Nikon Customer Data Leaks Onto Web
September 15, 2006 By Todd Spangler
Nikon, the $6 billion camera and imaging products manufacturer, on Thursday said that data on 3,235 customers inadvertently became accessible on the Web site of Nikon World, its quarterly customer magazine.
During a nine-hour period, data including customers' names, addresses and credit card numbers could viewed on NikonWorld.com. However, the company said only nine individuals--who were new magazine subscribers--accessed the information and that the only information accessible was that of subscribers who had signed up for the magazine since Jan. 1, according to The Associated Press.
Nikon said the disclosure resulted from a problem with an external vendor, AP reported. Nikon did not respond to Baseline's requests for more information about the incident.
According to AP report, Nikon contacted all the subscribers whose information was revealed as well as the nine new subscribers who were able to view it.
Will they ever find the desktop computer?
Unisys contractor arrested in VA theft
Investigators do not believe 21-year-old suspect sought agency's data
By Robert McMillan, IDG News Service September 15, 2006
Authorities have charged a 21 year-old Unisys Corp. subcontractor with stealing a desktop computer with billing information on as many as 38,000 U.S. Department of Veterans Affairs medical patients.
Khalil Abdulla-Raheem, of Washington, D.C., was charged Wednesday with theft of government property. He is the employee of an unnamed company that "provides temporary labor to Unisys," according to a statement released by the Veterans Affairs (VA) department's Office of Inspector General.
The computer was stolen in late July from Unisys's Reston, Virginia, offices. It contained records on about 16,000 living patients who had received treatment at VA medical centers in Philadelphia and Pittsburgh, as well as information on another 2,000 who are deceased. Data on an additional 20,000 patients may have been stored on the computer, according to the VA.
The VA said that these records may have contained Social Security numbers, addresses, and insurance information. The U.S. Federal Bureau of Investigation (FBI) is now analyzing the computer to determine whether this information has been compromised, but investigators do not believe that Abdulla-Raheem was after the VA data.
This is the second of two major data breaches at the VA this year. In May, personal information on about 26.5 million veterans was compromised when a laptop and external hard drive were stolen from a VA analyst's home. Authorities have arrested two teenagers in connection with that theft and the FBI has concluded that the sensitive information was untouched.
Still, the data in question was unencrypted in both of these incidents, and the VA, which has regularly scored failing grades in the Federal Government's annual computer security scorecard, has been blasted for its handling of the matter.
The department's Inspector General published a report in July citing policy failures and a lack of supervision in the May incident, and called for the VA to adopt a clear policy for safeguarding sensitive data.
With data notification laws pushing data breaches into the public eye, PC encryption has become a priority for many IT departments.
In fact, laptop encryption will top a list of the ten most important security trends for 2007, due to be released on October 1 by the SANS Institute, a computer security training organization.
"Every major organization is moving forward to buy and deploy encryption products," said SANS Director of Research Alan Paller, in an e-mail note sent Thursday. "The reason is that top management is adamant about not facing personal embarrassment because of lost sensitive data." [Imagine how much better it would be if they faced personal jail time! Bob]
Abdulla-Raheem was released on bail Wednesday and is due back in federal court for a preliminary hearing on October 3.
Unisys has offered a US$50,000 reward for information leading to the recovery of the PC. So far, nobody has come forward to claim the money, according to Lisa Meyer, a Unisys spokeswoman.
Unisys had not encrypted the data on the stolen PC because this was not required by the VA, but the company is now taking a second look at this policy, Meyer said. "An event like this caused us to reexamine everything we're doing," she said.
Survey: Data breaches yield few ID thefts
Off-line causes are more likely to result in ID theft and fraud
By Jaikumar Vijayan, Computerworld September 15, 2006
Contrary to popular perception, computer data breaches are less likely to result in identity theft and other fraud than off-line causes such as lost or stolen wallets and checkbooks.
That was the finding of a year-long study of about 5,000 U.S. consumers by Pleasanton, Calif.-based analyst firm Javelin Strategy & Research. Javelin's research showed that despite recent hype, data breaches were responsible for just 6 percent of all known cases of identity theft, compared to 30 percent from incidents like losing one's wallet. [keep in mind that theft of a wallet involves only one potential victim, theft of a laptop can compromise 26 million... Bob] The study also showed that less than 1 percent of all individuals whose data was lost later became victims of ID theft.
Javelin's results are similar to those found by other firms that have looked at the relationship between data breaches and actual instances of ID fraud. In a Gartner study in 2005, for instance, only 18 percent of identity theft victims attributed the cause to computer breaches, while 41 percent cited off-line causes. Similarly, a December 2005 analysis by ID Analytics Inc. of four major online data breaches involving 500,000 customer records showed that less than 1 percent of those affected had their identities stolen.
The numbers are important at a time when a spate of data breach disclosures has heightened consumer concerns and is fueling a debate among lawmakers about the need for more stringent data protection laws, analysts said.
