Making lists of things to remember as I scramble to keep my focus in the face of a lack of sleep. Next thing you know I’ll be putting sticky notes on things. “Coffee cup”, “Door”, “Advil” and “C-61 / bad joke”.

You get the idea.

Click here to subscribe to Liquidmatrix Security Digest!. Welcome to the new subscribers who joined us yesterday! Thanks!

And now, the news…

1. Copyright Bill’s Fine Print Makes For a Disturbing Read | Michael Geist
2. A Week in the Life of the Canadian DMCA: Part Two | Michael Geist
3. DMC-eh? Why Canada’s new Copyright law is a mistake | Mang Bat
4. E-Mail: To Encrypt or Not to Encrypt? | NPR
5. Hazel Blears’s stolen laptop was not encrypted | Information Age
6. Encryption: DLP’s Newest Ingredient | Dark Reading
7. Merchant Securities’ stock broking firm fined for poor data security procedures | RTT News
8. State computers headed for sale had private information | The Topeka Capital-Journal
9. Fed slammed over internal controls | Houston Chronicle

Tags: News, Daily Links, Security Blog, Information Security, Security News

1. On May 16, 2008, notified the Merchant Bank, Bryn Mawr Trust of the potential security breach
2. On May 16, 2008, learned that Bryn Mawr Trust outsources the actual credit card functions of the Merchant Bank to TransFirst.
3. On May 16, 2008, contacted TransFirst and notified it of the potential security breach and was informed that it would notify the three credit card companies, Visa, MasterCard and American Express.
4. On May 16, 2008, Altman Weil independently notified Visa, MasterCard, and American Express of the potential security breach.
5. On Saturday, May 24, 2008, notified all card holders whose cards were current (i.e. the expiration dates had not kicked in yet) by telephone calls placed.
6. Notified all card holders by letter of the situation and the possible risk
7. Notified the following law enforcement agencies:

1. Local police department located in Newton Square, Pennsylvania, where Altman Weil is located on May 23, 2008.
2. Secret Service's ECTF and Electronic Crimes Working Group on May 24, 2008.
3. Every state Attorney General in the states where potentially affected cardholders reside on May 27, 2008.
4. Federal Trade Commission on May 27, 2008.
5. Office of Thrift Supervision on May 27, 2008.
6. Office of the Comptroller of the Currency on May 27, 2008.
7. Federal Deposit Insurance Corporation on May 27, 2008.
8. Board of Governors of the Federal Reserve System on May 27, 2008

8. Assured that the hosting company has preserved logs and electronic evidence, has logged all actions taken, and has not altered or compromised the systems.
9. Retained forensic auditors at are [sic] own expense to undertake a thorough technical investigation of the cause and extent of the breach.
10. Committed to be back in touch with those customers who might be at risk with further information, once we have it.
    

We leave data everywhere we go. It's not just our bank accounts and stock portfolios, or our itemized bills, listing every credit card purchase and telephone call we make. It's automatic road-toll collection systems, supermarket affinity cards, ATMs and so on.

It's also our lives. Our love letters and friendly chat. Our personal e-mails and SMS messages. Our business plans, strategies and offhand conversations. Our political leanings and positions. And this is just the data we interact with. We all have shadow selves living in the data banks of hundreds of corporations' information brokers -- information about us that is both surprisingly personal and uncannily complete -- except for the errors that you can neither see nor correct.

What happens to our data happens to ourselves.

This shadow self doesn't just sit there: It's constantly touched. It's examined and judged. When we apply for a bank loan, it's our data that determines whether or not we get it. When we try to board an airplane, it's our data that determines how thoroughly we get searched -- or whether we get to board at all. If the government wants to investigate us, they're more likely to go through our data than they are to search our homes; for a lot of that data, they don't even need a warrant.

Who controls our data controls our lives.

It's true. Whoever controls our data can decide whether we can get a bank loan, on an airplane or into a country. Or what sort of discount we get from a merchant, or even how we're treated by customer support. A potential employer can, illegally in the U.S., examine our medical data and decide whether or not to offer us a job. The police can mine our data and decide whether or not we're a terrorist risk. If a criminal can get hold of enough of our data, he can open credit cards in our names, siphon money out of our investment accounts, even sell our property. Identity theft is the ultimate proof that control of our data means control of our life.

We need to take back our data.

Our data is a part of us. It's intimate and personal, and we have basic rights to it. It should be protected from unwanted touch.

