Friday, May 25, 2007

Did this even make the local news?

http://www.campussafetymagazine.com/News/?newsID=1137

May 24, 2007

Personal Data of Nearly 45,000 CU Boulder Students Exposed

BOULDER, Colo. – The University of Colorado (CU) College of Arts and Sciences is the latest college to experience a computer breach. In all, the personal information of 44,998 students was exposed.

According to a statement by CU, on May 12, investigators discovered a worm that had entered the server because its security settings were not properly configured by the Academic Advising Center’s IT staff.

As a result, a hacker was able to obtain the names and Social Security numbers of nearly 45,000 students. According to the Associated Press, however, the perpetrator was not seeking [If I'm prospecting for copper, I won't ignore a vein of gold... Bob] personal information. Instead, the hacker wanted to infiltrate other computers.

... In response to the breach, all Arts and Sciences Advising Center IT operations may be placed under the supervision of the school’s IT services department.



Who do you trust with your data?

http://www.scmagazine.com/uk/news/article/659729/plusnet-admits-email-security-breach/

PlusNet admits email security breach

Fiona Raisbeck May 24 2007 14:25

Email and internet service provider PlusNet has admitted a security breach in which spammers hacked into the company mail server to steal customer account details and spread junk mail. [see Pew study, below Bob]

PlusNet urged its customers, via a message on its website, to change their email passwords following the security breach earlier this month.

The attackers took control of the firm’s mail server and stole a list of email addresses. The hackers then used these details to send spam.

The ISP confirmed that some users may also have been exposed to a Trojan horse. But, the firm said that no financial information, such as credit and debit card details, had been snatched.

According to PlusNet, a third party was responsible for the attack, which was discovered by the company on 9 May. After the breach an undisclosed number of customers began to receive vast amounts of spam, including offers for discounted pharmaceuticals.

“After a full security audit, PlusNet’s webmail service was taken offline permanently at midday Wednesday, 16 May, as a precaution against a number of minor potential security vulnerabilities that had not been exploited,” [Translation: The security was lousy... Bob] Neil Armstrong, products director at the ISP, said in a statement.

A replacement email service has now been set up for customers to access their accounts.


Unrelated, but similar...

http://www.theregister.co.uk/2007/05/24/brinkster_password_compromise/

Brinkster.com battens down the hatches

By Dan Goodin in San Francisco Published Thursday 24th May 2007 18:08 GMT

Web host Brinkster.com is requiring customers to change their account passwords because some of them may have been compromised, according to people who say they've received security bulletins. If confirmed, the breach is the latest example of sensitive information being lost en masse as a result of security lapses by a large service provider.

"Brinkster has reason to believe some User Names and Passwords may have been Compromised," the company warned in an email sent recently to its customers. "To ensure website security, we mandate that you change your password for your account. If you do not change your password, Brinkster will automatically change it for you."

Another version of the email informs customers that their account has already been changed, according to this blog entry. Officials at Brinkster, which claims to be a top hosting provider in the US that serves customers in 175 countries, didn't respond to requests for comment.

... Credit card numbers for Brinkster customers haven't been accessed, according to the email. But the email doesn't vouch for the security of shopping-cart programs and databases that may have been hosted on Brinkster servers. The lack of information is prompting anxiety among some customers.

... Brinkster's warning is part of a trend of security scares that seem to result from breaches not by individual users but by the service providers they hire.

... And according to a story on Security Fix, as much as a third of the sites hosted by IPOWER included code designed to install malware on the machines of those who visited them. Security Fix went on to report that IPOWER's virtual servers, which run scores of sites on a single machine, were running woefully insecure versions of Apache and PHP. That means there's a decent chance at least some of the naughty sites were the result of lapses at IPOWER rather than the fault of the host's customers.



Another indicator that the MasterCard breach was BIG! How is this escaping the disclosure laws?

http://www.bransondailynews.com/story.php?storyID=3870

Fraud strikes banks

By Brandon Cone BDN Staff Writer bcone@bransondailynews.com

Local banks have taken measures this week in reaction to their customers being victims of identity theft and debit card fraud.

Ozark Mountain Bank officials reported on Wednesday that their customers, whose accounts have shown signs of being compromised in recent weeks, have been contacted to make them aware that their debit cards were deactivated as of 8 p.m. Monday.

“What these people are doing is they have stolen numbers, they are counterfeiting cards and they are going to places like Best Buy and Circuit City, and they just keep going and going and going,” Ozark Mountain Bank President Craig Richards said Wednesday morning at the Branson/Lakes Area Chamber of Commerce Board of Directors meeting. “Our system was not compromised. It was an independent service provider that processes credit cards.”

Other banks in the area have also had to deal with this problem.

... Ozark Mountain Bank officials were unable to release the number of customers who have been affected, due to an ongoing investigation by federal authorities. [How is keeping the total number secret any help to the feds? Bob] But they did confirm that all affected customers would receive new debit cards in the mail within five to seven business days.

All fraudulent charges would also be refunded to the customers.

“Thankfully, if unauthorized transactions do happen to post to our customers’ accounts, MasterCard’s Zero Liability Policy will protect them against any losses if we are notified in a timely manner,” Richards said.


Related? Tools & Techniques for hackers...

http://it.slashdot.org/it/07/05/24/136207.shtml

Why Are CC Numbers Still So Easy To Find?

Posted by kdawson on Thursday May 24, @09:11AM from the years'-old-hole dept.

Frequent Slashdot contributor Bennett Haselton gives the full-disclosure treatment to the widely known and surprisingly simple technique for finding treasure-troves of credit card numbers online. He points out how the credit-card companies could plug this hole at trivial expense, saving themselves untold millions in losses from bogus transactions, and saving their customers some serious hassles. Read on for Bennett's article.



Why do managers choose to claim ignorance? Because it seems to work!

http://www.wacotrib.com/news/content/news/stories/2007/05/23/05232007wacwisdhack.html

WISD officials investigating reported student hacking of district computers

Wednesday, May 23, 2007 By David Doerr Tribune-Herald staff writer

Waco Independent School District police are investigating whether sensitive student and staff personal information was compromised when two high school seniors recently hacked into the district’s computer network.

Waco ISD spokesman Dale Caffey said district police have executed a search warrant and seized the seniors’ personal computers and electronic storage devices.

He said it was not known whether the district’s 15,400 students’ and 2,000 employees’ personal information was compromised, [Translation: We don't (keep/know how to read) the security logs. Bob] possibly leaving them vulnerable to identity theft. However, student Social Security numbers were on the server that was accessed by the hackers, he said.

... Caffey said he did not know when the incident occurred. He said he was notified of the investigation last week.



Movies for people interested in Privacy

http://www.pogowasright.org/article.php?story=20070524170016727

Reasonable Expectation of Privacy Workshop Movies

Thursday, May 24 2007 @ 05:00 PM CDT - Contributed by: PrivacyNews - Other Privacy News

The IDTrail Team produced two short films exploring the "reasonable expectations of privacy". They were used at the Computers, Freedom, and Privacy (CFP) 2007 conference in Montreal, Canada. The short films were produced and directed by Max Binnie, Katie Black and Jeremy Hessing-Lewis with contributions from Daniel Albahary, Ian Kerr, and Jane Bailey.

They are available for download under a Creative Commons Attribution 2.5 license.

Source - blog*on*nymity



A hacker's guide to FBI computers. No hurry, it will be months before they fix this.

http://it.slashdot.org/article.pl?sid=07/05/25/0357230&from=rss

Govt. Report Slams FBI's Internal Network Security

Posted by CowboyNeal on Friday May 25, @02:44AM from the uncle-sam's-open-doors dept. Security United States

An anonymous reader writes "The Government Accountability Office, the federal government's watchdog agency, Thursday released a report critical of the FBI's internal network, asserting it lacks security controls adequate to thwart an insider attack. Among its other findings, the GAO said the FBI did not adequately "identify and authenticate users to prevent unauthorized access." The GAO report also criticized FBI network security in other regards, saying that there was a lack of encryption to protect sensitive data and patch management wasn't being done in a timely manner."

The report: “Information Security: FBI Needs to Address Weaknesses in Critical Network,”


It's not just the FBI

http://techdirt.com/articles/20070524/090153.shtml

Have No Fear, Federal Government Issues Data Leak Prevention Guidelines

from the see,-it-looks-like-we're-doing-something dept

Following a spate of data leaks and breaches at federal agencies, the Office of Management and Budget has now issued a set of guidelines for agencies to reduce the chances of data losses, while giving them 120 days to come up with breach-notification policies. The guidelines sound useful, particularly the advice that agencies should reduce the amount of information they collect and store to a minimum. However, it's hardly surprising to see that overall, the document is pretty toothless. What happens if agencies don't meet the 120-day deadline? Nothing, apparently, but maybe they'll be sent another memo. Furthermore, the "Rules and Consequences Policy" doesn't actually spell out any consequences should an agency lose data, rather it just says agency heads need to come up with a policy outlining behavior standards and the repercussions of breaking them. It's this sort of hands-off attitude that's the real problem here: nobody is ever forced to accept any sort of personal responsibility for these breaches, [AMEN! Bob] so there's little motivation -- beyond acting out of selflessness -- for government employees or businesses to take the situation seriously. Memos directing people to take some action, with no real follow-through, aren't the same thing as actually taking action. Until that happens, expect the data leaks to continue at the federal government, and elsewhere.

