Centennial Man

Tuesday, July 14, 2009

Florida strikes again!

http://www.databreaches.net/?p=6140

FL DOE loses loan promissory notes

July 13, 2009 by admin Filed under Breach Incidents, Education Sector, Financial Sector, Lost or Missing, U.S.

Bill Cotterell of the Tallahassee Democrat reports a breach involving the Florida Department of Education’s Office of Student Financial Assistance:

The agency is notifying 475 student-loan borrowers that their financial records have been exposed to identity theft because the OSFA managed to lose 1,186 “promissory notes” that they signed when they were going to school, and have now fallen behind on.

It’s not that the money is lost. There are copies of the promissory notes, so the loans can be collected.

But Jose Blas Lorenzo Jr., director of policy, regulatory compliance and institutional review for the OSFA, said the missing files bear Social Security numbers, names and addresses, birth dates, personal references and lots of other little tidbits that could come in handy for an identity thief.

“While your file was being processed for reassignment during the week of May 25, 2009, your promissory note(s) was lost,” he wrote in the official notice approved by the Federal Trade Commission and sent to borrowers. He added that the OSFA “cannot verify if the record of your promissory note(s) has been tampered with or if the confidentiality of your promissory note(s) was compromised.”

Cotterell reportedly filed a public records request on the incident and discovered that although OSFA’s director of policy, regulatory compliance and institutional review was informed of the breach on June 2, he did not notify the bureau chief until June 23.

The story doesn’t seem to report how the promissory notes were lost.

Lexis as “good citizen?” OR, did this occur before 2004 and Lexis is only learning about it because of the arrest?

http://www.databreaches.net/?p=6146

LexisNexis warns of breach after alleged mafia bust

July 13, 2009 by admin Filed under Business Sector, Insider, Of Note, U.S., Unauthorized Access

Information broker LexisNexis has warned more than 13,000 consumers, saying that a Florida man who is facing charges in an alleged mafia racketeering conspiracy may have accessed some of the same sensitive consumer databases that were once used to track terrorists.

Lee Klein, 39, of Boynton Beach, Florida, was charged by the U.S. Department of Justice in May following an undercover sting operation that netted 11 suspects from an alleged South Florida crew of the Bonanno crime family.

On Friday, the office of the New Hampshire Attorney General posted a letter that LexisNexis sent out to consumers last month, warning that Klein may have used his access to LexisNexis’ Seisint databases “in order to perpetrate certain crimes.”

Read more of Bob McMillan’s report on Network World.

[From the article:

On Friday, the office of the New Hampshire Attorney General posted a letter that LexisNexis sent out to consumers last month, warning that Klein may have used his access to LexisNexis' Seisint databases "in order to perpetrate certain crimes."

… In a statement, LexisNexis said Monday that "the former Seisint customer involved in this matter should have provided notice to potentially affected individuals. However, because the customer is no longer in business we provided the notice."

… Seisint is best known as the creator of the ill-fated MATRIX (Multi-State Anti-Terrorism Information Exchange) terrorist data-mining project, which was shut down in 2005 following privacy concerns. LexisNexis, a division of Reed Elsevier, acquired Seisint in 2004 for US$775 million. It sells two Seisint products: Accurint, which provides information on individuals and their assets, and Securint, a background screening tool.

It takes little effort to steal an ID

http://www.databreaches.net/?p=6150

OK: ID theft attributed to online public records

July 13, 2009 by admin Filed under Breach Incidents, Exposure, Government Sector, ID Theft

Some Pottawatomie County residents claim they are the victims of identity theft, and they believe it is the result of their Social Security numbers being visible online.

[...]

At issue are mortgage and lease documents posted to a publicly accessible Web site. The documents were posted with social security numbers in view.

Pottawatomie County clerk Nancy Bryce said there is no plan currently to remove them from the Web.

Monday, July 13, 2009

We can, therefore we must!

http://www.pogowasright.org/?p=1788

Aussie ‘Big Brother’ hospital plan irks docs

July 12, 2009 by Dissent Filed under Non-U.S., Workplace

The State Government has a secret plan to track the movement of staff around the new Royal Children’s Hospital using radio tags, which has outraged unions and raised fears of setting a precedent in employee surveillance.

Doctors say the plan smacks of Big Brother, and they will refuse to wear the tags when the hospital opens in 2011.

Sunday, July 12, 2009

Interesting. Fodder for the Class Action lawyers? Would submitting the Judge's information be a good move?

http://www.pogowasright.org/?p=1769

Ohio drivers sue over sale of their data

July 11, 2009 by Dissent Filed under Breaches, Court, Govt, U.S.