We need a comprehensive data privacy law. This law should protect all information about us, and not be limited merely to financial or health information. It should limit others' ability to buy and sell our information without our knowledge and consent. It should allow us to see information about us held by others, and correct any inaccuracies we find. It should prevent the government from going after our information without judicial oversight. It should enforce data deletion, and limit data collection, where necessary. And we need more than token penalties for deliberate violations.

This is a tall order, and it will take years for us to get there. It's easy to do nothing and let the market take over. But as we see with things like grocery store club cards and click-through privacy policies on websites, most people either don't realize the extent their privacy is being violated or don't have any real choice. And businesses, of course, are more than happy to collect, buy, and sell our most intimate information. But the long-term effects of this on society are toxic; we give up control of ourselves.

This essay originally appeared on Wired.com.

We leave data everywhere we go. It's not just our bank accounts and stock portfolios, or our itemized bills, listing every credit card purchase and telephone call we make. It's automatic road-toll collection systems, supermarket affinity cards, ATMs and so on.

It's also our lives. Our love letters and friendly chat. Our personal e-mails and SMS messages. Our business plans, strategies and offhand conversations. Our political leanings and positions. And this is just the data we interact with. We all have shadow selves living in the data banks of hundreds of corporations' information brokers -- information about us that is both surprisingly personal and uncannily complete -- except for the errors that you can neither see nor correct.

What happens to our data happens to ourselves.

This shadow self doesn't just sit there: It's constantly touched. It's examined and judged. When we apply for a bank loan, it's our data that determines whether or not we get it. When we try to board an airplane, it's our data that determines how thoroughly we get searched -- or whether we get to board at all. If the government wants to investigate us, they're more likely to go through our data than they are to search our homes; for a lot of that data, they don't even need a warrant.

Who controls our data controls our lives.

It's true. Whoever controls our data can decide whether we can get a bank loan, on an airplane or into a country. Or what sort of discount we get from a merchant, or even how we're treated by customer support. A potential employer can, illegally in the U.S., examine our medical data and decide whether or not to offer us a job. The police can mine our data and decide whether or not we're a terrorist risk. If a criminal can get hold of enough of our data, he can open credit cards in our names, siphon money out of our investment accounts, even sell our property. Identity theft is the ultimate proof that control of our data means control of our life.

We need to take back our data.

Our data is a part of us. It's intimate and personal, and we have basic rights to it. It should be protected from unwanted touch.

We need a comprehensive data privacy law. This law should protect all information about us, and not be limited merely to financial or health information. It should limit others' ability to buy and sell our information without our knowledge and consent. It should allow us to see information about us held by others, and correct any inaccuracies we find. It should prevent the government from going after our information without judicial oversight. It should enforce data deletion, and limit data collection, where necessary. And we need more than token penalties for deliberate violations.

This is a tall order, and it will take years for us to get there. It's easy to do nothing and let the market take over. But as we see with things like grocery store club cards and click-through privacy policies on websites, most people either don't realize the extent their privacy is being violated or don't have any real choice. And businesses, of course, are more than happy to collect, buy, and sell our most intimate information. But the long-term effects of this on society are toxic; we give up control of ourselves.

---

Bruce Schneier is Chief Security Technology Officer of BT, and author of Beyond Fear: Thinking Sensibly About Security in an Uncertain World.

• Passport
• Voting ID card
• PAN card
• Driving License card
• Government issued ID card
• Social Security Card
• Military ID card
• Consular ID card
• Postal ID card
• Government Employee ID Card
• Credit Card
• Debit Card
  

Breach Description:
ACAP Security and affiliated sites are actively marketing a "secure payment system that allows Internet-based businesses to accept secure PIN-debit card payments and transactions at their online store."  The PinPay and SoftCard sign-up pages and account access pages are not adequately secured with encryption, potentially exposing extremely sensitive personal information.

Reference URL:
Merchant 911 Blog

Report Credit:
Tom Mahoney, the Founder and Director of Merchant 911

Response:
From the online source cited above and my own cursory investigation:

Back in January, I had short email dialog with a Kip Long, who claimed to be one of the principles of a company called Softcard out of Huntington Beach, CA. They are not to be confused with SoftCard Systems in Athens, GA. As far as I know, SoftCard Systems is a legitimate company with a legitimate product.

