Hundreds of HIV-positive patients have their identities revealed in e-mail error

Anna Hodgekiss reports on the Mail Online that a sexual health clinic in London’s Soho has revealed the names of up to 780 HIV-positive patients in an e-mail error.

The error affected patients who had signed up to the clinic’s Option E service and happened when a monthly newsletter was sent out. It appears to have occurred because the newsletter was sent using an open group circulation list rather than as a blind copy.

The clinic tried to recall the message using Microsoft Outlook’s recall function and then sent another e-mail apologising for the error and asking recipients to delete the message.

Comment from the Newsblog Editor:

A mistake like this is easy to make in an e-mail client like Microsoft’s Outlook, where an e-mail list can easily be copied into the wrong field and sent out as a CC (carbon copy) to all recipients, rather than as a BCC (blind carbon copy). Indeed, private information has been accidentally distributed on CC lists a number of times before. A much more secure method would be to use an e-mail list management application such as Mailman or MailChimp.
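The difference between the two delivery styles can be checked mechanically before anything is sent. The following is an added example, not code from the clinic, Outlook, Mailman or MailChimp: a pre-send check that counts the addresses every recipient would see, next to a builder that creates one message per subscriber, which is the per-recipient delivery model assumed here for list managers. The function names and the example.org addresses are constructed for illustration.

```python
from email.message import EmailMessage
from email.utils import getaddresses


def exposed_recipients(msg):
    """Addresses visible to every recipient: everything in To and Cc."""
    headers = msg.get_all("To", []) + msg.get_all("Cc", [])
    return sorted({addr.lower() for _, addr in getaddresses(headers) if addr})


def safe_to_send(msg, max_visible=1):
    """Refuse a bulk mailing that would disclose more than max_visible addresses."""
    return len(exposed_recipients(msg)) <= max_visible


def group_message(sender, subject, body, recipients, field):
    """One shared message with the whole list placed in a single header field."""
    msg = EmailMessage()
    msg["From"], msg["Subject"] = sender, subject
    msg[field] = ", ".join(recipients)
    if field == "Bcc":
        msg["To"] = sender  # visible header then carries only the sender
    msg.set_content(body)
    return msg


def per_recipient_messages(sender, subject, body, recipients):
    """One message per subscriber, so no header ever holds the full list."""
    return [group_message(sender, subject, body, [r], "To") for r in recipients]


if __name__ == "__main__":
    # Constructed sample data, not real subscribers.
    subs = ["a@example.org", "b@example.org", "c@example.org"]
    sender = "newsletter@example.org"
    for field in ("To", "Cc", "Bcc"):
        m = group_message(sender, "Monthly news", "Hello", subs, field)
        print(field, "safe" if safe_to_send(m) else "BLOCKED", exposed_recipients(m))
    singles = per_recipient_messages(sender, "Monthly news", "Hello", subs)
    print("per-recipient:", all(safe_to_send(m) for m in singles))
```

Run as a script, it blocks the To and Cc variants and passes the Bcc and per-recipient variants; the same check can sit in front of whatever actually submits the mail.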

Smartphone encryption will help cops more than it hurts them

In a very interesting article on the Slate website, Kevin Bankston highlights that, despite claims by some law enforcement officials that encryption is a tool that will allow criminals to evade justice, the use of strong encryption actually helps to reduce crime.

Bankston points out that although it is true that criminals will make use of encryption technology to shield their activities, the use of the technology will overall prevent millions of crimes. For example, smartphone theft is at epidemic proportions, with millions stolen annually, often in robberies, which are by definition violent crimes. However, strong encryption will block criminals from using the commonly available tools to unlock a smartphone, rendering it useless to them.

The article also highlights that criminals are increasingly interested not just in the phone but also in the personal and other data contained on it, which can, for example, allow them to commit fraud or identity theft. It is not just personal data that is at risk, but also corporate data, as people increasingly use mobile devices to access work e-mails and data. Strong encryption can prevent access to phone data and thus crimes associated with data theft.

Finally, it is worth noting that the FBI itself recommends encrypting your phone – this is despite the fact that FBI Director James Comey has joined in the anti-encryption crusade!

EFF Release Privacy Badger Browser Plug-in to Stop Online Tracking

The Electronic Frontier Foundation (EFF) has released a tool called Privacy Badger to allow web users to block tracking cookies and spying adverts which ignore the Do Not Track setting in browsers. Privacy Badger is not an ad blocker: adverts which do not contain tracking functionality, or which respect Do Not Track settings, are not blocked.

Privacy Badger also offers some protection against browser fingerprinting (see Panopticlick) by blocking third-party domains that use the technique, although it is not totally effective against what is a very sophisticated and subtle form of tracking.

The plug-in is currently available for Chrome and Firefox and can be found and downloaded here.

HTC Phone Stored Fingerprints as Clear Text

Darren Pauli reports on The Register website that security researchers have discovered that the HTC One Max phone stored user fingerprints as clear text in a “world readable” folder that could be accessed by other apps. The Samsung Galaxy S5 was also found to have similar vulnerabilities.

The revelation was made by researchers presenting at the Black Hat security conference in Las Vegas earlier this month. It was one of four situations in which biometric data on an Android phone could be accessed by hackers. In one scenario they showed how attackers could have money transfers authenticated by getting a user to scan their fingerprints on a fake login screen to unlock the device.

A link to the original research paper can be found here.