The Ohio Department of Public Safety and Bureau of Motor Vehicles has been hit with a potentially costly class action lawsuit alleging that two senior employees contravened federal privacy laws when they authorized the sale of information in the state’s databanks. “At this point we don’t know what motivated them to sell the data,” says Charles Lester, an attorney with the Eric Deters law firm in Cincinnati, who represents plaintiffs in the suit. “We just know that the information is out there on the Internet.”

According to documents filed with the US District Court in Ohio, the names, addresses and driver’s license numbers of hundreds of thousands of Ohio drivers were sold to a consumer information aggregating company called PublicData, which in turn sold the information to another company called Shadowsoft. “Anyone can go get that information, all you have to do is pay a fee – there is no vetting process that stops you,” says Lester. “If I wanted to get the information about the judge in the case I could go online and get it!”

The suit, which has yet to be certified, asks that the state of Ohio cease selling data and make an effort to recover the information released into the public domain. “We want the practice stopped and we want damages,” says Lester. “There is a statutory penalty of a minimum amount of $2500 that people are entitled to even if they cannot show any specific harm. The federal law makes it clear this information should not be freely available.”

Saturday, July 11, 2009

Today's theme is “unbelievable statistics” – believe it!

This can't be right, can it? According to Wolfram Alpha, more than 600,000 people died in the UK last year. So something like 96,000 had their identity stolen? Are we seeing this in the US where 2,500,000 people died last year?

http://www.pogowasright.org/?p=1676

Post-mortem ID theft

July 10, 2009 by Dissent Filed under Breaches, Non-U.S.

According to Cifas data analyzed by Halo, if you’re in the UK and die, you apparently have a 16% risk of having your identity stolen after your death.

That makes a somewhat compelling argument for not dying in the UK, doesn’t it?

(Related)

http://www.pogowasright.org/?p=1710

Après HITECH, le déluge (of reports)

July 10, 2009 by Dissent Filed under Breaches, Featured Headlines, Legislation, U.S.

Yesterday on phiprivacy.net, I posted a link to an article in the Journal of AHIMA that discusses how California officials were surprised at how many breach reports they have received since California’s new medical privacy breach reporting law went into effect on Jan. 1.

Under the broadened reporting requirements whereby healthcare organizations in California are now required to report any unauthorized access to a patient’s unsecured personally identifiable health information (PHI) —intentional or otherwise — 823 incidents were reported between Jan. 1 and May 31. According to a spokesperson for the California Department of Public Health, Center for Health Care Quality (CDPH), most of the breaches have been due to errors as opposed to intentional breaches.

In a statement to PogoWasRight.org, Pam Dixon, Executive Director of the World Privacy Forum noted how the high numbers suggest that there is much to be done to ensure privacy and confidentiality:

“What struck me the most about the report is the total number of breaches since January — over 800. This is a substantially higher number than previous breach reports have hinted at. We have always known that the number of actual breaches exceeded the number of breaches that get reported, but these new statistics suggest that the number of actual breaches is staggeringly high. This new data show why there is heightened need for stronger protections for electronic health records, and especially for electronic health records that are exchanged among a variety of providers and health information exchanges. Ensuring patient privacy and confidentiality has not been adequately addressed yet, or we would not be seeing these high breach numbers.”

If that is the case, as it appears to be, then what should we expect to see nationwide when the HITECH Act is implemented? Under the new law, there is a broader definition of what constitutes a breach and what triggers notification. Although notification is only required in the case of unsecured PHI, given how many incidents we read about on a daily basis involving unsecured records, and in light of preliminary data from California, it seems likely that we are about to have a mind-boggling experience when we see how often unintended disclosure of PHI really occurs.

As Dixon points out, and as the reports from Alberta Health Services in Canada and the NHS in the UK clearly remind us, as we move towards more records online, we run greater risks of not only hacks but viruses infecting databases and either endangering the accuracy of patient records or stealing sensitive health and personal information. The California data serve as a useful wake-up call and call to action even before HITECH Act provisions go into effect.

I hope they are notifying users and pointing them to a “cure” but I don't see that in the article. Just means the user will re-connect with a new account and the same old malware – and assume Twitter is poorly managed.

http://www.pcworld.com/businesscenter/article/168201/twitter_suspends_accounts_of_users_with_infected_computers.html

Twitter Suspends Accounts of Users With Infected Computers

Jeremy Kirk, IDG News Service Friday, July 10, 2009 5:00 AM PDT

Twitter is suspending the accounts of some users whose computers have fallen victim to a well-known piece of malicious software that has targeted other sites such as Facebook and MySpace.

The malware, Koobface, is designed to spread itself by checking to see if person is logged into a social network. It will then post fraudulent messages on the person's Twitter account trying to entice friends to click the link, which then leads to a malicious Web site that tries to infect the PC.

… Koobface gets instructions from a command-and-control server, which tells the malware which messages to send out. Koobface is dangerous on other levels, however, as it can also steal data from a PC or download other malware.

Politics means never having to say you're sorry (or wrong or lying or...)

http://torrentfreak.com/mininova-denied-rectification-from-dutch-government-090709/

Mininova Denied Rectification From Dutch Government

Written by Ernesto on July 09, 2009

Recently a committee of the Dutch Parliament published a report on copyright legislation in which it made several false accusations against the Dutch-based BitTorrent site Mininova. The Mininova team were insulted by the report and demanded a public rectification, which the parliament has now refused. Mininova is now considering legal action.

… Legal threats or not, the committee announced today that it does not intend to rectify their earlier statements, even though they admit to having made a mistake.

(Related) Perhaps we've reached a point where whatever politicians say is assumed to be wrong?

http://torrentfreak.com/eu-commissioner-digital-natives-see-piracy-as-sexy-090710/

EU Commissioner: Digital Natives See Piracy As ‘Sexy’

Written by enigmax on July 10, 2009

EU Commissioner for Telecoms and Media Viviane Reding has joined the debate over Internet piracy. Yesterday she stated that both sides of the conflict are right but their inability to see things from the other’s perspective is holding back progress. In the meantime, she says, piracy is seen by many as increasingly “sexy”.

“enquiring minds want to know”

http://www.pogowasright.org/?p=1731

Terrorist Surveillance Program, unplugged

July 10, 2009 by Dissent Filed under Featured Headlines, Govt, Surveillance

A long-awaited report on the Terrorist Surveillance Program was released today. An unclassified version of the report prepared by the Office of Inspectors General for the Departments of Defense, Justice, the CIA, NSA, and DNI is entitled Unclassified Report on the President’s Surveillance Program (pdf).

The report’s discussion of the President’s Surveillance Program (PSP) makes it clear that the Terrorist Surveillance Program (TSP) that the public became aware of in 2005 following publication by the New York Times was only one part of a much broader program expanded by Bush after 9/11 to include a variety of activities. The other activities, referred to in the report as “Other Intelligence Activities,” remain “highly classified” and are not described in the report, but are also subsumed under “PSP.” The PSP program resulted in “unprecedented” collection of data.

According to the report, although John Yoo reportedly prepared several preliminary opinions relating to hypothetical events in September and October of 2001, the first formal Office of Legal Counsel (OLC) opinion on the legality of PSP was not drafted until after President Bush formally authorized the program in October 2001. According to the report:

The first OLC opinion directly supporting the legality of PSP was dated November 2, 2001, and was drafted by Yoo. As discussed in Section IV of this report, deficiencies in Yoo’s memorandum identified by his successors in the Office of Legal Counsel and the Office of the Deputy Attorney General later became critical to DOJ’s decision to reassess the legality of the program in 2003.

[...]

As the only OLC official read into the PSP through early 2003, Yoo consulted directly with White House officials about the PSP during this period. Because the DOJ OIG was unable to interview Yoo, it could not determine the exact nature and extent of these consultations. The DOJ OIG was also unable to determine whether Attorney General Ashcroft was fully aware of the advice Yoo was providing directly to the White House about the PSP.

Of course, much that the public would want to know is omitted from the unclassified version of the report, but there is a significant amount of criticism that is left for the public to mull over. One such aspect concerns the DOJ’s handling of PSP-collected information as it related to DOJ’s discovery obligations in international terrorist prosecutions. The DOJ OIG recommended that DOJ reviews its obligations, but also that the DOJ

carefully consider whether it must re-examine past cases to see whether potentially discoverable but undisclosed Rule 16 or Brady material was collected under the PSP, and take appropriate steps to ensure that it has complied with its discovery obligations in such cases.

That Yoo was pretty much the sole source of legal justification memos for PSP seems pretty evident from reviewing the report. It also seems clear that as more people in OLC were read into the program, the OLC began seriously questioning Yoo’s memoranda and the legality of the program, while Gonzales and others in the White House kept trying to persuade Yoo’s successors that the program was legal.

Perhaps some of the greatest drama in the report is provided in the detailed description of the conflict between the White House and DOJ counsel in March 2004, which included the scene in Ashcroft’s hospital room where, having disregarded his wife’s request that her husband was too ill, White House Chief of Staff Andy Card and White House counsel Alberto Gonzales still tried to pressure Ashcroft into signing a reauthorization of the program.

Later in the report, the DOJ OIG concluded that

the White House’s strict controls over DOJ access to the PSP undermined DOJ’s ability to perform its critical legal function over the PSP’s early phase of operation.

The report also indicated that because Ashcroft would not be interviewed, it was unclear whether he had aggressively pursued getting more staff read into the program when the White House did not approve of Ashcroft’s chief of staff, David Ayres, and Deputy Attorney General Larry Thompson being read in.

