Sunday, May 27, 2007

Again and again.

http://www.theinquirer.net/default.aspx?article=39883

register.com customers' credit cards compromised

Notebook stolen

By INQUIRER staff: Saturday 26 May 2007, 14:17

BIG HOSTING and domain name firm register.com sent an email to its customers saying a notebook containing credit card information was stolen.

The firm said that around two per cent of its customers were affected. The data on the laptop was password protected and the credit card number encrypted. In a letter it said: "We also believe that the laptop was stolen for its inherent value and not the data itself."

The firm said the notebook was stolen last Thursday but didn't say from where. It said that it had reported the theft to the cops.



Shifting costs to those responsible for the breach will change the risk assessment and almost certainly result in larger (but not necessarily smarter) security budgets.

http://www.privsecblog.com/archives/security-breaches-state-laws-to-shift-some-data-breach-costs-to-businesses-with-weak-security.html

State Laws to Shift Some Data Breach Costs to Businesses with Weak Security

Posted by Randy Gainer

As of May 25, 2007, one state has adopted and five are considering important new data breach laws. The laws will require businesses that fail to implement adequate security to pay some of the costs that others incur if the first business’s failure to implement security measures contributes to the theft of consumers’ personal information.



Another case of truly bad reporting (or am I being too picky?) Was the school intending to charge the students with a crime? Was the teacher disciplined? (I suggest that the teacher gave the students access so they could do non-student work for the teacher – why else would they need access to that system?) Another case of poor security training and poor security planning (if all types of information were available once the signon password was entered.)

http://www.pennlive.com/news/patriotnews/index.ssf?/base/news/118005090311140.xml&coll=1

Students cleared in data breach

Students get pass on health info breach

Friday, May 25, 2007 BY CARRIE CASSIDY Of The Patriot-News

Criminal charges will not be filed against two students who police said viewed confidential health information of Susquehanna Twp. High School students.

Yesterday, township police Chief Rob Martin said both students were inadvertently [deliberately Bob] given access to a restricted computer account, [see next paragraph Bob] which contains confidential heath information, by a member of the school staff. [Almost certainly a teacher – see below Bob]

The unidentified staff member apparently gave his or her password to the students to "get legitimate school work done," unknowingly giving them access to the restricted portion of the computer system, Martin said.

Martin said evidence supports the information provided by the two students that the information was not disseminated or [“Nor?” Okay, that's picky. Bob] that others had access to the secured areas.

The students told their parents about the access, and their parents logged on to confirm the breach, Martin said, adding that the parents immediately notified the school district of the breach.

Martin said the evidence shows that the restricted account was accessed by unauthorized users [more likely, the evidence shows that an authorized user – the teacher – logged on from the students' computers. Bob] via two computers outside the high school, which fits with the students' account.

"These students should be commended because they immediately brought it to their parents' attention that they had essentially stumbled on a secured area where they were able to access information they were not authorized to access," Martin said.

District officials knew about the breach May 17 when a student showed high school Principal Judy Baumgardner. The technology staff thought it had solved the problem, Superintendent David Volkman said.

The problem, however, was not corrected until last Friday, when the parents alerted district that the information was still accessible.

The technology staff then cut all links to the medical information and had all of the high school teachers change their passwords, Volkman said.

Although confidential, Volkman said the health information viewed by the two students was information about students' allergies and other medical information that teachers need to know should an emergency arise in the classroom.

The district is reviewing its policies and procedures to make sure this type of breach does not happen again, he said.



“Ve have zis informazion, citizen. Zerefore, ve vill inspect!” (We can, therefore we must!)

http://www.mapleridgenews.com/portals-code/list.cgi?paper=46&cat=23&id=992133&more=0

An invasion of privacy

By Monisha Martins Staff Reporter May 26 2007

Pacing around his living room Wednesday, Richard Pitt can't believe the city's safety inspection team is late.

He points to an inspection notice delivered to his home on 119 B Avenue in Pitt Meadows.

The team was to arrive at 10:30 a.m. It is 45 minutes late.

When two police cars, a fire department pick-up and bylaws truck pulled up in front of the house to check for an illegal marijuana grow operation, Pitt was ready.

"It's an invasion of privacy," he said.

"It has taken two hours out of my day."

Pitt's home was flagged as a potential public safety hazard by the City of Pitt Meadows this week because of its high electricity consumption.

A computer specialist who started Canada's first commercial Internet Service Provider – Wimsey – he now dedicates his time to birds, mainly bald eagles and video camera feeds of their nests.

Last month's bill from B.C. Hydro showed that Pitt used 3,100 kilowatt hours of electricity. The month before he clocked 3,700 kWh after installing cameras in Esquimalt to spy on an osprey nest.

He's had a business licence from the City of Pitt Meadows for 14 years. He has about 10 computers in his home, with accompanying hard drives, monitors, servers and wires.

"They are comparing me to a typical suburbanite not someone whose business is computers," Pitt said.

He received a 24-hour notice of inspection from the city on Tuesday.

He asked the police officer and bylaw official to come inside that day and see the computers for themselves. They refused.

On Wednesday, the Pitt Meadows safety inspection team searched his home.

Pitt, his wife Shirley, a visitor and his son were told to wait outside while three armed police officers, a bylaw enforcement officer, an assistant fire chief and a building inspector checked for the unusual spike in electricity and for the tell-tale signs of a pot growing operation – faulty wiring and building code violations.

If the Pitts refused to let the team inside, they were warned B.C. Hydro could cut off their power.

"I was just not given an option," Pitt said.

No marijuana or deficiencies were found at Pitt's home.

... The report showed that the number of marijuana cases in Maple Ridge and Pitt Meadows since 1997 had risen 375 per cent, including 152 cases in 2003 – representing 3.4 per cent of all those in B.C. that year. [No doubt that justifies these actions! Bob]

... A residence has abnormal consumption if it uses more than 93 kilowatt-hours (kWh) of electricity per day, or three times the average. An average home uses 31 kWh a day.

... RCMP officers accompany the team on all inspections and clear the house if a grow-op is found.

A no-occupancy notice is posted at the house if an electrical bypass, mould or furnace modifications are found. Homeowners bear the cost of the inspection which can total more than $3,000.

... "We do a thorough work-up of every single property before we knock on the door and ask for an inspection."

... The inspection team also drives by the house and snaps photographs.

All the vehicles parked on the property are run through a database by police.

The City of Pitt Meadows has inspected 34 houses since it started the pilot project.

Of those, "deficiencies" like faulty wiring, plumbing and building alterations were found in 25.

Evidence of a marijuana grow operation was found in just one of the properties, Elchuk added.

... According to the Surrey fire department, a house with a grow op is 24 times more likely than one without to go up in smoke. [Interesting statistic. (bad pun?) How would you calculate that? Bob]

... The B.C. Civil Liberties Association opposes such bylaws and the legislative scheme that brought in the partnership with B.C. Hydro.

"You shouldn't be doing through the back door what you can't do through the front door," said Micheal Vonn, policy director for the civil liberties association.

"This is clearly a means of circumventing the proper warrant procedure."



Nice little summary of Big Brotherly “Tools & Techniques”. I've selected a few for your next cocktail party...

http://business.timesonline.co.uk/tol/business/industry_sectors/technology/article1843030.ece

They know everything about you and didn’t even have to ask

Big Brother really is watching you. Of course, there’s nothing sinister about this because it’s all being done to make life easier. But for whom?

Rhys Blakely May 26, 2007

... Welcome to Big Brother Britain, version 2.0, a surveillance society where every imaginable piece of digital data – web-browsing histories, e-mails, even genetic records – is gathered and processed by organisations determined to know you better than you know yourself.

... On the more prosaic side of the industry sits the humble supermarket loyalty card.

... According to Ian Brown, a senior research fellow at University College, London, who specialises in computer privacy issues, the boffins behind these schemes boast that now they can predict significant life events – a marriage, even a pregnancy – before card carriers are themselves aware.

If a shopping basket can deliver such insights, online data is an even richer seam. “People don’t realise how easily companies can build up a picture of them, based on their interactions with the web,” he says. “Services are improved, but companies are helping themselves.”

... Genealogy sites can deliver the mother’s maiden name of anyone born in England and Wales between 1837 and 2004.

... Even the jocks are getting geeky. Last year the University of Nevada’s football coach sent prospective players an e-mail resembling a web page. He monitored the links that they clicked on to help to determine their interests and how best to interview them.

... Asked about the possibility of a user with a family history of cancer finding herself refused a mortgage on the basis of that data, Mr Ellison replies as if this type of sophisticated manipulation of personal information should be accepted as a basic, everyday occurrence.



Something to follow. No doubt someone will construct a national (global?) database and become the leading authority on all (consumer impacting) security breaches... Maybe I'll have my Database Programming students tackle this one.

http://www.emergentchaos.com/archives/2007/05/venn_and_the_art_of_empir.html

Venn and the art of empirical breach research

(Posted by cwalsh)

As EC readers may recall, I have made various Freedom of Information requests to state governments in order to obtain data regarding breaches reported to them under their various notification laws.

This week, I received responses to the latest request I made to New York and North Carolina. New York has 822 pages to send me (for a quarter each), so the scanner and the checkbook will be busy in June. North Carolina sent a printout from their "Breach Notification Log". Interested readers may obtain a PDF copy, which covers breaches from December 2005 until April 2007.



Several points. This article suggests that MySpace had a database to “share information” with law enforcement before the AGs asked for it. It also suggests that MySpace wants to expand that database to other countries. Since Australia seems not to have a sex offender database, they want it to create one...

Is MySpace getting into the Sex Offender database business? Is there big money in ads targeting sex offenders? I guess I just don't see the strategy yet.

http://www.smh.com.au/news/security/myspace-calls-for-australian-sexoffender-database/2007/05/24/1179601539117.html

MySpace calls for Australian sex-offender database

May 24, 2007 - 11:24AM

MySpace is pressing Australian authorities to establish a system that would allow it to share information about sex offenders using the social networking site.

The company has already created a similar system in the US, where attorneys general from eight states recently demanded the company provide data on how many registered sex offenders were using the site and where they lived.

... "We have sought meetings with the commonwealth justice minister and the states' attorneys general and police ministers and we are proposing the creation in this country of a sex offender database," he said.



Interesting arguments? Think of the value of trust (no known security problems) in this debate.

http://www.technewsworld.com/rsstory/57498.html

Opposite Sides of the Software Tracks

By Frank Hayes Computerworld 05/26/07 4:00 AM PT

Software is becoming a commodity, and prices will collapse. MIT professor Michael A. Cusumano thinks the only way software companies can survive is through services -- either selling software as a service or offering add-on services along with their software products. So we'll still get squeezed, but for services instead of for software itself.

"Software prices will eventually fall to zero. The open source software movement has already started that commoditization." That pronouncement came last week from MIT professor Michael A. Cusumano at a one-day Silicon Valley conference called "The New Software Industry."

If that sounds too good to be true to corporate IT shops that are forever squeezed by software costs, well, yeah, it is.

About a week earlier, I had dinner with open source deep-thinker Eric S. Raymond, author of The Cathedral and the Bazaar. Raymond told me about the essay he's working on now. His conclusion, put simply: Software can't be commoditized.

Software as a Commodity

... Cusumano thinks the only way software companies can survive is through services -- either selling software as a service or offering add-on services along with their software products.

... Modularizing Software

Across town in the open source neighborhood, Raymond says no. Open source isn't commoditizing software, he argues -- just modularizing it.

Software isn't like hardware. After 200 years of industrialization, we understand the value of commodity hardware. We want standard nuts that fit on standard bolts, standard tires that fit on standard wheels and standard memory that fits in standard motherboard sockets. Interchangeable parts introduce manufacturing economies of scale, while custom pieces don't add enough value to be worth the trouble.

However, software is far easier to adjust than hardware. Small tweaks can suddenly make software far more useful to some customers, but without the expensive retooling that hardware requires. The cost of differentiation is small, the value high. That makes software nearly commoditization-proof. [“Nearly” is the key term here. Bob]

... Modules don't have to be identical -- just act alike. So as long as the interfaces are standard and the functionality matches up, an open source module can replace one that's proprietary.

Unlike hardware, software modules don't have to be physically in the same place to connect up. You don't need Google's software on your servers to create a Google Maps mashup. You don't need to know where Google's software is, and the mashup benefits from Google's ability to update the maps and the engine -- so long as the module keeps the same interface.