"There is a misperception that there is a one-to-one correlation between a data breach and ID theft," said Thomas Oscherwitz, vice president of government affairs and chief privacy officer at San Diego-based ID Analytics. In reality, "the mere fact that you are part of a data breach doesn't mean that you are a victim of ID theft," he said.
The degree of risk can depend on the type of breach, Oscherwitz said. Data breaches involving a deliberate hacking, for instance, are likely to be much more risky than those involving a lost disk or laptop, he said.
Failing to make such distinctions can push consumers to undertake unnecessary efforts to protect themselves and can impose burdens on corporations, said Mary Monahan, author of the Javelin study.
"Our opinion is that consumers do need to be protected by data breach laws, and we do want to see a federal law to protect all consumers," Monahan said. But given the low risk of ID theft from such breaches, any such law would need to give the breached entity the opportunity to conduct a risk assessment before they are required to disclose it publicly; The absence of such a trigger could result in indiscriminate notifications. [Notice is to alert potential victims of the potential for identity theft, not the certainty. Bob]
"And then all you get is white noise" that few people pay attention to, Monahan said.
Currently, many of the 30-plus states that have breach disclosure laws require companies to notify customers of any data breach involving the potential compromise of personally identifiable information. Several industry groups have been lobbying lawmakers for a preemptive federal law that would add some sort of a breach notification trigger that is based on an assessment of the risk of ID theft or other fraud.
Privacy advocates, on the other hand, have been arguing for broad disclosure, saying that few companies are likely to publicly notify consumers of a breach if they are allowed to make their own risk assessments.
"I think it's always going to be difficult to make a conclusive cause-and-effect relationship between ID theft and data breaches," said Andrew Jacquith, an analyst at Yankee Group Research Inc. in Boston. So the real emphasis of any national legislation has to be on measures that companies need to take to protect sensitive customer data, he said.
Also important is the need to examine issues like the continuing use of Social Security numbers as identifiers by a large number of companies, Jacquith said. "I view nonpublic information as radioactive material that needs to be protected [from leaks]," he said. "It's material that you can use to manufacture identities with."
September 15 2006
Every Web 2.0 Company On One Page
Go2Web20.net is a very nicely designed Flash page with logos and basic information for most web 2.0 companies. Click on a logo to see an overview of the company and links from blogs discussing it. It’s also sortable and searchable. Very nice. The only issue I have with it is that it’s loading a little slowly, possibly due to a very heavy page weight.
Creating something like this is a ton of work. The site is nothing but a reflection of Orli and Eyal’s passion for what’s happening on the web right now…the same passion that is driving the success of this and other blogs dedicated to chronicling this period of web history.
Hacker Discovers Adobe PDF Back Doors
By Ryan Naraine September 15, 2006
A British security researcher has figured out a way to manipulate legitimate features in Adobe PDF files to open back doors for computer attacks.
David Kierznowski, a penetration testing expert specializing in Web application testing, has released proof-of-concept code and rigged PDF files to demonstrate how the Adobe Reader program could be used to launch attacks without any user action.
Overreaction? Perhaps there have been incidents?
Virgin tells travellers to remove Apple, Dell laptop batteries
By Tony Smith 14th September 2006 14:44 GMT
Virgin Atlantic has become the third airline to restrict the use of Apple and Dell laptop batteries on its flights. Passengers who want to take their Inspirons, Lattitudes, iBooks, PowerBooks, MacBooks or MacBook Pros onto the carrier's planes are asked to remove the battery first.
Like Korean Air, which recently instituted its own battery ban, Virgin Atlantic isn't preventing such notebook owners from operating their laptops, but it is limiting them to seat-side power supplies. Flying coach or economy without an in-seat power supply? Then you can't use your Apple or Dell machine.
Should be required viewing at the start of each class...
Don't answer your cell phone is this prof's class
easyfrag submitted by easyfrag 10 hours 25 minutes ago (via http://www.youtube.com/watch?v=hut3VRL5XRE )
T.E.D.D.Y. (Draw in 2D - Outputs in 3D)
lazyrussian submitted by lazyrussian 1 day 4 hours ago (via http://lazyrussian.com/2006/09/15/freaky-friday-episode-3-teddy/ )
Teddy is a Java-Applet Drawing Program that takes the 2D images you draw and renders them in 3D. The alogrithm adds shading according to the strokes and connections between the lines. This is truly a cool program for anyone and everyone! - Video and Software Download Link included in Post.
Hacking 101: Why you should always change the default passwords
Default Password List for Hundred's of WAP's and Routers.
victimofkratina submitted by victimofkratina 16 hours 29 minutes ago (via http://www.phenoelit.de/dpl/dpl.html )
You are entering the lands of packets, brute force and misuse of trust. This is a dark land. Full of problems and choices. Be carefull when you use your knowledge. Be also carefull with your tools and weapons. Never underestimate your enemy. [Never assume you are smarter than a hacker... Bob]