The report also criticized Alberto Gonzales for providing testimony to Congress that was

confusing, inaccurate, and had the effect of misleading those who were not knowledgeable about the program.

Overall, the impression given is that by restricting details of the program to one and only one person in the OLC who would be likely to be sympathetic to the President’s views, the White House was able to produce “paper” justifying the program until March 2004 by which time others who had been read into the program raised serious doubts about the legality of the program.

Unfortunately, the public still has no court ruling on important issues such as whether the President’s Article II powers trumps FISA. If the courts would stop tossing out lawsuits based on “state secrets” defense, maybe we’d get an answer. If we don’t, then eventually we may find ourselves in a similar situation.

Update/Related: See NY Times coverage, as well as Washington Post. I’m sure everyone will have something to say on the report.

This could get interesting, or Facebook could back away immediately.

http://www.pogowasright.org/?p=1692

Power.com gets in Facebook’s face

July 10, 2009 by Dissent Filed under Businesses, Court, Featured Headlines, Internet

Power.com is fighting back against Facebook’s lawsuit (pdf). Today, Power.com filed a response and countersuit (pdf).

In the filing, Power.com claims that some of the actions attributed to Power.com by Facebook, such as sending out emails to contacts, actually were the doing of Facebook itself and that it was Facebook itself which inserts the Facebook email address and “team” sig line. The filing also claims that Facebook is essentially complaining about Power.com doing exactly what Facebook does. Facebook allows users to import contacts from other email accounts but is seemingly trying to block Power.com from also serving an aggregator function.

Dismissing Facebook’s copyright and trademark infringement claims in relatively short order by pointing out that Facebook does not provide even one element to support its claims, Power.com focuses on user ownership of and control of data, and asserts that everything it is doing is done with the content owner’s consent — unlike Facebook, it says, which is allegedly trying to stop its users from exerting such control if they wish to use Power.com’s service.

Jason Kincaid of TechCrunch provides a recap of the lawsuits to date and his perspective on the lawsuits.

Facebook did not respond to a request for a comment on Power.com’s filing or lawsuit by the time of publication.

(Related) I don't see much new...

http://www.bespacific.com/mt/archives/021786.html

July 10, 2009

Research Institute Releases Primer on Internet Privacy

News release: "The Pacific Research Institute (PRI) announced the release of a new report on Internet privacy and security. Click Confidential: A Privacy Primer for the Social Web, authored by Daniel Ballon, Ph.D., PRI senior fellow in technology studies, outlines the detrimental affects of government regulated privacy policy on emerging online businesses. He also provides effective strategies for empowering consumers while promoting choice and competition."

Another “nothing new”

http://www.bespacific.com/mt/archives/021785.html

July 10, 2009

National Security Inspectors General Release Critique of Warrantless Surveillance Program

News release: Today’s release of a report by several agency inspectors general reinforces the National Security Archive’s argument in our Freedom of Information Act lawsuit that the Justice Department should declassify and release the legal justifications for the surveillance program authorized by President Bush after the terrorist attacks of September 11, 2001. The new report from the inspectors general of the Department of Defense, Department of Justice, Central Intelligence Agency, National Security Agency, and Office of the Director of National Intelligence, criticizes the OLC memoranda that were used to justify warrantless surveillance of US citizens, several of which remain secret and are subject to the Archive’s lawsuit. The IGs state that there were “deficiencies” in the OLC memos, drafted by Deputy Assistant Attorney General John Yoo, and that the memos “raise[d] serious concerns” at DOJ because they omitted analysis of key cases and legal provisions and were not subject to the ordinary “rigorous peer review process.”

Sometimes I just like to remind you that I do have a great grasp of the obvious. I've been saying for years that there is no need to own media if the cost (buying, storing, upgrading) is greater than the cost of viewing movies (songs, archives) 'on demand'

http://www.bespacific.com/mt/archives/021788.html

July 10, 2009

Has the Swan Song of the DVD Begun?

The Economist: "TEN years ago DVDs rejuvenated the film business, encouraging people to own films rather than simply watch them. But sales, which began declining gradually in 2006, are now falling more steeply. Around a third of the drop in the first quarter was counteracted by rising sales of high-definition Blu-ray discs, which are more profitable. Meanwhile, rentals are booming. Redbox, which rents films cheaply from self-service kiosks, has been adding machines at the rate of more than 500 per month. For the studios it is much more profitable to stream a film digitally or sell it through a cable operator as a video-on-demand (VOD)."

(Related?) A business model the RIAA will absolutely hate.

http://news.cnet.com/8301-13505_3-10283886-16.html?part=rss&subj=news&tag=2547-1_3-0-5

Trent Reznor: 'So you want to make money on the Web'

by Matt Asay July 10, 2009 8:04 AM PDT

For those who have yet to grok the Open Core business model, Trent Reznor of Nine Inch Nails fame will sing it to you. In a series of forum entries, Reznor explains exactly how to build a music business on the Web and, in the process, classically defines Open Core, the primary business model for open-source software, too.

