User: Password:
|
|
Subscribe / Log in / New account

Security

The Personal Data Privacy and Security Act

July 13, 2005

This article was contributed by Joe 'Zonker' Brockmeier.

The good news is that the U.S. Congress is turning its attention to identity theft. The bad news is that Congress is unlikely to produce truly effective legislation. The Personal Data Privacy and Security Act of 2005 is one bill that attempts to address ID theft and misuse of personal information. It was introduced at the end of June by Senators Arlen Specter and Patrick Leahy. Text of the bill is available from thomas.loc.gov.

The bill's summary sounds good:

To prevent and mitigate identity theft; to ensure privacy; and to enhance criminal penalties, law enforcement assistance, and other protections against security breaches, fraudulent access, and misuse of personally identifiable information.

The bill does have some sensible provisions. It would specifically prevent companies from selling social security numbers, for example, without explicit consent of the individual. The bill would also require notification to individuals that their personal information had been compromised, and would require "data collectors" to disclose information being collected upon request. The bill would also beef up penalties for identity theft, and for concealing security breaches.

While there is a lot to like about the bill, it has more than its share of flaws. Section 422 of the act requires "any business entity or agency engaged in interstate commerce that involves collecting, accessing, using, transmitting, storing, or disposing of personally identifiable information" to provide written notification of an information compromise or, if the address is unknown, notification by phone. The problem with requiring a written notice or phone call is that many sites that would be required to comply with the law do not necessarily collect addresses or phone numbers. Forcing them to start gathering that information would be burdensome, intrusive on the privacy of the people who are allegedly being protected, and would add to the amount of data that can be stolen in the event of a successful attack.

The act also provides for a posting on the affected site, if more than 1,000 residents of the U.S. have been affected, and notice to "major media outlets serving that State or jurisdiction" if more than 5,000 residents of a state or jurisdiction are affected. However, these seem to be aggregate requirements -- so if a company has been affected, it seems to require that they notify all individuals by phone or mail, and post a notice, and send notice to "major media outlets."

There are a few flaws of omission in the bill as well. For example, as Jon Oltsik points out, there's no provision for monitoring compliance with the bill. While the bill prescribes heavy penalties for failing to comply, the only way that non-compliance will come to light, in the bill's present form, is once it's too late and a breach has occurred. This is of little comfort to those who have already had their information stolen and misused. Penalties for misuse and theft of data are fine, but prevention would be much better.

While the bill requires data collectors to disclose information upon request, it does not require any notification of collection. It's unlikely that the average person even knows what organizations are collecting data in the first place. To really "ensure privacy" the bill should prevent unauthorized data collection altogether.

Also, the bill protects social security numbers, which in and of itself is a good thing, but too specific. To be truly effective, now and in the future, the bill should cover any government-issued IDs. For example, it would be prudent to include IDs that fall under the Real ID Act.

It would be nice to see a national data security law that would provide notifications to individuals in the event that their information has been stolen, and give additional control to individuals over the aggregation and dissemination of personal data such as social security numbers. The proposed Personal Data Privacy and Security Act of 2005 takes some tentative steps in the right direction; hopefully its weaker points will be addressed as the bill moves forward.

Comments (6 posted)

New vulnerabilities

acroread: arbitrary code execution

Package(s):acroread CVE #(s):CAN-2005-1625 CAN-2005-1841
Created:July 8, 2005 Updated:July 14, 2005
Description: Adobe Acrobat Reader (acroread) has a buffer overflow vulnerability. If a user is tricked into opening a specially crafted PDF file, arbitrary code can be executed.
Alerts:
SuSE SUSE-SA:2005:042 acroread 2005-07-14
Gentoo 200507-09 acroread 2005-07-11
Red Hat RHSA-2005:575-01 acroread 2005-07-08

Comments (none posted)

centericq: temporary file vulnerability

Package(s):centericq CVE #(s):CAN-2005-1914
Created:July 13, 2005 Updated:July 13, 2005
Description: The centericq messaging client suffers from a classic temporary file vulnerability which could, conceivably, be exploited by a local user to overwrite files.
Alerts:
Debian DSA-754-1 centericq 2005-07-13

Comments (none posted)

dhcpcd: denial of service

Package(s):dhcpcd CVE #(s):CAN-2005-1848
Created:July 13, 2005 Updated:September 13, 2005
Description: The dhcpcd DHCP client can be tricked into reading past the end of a buffer, causing it to crash.
Alerts:
Slackware SSA:2005-255-01 dhcpcd 2005-09-13
Red Hat RHSA-2005:603-01 dhcpcd 2005-07-27
Gentoo 200507-16 dhcpcd 2005-07-15
Mandriva MDKSA-2005:117 dhcpcd 2005-07-12
Debian DSA-750-1 dhcpcd 2005-07-11

Comments (none posted)

FUSE: information disclosure

Package(s):fuse CVE #(s):CAN-2005-1858
Created:July 13, 2005 Updated:July 13, 2005
Description: The filesystems in user space (FUSE) subsystem (not yet part of the mainline kernel) has an information disclosure vulnerability exploitable by local users.
Alerts:
Debian DSA-744-1 fuse 2005-07-08

Comments (none posted)

ht: arbitrary code execution

Package(s):ht CVE #(s):CAN-2005-1545 CAN-2005-1546
Created:July 8, 2005 Updated:July 13, 2005
Description: The utility ht, an executable file viewer, editor and analyzer, has buffer and integer overflows that can be exploited for the purpose of executing arbitrary code.
Alerts:
Debian DSA-743-1 ht 2005-07-08

Comments (none posted)

krb5: double-free flaw

Package(s):krb5 CVE #(s):CAN-2004-0175 CAN-2005-0488 CAN-2005-1175 CAN-2005-1689
Created:July 12, 2005 Updated:December 6, 2005
Description: The krb5 authentication has a double-free flaw which may be initiated by a remote unauthenticated attacker. Also, a single byte heap overflow in the krb5_unparse_name() function can lead to a denial of service and an information disclosure may be caused by a malicious telnet server. See This report for more information.
Alerts:
Ubuntu USN-224-1 krb4, krb5 2005-12-06
Debian DSA-757-1 krb5 2005-07-17
Trustix TSLSA-2005-0036 kerberos5, 2005-07-14
Mandriva MDKSA-2005:119 krb5 2005-07-13
SuSE SUSE-SR:2005:017 multiple packages 2005-07-13
Gentoo 200507-11 mit-krb5 2005-07-12
Fedora FEDORA-2005-553 krb5 2005-07-12
Red Hat RHSA-2005:562-01 krb5 2005-07-12
Fedora FEDORA-2005-552 krb5 2005-07-12
Red Hat RHSA-2005:567-02 krb5 2005-07-12

Comments (none posted)

leafnode: fetchnews vulnerabilities

Package(s):leafnode CVE #(s):CAN-2004-2068 CAN-2005-1453 CAN-2005-1911
Created:July 12, 2005 Updated:July 13, 2005
Description: The fetchnews program from the leafnode NNTP server has a number of vulnerabilities involving corruption of data from the upstream server. The system can hang indefinitely or crash.
Alerts:
Mandriva MDKSA-2005:114 leafnode 2005-07-11

Comments (none posted)

sharutils: temporary file vulnerability

Package(s):sharutils CVE #(s):CAN-2005-0990
Created:July 13, 2005 Updated:July 13, 2005
Description: Sharutils (and unshar in particular) creates temporary files in an unsafe way, making local file overwrite attacks possible.
Alerts:
Fedora-Legacy FLSA:154991 sharutils 2005-07-10

Comments (none posted)

Events

USENIX Security Symposium

The USENIX Security Symposium is happening starting July 31 in Baltimore. Click below for the details.

Full Story (comments: none)

Page editor: Jonathan Corbet
Next page: Kernel development>>


Copyright © 2005, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds