Saturday, October 20, 2007

Clear evidence that management is incompetent? 1) They don't know what is happening on their own system, 2) They keep unencrypted passwords (I thought this practice ended in 347BC)

http://www.pogowasright.org/article.php?story=20071019093053391

Banking data fears over Fasthosts intruder

Friday, October 19 2007 @ 09:30 AM EDT Contributed by: PrivacyNews News Section: Breaches

Investigators are racing to establish whether banking information was stolen by the intruder who hacked into a server at Gloucester-based web host Fasthosts.

The breach was revealed yesterday. Fasthosts has told customers to change all their passwords, which were not encrypted.

Source - The Register



Notification seems to have taken quite a while... How could they not notice all that data being sent out? (Why was that computer even configured to allow that?)

http://www.pogowasright.org/article.php?story=20071020070610412

Data on Saint Vincent's patients goes astray

Saturday, October 20 2007 @ 07:19 AM EDT Contributed by: PrivacyNews News Section: Breaches

Saint Vincent Catholic Medical Centers of New York has warned 100,000 current and former patients that databases holding some of their personal information and insurance policy numbers were breached earlier this year.

... Compromised data included patients' names, dates of birth and, in 40 percent of the cases, Social Security numbers, along with insurance carrier and claim information, Fagan said yesterday.

Source - silive.com

[From the article: None of the data, which a former employee transmitted to his home computer in February, appears to have been misused beyond that unauthorized act, Michael Calder, a Saint Vincent's official, said in the letter, a copy of which was obtained by the Advance.

However, Calder added, there was a possibility the employee may have sent the databases to another person not associated with Saint Vincent's.

... Saint Vincent's first learned of the breach in June and reported it to authorities, including the Manhattan district attorney's office, said Calder.



The comments in the AZ paper suggest this isn't over yet. Questioning the DA's control of his office!

http://techdirt.com/articles/20071019/154053.shtml

Don't Click On This Link Unless You Don't Mind A Grand Jury Knowing What You Read

from the privacy?-schmivacy dept

Apparently two executives from Village Voice Media (publishers of The Village Voice and other independent newspapers) were arrested yesterday for revealing grand jury information that was supposed to be private. Specifically, they had published an article in one of its publications, the Phoenix New Times, accusing a grand jury of unconstitutional behavior in issuing a subpoena for all sorts of information about the Phoenix New Times and its readership. Now, before you click on the link to the article, it's worth noting that the subpoena in question demands that the newspaper hand over incredibly detailed log information on every visitor to that website since January 2004. This is because someone is upset about four articles dealing with a local sheriff. Yet, though the supposed problem is with the four articles, the subpoena demands information on every visitor to the site, including such things as their IP address, which articles they read, any information obtained by cookies, the referral links that got them to the website, their type of browser and their type of operating system. In other words, all the info typically found in a log file -- but it's unclear why this information could possibly be necessary in a complaint about 4 specific articles. Update: As pointed out in the comments, just as we were writing up this story, the original lawsuit was dropped and the special prosecutor was fired.



You can be in compliance, you just have to do a few things you should be doing already!

http://www.eweek.com/article2/0,1759,2203288,00.asp

Compliance Can Be a Bumpy Ride

October 19, 2007 By Cameron Sturdevant

Denver International Airport is among the busiest airports in the world and boasts one of the longest runways in the United States. The airport also conducts a lot of business using credit cards. DIA recently completed its Level 1 (more than 6 million transactions per year) PCI DSS (Payment Card Industry Data Security Standard) audit, a journey which had its fair share of turbulence.

However, as DIA CIO Robert Kastelitz recounted to eWEEK Labs, noncompliance was not an option. "You really don't have a choice but to do it," Kastelitz said. "The bottom line is if you don't do it, then the hammer [the PCI member companies] hold over your head is that they won't let you take credit cards anymore."

In January 2006, when DIA's effort to become PCI- compliant began in earnest, the airport's IT organization found that many of the elements required for compliance had been satisfied by a recently completed project to implement network best practices throughout the airport. [YES! If you do one thing correctly, you don't need to revisit it for each application! Bob]

As Kastelitz explained, "When we started looking at PCI, many parts were already in place. We perfected some of it and initiated some of it." For instance, Kastelitz's team was already conducting network audits, which included penetration tests and vulnerability assessments, to ensure their network was secure.

... However, DIA's compliance program didn't come without pain. For Level 1 organizations, PCI mandates that network audit information be made available on a quarterly basis for perusal by an outside audit company. [I wonder if the “outside auditors” cross check these logs to detect subtle attacks? Bob]

... In light of PCI requirement 3, which governs the protection of stored cardholder data, the airport decided to retain no information at all. Kastelitz worked with other airport stakeholders to resolve business operations issues around not having the cardholder information on hand.



