Monday, January 22, 2007

It continues to grow (fester?)

http://www.computerworld.com.au/index.php/id;1436854886;fp;4194304;fpid;1

TJX breach shows IT security lacks in retail industry

Breach shows why it's so vital to purge the Track 2 data from POS and other systems

Jaikumar Vijayan 22/01/2007 09:36:08

... In addition, the MBA spokesman said some of the banks affected by the breach have confirmed through credit card companies that the information stolen in the breach includes so-called Track 2 data taken from the magnetic stripes on the back of credit and debit cards.

... Track 2 data includes account numbers, expiration dates and encrypted personal identification numbers, plus other information that card-issuing banks can include at their discretion. Its apparent inclusion in the breach at TJX provides fresh evidence that IT security remains fragile at some large retailers despite efforts by credit card companies to get them to better protect customer data.

Retailers are forbidden from storing such information under the Payment Card Industry (PCI) Data Security Standard being pushed by Visa, MasterCard International Inc. and other credit card companies. But many retailers continue to do so, often because their point-of-sale systems capture and store the data by default.

... In a statement released yesterday, Daniel Forte, CEO of the Boston-based MBA, criticized what he said was TJX's characterization of itself as a victim of the data breach, "when what it appears they may have been doing is capturing data that is unnecessary."



What, voting irregularities in Chicago? Never!

http://www.suntimes.com/news/politics/222892,CST-NWS-data22.article

City loses voters' vital information

Social Security data, birth dates, addresses on discs

January 22, 2007 BY ART GOLAB Staff Reporter

About 100 computer discs with 1.3 million Chicago voters' Social Security numbers have been distributed to aldermen and ward committeemen, and the whereabouts of at least an additional six CDs with the same information are unknown, according to the Chicago Board of Elections.

This follows another security lapse in October 2006, when voters' Social Security numbers were available through the board's Web site. But unlike the Web site flaw, which was fixed in a few minutes, it will be difficult, if not impossible, for the Board of Elections to retrieve sensitive data physically scattered on more than 100 discs throughout the area.

The discs also contain voters' birth dates and addresses -- information that along with Social Security numbers can be used to commit identity theft.

... The latest leak of sensitive voter information was uncovered by 43rd Ward aldermanic candidate and technology expert Peter Zelchenko, who also discovered the Web site security hole last October.

"This information must be on campaign computers and in desk drawers all over the city," said Zelchenko.

Zelchenko discovered voters' Social Security numbers on a so-called "Ward Work" CD, which is supposed to contain voter names and addresses and is given on request to anyone affiliated with an aldermanic campaign. [Run for office now, steal identities later... Bob]

'Grave doubts'

The board claims that only Zelchenko and one other aldermanic candidate mistakenly received the sensitive data since 2003. But in investigating queries from the Chicago Sun-Times, board officials found out about the other 100-plus CDs, [another case of not knowing where your data is... Bob] spokesman Tom Leach said. Social Security numbers were inadvertently included on those discs, [I doubt “inadvertently” Bob] which were created by the board in the wake of the 2003 fire at 69 W. Washington, where it maintained computers with voter records.

"We couldn't maintain our voter-registration system, [This, I believe! Bob] so they downloaded the whole file for committeemen and aldermen," Leach said.

Records on the CDs contain information about 2.2 million active and inactive voters, but only 1.3 million of the records contain Social Security numbers.

... And it worries Furst that the lapses occurred at an agency responsible for counting votes.

"It would, in my mind, cast grave doubts on electronic voting," he said. "My sense is that these are people with the best of intentions, but [they] don't know enough about the possible consequences of using technology and so are making mistakes."



Even Google screws up...

http://www.prnewswire.co.uk/cgi/news/release?id=188440

Monday 22 January 2007, 8:00 GMT

Finjan Reconfirms Google's Anti-Phishing BlackList Exposed Confidential User Information

SAN JOSE, California, January 22 /PRNewswire/ -- Finjan Inc., the global provider of best-of-breed proactive web security solutions for businesses and organizations, today announced that it reconfirms recent reports that Google have unwittingly exposed private user names and passwords on the Google anti-phishing blacklist, which did not use any access protection. Such sensitive information could potentially have been used to compromise user privacy, and could even have been used for identity theft or financial profit (as users generally have a single "web" password for most of their online accounts).

... Google has fixed the problem, and it is assumed that Google has notified all affected users. Recent tests conducted by Finjan confirm that there is no data leakage on the current Google anti-phishing blacklist.



I think I missed this one... So did they, apparently.

http://www.myrtlebeachonline.com/mld/myrtlebeachonline/news/local/16508366.htm

School district leaves personnel records behind during renovations

Associated Press Posted on Sat, Jan. 20, 2007

GREENVILLE, S.C. - Boxes of personnel records - including the Social Security numbers of thousands of teachers - were accidentally left behind by the Greenville County school district when it vacated its office for renovations, officials say.

The 10 boxes held lists of every teacher employed by the district between 1972 and 1990, as well as their Social Security numbers, district spokeswoman Oby Lyles said Friday. Several other boxes contained personnel records as recent as 1998, Lyles said.

"While it seems apparent the records were left behind because they were essentially hidden and inaccessible, the district is investigating to determine responsibility and will take appropriate action," he said.