For the full memo, click here (.pdf).



Interesting. Can the New Jersey Turnpike Authority copyright their surveillance tapes? Can any government agency?

http://www.eweek.com/article2/0,1759,2136081,00.asp?kc=EWRSS03119TX1K0000594

N.J. Sues YouTube over Deadly Crash Footage

May 24, 2007 By Steve Bryant

The New Jersey Turnpike Authority is suing several video sites, including YouTube, for infringing on the copyright of car crash footage recorded on the turnpike, eWEEK has learned.

The footage in question was recorded by a NJTA video camera. The video depicts a car traveling southbound on the New Jersey Turnpike and crashing into the Great Egg Harbor toll plaza on May 10. The driver, a 52-year-old New Jersey resident, was killed.

The NJTA is also suing NextPoint LLC, the owner of video-sharing site break.com. The complaint names UK-based LiveLeak.com as a defendant as well, though according to LiveLeak the NJTA has voluntarily removed them from the lawsuit after they removed the video.

The NJTA is suing for direct copyright infringement by public performance, public display and reproduction, as well as inducement, contributory and vicarious copyright infringement.

"The video serves no worthwhile purpose and shows a tremendous lack of common human decency towards the family of the victim," the complaint reads. "Nevertheless, defendants have either refused or failed to remove the video from their Web sites."

According to the complaint, the NJTA requested the video's removal from YouTube upon learning of its existence. YouTube complied, but the video had already been copied by other users and remains on the site.

"YouTube did not try to prevent the very same video from being uploaded again by users immediately after it was purportedly removed," the complaint reads.

A YouTube spokesperson said the company removed the video "because it violated our terms of services. Because our removal also complied with our obligations under the Digital Millennium Copyright Act, we see no legal basis for a claim." Last month Google CEO Eric Schmidt said YouTube would soon launch an automated system that would help copyright holders detect and deter abuse.

LiveLeak removed the video after receiving a formal court request, according to co-founder Hayden Hewitt.

Hewitt said the lawsuit is guaranteed to bring more publicity to the video.

"To be honest I think it's kind of a strange situation," he said. "Usually you just file a nice, low level, discreet DMCA takedown... And usually these lawsuits are around entertainment video, where there's a financial stake. I don't understand it."

According to the complaint, the offending video has been viewed 19,833 times on YouTube, 189,037 times on LiveLeak.com and 6,933 times on break.com as of May 21. Less than 24 hours later, on May 22, the videos had been viewed 24,346 times, 213,295 times and 16,812 times, respectively.

The NJTA also is suing unnamed corporations and individuals who may have helped distribute the stolen video.



It's not too late to suggest your own “law” of unintended technology consequences. File this one with the “Streisand Effect”.

http://www.techliberation.com/archives/042394.php

May 23, 2007 Posted by Jim Harper on May. 23, 2007

Announcing: Harper’s Law

Mine is a simple - dumb, even - adaptation of Metcalfe’s Law.

“The security and privacy risks increase proportionally to the square of the number of users of the data.” - first quoted in this eWeek article about the electronic employment verification system included in the current immigration bill.

I actually suspect that Briscoe et al.’s refinement of Metcalfe’s law is more accurate, but that’s just so complicated.



Good on ya, Connecticut! No doubt management will claim ignorance – an excuse which seems to fool the Board of Directors every time.

http://techdirt.com/articles/20070524/142045.shtml

Connecticut AG Sues Best Buy Over Phony Version Of Company Website

from the bait-and-switched dept

Earlier this year, Best Buy was embarrassed when it was discovered that the store had a special version of its website for in-store use, which didn't display the sales and special offers that its actual site did. The result was a bait-and-switch situation, whereby customers would come into a store thinking they could get a deal that they found on the site, only to be told (and shown) that whatever deal they thought they saw was no longer being offered. While the company initially denied the existence of the site, it eventually admitted its existence to the Connecticut Attorney General, although it didn't offer an explanation. Apparently, the Connecticut AG, Richard Blumenthal, believes the company intentionally sought to mislead customers, and has filed a lawsuit against the company, seeking customer refunds and other penalties against the company. It's hard to judge the merits of the case before more details emerge, but it definitely looks bad for Best Buy, and it's doubtful that the issue is just contained to Connecticut (where it was discovered), so the company could have a PR mess on its hands if other states want in on the action.



Related?

http://techdirt.com/articles/20070523/160009.shtml

Texas Looking To Ban Speed Cameras?

from the making-the-roads-richer,-not-safer dept

There are all sorts of problems with things like speed cameras and red light cameras, starting with technical problems and moving on to the more serious questions about whether or not they make the roads any safer. Since they're usually offered in combination with private companies who receive a large percentage of the fines, it's often pointed out that these cameras are more about making private companies and government coffers money, rather than any real attempt at increasing safety. Still, they've only become more and more popular recently, with a new speed camera catching over a thousand speeders in a single day. However, it looks like Texas may actually be heading in the other direction. Jeff Nolan points us to the news that Texas lawmakers have approved a ban on speed cameras. The law also requires signs warning about red light cameras -- though, it's unclear if that will help, since studies have shown red light cameras often increase accidents, as drivers are more likely to slam on their brakes.



So maybe Enron wasn't so bad?

http://techdirt.com/articles/20070524/071409.shtml

Who Are The Losers In SEC's SarbOx Rule Change?

from the sorting-it-out dept

Over the years, there have been a lot of complaints about the high cost of Sarbanes-Oxley compliance, although some have argued that these costs have tapered off as companies have gotten used to the requirements. Still, many are relieved about a new SEC decision to ease audit requirements, which should have the effect of reducing compliance costs. [Translation: There will be less to comply with Bob] Not all companies may be enthusiastic, however. Offering tools and services to aid in compliance has itself become a big business, particularly for a number of software firms. Some are now wondering, then, whether easing the regulations will result in a serious hit to profits at these companies. One analyst believes that the rule change could result in a 7% hit to US IT spending, which comes at a time when there's already concern about corporate tech spending. Of course, the fact that there may be some losers from the rule change doesn't mean that the rule change is a bad thing. To the contrary, money spent just to be in compliance with some regulation is pretty much a deadweight loss to the economy. [True. By definition, this is a cost society accepts. Bob] Furthermore, while IT vendors may see a short-term hit on account of the rule change, they should benefit from a less risk-averse climate and customers with more money to spend on productive investments.



Cumbersome, but interesting. Another database to link your “tech attributes” into a single dossier...

http://news.com.com/8301-10784_3-9722832-7.html?part=rss&subj=news&tag=2547-1_3-0-5

May 24, 2007 3:09 PM PDT

Dial by email

Posted by Marguerite Reardon

A company called Jangl launched a service this week that promises to provide free and low cost phone calls over the Internet to any phone and from any phone anywhere in the world.

Sound familiar? Well, it should. In the wake of Skype's success, everyone and his brother are trying to use the Web to provide cheap phone calls. Jajah, Jaxtr, GrandCentral Communications: they all make similar promises.

Jangl's twist is that it claims all that is needed for its service to work is an email address of the person you want to call. And voila you'll be making calls for free to any kind of phone your friend is using regardless of where he is. (Of course, the free part is only for a limited time while the service is in beta. After that Jangl will be charging to connect calls.)

... During that first call, you leave a voicemail message, because at this point there's no way to route your call to an actual phone number. The voicemail is sent to your friend's email inbox. Then he has to listen to the voicemail and click on a link that takes him to the Jangl Web site where he now has to register his own phone number as well as his email address. Then he gets a phone number that is local to him, which he uses to call me back.



If we start ignoring SPAM (or other malware) are we telling congress they can ignore it too? (Of course we are)

http://www.bespacific.com/mt/archives/014891.html

May 23, 2007

Pew Research Survey on Spam 2007

Press release: "The volume of spam is growing in Americans' personal and workplace email accounts, but email users are less bothered by it. Spam continues to plague the internet as more Americans than ever say they are getting more spam than in the past. But while American internet users report increasing volumes of spam, they also indicate that they are less bothered by it than before. Users have become more sophisticated about dealing with spam; fully 71% of email users use filters offered by their email provider or employer to block spam... Spam has not become a significant deterrent to the use of email, as some observers speculated it might when unsolicited email first began flooding users' inboxes several years ago. But it continues to degrade the integrity of email. Some 55% of email users say they have lost trust in email because of spam."

