Bank sues Google for ID of Gmail user

A bank that inadvertently sent confidential account information on 1,325 of its customers to the wrong Gmail address is suing Google for the identity of the Gmail account holder. The case, filed in the U.S. District Court for the Northern District of California, involves Rocky Mountain Bank of Wyoming. According to court documents, the bank in August received a request from one of its customers asking for certain loan statements to be sent to a third party.

An employee of the bank, responding to the request, sent the documents to the wrong Gmail address. In addition to the requested loan information, the bank employee also inadvertently attached a file containing names, addresses, tax identification numbers and other details on 1,325 account holders to the same address. When it discovered the error, the bank immediately sent an e-mail to the Gmail address asking the recipient to delete the previous email and the attachment. The bank also asked the recipient to contact the bank to discuss what actions had been taken to comply with the bank's request. When it received no reply, the bank sent an e-mail to Google asking whether the Gmail account was active or dormant and also what it could do to prevent unauthorized disclosure of the inadvertently leaked information. When Google refused to provide any information on the account without a formal subpoena or court order, the bank filed a complaint asking the court to force Google to identify the account holder.

Rocky Mountain Bank also requested that its complaint and all of the pleadings and filings in the case be sealed. The bank said it hoped to prevent unnecessary panic among its customers and a "surge of inquiry from its customers." The bank argued that if the complaint and motion papers are not sealed, all of its customers would learn of the inadvertent disclosure. U.S. District Court Judge Ronald Whyte dismissed that request, saying there was no need for the proceedings to be sealed. "An attempt by a bank to shield information about an unauthorized disclosure of confidential customer information until it can determine whether or not that information has been further disclosed and/or misused does not constitute a compelling reason," Whyte wrote last week. This is the third time in recent weeks that Google has faced a similar issue. Earlier this month, the Associated Press reported that a resort developer in Miami had obtained a court order requiring Google to disclose the identities of anonymous contributors to an online newspaper in the Turks and Caicos Islands. The man alleged that the contributors to the paper had unfairly linked him to government corruption.

In that case, Google indicated that it would disclose the data only after first informing the paper about the request and giving it a chance to appeal for the court order to be quashed. In the other incident, a court in New York compelled Google to disclose the identity of a blogger who had made disparaging comments about a Vogue model in her blog "Skanks in NYC."

Windows Bug Enables PC Hijacking, Microsoft Warns

Microsoft Corp. last week confirmed that a bug in Windows Vista, Windows Server 2008, and the release candidates of Windows 7 and Windows Server 2008 R2 could be used to hijack PCs. The vulnerability in the Server Message Block (SMB) 2 network file- and print-sharing protocol that ships with those versions of the Windows operating system was first disclosed late last Monday, when a researcher posted exploit code. The next day, Microsoft issued a security advisory confirming the bug and the fact that it could be used to "take complete control of an affected system." Microsoft did note that the release to manufacturing, or RTM, editions of Windows 7 and Windows Server 2008 R2 are not affected, along with earlier versions of the operating system, including Windows 2000, XP and Server 2003. However, the vulnerable release candidates have been widely distributed, with millions of users downloading Windows 7 RC when it was publicly available from early May through mid-August. Microsoft recommended that users either disable SMB 2 by editing the Windows Registry - a task too daunting for most consumers - or block TCP Ports 139 and 445 at the firewall until a patch is available. However, the company acknowledged that blocking those ports would cripple several services and applications.

The Windows bug was disclosed the same day Microsoft delivered five critical updates that patched eight vulnerabilities in Windows, including one in the JavaScript engine that ships with every supported version of the operating system. As expected, a patch for the recently revealed vulnerability in its Internet Information Services Web server wasn't ready in time for the monthly update. This version of the story originally appeared in Computerworld's print edition.

HP to focus on services with new print division

Hewlett-Packard on Monday formed a new print services division with a focus on managing print and imaging hardware and software in enterprises. The division, called Managed Enterprise Solutions, aims to unify disparate hardware such as copiers, printers and scanners in order to cut hardware and printing costs, said Vyomesh Joshi, executive vice president of HP's imaging and printing group. The unit will also provide services and software that put scanned or printed documents in workflow systems to make document management easier. The company's attention has been geared toward hardware and supplies, but software and services surrounding printing and imaging are a growing opportunity, Joshi said. The company sees a US$121 billion annual opportunity in the printing market, of which $64 billion is for hardware and $57 billion for software and services.