Reznor writes:

Forget thinking you are going to make any real money from record sales. Make your record cheaply (but great) and GIVE IT AWAY. As an artist you want as many people as possible to hear your work. Word of mouth is the only true marketing that matters.

… Then, offer a variety of premium packages for sale and make them limited editions/scarce goods. Base the price and amount available on what you think you can sell. Make the packages special--make them by hand, sign them, make them unique, make them something YOU would want to have as a fan.

For my website students (Get a “.INFO” domain name for $0.99)

http://www.domparison.com/domain-name-price-comparison/index.php

Domparison

Domparison is a domain name price comparison search engine. We search domain registrars to find the cheapest domain prices so that you don't have to. Simply select which domain extension you want and the type of price you want (e.g. register, renew or transfer) and the lowest domain name prices for registration, renewal or transfers will be displayed.

Have I listed this one before?

http://www.makeuseof.com/dir/jdsupra/

JDSupra: Database of Legal Documents Shared By Lawyers

JDSupra is a database of legal documents shared by lawyers. For legal professionals its a platform to reach wider audience by uploading their work and get credited for their expertise and experience. For consumers it’s a way to find a lawyer to represent them in court who has worked on similar cases with a proven record of success.

http://www.jdsupra.com/

Labels: Identity theft, law, Privacy, security

Friday, July 10, 2009

Is this good news or bad news?

http://www.wired.com/threatlevel/2009/07/health-breaches/

New Law Floods California With Medical Data Breach Reports

By Kim Zetter July 9, 2009 3:24 pm

California officials have received more than 800 reports of health data breaches in the first five months after a new state law went into effect January 1.

The law requires health care organizations in California to report suspected incidents of intentional and unintentional unauthorized breaches of a patient’s personally identifiable health information to the California Department of Public Health.

The agency, however, says it was surprised by the large number of reports it received in such a short period, according to the Journal of the American Health Information Management Association, and expects that number to increase dramatically as organizations become more familiar with the reporting procedures.

Follow-up

http://infoseccompliance.com/2009/07/09/johnson-et-al-v-microsoft-court-docs-on-motion-ruling-ip-address-not-pii/

Johnson, et al. v Microsoft: Court Docs on Motion Ruling IP Address Does Not Equal PII

Posted on July 9th, 2009 by David Navetta Filed under: IP address, PII, personally identifiable information, priavcy

For those interested in digging deeper into the recent ruling in the UNITED STATES DISTRICT COURT FOR THE WESTERN DISTRICT OF WASHINGTON, SEATTLE DIVISION that IP addresses do not constitute “personally identifiable information,” I have complied all of the relevant pleadings, motions, and response/reply/surreply briefs for your viewing pleasure….

Everyone does it, but unless they publish how would we know?

http://www.pogowasright.org/?p=1652

UK police won’t reopen phonetap case

July 9, 2009 by Dissent Filed under Businesses, Non-U.S.

British police said on Thursday they would not reopen investigations into the interception of celebrities’ mobile phone voicemails by journalists, despite new allegations against a Rupert Murdoch newspaper.

[...]

Assistant Commissioner John Yates of the Metropolitan Police said the original probe had concluded that phone tapping had occurred in only a minority of cases. All those victims had been informed, he said.

‘Their potential targets may have run into hundreds of people, but our inquiries showed that they only used the tactic against a far smaller number of individuals,’ Yates said.

‘No additional evidence has come to light since this case has concluded. I therefore consider that no further investigation is required.’

Source: LSE.co.uk

Times Online has the full text of John Yates’ statement.

(Related) We call it “pretexting”

http://www.pogowasright.org/?p=1668

ICO statement about media blagging

July 10, 2009 by Dissent Filed under Non-U.S.

This is the full text of the statement by Mick Gorrill, Assistant Information Commissioner, yesterday:

“People care about their personal privacy and have a right to expect that their personal details remain confidential. Who they are, where they live, who their friends and family are, how they run their lives: these are all private matters. Individuals may choose to divulge such information to others, but information about them held confidentially should not be available to anyone prepared to pay the right price.

“The Information Commissioner’s Office (ICO) exposed the widespread media involvement in illegally obtaining personal information in its reports What Price Privacy? and What Price Privacy Now? The ICO named some of the UK’s newspapers and magazines which bought people’s personal information in search of a story.

“Following a court order in 2008 we made available a copy of some information, from our investigation into the buying and selling of personal information, to lawyers acting on behalf of Gordon Taylor. This included material that showed that 31 journalists working for The News of the World and The Sun had acquired people’s personal information through blagging.”