Mr. Long was rather aggressively, but not very successfully, trying to impress me with their product - from what I can make of it, a virtual PIN based card.

The company uses PinPay - to process transactions and both companies are a part of ACAP Security, Inc..

I reviewed their site for possible inclusion in our website’s resource pages, but promptly rejected them.

their insecure sign-up form - was requesting “Identity Card Numbers” and issue dates.
[Evan] The sign-up forms at SoftCard.biz and PinPay.net are not secure.  Neither are their respected login pages.

“Identity cards” are selectable from a drop down menu and include such ID information as Passport, Driver’s license, SSN, and Credit Card.

The form also requires a full name and DOB.

I tried using the HTTPS URL but it appears that they do not have a security certificate tied to their site.

The fact that Mr. Long used a hotmail address to pitch the company made me wonder too, given that at Merchant911 we try to instill in our members that a free email address from a customer is a fraud alert.

If a company official can’t use his company’s domain for email, I’m not going to talk to him.

I called their attention to the insecure web form in January. They still have the form up there, happily collecting this information with an insecure form.
[Evan] I also sent emails and heard nothing in return.

I have to wonder how much information has already been sniffed or otherwise compromised. You probably don’t want to fill out this form.
[Evan] My advice would be to NOT fill out the form and NOT conduct business with a company that has not demonstrated a willingness to secure your information.

Commentary:
Tom informed me about this vulnerability (and potentially a breach for anyone that signed-up/in) a couple of weeks ago.  I've been a little busy lately, but was finally able to check it out.  Let me recap what I found.

First, let's go to www.softcard.biz. This is the site that Tom originally pointed out to me.



The flash home page forwards visitors to a static index (indexaa.html) page.  The first paragraph on the page informs visitors about PinPay.

"The PINPAY SoftCard is a wise way to carry and transfer money. It gives you the ability to purchase products at participating stores throughout the world (as well as at online shopping malls), with the security of a PIN that travels the internet via private encrypted tunnels. It also allows you the ability to load money to your card, pay bills, transfer money to merchants, transfer money between cards, and withdraw cash from your card at the store."



See where the page says, "Register for your FREE card HERE!!"?  This is a link to the sign-up page that Tom was referring to.



No "https" in the URL.  Tom was right on that.  The sign-up form asks for a personal information ranging from name and address to identity card information (even information for a "Second Identity Card").



The "Select Identity Card" drop down menu displays the choices for the prospective customer, including Passport, Voting ID card, PAN card, Drivers License card, Government issued ID card, Social Security card, Military ID card, Consular ID card, Postal ID card, Government Employee ID Card, Credit Card and Debit Card



SoftCard (or PinPay or ACAP Security) are asking for some very sensitive personal information!  First, this is quite a bit more information than they need to approve a person for a "PINPAY SoftCard".  Second, no encryption?!  Third, who is ACAP/SoftCard/PinPay and what will they do to secure my information once they have it supposing it wasn't intercepted on the way to them?

Let's dig a little (public) information about ACAP Security.  According to Entreprenuer.com, ACAP launched "Personal Private Network" (ppn) technology, commercially available under the trade name ppnPRO, which is described as a "highly secure, and highly private" personal private network.  ppnPRO uses "Government approved AES encryption, with strong personalized 256-bit encryption keys, and encrypting all information- network addresses, applications and ports, as well as the confidential data content".  Sounds impressive, but it also sounds like the company should know a thing or two about securing web site transactions with encryption. 

I want to discuss the risk of sending confidential private information over a public network such as the internet without encryption, in particular.  This is not a new topic, but I will take some time to demonstrate the risk.

In order for my information to be compromised, someone (or something) will need to capture the traffic.  In order for someone to capture my traffic, they will need to tap into the communication somewhere between me (my computer) and the destination (the web server).  My information doesn't travel directly from my computer to the server.  There are intermediaries (routers, switches, firewalls, etc.) that have to get (or forward) my information from my computer to the server.



As you can see depicted in the graphic above, there are at least 16 routers (or hops) between this example source and www.softcard.biz.  The final few hops are not reported due to filtering.  So where could my traffic be captured?  At the very least:

• Between my computer and my router (or firewall)
• Between my firewall and the ISP hand-off
• Between all the traversed devices within my ISP's network
• Between all the traversed devices through the internet
• Between all the traversed devices within the destination ISP's network
• Between all the traversed devices within the destination organization's network and the server itself.