There is more to printing than just hitting the print button, said Roger Douglas, director of managed print services at HP. For example, software provided with the managed services could enable an invoice to be scanned, which can automatically be put into a company's payroll system. The automation reduces the number of steps and cost required to manage the document, Douglas said. It also reduces the chance for error through manual transcription. The documents can also be secured through a service by establishing a status to ensure documents aren't appended, Douglas said. For example, if a marketing logo is finalized on a particular document, its status can be appended to ensure no one changes it. This approach is particularly helpful when editing legal documents, he said.

The company is also changing printer designs to build in more services-related functionality. For example, a touch screen on multifunction printers can be used to input or check the job status of scanned documents like patient records. "A lot of times customers have treated imaging and printing like an afterthought," Douglas said. Managed print is all about stepping back and taking a more strategic and methodical look at how those documents are managed, he said.

The company has also expanded the availability of a program that guarantees savings for customers who sign up for its print services outside the U.S. Under the plan, HP assesses a company's imaging and printing environment and calculates the possible savings a company can realize using HP's managed services. If customers haven't realized the savings in a year, HP will make up the difference with a credit that can be used for their next printing services contract. The company has already signed up 100 customers since it launched that program, Joshi said. The unit will be a part of the company's imaging and printing division, Joshi said. The company has pulled some personnel from the existing services division and has seen its services customer base expand since acquiring EDS.

HP has a strong presence in the printer market, and the expansion of services could help the company capture a larger share in the printer space, said Edward Crowley, CEO of Photizo Group, who was at HP's press briefing Monday. The increased level of focus on services could also benefit HP's enterprise customers, he said.

Researchers slam fickle iPhone anti-fraud feature

The iPhone's new defense - meant to prevent users from reaching phishing sites - is inconsistent at best, a security researcher said today, with some users getting warnings about dangerous links, while others are allowed to blithely surf to criminal URLs. Other experts said that the fickle feature is worse than no defense at all. Apple quietly added an anti-fraud feature to the iPhone's Safari browser with the update to iPhone 3.1, released Wednesday. But according to Michael Sutton, the vice president of security research at Sunnyvale, Calif.-based Zscaler, the new protection is "clearly having issues." At first, said Sutton, the anti-phishing feature was simply not working. "It was blocking nothing," Sutton claimed after testing iPhone 3.1's new tool Wednesday against a list of known fraudulent sites.

By Thursday, things had improved, but just barely. "Yesterday, it started blocking some sites, for some users, but it was inconsistent. Some sites are being blocked, others are not." That led Sutton to believe that the feature's functionality wasn't the issue, but how Apple updates users with a "blacklist" of malicious sites. Apple relies on Google's SafeBrowsing API (application programming interface) for the underlying data used to build anti-phishing and anti-malware blocking lists for the desktop edition of its Safari browser. Other browser makers, including Google and Mozilla, also use SafeBrowsing. "It appears some iPhones are getting timely updates [from Apple], but others are not, or are getting different [block list] feeds," Sutton said. "I'm feeling better about the feature than I was Wednesday, but clearly Apple is still having issues. With the [media] coverage of the problem, maybe they're resolving it, or trying to."

On Thursday, researchers at Intego, a Mac-only antivirus vendor, echoed Sutton's findings. "This feature should warn users that they may be visiting a known malicious Web site and ask if they wish to continue," said Peter James, a spokesman for Intego who writes the company's Mac security blog. "However, we have extensively tested this feature, tossing dozens of phishing URLs at it, and it simply does not seem to work. URLs that are blocked by Safari in Mac OS X open and direct users to malicious pages [on the iPhone]." Like Sutton, James reported inconsistencies in the anti-fraud feature's effectiveness. "All we've come up with is that sometimes it works and sometimes it doesn't," said James. "This is clearly more dangerous than no protection at all, because if users think they are protected, they are less careful about which links they click." The new feature is turned on by default in iPhone 3.1; the option to turn it off is in Settings/Safari/Security, and is listed as "Fraud Warning."

Sutton, although willing to concede that Apple overall is improving its security track record, bemoaned the state of mobile security in general, and the iPhone's in particular. "The greater concern to me is that we're making the same mistakes in mobile that we made on the desktop," he said. "On the desktop, security has gotten slowly better, but [with mobile] we have a fresh start. I would have thought we would have learned from our mistakes, but there's virtually no protection in mobile browsers." According to research conducted by NSS Labs, which was hired by Microsoft to benchmark different desktop browsers' ability to block malware-laden sites, Safari in Mac OS X and Windows blocked only one-in-five malicious sites. Internet Explorer and Firefox, meanwhile, blocked 80% and 27%, respectively. Google's Chrome blocked a paltry 7% of the sites. Last month, NSS Labs attributed the disparities between Firefox, Safari and Google - all of which use SafeBrowsing as the basis for their blacklists - to differences in how each browser tweaked, then applied, the lists.