The links below take you to two reports, What Price Privacy? and What Price Privacy Now? which set out more information.

http://www.ico.gov.uk/upload/documents/library/corporate/research_and_reports/what_price_privacy_low_resolution.pdf
http://www.ico.gov.uk/upload/documents/library/corporate/research_and_reports/ico-wppnow-0602.pdf

All politicians lie.

http://www.pogowasright.org/?p=1627#respond

Jewel v. NSA back in court next week

July 9, 2009 by Dissent Filed under Court, Govt, Surveillance, U.S.

Thursday, July 09, 2009

Something to consider as all our health records go online.

http://www.databreaches.net/?p=6042

Alberta Health records hit by virus

July 8, 2009 by admin Filed under Breach Incidents, Healthcare Sector, Malware, Non-U.S., Of Note

The Office of the Information and Privacy Commissioner has been notified by Alberta Health Services that a virus was present on the Alberta Health Services network in Edmonton. The virus impacted the network and Netcare, Alberta’s electronic health record, before it was discovered and removed.

The virus is a new variant of a Trojan horse program called coreflood and is designed to steal data from an infected computer and send it to a server controlled by a hacker. Coreflood captures passwords and data the user of the computer accesses. The virus was active from May 15 to 29 before it was detected and removed.

AHS identified two groups who are potentially at risk. Patients whose health information was accessed in Netcare through an infected computer and employees who accessed personal banking and email accounts from work using an infected computer. AHS is sending letters to the 11,582 patients whose information may have been exposed and has notified all affected employees.

Commissioner Frank Work says this does not necessarily mean Netcare itself has been infected by the virus; rather the virus may have captured patient data accessed through Netcare from an infected computer and sent it to an external party. [Important distinction. The application can be very secure, but if the entire processing environment isn't as secure, someone can tap in ant the weakest point. Bob] “While it appears the risk to patients is low, viruses don’t discriminate and this is an important message to everyone about the need to run up to date anti virus software”, says the Commissioner.

The Commissioner’s office is investigating. In the meantime Work is expecting a full forensic report from Alberta Health Services on how this happened and what steps will be taken to prevent future breaches. Work says “AHS responded quickly when the virus was detected and that steps have been taken to notify users and patients with advice on what they should do to protect personal and health information”.

Source: Office of the Information and Privacy Commissioner of Alberta

No statement appears on the Alberta Health Service site as of the time of this posting

The legal side is outlined. Is that all there is?

http://infoseccompliance.com/2009/07/08/pci-dss-incident-response-the-legal-perspective/

PCI DSS Incident Response: The Legal Perspective

Posted on July 8th, 2009 by David Navetta Filed under: TJX, breach notice, credit cards

The SANS Institute InfoSec Reading Room recently published an article by Christian J. Moldes entitled PCI DSS and Incident Handling: What is required before, during and after an incident. Moldes’ whitepaper is a good starting point for developing an incident response plan to address payment card security breaches. The paper hits upon the key aspects of payment card security breach handling from an information security professional’s point of view. The paper, however, speaks little of the legal implications of a payment card security breach, and the incident response considerations that arise out of those implications.

Does Microsoft have a “duty to disclose” bugs in its software? (Ask a Class Action lawyer?)

http://www.computerworld.com/s/article/9135259/Microsoft_may_have_known_about_critical_IE_bug_for_months

Microsoft may have known about critical IE bug for months

Researchers uncovered latest bug in 2007; Microsoft mum on timing

By Gregg Keizer July 7, 2009 02:31 PM ET

Computerworld - The vulnerability that sent Microsoft scrambling yesterday and is being used by hackers now to attack Internet Explorer (IE) users may have been reported 18 months ago or more.

… The CVE (Common Vulnerabilities and Exposures) number for the vulnerability -- CVE-2008-0015 -- points to a possible early 2008 reporting date. According to the database, the CVE number was reserved on Dec. 13, 2007.

Remember, North Korea has a division of hackers in its army. And since they still consider pigeons high-tech communications, how can we retaliate – short of Nuking them?

http://news.cnet.com/Cyberattacks-hit-U.S.-and-South-Korean-Web-sites/2100-7349_3-6249857.html?tag=newsLatestHeadlinesArea.0

Cyberattacks hit U.S. and South Korean Web sites

By Choe Sang-Hun The New York Times July 8, 2009 5:50 AM PDT

SEOUL, South Korea--Cyberattacks that have crippled the Web sites of several major American and South Korean government agencies since the July 4th holiday weekend appear to have been launched by a hostile group or government, South Korea's main government spy agency said on Wednesday.

Although the National Intelligence Service did not identify whom they believed responsible, the South Korean news agency Yonhap reported that the spy agency had implicated North Korea or pro-North Korea groups. [There are pro-North Korea groups? Bob]

… In the attack, an army of thousands of "zombie computers" infected by the hackers' program were ordered to request access to these Web sites simultaneously, causing an overload that caused the sites' servers to crash, South Korean officials said.

