Friday, February 16, 2007

Whenever there is a bunch of (probable) identity theft stories I can't help thinking: 1) People will start ignoring them as “crying wolf” and 2) How much money the Credit Notification companies are going to make...



Wow! What a workload! One Kaiser doctor treats 22,000 patients?

http://cbs5.com/consumer/local_story_045212622.html

Feb 14, 2007 8:50 pm US/Pacific

Laptop Stolen With 22,000 Kaiser Patients' Data

Sherry Hu Reporting

(CBS 5) OAKLAND In yet another instance of laptop theft potentially endangering personal data, Kaiser Permanente is in the process of notifying as many as 22,000 patients of a possible breach of their private medical information.

The personal information was located on a doctor's laptop computer stolen from the Medical Center in Oakland at the end of last November.

There were no details provided about where or how the laptop was taken, but a Kaiser spokesman said it was likely a random and isolated crime of opportunity.

Kaiser said the majority of patients had only limited information listed on the laptop, but 500 of them included social security numbers.

Kaiser officials said they are implementing a new systemwide policy that prohibits storage of member data on the hard drive of any desktop, laptop or mobile device. A spokesman also said information on all electronic devices will now be encrypted. [“Now that we see what happens when we have no security, perhaps we will think about considering a study to develop recommendations for future consideration...” Bob]


Does Kaiser think this security failure won't come back to bite them in other areas?

http://www.contracostatimes.com/mld/cctimes/living/science/16703921.htm

Kaiser asks patients to donate DNA

Scientists will pair survey on environmental factors with genetic material in quest to find root of diseases

By Rebecca Vesely MEDIANEWS STAFF



Mailrooms are where you start your entry-level people. Are you relying on them to catch things like this?

http://www.twincities.com/mld/twincities/business/16647381.htm

Posted on Thu, Feb. 08, 2007

Piper Jaffray apologizes to employees for W-2 goof

Oops.

The W-2s Piper Jaffray sent to current and former employees in January included employees' Social Security numbers on the outside of the envelope.

The numbers were not identified as Social Security numbers, but followed the standard XXX-XX-XXXX format. The incident affected more than the 1,000 employees the company employs today, since about 2,600 people worked for Piper before the sale of its brokerage unit last year.

... Executives indicated the mishap was an error by a third-party vendor, the name of which was not disclosed. The mailing didn't involve any customer data.



Very quick notification!

http://www.radioiowa.com/gestalt/go.cfm?objectid=C62EC2FD-D6CA-6148-ECA10EFC215AB72D

Department of Education records hacked

Thursday, February 15, 2007, 10:13 AM By Darwin Danielson

The Department of Education is warning Iowans that someone gained access to personal information in records that were in what was supposed to be a protected area on the department's website. [Consider this a “Security Oxymoron” -- records that are not supposed to be public should not be located on servers with public information. Bob] Department spokesperson, Elaine Watkins-Miller, says the records contained names, addresses, dates of birth and social security numbers of individuals who obtained a G.E.D. from Iowa between 1965 and 2002.

Watkins-Miller says they want people to be aware of this and have information on their website at: www.iowa.gov/educate so they can take action and check their credit report.

... Watkins says they believe someone hacked into the records on Sunday. Watkins-Miller says they can't say how the records were accessed and that's being investigated by the DCI and the FBI. There were some 160-thousand records in the file, but she says it's believed only about 600 may have been viewed.



Very, Very quick notification!

http://www.ccsf.edu/News/Security/index.htm

February 8, 2007

Dear Current and Former CCSF Students,

On Tuesday, February 6, 2007 City College of San Francisco’s (CCSF) Information Technology Department learned that a computer file created in May 2000, containing the names, addresses and social security numbers of approximately eleven thousand students was potentially viewable via the Internet. The file did not include any driver’s license numbers, credit card or banking information. The College took immediate steps to remove the file and ensure that it could no longer be viewed.



I'd expect a statement like: “This only works if you speak Korean.”

http://news.mk.co.kr/newsReadEnglish.php?sc=30800005&cm=General&year=2007&no=83542&selFlag=sc&relatedcode=&wonNo=&sID=308

Citibank Customer Data Hacked, Purchases Made

Personal data on the Citibank e-payment system, used for e-commerce, has been hacked, allowing illegal transactions on bank users' credit cards.

According to the banking industry, 20 credit cards issued by Citibank of Korea have been illegally settled from Feb. 1 to 6, worth 50 million won.

Citibank Korea has requested an investigation from the National Policy Agency's Cyber Terror Center after finding the company's e-payment system was hacked to garner data on the customers' credit card information and passwords in order to make charges.

Hackers targeted under-300,000 won financial transactions of companies with weak e-payment security.

That method was used, as below-300,000 won financial transactions can be made by inserting basic personal information, such as credit card numbers and passwords without official certificates.

"Unlike other banks, Citibank has omitted the process of inserting the Card Validation Code (CVC) when executing e-payments, allowing the culprits to take illegal actions," said an official from the Financial Supervisory Service (FSS).

[Figure 940 Won to the dollar, so 50 million Won is a mere $53,000 Bob]



The Brits call it like they see it! Can't wait 'till this catches on here...

http://www.theargus.co.uk/news/localnews/display.var.1197042.0.bank_in_security_breach.php

Bank in security breach

By Rachel Fitch 4:48pm Thursday 15th February 2007

A bungling bank sent a customer the details of almost 30 other account holders in a shocking breach of security that will fuel fears of identity fraud.

Matt Carr, 25, wrote to HSBC to demand a refund of £500 in overdraft charges after watching BBC2 documentary Bank Robbery.

But he was stunned to receive 29 responses to similar requests from across the country including the account holder's name, address, account number and sort code.

One letter contained the account holder's bank statements which they had provided in backing up their claim for a refund of their overdraft charges.

... "If I was so inclined, which thankfully I'm not, I could easily make an absolute fortune using their bank details or selling them on the black market.

"How do I know one of these people has not got my details and is using them for ulterior things? There's 29 separate accounts, it's a massive error."

... All the letters are signed by Senior Service Quality Officer.

... HSBC said in a statement: "We send millions of items of correspondence to customers each year and we have stringent procedures in place to guard against administrative errors such as this.



I don't think I get this one...

http://www.nytimes.com/2007/02/16/nyregion/16police.html?_r=2&ref=nyregion&oref=slogin&oref=slogin

February 16, 2007

Judge Limits New York Police Taping

By JIM DWYER

In a rebuke of a surveillance practice greatly expanded by the New York Police Department after the Sept. 11 attacks, a federal judge ruled yesterday that the police must stop the routine videotaping of people at public gatherings unless there is an indication that unlawful activity may occur.

Four years ago, at the request of the city, the same judge, Charles S. Haight Jr., gave the police greater authority to investigate political, social and religious groups.

In yesterday’s ruling, Judge Haight, of United States District Court in Manhattan, found that by videotaping people who were exercising their right to free speech and breaking no laws, the Police Department had ignored the milder limits he had imposed on it in 2003.

... While he called the police conduct “egregious,” Judge Haight also offered an unusual judicial mea culpa, taking responsibility for his own words in a 2003 order that he conceded had not been “a model of clarity.”

[Would it be unreasonable for the Police to tape their handling of large crowds in order to analyze and improve their methods? And I assume if something “potentially illegal” did occur, they could swing the cameras around. Bob]



One of my students found this. Looks like there might be a viable market for “independent hackers” to test “suspect” organizations. Should we gang up on TJX?

http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9011283&intsrc=hm_list

Security analyst wins $4.3M in suit against Sandia Labs

Jaikumar Vijayan

February 14, 2007 (Computerworld) Shawn Carpenter, a network security analyst at Sandia National Laboratories who was fired in January 2005 for his independent probe of a network security breach at the agency, has been awarded $4.3 million by a New Mexico jury for wrongful termination.

In announcing its decision yesterday, the jury also awarded Carpenter $350,000 for emotional distress and more than $36,000 for lost wages, benefits and other costs.

A spokesman from Sandia expressed "disappointment" with the verdict and said the lab will consider whether to appeal it or not.

The highly publicized case involved Carpenter's investigation of a network break-in at Sandia in 2003.

After initially telling superiors about the incident, Carpenter launched an independent, months-long investigation during which he used hacking techniques of his own to eventually trace the attacks back to a Chinese cyberespionage group. The group called Titan Rain by federal authorities was believed responsible for carrying out similar attacks against a large number of U.S. government, military and commercial interests.

Carpenter shared information from his investigation, initially with individuals at the Army Counterintelligence Group and later with the FBI.

When Sandia officials learned of the investigation and of his sharing information with the FBI and other outside agencies, they terminated him for inappropriate use of confidential information that he had gathered in his role as a network security manager for the laboratory.

Yesterday's verdict is a "vindication of his decision to do the right thing and turn over the information he obtained to the proper federal authorities in the interests of national security," said Philip Davis, one of the attorneys who represented Carpenter in his lawsuit.

The verdict highlights "the jury's belief that Shawn Carpenter is a patriot and did what he did to protect the national interest," Davis said. "That was more important than Sandia's own interest in taking care of itself."

The size of the punitive damages at $4.3 million is more than twice what was sought and sends an "unambiguous message that national security comes first," he said. [or that it is always worth hiring the best lawyer you can find... Bob]

Ira Winkler, an independent security consultant and author of Spies Among Us who has also written for Computerworld, said the verdict was "incredibly justified. Frankly, I think people [at Sandia] should go to jail" for ignoring some of the security issues that Carpenter was trying to highlight with his investigation. [Ditto! Bob]

After Carpenter's termination, the investigations into the Titan Rain group appear to have gone nowhere, said Winkler, a former National Security Agency analyst. He added that while the Carpenter award is welcome, it would ultimately be paid with taxpayer money.

"This whole thing is costing them nothing," [Making it risk free to management. Bob] Winkler said. "Whatever legal fees they are running up is just being passed back to the U.S. government," he said.



Yep, that ought to fix it. That, and jailing the HP Board...

http://www.bespacific.com/mt/archives/013959.html

February 15, 2007

FTC Asks Court to Order Permanent Halt to Telephone Record Pretexting

Press release: "The Federal Trade Commission has asked a U.S. district court to order a permanent halt to operations that deceptively obtained and sold consumers’ confidential phone records without their knowledge or consent. The agency alleges the practice is not only unfair and deceptive in violation of federal law, but could endanger consumers’ safety. The agency also will ask the court to order the defendants to give up their ill-gotten gains."



Copy-wrongers? Clever girl! She proves her point with a demonstration that costs her nothing!

http://techdirt.com/articles/20070214/154327.shtml

DMCA Takedown For Professor Showing How Copyright Owners Exaggerate Their Rights

from the ah,-irony dept

We've covered way too many bogus DMCA takedown notices, but sometimes new ones stand out for being extra special. Wendy Seltzer, a law professor who used to work for the EFF and who founded the awesome Chilling Effects clearinghouse for providing an archive of various takedown notices, has apparently received her very own first DMCA takedown notice (found via Boing Boing). Seltzer posted a snippet from the Superbowl for her students to see. Not just any snippet, mind you, but the snippet where it's announced: "This telecast is copyrighted by the NFL for the private use of our audience. Any other use of this telecast or of any pictures, descriptions, or accounts of the game without the NFL's consent, is prohibited." She posted it as an example of a copyright holder exaggerating its rights -- as the NFL cannot ban all of the things they ban in that statement. Yes, this is getting more and more ironic. Take a moment to think this through for the layer upon layer of absurdity. A law professor puts up a short clip for educational purposes (fair use allows both short clips and educational uses of content) for the sake of showing how the NFL exaggerates its copyright control -- and the NFL responds by then sending a DMCA takedown notice to better highlight how they not only exaggerate their claims, but then misuse the law to shut down fair use as well. Somehow, though, I doubt the NFL planned to help Seltzer demonstrate how the law is abused by trying to take down her example of how they were abusing the law (got that?). Either way, it seems that the NFL is helping prove Seltzer's point.



I can already hear the lobbyists pushing for a new law...

http://www.wired.com/news/technology/0,72742-0.html?tw=rss.index

$82 For E-Voting Secrets

By Kim Zetter 02:00 AM Feb, 16, 2007

For a mere $82 a computer scientist and electronic voting critic managed to purchase five $5,000 Sequoia electronic voting machines over the internet last month from a government auction site. And now he's taking them apart.

Princeton computer science professor Andrew Appel and his students have begun reverse-engineering the software embedded in the machines' ROM chips to determine if it has any security holes. But Appel says the ease with which he and his students opened the machines and removed the chips already demonstrates that the voting machines are vulnerable to unauthorized modification.

Their analysis appears to mark the first time that someone who hasn't signed a non-disclosure agreement with Sequoia Voting Systems has examined one of its machine's internals.

Appel bought the machines from election officials in Buncombe County, North Carolina, who offered them for sale at GovDeals.com, a site for government agencies to buy and sell surplus and confiscated equipment. The county sold 144 machines in lots of varying amounts. It paid $5,200 for each machine in 1997. To buy the machines, Appel had to pay $82 and only needed to provide a name, address, phone number and e-mail address.

Sequoia and other voting machine companies have long resisted calls from voting activists to make their proprietary software transparent to the public, because they say it would allow hackers to study the software and devise ways to plant malicious code in it. But Appel says his purchase of the machines shows how easy it is for hackers to obtain and study the software anyway.

... Appel says he opened the machines with a key that came with them, and was able to easily access the machines' motherboards and memory chips to swap them out. But even without the key, a student of his was able to pick the lock in seven seconds. He says that even seals wouldn't thwart a hacker because they're easily counterfeited, and many counties fail to use and track them properly -- as evidenced by recent reports out of Cuyahoga County, Ohio.



Are you paranoid enough?

http://lauren.vortex.com/archive/000213.html

February 15, 2007

New Short Video: "Is Your Cell Phone Bugged?"

Greetings. I've been getting lots of continuing interest and queries in the wake of my blog item from late last year:

How To Tell If Your Cell Phone Is Bugged

In an effort to explain this issue in a more demonstrative and somewhat less technical manner, I'm pleased to announce a short free video (under six minutes):

"Is Your Cell Phone Bugged?"

While I'll admit that the production values are much closer to those of Ed Wood than of Cecil B. DeMille, I hope you'll still find this video to be interesting, or at least amusing.

"Is Your Cell Phone Bugged?" Video Access Pages:

Streaming Via YouTube

Streaming or Download Via Google Video


Paranoid yet?

http://www.bespacific.com/mt/archives/013958.html

February 15, 2007

PBS NOW Reports on Alleged Domestic E-Mail Surveillance Program

Via PBS: Airing on Friday, February 16, 2007 (check for time in your area), "NOW reports on new evidence suggesting the existence of a secret government program that intercepts millions of private e-mails each day in the name of terrorist surveillance. News about the alleged program came to light when a former AT&T employee, Mark Klein, blew the whistle on what he believes to be a large-scale installation of secret Internet monitoring equipment deep inside AT&T's San Francisco office. The equipment, he contends, was created at the request of the U.S. government to spy on e-mail traffic across the entire Internet. Though the government and AT&T refuse to address the issue directly, Klein backs up his charges with internal company documents and personal photos."


Paranoider? No good deed goes unpunished?

http://www.theregister.co.uk/2007/02/15/smoke_ban_hack_risk/

Workplace smoke ban a 'gift' for hackers

When is a backdoor really a backdoor?

By John Leyden Published Thursday 15th February 2007 16:46 GMT

Workplace smoking bans may be good for workers' health, but could open the back door to hackers.

In a recent social engineering test undertaken by UK-based security consultancy NTA Monitor, a tester was able to easily gain access to a corporate building through a back door that was left open for smokers. Once inside, the penetration tester was able to easily bluff his way into a meeting room, claiming the IT department had sent him. Even without a pass, he gained access unchallenged and was then able to connect his laptop to the firm's VoIP network via a telephone connection point.

NTA Monitor technical director Roy Hills comments: "It used to be that companies 'left the back door open' in terms of internet security. Now they are literally leaving their buildings open to accommodate smokers.


Even more Paranoid?

http://news.com.com/2100-7349_3-6159938.html

Hack lets intruders sneak into home routers

By Joris Evers Story last modified Fri Feb 16 06:09:07 PST 2007

If you haven't changed the default password on your home router, let this recent threat serve as a reminder.

Attackers could change the configuration of home routers using JavaScript code, security researchers at Indiana University and Symantec have discovered. The researchers first published their work in December, but Symantec publicized the findings on Thursday.

The researchers found that it is possible to change the DNS, or Domain Name System, settings of a router if the owner uses a connected PC to view a Web page with the JavaScript code. This DNS change lets the attacker divert all the Net traffic going through the router. For example, if the victim types in "www.mybank.com," the request could be sent to a similar-looking fake page created to steal sensitive data.

... The attack works on any type of home router, but only if the default router password hasn't been changed, Ramzan said. The malicious JavaScript code embedded on the attacker's Web page logs into the router using the default credentials--often as simple as "admin" and "password"--and changes the settings.
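Since the attack above works by quietly rewriting the router's DNS settings, one cheap defender's check is to audit the resolvers the router hands to your machines against an allowlist. This is an added example, not code from the CNET article or from the Indiana University/Symantec research; the resolv.conf sample, the allowlist and the LAN range are constructed placeholders.

```python
"""Audit a host's DNS resolvers against a known-good allowlist.

Added example (not from the article or the researchers it quotes). A router
whose DNS settings have been changed will typically hand out an unexpected
resolver via DHCP; comparing what the host actually uses against what the
operator expects makes that visible.
"""
import ipaddress
import re

# Constructed sample of /etc/resolv.conf as a tampered router might hand it
# out: the LAN gateway is still listed, but a stray address has been pushed
# in front of it.
SAMPLE_RESOLV_CONF = """\
# Generated by dhcpcd (constructed sample)
nameserver 203.0.113.66
nameserver 192.168.1.1
search home.lan
"""

# Resolvers the operator considers legitimate: the router itself plus the
# ISP's or chosen public resolvers. Placeholder values; edit for your network.
ALLOWED_RESOLVERS = {"192.168.1.1", "198.51.100.53", "198.51.100.54"}
HOME_LAN = ipaddress.ip_network("192.168.1.0/24")  # placeholder LAN range

NAMESERVER_RE = re.compile(r"^\s*nameserver\s+(\S+)", re.MULTILINE)


def parse_nameservers(resolv_conf_text):
    """Return resolver entries from resolv.conf text, in listed order.

    Valid addresses come back as ipaddress objects; anything that does not
    parse is kept as the raw string so it still appears in the report.
    """
    found = []
    for raw in NAMESERVER_RE.findall(resolv_conf_text):
        try:
            found.append(ipaddress.ip_address(raw))
        except ValueError:
            found.append(raw)
    return found


def audit_resolvers(resolv_conf_text, allowed=ALLOWED_RESOLVERS, lan=HOME_LAN):
    """Classify each resolver; returns a list of (address, verdict) tuples."""
    report = []
    for entry in parse_nameservers(resolv_conf_text):
        if isinstance(entry, str):
            report.append((entry, "unparseable"))
        elif str(entry) in allowed:
            report.append((str(entry), "allowed"))
        elif entry in lan:
            # On the home LAN but not the router: odd, worth a look.
            report.append((str(entry), "lan-not-allowlisted"))
        else:
            # Anything else is exactly what a DNS-changing attack would leave.
            report.append((str(entry), "unexpected"))
    return report


def suspicious_resolvers(resolv_conf_text):
    """Return only the resolvers that warrant checking the router's DNS page."""
    return [addr for addr, verdict in audit_resolvers(resolv_conf_text)
            if verdict != "allowed"]


if __name__ == "__main__":
    for addr, verdict in audit_resolvers(SAMPLE_RESOLV_CONF):
        print(f"{addr:>16}  {verdict}")
    if suspicious_resolvers(SAMPLE_RESOLV_CONF):
        print("Unexpected resolver(s): verify the router's DNS settings and its admin password.")
```

To run it against a live machine, read /etc/resolv.conf (or the output of your OS's resolver query tool) into `audit_resolvers` in place of the constructed sample.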



http://news.com.com/2100-1002_3-6159832.html?part=rss&tag=2547-1_3-0-5&subj=news

Palm Treos ring up security flaws

By Dawn Kawamoto Story last modified Thu Feb 15 14:22:32 PST 2007

Some versions of the Palm Treo carry security flaws that could allow a person in possession of the device to access data even when the handheld is locked, Symantec has warned.

The Palm Treo models 700p, 680 and 650 contain the security flaws, according to an advisory on Wednesday from Symantec's SecurityFocus Web site.

The vulnerabilities concern the way data is accessed on the Treo. They could allow anyone in possession of the device to use the "find" feature to locate data, even if the Treo is locked, according to a posting on the SANS Institute's Internet Storm site.

Palm has yet to release a fix to address the problem, SANS noted.

Representatives for Palm were not immediately available for comment on Thursday.



http://www.bespacific.com/mt/archives/013970.html

February 15, 2007

New on LLRX.com for February 2007 - Part I



Imagine getting one of these in answer to a subpoena...

http://www.businessintelligencelowdown.com/2007/02/top_10_largest_.html

February 15, 2007

Top 10 Largest Databases in the World

[Number 10 has:

The WDCC boasts 220 terabytes of data readily accessible on the web including information on climate research and anticipated climatic trends, as well as 110 terabytes (or 24,500 DVDs) worth of climate simulation data. To top it off, six petabytes worth of additional information are stored on magnetic tapes for easy access. How much data is six petabytes, you ask? Try 3 times the amount of ALL the U.S. academic research libraries' contents combined.



Tools & Techniques

http://lifehacker.com/software/information/screenshot-tour-learn-everything-about-your-pc-with-siw-236760.php

Screenshot Tour: Learn everything about your PC with SIW

If you've ever lost a web password or software license; needed to troubleshoot a hardware problem on your computer but have no idea what model of motherboard you have or what BIOS you're running; or wanted to take a closer look at what kind of activity your network is open to, there's a catchall application for you, and it's called System Information for Windows.

In fact, I was very surprised at just how much information is available through SIW - for example, it came as a bit of a shock to see that all of my saved Firefox and Internet Explorer passwords were only a click away with SIW - so I decided that today I'd step through and highlight some of the most interesting and useful features of SIW. To get started, click through to the gallery below.



Fools & Techniques?

http://digg.com/gaming_news/Calorie_Burning_Soft_Drink_Potentially_Geeks_Drink_Of_2007

Calorie Burning Soft Drink, Potentially Geeks Drink Of 2007

The drink is a traditional soda, available in various flavours including cola and orange, which increases one's metabolism by around 12% for up to three hours. The increased metabolism in turn burns calories.