  • Here is a link to the complete report.



If you breathe, I can capture your DNA? (Guidelines for CPOs?)

http://www.bespacific.com/mt/archives/014903.html

May 24, 2007

World Privacy Forum Files Public Comments and Recommendations on Pharmacogenomics Privacy

"The World Privacy Forum believes that the capability of identifying individuals from subsets of genetic information will expand greatly in the future. In public comments filed with the National Institutes of Health on pharmacogenomics (PGx) research, or research using genetic information to create highly personalized medicine, the World Privacy Forum recommended that all research activities that involve any type of patient-specific genetic information be required to have certificates of confidentiality, whether that information appears identifiable or not. The WPF also urged the NIH to require strong data use agreements to protect individuals' privacy. The WPF also urged NIH and the Department of Health and Human Services to reinstate the position of "privacy advocate" so as to provide oversight in this area. Read the comments (PDF). For more information, see the genetic section of the WPF Medical Privacy Page."



More readings in Privacy

http://bendrath.blogspot.com/2007/05/privacy-self-regulation-and-changing.html

Thursday, May 24, 2007

Privacy Self-Regulation and the Changing Role of the State

My new working paper is just out. I have looked at the changes in the regulation (or "governance") of data protection, with a special focus on the different forms of new governance mechanisms. Building on Lawrence Lessig's work on "Code and Law" and also on previous research on the governance of privacy done by Colin Bennett and Charles Raab, I distinguish between social codes (contracts, self-regulatory schemes etc.) and technical codes (privacy-enhancing technologies). This is the abstract:



Am I dragging Colorado down?

http://www.bespacific.com/mt/archives/014905.html

May 24, 2007

State by State Economic Snapshots: May 2007

"National economic statistics are in the news every day, but it is not always easy to get a clear picture of what’s happening at the state level. Knowing the latest trends in labor market conditions, education and child care costs, health care coverage and expenses, and gas prices are all critical to understanding the economic well-being of families in each state. While these statistics are all public, until now they have not all been collected on one page. The Joint Economic Committee (JEC) has compiled an extensive state-by-state economic snapshot, updated monthly, composed of three key indices -- the Middle Class index, the Jobs index, and Economic Security index."



I conceal, because I don't want you to know I carry. (No, you can't look at my gun!)

http://www.dallasnews.com/sharedcontent/APStories/stories/D8PAVO3G0.html

Concealed handgun license records sealed from public

05/24/2007 By KELLEY SHANNON / Associated Press

The names of people licensed to carry concealed handguns in Texas are no longer available to the public.



Yeah, we thought this was the case. This kind of “openness” destroys trust.

http://yro.slashdot.org/article.pl?sid=07/05/24/1916203&from=rss

Microsoft Too Busy To Name Linux Patents?

Posted by Zonk on Thursday May 24, @03:56PM from the that's-awful-busy dept. Patents Microsoft Linux

bob_dinosaur writes "According to The Register, Microsoft's Patent Attorney Jim Markwith told the Open Source Business Conference that the reason they hadn't named the supposedly infringing patents was that it would be 'administratively impossible to keep up' with the list. 'According to Ramji, the executive tasked with the difficult job of straddling Microsoft's growing support for open source in server and tools, and aggressive and unpredictable statements from management on patents, made a jaw-dropping attempt to explain away the Forbes article. "The reason we disclosed that, is because there was a request for transparency following the Novell deal last November. This was a response to that transparency," Ramji said. It was at that point the OSBC audience erupted.'" That transparency apparently extends to multiple levels. ZDNet is reporting that Novell will share the details of its agreement with Microsoft sometime in the near future.



Do you like movies older than you are?

http://news.com.com/Site+to+screen+silver+films/2100-1026_3-6186219.html

Site to screen silver films

By The Hollywood Reporter Story last modified Thu May 24 06:17:33 PDT 2007

Turner Classic Movies plans to launch an online video destination devoted to classic films.

Dubbed the Media Room, the video portal will live on the TCM.com site when it launches on June 1 with more than 3,000 pieces of video content in the form of short films, movie clips, trailers and interstitials from TCM programming.

The launch will feature the online premiere of the 1937 romantic comedy Living on Love in its entirety. ... The portal will expand TCM.com's existing interactive movie database, which features content related to more than 130,000 titles from the Turner Entertainment catalog as well as licensed content from American Film Institute's catalog of features, the Internet Movie Database and other sources.