Although most of the North Korean military's hardware is decrepit, the South Korean authorities have recently voiced their concern over possible cyberattacks from the North. In May, South Korean media reported that North Korea was running a cyberwarfare unit that operates through the Chinese Internet network and tries to hack into American and South Korean military networks.

Surprise! Surprise! Surprise!

http://www.databreaches.net/?p=6051

State Dept lost track of its laptops

July 8, 2009 by admin Filed under Commentaries and Analyses, Of Note

The State Department does not have an accurate accounting of its laptop computers, including ones meant for classified use, and has failed to encrypt machines [Deadline was July 1 last year! Bob] as it is supposed to do to protect sensitive information, according to a new report by the department’s inspector general.

Inspectors found that 27 laptops, worth $55,000 were missing out of a sample of 334 from four State Department bureaus.

“Because the content and the encryption status of the missing laptop computers are unknown, there is a risk that PII (Personally Identifiable Information) and other sensitive Department information may be susceptible to unauthorized access and use,” it says.

Wednesday, July 08, 2009

Today's theme seems to be the increasing sophistication of hacker gangs.

http://www.databreaches.net/?p=6030

Hackers Decrypt Encrypted Data?

July 8, 2009 by admin Filed under Business Sector, Hack, ID Theft, Non-U.S.

Meanwhile, in Manila, the Manila Bulletin Publishing Corp. reports:

The National Bureau of Investigation (NBI) started expanding its probe into the credit card fraud after uncovering that the arrested Nigerians who managed to hack the merchant website to get vital information of the credit card holders.

[...]

Last Friday, agents of the National Bureau of Investigation (NBI) arrested four Nigerians engaged in purchasing plane tickets through fraudulently acquired credit cards in an operation in Cavite.

[...]

Mallari said the arrested Nigerians and other syndicates engaged in the credit card fraud were able to hack the merchant website.

“Information in the merchant website is encrypted and the internet hackers managed to decrypt the info. Of course not all info in the merchant web can easily accessed by syndicates like the big companies, because they have measures to protect their clients but in some instances; the syndicates succeed in decrypting the info,” said Palmer.

The remainder of the story is a bit difficult for me to understand. If anyone would like to read the whole thing and then summarize, that would be nice

Small, but interesting. Sounds like an amusing project for my Math students... Identify the range of numbers your bank (any card issuer) uses and then generate a few dozen valid numbers. My usual 10% guarantees an “A” Best Practice would be a truly random number, but with hundreds of issuers, that could cause duplicates...

http://www.databreaches.net/?p=6021

ID Theft Case in Japan

July 7, 2009 by admin Filed under ID Theft, Malware, Non-U.S., Other

It’s unusual for me to see an ID theft report coming out of Japan. There was the report last year involving Yahoo! Japan, but other than that, I’m hard-pressed to think of any cases offhand. Today’s Yomiuri Shimbun, however, reports one such case:

The Metropolitan Police Department arrested Chizuru Asahi, 21….. She allegedly used other people’s credit card numbers she illicitly obtained through card-generation malware called CreditMaster. [Another useful crook-tool! Bob]

[...]

During a search of her house, the police seized eight credit cards issued under other people’s names.

Asahi was quoted by the police as saying, “We identified credit card numbers [originally issued] for more than 60 people based on these [eight] credit cards.”

[...]

This is the first time in Japan that a person has been charged in connection with a CreditMaster scheme, the Japan Credit Card Association said.

According to the association, credit card numbers are basically set sequentially based on a specific protocol created by individual credit companies.

The CreditMaster fraud scheme allows existing credit card numbers to be illicitly identified with computer software based on an existing number by making calculations based on the numb ter of the base card, excluding a specific set of numerals with which the credit card company can be identified.

(Related?) What do you bet that they also generate account numbers based on a simple algorithm...

http://www.databreaches.net/?p=6014

eMoney Transfer Customer Data Accessed

July 7, 2009 by admin Filed under Breach Incidents, Financial Sector, Of Note, U.S., Unauthorized Access

MoneyGram International has notified the Vermont Attorney General’s Office of a breach affecting some customers using MoneyGram Payment System’s eMoney Transfer system.

According to the letter dated June 29, during routine security checks, the company discovered that some customers’ accounts had been accessed by unauthorized individuals. The company insists, however, that there was no security breach on their end. The letter from Debra Guertin, MoneyGram’s Privacy Officer, said:

The access was not a result of breakdown in MoneyGram’s security controls. Although we have investigated thoroughly and contacted law enforcement, we do not know how the criminals obtained the customers’ login information.

