for the entire org. Consumers have to be their own CIOs.

Q: [from the IRC] Maybe the government wants Google to be insecure to enable snooping.
A: Allow me to put on my tin foil hat. Last year the head of DNI said that the gov’t collects vast amounts of traffic. We don’t know how they’re doing it, which networks they’re collecting data from. If Google and AT&T, etc., turned on SSL by default, the gov’t’s job would be much harder. Google has other reasons to keep SSL off, but it works out to the gov’t’s benefit.

Q: Does Adobe’s online wordprocessor, Buzzword, offer SSL for its docs?
A: Don’t know. [It does]

May 11, 2009

Smart and secure grids and militaries

The Wired.com piece I wrote about Robin Chase prompted Andrew Bochman to send me an email. Andy is an MIT and DC energy tech guy (and, it turns out, a neighbor) who writes two blogs: The Smart Grid Security Blog and the DoD Energy Blog. Neither of these topics would make it into my extended profile under “Interests,” but I found myself sucked into them (confirming my rule of thumb that everything is interesting if looked at in sufficient detail). So many things in the world to care about!

March 16, 2009

Extra Sensory Keyboard Detection

Researchers have discovered ways to pick up your keystrokes by reading tiny scraps of electromagnetic radiation, or with PS2-connected keyboards, just by plugging into the power grid. It turns out Cryptonomicon wasn’t paranoid enough!

August 8, 2008

FlyClear flies clean

I got this from FlyClear.com, a quick-pass, iris-scan lane system at some airports. I don’t recall ever applying for membership. For one thing, there’s no FlyClear lane at my local airport. So, this big hunka hunka of steamin’ disclosure is disquieting:

Dear David Weinberger,

We take the protection of your privacy extremely seriously at Clear. That’s why we announced on Tuesday that a laptop from our office at the San Francisco Airport containing a small part of some applicants’ pre-enrollment information (but not Social Security numbers or credit card information) recently went missing. None of your information was in any way implicated. However, we were prepared to send those applicants and members who were affected the appropriate notice on Tuesday detailing that situation.

Before we could send out that notice, the laptop was recovered. And, we have determined from a preliminary investigation that no one logged into the computer from the time it went missing in the office until the time it was found. Therefore, no unauthorized person has obtained any personal information.

Again, none of your personal information was on the computer in any form, but we nonetheless wanted to give you details of the incident that could have affected others applying for Clear memberships because the incident involves Clear’s privacy and security practices and policies.

We are sorry that this theft of a computer containing a limited amount of applicant information occurred, and we apologize for the concern that the publicity surrounding our public announcement might have caused. But in an abundance of caution, both we and the Transportation Security Administration treated this unaccounted-for laptop as a serious potential breach. We have learned from this incident, and we have suspended enrollment processes temporarily until all pre-enrollment information is encrypted for further protection. The personal information on the enrollment system was protected by two separate passwords, but Clear is in the process of completing a software fix – and other security enhancements – to encrypt the data, which is what we should have done all along, just the way we encrypt all of the other data submitted by applicants. Clear now expects that the fix will be in place within days. Meantime, all airport Clear lane operations continue as normal.

As you may know, our Privacy Policy states that we will notify you of any compromise of your personal information regardless of whether any state statute requires it. This letter is a good example of our policy: no law requires that we notify you of this incident because our investigation of the recovered laptop revealed no breach and because in any event none of your own information was affected. But we think it’s good practice to err on the side of good communication with all Clear members, especially when, in this case, we did make a mistake by not making sure that limited portion of information was encrypted.

Please call us toll-free with any questions at (866) 848-2415. Again, we apologize for the confusion.

Sincerely,
Steven Brill
Clear CEO

P.S. A reminder: One of Clear’s unique privacy features is that all members and applicants are given an identity theft protection warranty which provides that, in the unlikely event you become a victim of identity theft as a result of any unauthorized dissemination of your private information by – or theft from – Clear or its subcontractors, we will reimburse you for any otherwise unreimbursable monetary costs directly resulting from the identity theft. In addition, Clear will, at its own expense, offer you assistance in restoring the integrity of your financial or other accounts. So had there been any actual compromise of your personal information, you would have been additionally protected.

If this is intended to counteract the bad publicity the breach has engendered, well, Google News only has one hit reporting the breach in the first place. If it’s not – if FlyClear’s policy is to broadcast every near miss – then, well, I guess it’s admirable for its candor.

It’s also a pretty scary example of putting all your irises in one basket.