There was no evidence the records had been duplicated, Lyles said. [Another self-serving comment. “What happened to the other boxes, Mr Lyles?” Bob]

District officials and police searched the empty building Thursday night after The Greenville News told the district it had received an anonymous call about the boxes, which had not been located during a walkthrough of the building before it was vacated, according to an incident report.

A rear door of the building was also found to be "unsecure, due to screws keeping the locking mechanism from locking the door," the report said.

District officials will question employees and workers at the site, Lyles said.

The finding comes just two months after it was discovered that the district had sold computers containing Social Security numbers and birthdates for roughly 100,000 students and at least 1,000 employees.

The two buyers never released the information found in computers they bought at a dozen school district auctions between 1999 and last March but decided to go public with their findings after the district ignored their warnings about the information, their attorney has said.

Last month, Circuit Judge Diane S. Goodstein ordered the men and their company, WH Group, to return the computers, saying both sides had agreed to let an independent computer expert document all of the data.



Welcome to Colorado! In order to find you after the avalanche, you need this chip. (Are you paranoid enough?)

http://www.rockymountainnews.com/drmn/government/article/0,2777,DRMN_23906_5286748,00.html

Bill would nip chips in humans

By Alan Gathright, Rocky Mountain News January 18, 2007

For years, people have been implanting tiny microchips under their pet's skin so that if Rover's collar slips off, there's still a way to find him if he wanders away.

Now a state lawmaker has added a twist to that concept with a bill that would make it a misdemeanor for anyone to require two-legged critters to have a microchip implanted under their skin.

Under the bill, employers could not track workers' movements, for example.

Rep. Mary Hodge, D-Brighton, said she introduced House Bill 1082 as a "proactive measure" at the urging of Adams County's head librarian. He fears that "microchipping" people could become the next Big Brother tactic of a federal government whose use of warrantless telephone eavesdropping and the Patriot Act in the war on terror has alarmed civil libertarians.

The bill is cracking up some Capitol pols.

"Is this a problem? Do we have gangs of post-apocalyptic Terminator-style cyborgs roaming the streets of Colorado implanting citizens with microchips?" wisecracked Rob Fairbank, a former-representative-turned-political-consultant, in an e-mail to statehouse pals.

"One of my legislator friends said, 'If we can't implant microchips on people, how will we know when the black helicopters arrive?' " joked Fairbank, a Littleton Republican.

Michael Sawyer isn't laughing.

He's the library director for the Rangeview Library District in Adams County who urged Hodge to nip the microchipping in the bud.

"I think it's a very scary thing," Sawyer said Wednesday. "I have been very concerned about the direction our government is going. I see the secret courts and I see the Patriot Act and the advocating of putting microchips in people."

Sawyer was referring to Tommy Thompson, the former Wisconsin governor and Bush administration Health and Human Services secretary, who became an advocate of the implants after joining the board of device maker VeriChip Corp.

Supporters like Thompson say implanting the rice-grain-size gadgets in patients could allow doctors to quickly retrieve vital information from someone who has dementia, or is unconscious or unable to speak during medical emergencies.

The tiny glass capsule, called a radio frequency identification device or RFID, can be injected into the upper arm or hand and sits passively until it's read by a scanner.

The fear is that employers could use the chips to track workers as they pass through security-door scanners - like internal versions of the electronic pass-keys many employees use to get around the office.

In fact, the president of Colombia suggested using implants to track migrant workers entering the U.S. And a Wisconsin lawmaker unsuccessfully pushed for using them to track sex offenders - or kids "at the direction of their parents," according to a Wisconsin legislative report.

Last May, Wisconsin became the first state to ban forced implantation of the chips on humans, imposing a $10,000 fine for each day of violation. At least 17 other states have introduced or are considering microchip implant laws.



They may have been overwhelmed... Sounds like a good tool for learning new languages.

http://developers.slashdot.org/article.pl?sid=07/01/21/1410208&from=rss

Building a Programmer's Rosetta Stone

Journal written by Short Circuit (52384) and posted by CmdrTaco on Sunday January 21, @10:09AM

from the still-waiting-for-programmer's-tower-of-babel dept.

Did you ever run into the problem where you knew how to do something in one programming language, but really needed to do it in another? That's what Rosetta Code is all about. A variety of programming tasks are solved using as many languages as possible. You can examine existing tasks, or create your own.



Interesting question. Do you suppose there are hints at a viable answer in the comments? Is there a viable answer? It would be nice to think organizations have that much control over their data, but if they can't tell how much has been stolen, how would they find “all” of your data?

http://yro.slashdot.org/article.pl?sid=07/01/20/0425221&from=rss

Deleting Personal Data from Private Institutions?

Posted by Cliff on Saturday January 20, @12:45PM from the static-on-your-digital-paper-trail dept. Privacy Data Storage

An anonymous reader asks: "This site has many readers who are familiar with the liabilities of personal data being stored on servers owned by private institutions. Bank records, phone records, credit records, flight records, basically any type of digital transaction can be (and likely are) stored indefinitely for whatever reason. Are there processes by which one can request a removal of personal data, or by signing contracts with these companies, do they own the rights to the information? If you have attempted such an erasure, have you encountered resistance?"