The unauthorized access may have exposed the customers’ names, addresses, phone numbers, transaction history, and last four digits of a masked credit card number. As a preventive measure, the company blocked access to those accounts and wrote to affected customers to ask them to call in and change their password to unblock their accounts. Customers were also offered a discounted rate on a subscription to services through Equifax.

Three Vermont residents were notified of the breach. The total number affected was not reported.

Very slick. By routing through the victim's link, the bank would see the correct IP address of their customer.

http://it.slashdot.org/story/09/07/07/2051238/PC-Invader-Costs-a-Kentucky-County-415000?from=rss

PC Invader Costs a Kentucky County $415,000

Posted by kdawson on Tuesday July 07, @07:26PM from the don't-be-stupid-out-there dept.

plover recommends a detailed account by Brian Krebs in the Washington Post's Security Fix column of a complex hack and con job resulting in the theft of $415,000 from Bullitt County, Kentucky.

"The crooks were aided by more than two dozen co-conspirators in the United States, as well as a strain of malicious software capable of defeating online security measures put in place by many banks. ...the trouble began on June 22, when someone started making unauthorized wire transfers of $10,000 or less from the county's payroll to accounts belonging to at least 25 individuals around the country... [T]he criminals stole the money using a custom variant of a keystroke logging Trojan known as 'Zeus' (a.k.a. 'Zbot') that included two new features. The first is that stolen credentials are sent immediately via instant message to the attackers. But the second, more interesting feature of this malware... is that it creates a direct connection between the infected Microsoft Windows system and the attackers, allowing the bad guys to log in to the victim's bank account using the victim's own Internet connection."

Why would the cellphone companies need to know where you are? They could count the number of calls at each cell (without identifying users) if they needed to determine the load on their system. What business purpose is served by knowing who is where?

http://news.slashdot.org/story/09/07/07/2331254/Cellphones-Increasingly-Used-As-Evidence-In-Court

Cellphones Increasingly Used As Evidence In Court

Posted by kdawson on Wednesday July 08, @09:02AM from the we-know-where-you-were-last-summer dept. court privacy

Hugh Pickens writes

"The NY Times reports that the case of Mikhail Mallayev, who was convicted in March of murder after data from his cellphone disproved his alibi, highlights the surge in law enforcement's use of increasingly sophisticated cellular tracking techniques to keep tabs on suspects before they are arrested and build criminal cases against them by mapping their past movements. But cellphone tracking is raising concerns about civil liberties in a debate that pits public safety against privacy rights. Investigators seeking warrants must provide a judge with probable cause that a crime has been committed, but investigators often obtain cell-tracking records under lower standards of judicial review — through subpoenas, which are granted routinely, or through an intermediate type of court order based on an argument that the information requested would be relevant to an investigation. 'Cell phone providers store an increasing amount of sensitive data about where you are and when, based on which cell towers your phone uses when making a call. Until now, the government has routinely seized these records without search warrants,' said EFF Senior Staff Attorney Kevin Bankston. Last year the Federal District Court in Pittsburgh ruled that a search warrant is required even for historical phone location records, but the Justice Department has appealed the ruling. 'The cost of carrying a cellphone should not include the loss of one's personal privacy,' said Catherine Crump, a lawyer for the ACLU."

Reenforces a lots of my views. Politicians can't understand everything so they rely on the bureaucrats to tell them what their policy should be. (Presidents may change but bureaucracies live forever.)

http://www.pogowasright.org/?p=1552

Obama’s cyber plan raises privacy hackles

July 8, 2009 by Dissent Filed under Govt, Internet, Surveillance, U.S.

Andy Greenberg of Forbes discusses the initial concerns and reactions of privacy advocates to Obama’s cybersecurity plan. Concerns kicked into higher gear last week with news about NSA involvement in monitoring government traffic on private sectors and the Einstein 3 program. Greenberg reports:

While the concerns over privacy and the NSA are valid, they could hamper the progress of the Obama administration’s cyber plan, says James Lewis, director of the Center for Strategic and International Studies, which authored an influential paper aimed at shaping the president’s thinking on cyber issues. “We have technologies that would greatly improve cybersecurity, but their use wouldn’t be consistent with our laws on surveillance and privacy,” Lewis says, pointing to statutes such as the Electronic Communications Privacy Act of 1986, which disallows wiretaps without a warrant.

Lewis says these laws may need to be amended to allow effective government monitoring systems, but he notes that the scandal surrounding the Bush administration’s warrantless wiretapping practices may have precluded that kind of legislation.

Centennial Man

Tuesday, July 14, 2009

Monday, July 13, 2009

Sunday, July 12, 2009

Saturday, July 11, 2009

Friday, July 10, 2009

Thursday, July 09, 2009

Wednesday, July 08, 2009

About Me

Links

Previous Posts

Archives