Friday, February 09, 2007

Another case of closing the barn door after the horse escapes?

http://www.nbc4.com/news/10962978/detail.html

Laptop Stolen From Hospital Contains Sensitive Information

Hospital Takes Preventative Steps Against Future Thefts

POSTED: 11:13 am EST February 8, 2007 UPDATED: 11:19 am EST February 8, 2007

LEONARDTOWN, Md. -- Hospital administrators at St. Mary's Hospital in Leonardtown, Md., are concerned about the recent theft [Theft makes them look dumb, preventing that theft was not on their radar... Bob] of a laptop that contained identifying information.

Administrators said the laptop contained names, Social Security numbers and birthdates for many of the hospital's patients.

Officials said the hospital is cooperating with law enforcement agencies and has taken steps to prevent such a crime from happening again.

Officials said sensitive data will no longer be accessible on any portable electronic devices. The hospital is also looking into encrypting data on their laptop computers. [No need to do that before a theft? Bob]

Additionally, the missing laptop has been locked out of all hospital systems, officials said.

In the meantime, hospital officials have retained an organization that specializes in situations in which sensitive data have been compromised. [A law firm? Bob] The hospital is also suggesting that patients enroll in a free program to allow National ID Recovery to monitor patients' information for potential identity theft.



Closer to home...

http://www.summitdaily.com/article/20070207/COLUMNS/102070059

The day ski shop fraud showed up on Fox

MARC CARLISLE On the Marc February 7, 2007

The teaser for Tuesday's Fox News at 9 was brief and upsetting. "More than 15,000 customers of this Denver ski shop may become victims of credit card fraud!"

At some point this season, an unknown person or group broke into a Front Range shop's reservation and payment website, built and managed for them by a third party. Once in, a person or persons unknown may or may not have accessed, viewed, and/or downloaded the customer equipment reservation files [“We don't know, because we turned off all the audit logs.” Bob] including credit card numbers of the shop's customers. Once alerted to the web break-in, the shop sent letters to customers alerting them to the possibility that someone may have obtained their credit card information and might use it.



Is TJX the one?

http://blogs.cio.com/node/681?source=nlt_cioleader

The TJX security breach. This one's different. Way different.

Thursday, February 01, 2007

If you haven’t noticed, there is something different about the security breach disclosed last month by TJX Cos. Some Massachusetts banks have linked fraudulent credit card purchases to the security breach at TJX, during which hackers nabbed possibly millions of credit card numbers.

Not such a big deal, you say? Well, as far as most security experts I have talked to in the past couple of years have said, matching a specific incident of credit card fraud to a specific security breach incident is unprecedented. Has any bank ever been able to prove that a significant number of fraudulent credit card purchases came from a specific corporate security breach? So far, no. But it is exactly this kind of “connecting the dots” that security experts say needs to happen for companies to begin to take information security more seriously.

The Massachusetts Bankers Association (TJX is based in Framingham, Mass.) claims it has connected the dots. A small bank that is an MBA member linked a spike in fraudulent credit card purchases last month to the TJX break-in. How did they do it? MBA execs won’t give details [This will come out in the Class Action suits, unless there is an immediate and expensive settlement, right? Bob] and won’t release the name of the bank, but MBA spokesman Bruce Spitzer says that last month that small undisclosed bank noticed 22 incidents of fraudulent credit card purchases on an undisclosed number of their customers’ accounts. That may not sound like a lot, but for the small bank, it represented a big spike in fraudulent purchases. Bank officials contacted the customers and asked if they had shopped at a TJX store. [Would the banks have that information already, or would it stop at the card processor? Bob] All said they had. Spitzer says the MBA, which has 250 member banks, intends to pursue the recovery of any costs from the fraudulent purchases and says it can directly link the credit card misuse to the TJX breach.

If so, that’d be huge. Until now, there has been no smoking gun, and it remains to be seen whether the MBA, or a bank acting on its own, or Visa or Mastercard can make such a connection. It will be difficult to do. To date, more than 100 million identities have been stolen or exposed since February 2005. That's when the Privacy Rights Clearinghouse began tracking security breaches after data collector ChoicePoint announced that 145,000 accounts had been stolen from its databases. Defense attorneys can make the argument that the card numbers could have come from other breaches.

Until Feb. 1, Wall Street hadn’t viewed security breaches as a big financial threat. On Jan. 18, the day the Wall Street Journal reported TJX’s security breach, TJX’s stock price dropped from a little less than $30 a share to a close of about $29.50. By the next day, the stock price had recovered its losses and climbed beyond $30 a share. A week later, another Wall Street Journal article followed by an article in the Boston Globe the next day (both reporting on the widening credit card fraud and possible link to the TJX breach) drove TJX stock back down below $29.50, where it closed Jan. 30.

That 1.7 percent decrease in TJX’s stock price is in line with the percentage price drops for other companies that have announced similar security breaches. A study by Emory University and the Ponemon Institute found that when a company announces a security breach, its stock price drops between 0.6 percent and 2.1 percent. Not a heavy hit.

But on Feb. 1, TJX stock closed down more than $1 – another 3.6 percent – to $28.49 a share, on volume that was three times the daily average. The drop was attributed to a class action lawsuit filed the day before by AmeriFirst Bank in Union Springs, Ala., against TJX, and to a call by U.S. Rep. Ed Markey (D-Mass.) for the Federal Trade Commission to investigate any negligence by TJX. Over a five day period, TJX fell more than 5 percent. Now we’re talking about some serious money. Are investors starting to connect the dots, too? Are they beginning to worry that the damage to TJX’s reputation may be hard to recover from? And are banks no longer willing to shoulder the costs?

If so, that will signal a big shift in past thinking about security breaches. In the past, investors (and company executives) knew banks and credit card companies would cover fraudulent purchases, not the company that experienced the security breach. More important, they knew that law enforcement had yet to pin a specific credit card crime to an individual security breach, making it difficult to bring criminal charges. The cost just has not been there. No wonder that some companies delay announcing a breach, although many company executives explain that they are doing so because law enforcement requested they keep the breach silent until they can investigate.

But the big secret is that a large portion of companies choose not to announce a breach, security experts and lawyers say, because the chance of getting caught is so slim. That fact may help explain why about one in six companies admit to not complying with California’s 4-year-old security breach notification law even if they are required to do so, according to the Global State of Information Security survey conducted by CIO Magazine and PriceWaterhouseCoopers. And why many companies do not adequately protect private data.

The banking industry is becoming exasperated by being the one left holding the financial bag, and TJX may be the first to feel the industry’s wrath. We’ll have to wait and see. But without a higher likelihood that a company could get caught for not notifying customers of a security breach or for not following standard, industry-accepted security procedures to protect personal information, the breaches will continue to occur.

Do you view the risk of not notifying customers in case of a data breach, or not deploying strong security measures, worth taking? Or is the tide beginning to turn and you feel you need to bolster your security measures?
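The "connecting the dots" the post describes (a bank noticing a fraud spike and tracing it back to one retailer) is what issuers and card brands call common-point-of-purchase analysis. The issuer's own authorization records carry a merchant descriptor for every transaction, so the first pass can be done without phoning cardholders. The following is an added example of that analysis written for this page; it is not code from the post, from the MBA or from any bank, and the card IDs, merchant names and transactions are constructed. The `brand` grouping is an assumption about how a practitioner would fold individual store descriptors into one retailer, since a breach of a retailer's central systems touches all of its stores.

```python
from collections import defaultdict

# Constructed issuer-side sample data (not from the post):
# (card_id, merchant_descriptor, date) and the cards whose holders reported fraud.
TRANSACTIONS = [
    ("c1", "TJX-store-12", "2006-12-03"),
    ("c1", "grocer-A", "2006-12-05"),
    ("c2", "TJX-store-12", "2006-12-04"),
    ("c2", "gas-B", "2006-12-06"),
    ("c3", "TJX-store-07", "2006-12-09"),
    ("c3", "grocer-A", "2006-12-10"),
    ("c4", "grocer-A", "2006-12-11"),
    ("c4", "gas-B", "2006-12-12"),
    ("c5", "grocer-A", "2006-12-13"),
    ("c6", "TJX-store-12", "2006-12-14"),
    ("c6", "grocer-A", "2006-12-15"),
]
FRAUD_CARDS = {"c1", "c2", "c3"}


def brand(merchant):
    """Assumed descriptor convention: text before the first '-' is the retailer."""
    return merchant.split("-")[0]


def merchant_exposure(transactions, group=None):
    """Map merchant (or retailer, if a grouping function is given) -> distinct cards seen there."""
    seen = defaultdict(set)
    for card, merchant, _date in transactions:
        key = group(merchant) if group else merchant
        seen[key].add(card)
    return seen


def common_point_of_purchase(transactions, fraud_cards, group=None, min_fraud_cards=2):
    """Rank merchants by how over-represented they are among cards that later saw fraud.

    fraud_rate    = share of fraud cards that transacted at the merchant
    baseline_rate = share of all cards that transacted there
    lift          = fraud_rate / baseline_rate (>1 means the merchant is suspicious)
    Merchants seen on fewer than min_fraud_cards fraud cards are dropped as noise.
    """
    seen = merchant_exposure(transactions, group)
    all_cards = {card for card, _m, _d in transactions}
    results = []
    for merchant, cards in seen.items():
        fraud_hits = cards & fraud_cards
        if len(fraud_hits) < min_fraud_cards:
            continue
        fraud_rate = len(fraud_hits) / len(fraud_cards)
        baseline_rate = len(cards) / len(all_cards)
        results.append({
            "merchant": merchant,
            "fraud_cards": len(fraud_hits),
            "fraud_rate": fraud_rate,
            "baseline_rate": baseline_rate,
            "lift": fraud_rate / baseline_rate,
        })
    results.sort(key=lambda r: (r["lift"], r["fraud_rate"]), reverse=True)
    return results


if __name__ == "__main__":
    print("per store:")
    for r in common_point_of_purchase(TRANSACTIONS, FRAUD_CARDS):
        print(f"  {r['merchant']:14s} fraud={r['fraud_cards']} lift={r['lift']:.2f}")
    print("per retailer:")
    for r in common_point_of_purchase(TRANSACTIONS, FRAUD_CARDS, group=brand):
        print(f"  {r['merchant']:14s} fraud={r['fraud_cards']} lift={r['lift']:.2f}")
```

Run per store, only one TJX descriptor clears the noise threshold; grouped by retailer, every fraud card in the sample passed through TJX (fraud_rate 1.0 against a baseline of 4 in 6 cards), which is the kind of signal that justifies the follow-up calls the post mentions. A single issuer only sees its own cardholders, so the lift is weak evidence on its own; the card brands, which see authorizations across issuers, are the ones positioned to turn it into a named compromised merchant.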



A bit too far?

http://politics.slashdot.org/article.pl?sid=07/02/08/2112258&from=rss

University Professor Chastised For Using Tor

Posted by kdawson on Thursday February 08, @05:12PM from the control-freaks-ascendent dept.

Irongeek_ADC writes with a first-person account from The Chronicle of Higher Education by a university professor who was asked to stop using Tor. University IT and campus security staffers came knocking on Paul Cesarini's door asking why he was using the anonymizing network. [Possibly to remain anonymous? Bob] They requested that he stop and also that he not teach his students about it. The visitors said it was likely against university policy (a policy they probably were not aware that Cesarini had helped to draft). The professor seems genuinely to appreciate the problems that a campus IT department faces; but in the end he took a stand for academic freedom.



Could be useful...

http://www.researchbuzz.org/wp/2007/02/09/couple-of-updates-on-blawgsearch/

February 9, 2007

Couple of Updates on BlawgSearch

Filed under: Net-Tech-Blogs, Government-Law

BlawgSearch ( http://blawgsearch.justia.com/ ), a search engine for just legal blogs, is now in beta. It’s added RSS feeds for searches and a “few hundred” more blogs, though there are many more in the pipe to be added. (There are currently over 1600 blogs arranged by category.)

There’s also a new search engine at http://www.Blawgs.fm , which finds only legal blog posts that have video or audio files. [for lawyers who can't read? Bob] There’s also a directory of almost one hundred podcasts, or blawgcasts as they’re called. In addition to the directory and the search you’ll also see a tag cloud for recent blog posts and recent search terms.



This is the same process that MI5 had so much trouble with. I hope the FBI gets it right – they don't need another computer system screw-up.

http://www.bespacific.com/mt/archives/013902.html

February 08, 2007

FBI Launches E-Mail Alerts on Public Website

"The Federal Bureau of Investigation (FBI) has launched a service that sends out electronic mail (e-mail) alerts when new and vital information is posted on the FBI.gov Web site. Subscribers select which topics they want updates on, such as new electronic scams (e-scams) and warnings, most wanted terrorists, top ten fugitives, and local and national press releases. The alerts are transmitted as soon as updates are posted to the FBI's Web site or published in their daily, weekly, or monthly digests. The FBI views this service as a means of furthering American citizens' safety by keeping them informed. No personal information is required to sign up for this service, just an e-mail address to which the alerts will be sent. To sign up for the service please visit www.FBI.gov."



If you mean technically, sure.

http://techdirt.com/articles/20070208/011954.shtml

Can You Plagiarize A Photograph?

from the questions,-questions dept

We've had a few very interesting articles on rethinking plagiarism lately -- with part of the point being that just about all new creations and ideas are built on the work of those who came before them -- and it seems silly to prevent all of that with overly aggressive worries about copyright and plagiarism. In the Jonathan Lethem article we linked to earlier he discusses (or, rather, he plagiarizes a discussion) on how there were concerns when cameras first came about, as to whether or not taking a photo of a person or a building was stealing from them. Luckily, people realized this was kind of silly... but it seems that the matter isn't totally settled yet. Slate is running an online slideshow questioning whether or not photographs can be plagiarized. Apparently there's a bit of controversy, as an art exhibit includes a bunch of photographs by a pair of photographers that look quite similar to ones taken by a different photographer (who says the pair had asked for advice on "exposures, film, and vantage points"). The photographs are clearly different -- but of the same composition. If anything, they are an homage to the original, and it seems silly to accuse them of plagiarism, especially since they are absolutely different shots. And, if you could claim plagiarism on shots from a similar vantage point, just think of all the fights over family photos at various tourist locations?



Now here's a site that will attract hackers.

http://www.canada.com/nationalpost/story.html?id=58f796f4-554e-4bc3-8691-2a63bef88669

Web site verifies disease-free sex partners

Getting interactive: Online service raises concerns about privacy

Katie Rook National Post Thursday, February 08, 2007

In what may be the new frontier of online social networking, a Web site is being launched that purports to help online daters verify the sexual health of prospective partners.

Checktonight.com will issue a digital stamp of approval to site subscribers who have tested free of any of five sexually transmitted diseases, a level of disclosure that is seen by some as a predictable innovation in Internet use and by others as a move that is potentially troubling from the perspective of personal privacy, sexual behaviour and possibly the privacy of health records.



Yep, we should just kill 'em.

http://www.pogowasright.org/article.php?story=20070208204718930

WI: Professors: Tracking Sex Offenders Is Unconstitutional

Thursday, February 08 2007 @ 08:47 PM CST - Contributed by: Lyger - State/Local Govt.

Three University of Wisconsin professors in Madison said a new state law forcing sexual predators to wear tracking devices for the rest of their lives is unconstitutional.

The professors -- Walter Dickey, Byron Lichstein and Meredith Ross -- said that the measure violates privacy rights and amounts to punishment and warrantless surveillance when applied to offenders who aren't on parole or government supervision.

Source - Channel3000