Thank you for blocking the Bible. I'm sure everyone will understand that you are just “protecting” our children and not interfering with freedom of religion. Way to go, Osama!

http://techdirt.com/articles/20071019/115242.shtml

Associated Press Confirms That Comcast Blocks Some BitTorrent Traffic; Despite Comcast Denials

from the someone's-not-being-totally-honest-here... dept

Back in August, there was a report that Comcast was throttling certain types of BitTorrent traffic making it difficult to impossible to seed a download. In response, Comcast vehemently denied this was happening, despite many people saying they were experiencing it. Specifically, Comcast said: "the company doesn't actively look at the applications or content that its customers download over the network. But Comcast does reserve the right to cut off service to customers who abuse the network by using too much bandwidth." The EFF went and spoke with Comcast and got the same story. However, with so many people reporting the same thing, some were wondering how truthful Comcast was. Now the Associated Press has done their own investigation (trying to transfer the Bible since it's in the public domain) and found that Comcast is clearly blocking the ability to upload completed files via BitTorrent, inserting a message to a computer trying to upload a file pretending to be from the downloading computer, telling it to stop sending. This seems to go against what Comcast originally said, though when the AP asked for a comment, Comcast subtly changed it's story. Rather than saying it doesn't look at applications or content, now it says: "Comcast does not block access to any applications, including BitTorrent." No, it doesn't block "access" but it does limit the functionality greatly (including perfectly legitimate uses of BitTorrent) without letting people know about it.



Who's (buying) who

http://www.bespacific.com/mt/archives/016297.html

October 18, 2007

Nationwide Study Grades and Ranks Campaign Disclosure

Press release: "Access to state-level candidate campaign disclosure data continued to improve in states across the country, according to Grading State Disclosure 2007, a comprehensive evaluation of campaign finance disclosure laws and programs in the 50 states. The 2007 study, released today by the California Voter Foundation, found that Washington State ranks first in the nation in campaign disclosure, while Oregon ranked as the most improved state in 2007. The study is the fourth in a series, which was first conducted in 2003."

[From the web site: Colorado was one of the five most improved states in the 2007 study. The Secretary of State’s adoption of mandatory electronic filing for statewide and legislative candidates in 2007 pushed Colorado into the B range, a remarkable improvement over the D+ the state received in Grading State Disclosure 2005.



This is already quite common: We purchase a tool that uses us to provide the vendor with information they can sell to others – including other users of the tool. If they make more money selling our input, they can give the initial tool away free.

http://hardware.slashdot.org/article.pl?sid=07/10/20/0611226&from=rss

New GPS Navigator Relies On 'Wisdom of the Crowds'

Posted by Zonk on Saturday October 20, @05:34AM from the you're-always-guided-using-renraku-gridguide-system dept. Communications Hardware Technology

Hugh Pickens writes "The New York Times is running an article on Dash Express, a new navigation system for automobiles that not only receives GPS location data, but broadcasts information about its travels. Information is passed back to Dash over a cellular data network, where it is shared with other users to let them know if there are slowdowns or traffic jams on the road ahead. The real benefit of the system isn't apparent until enough units are collecting data in a given area - so Dash distributed over 2,000 prototype units to test drivers in 25 large cities."



I have to agree with Bruce Schneier (as I usually do) but if there are simple tools available, I wonder if we couldn't use them for other purposes (watermarking for example)

http://it.slashdot.org/article.pl?sid=07/10/20/0616220&from=rss

Evidence of Steganography in Real Criminal Cases

Posted by Zonk on Saturday October 20, @07:14AM from the not-just-a-numb3rs-plot dept. Security The Internet IT Technology

ancientribe writes "Researchers at Purdue University have found proof that criminals are making use of steganography in the field. Steganography is the stealth technique of hiding text or images within image files. Experts say that the wide availability of free point-and-click steganography tools is making the method of hiding illicit images and text easier to use. Not everyone is convinced; some security experts such as Bruce Schneier have dismissed steganography as too complex and conspicuous for the bad guys to bother using, especially for inside corporate espionage: 'It doesn't make sense that someone selling out the company can't just leave with a USB.'"



In a variation of the “Streisand Effect,” the comments on this article include a host (pun intended) of sites that offer similar links.

http://yro.slashdot.org/article.pl?sid=07/10/19/1846236&from=rss

TV Links Raided, Operator Arrested

Posted by Zonk on Friday October 19, @03:23PM from the there-goes-the-neighborhood dept. Media The Internet Businesses Politics

NetDanzr writes "TV Links, a Web site that provided links to hundreds of movies, documentaries, TV shows and cartoons hosted on streaming media sites such as Google Video and YouTube, has been raided by UK authorities. The Site's operator was also arrested, The Guardian reports. Even though the site has not hosted any pirated content, [like the RIAA case, perhaps “making available” is sufficient? Bob] it was a thorn in the side of movie and TV studios, thanks to having links to newest movies and TV shows. As the largest site of its kind, it showcased the power of user-driven Internet, with the site's visitors helping to keep links to content constantly updated."

No comments: