Remember, this is two orders of magnitude better than the last time. Perhaps they have “improved” their security. I'd still like it to reach all the way to “adequate.”
Posted on Sat, Feb. 03, 2007
VA hard drive with personal data missing
WASHINGTON - A portable hard drive that may contain the personal information of up to 48,000 veterans may have been stolen, the Department of Veterans Affairs and a lawmaker said Friday.
An employee at the VA medical center in Birmingham, Ala. reported the external hard drive missing on Jan. 22. The drive was used to back up information on the employee's office computer. [More common for this to be done over the network... Bob] It may have contained data from research projects, the department said.
The employee also said the hard drive may have had personal information on some veterans, although portions of the data were protected. Secretary of Veterans Affairs Jim Nicholson said that the VA and the FBI are investigating.
Rep. Spencer Bachus, R-Ala., said that the personal information of up to 48,000 veterans was on the hard drive and the records of up to 20,000 of them were not encrypted.
Pending results of the investigation, VA is planning to send individual notifications and to provide a year of free credit monitoring to anyone whose information is compromised.
Other than “quick” and “thinking,” this headline seems accurate.
Feb 2, 2007 9:27 pm US/Eastern
Quick Thinking Prevents Massive ID Theft Heist
Documents Containing SS Numbers Appear On Web Site
(CBS/AP) ALBANY The New York Department of State on Friday froze portions of a Web site listing commercial records that identity thieves could have used to access the Social Security Numbers of some New Yorkers -- including billionaire mogul Donald Trump.
It took the department more than three hours [see next article Bob] to block the information from being viewed after The Associated Press alerted officials to the problem.
The New York Department of State's Web site had posted commercial loan documents containing Social Security Numbers that could be viewed with a simple name search.
"Governmental Web sites should not make it easy for identity theft criminals to access personal information," said state Sen. Charles Fuschillo, a sponsor of numerous laws targeting identity theft.
The forms are posted by the department to let lenders know the current financial status of loan recipients. As a prerequisite for loans, many banks first research a debtor's name to ascertain their credit worthiness.
Trump was traveling and could not immediately be reached for comment.
The posted information also included the social security numbers of many farmers who had previously taken out loans for farm equipment and machinery.
Julie Suarez of the New York Farm Bureau said many farmers across New York could have been hurt by the release of the information because some lenders list the private numbers on the forms to track customers.
"We've done a lot of research on this and we are getting increasingly concerned," she said Friday before the information had been removed. "It's an optional part of the form, but not everybody knows this." [No “personal data” inventory exists? Bob]
Earlier this month, the Vermont Secretary of State's office took down similar Internet links [an indication that you should check your own procedures? Bob] to business files that contained the Social Security Numbers of individuals.
... The Social Security Number postings were discovered by B.J. Ostergren, a Virginia privacy rights activist.
It was unclear late Friday how long the information was available on the site, and the Department of State did not immediately return calls seeking clarification.
Management bloopers are all too common in these articles.
Hacker hits MU database
Personal info stored in computer system.
By TERRY GANEY of the Tribune’s staff Published Friday, February 2, 2007
A hacker broke into a University of Missouri system computer server last month and might have gained access to personal information, including Social Security numbers, of 1,220 researchers on four campuses.
The passwords used for the system by more than 2,500 people might have been compromised as well. The university has sent e-mails and registered letters to everyone affected.
... The compromised computer is the university’s Research Board Grant Application System. Technicians have not identified the hacker, but an internal inquiry is under way to find the culprit’s "footprints."
An off-campus computer monitoring system that scans the Internet for crimes first notified the university of the problem at 8:33 a.m. Jan. 16. [Not familiar with this! Bob] The university’s informational technology staff took the system off line an hour later. A more detailed examination showed the system was first hacked at 3:30 p.m. Jan. 14.
The affected system, which is still off line, serves as an electronic clearing house for researchers applying for grants and being paid for them. In the application and payroll process, personal information such as Social Security numbers is often included. In addition, some system users might have substituted their own personal computer passwords for the numeric password generated by the system.
In those cases, it might be possible for an unauthorized third party to gain access to personal information if the system user applied that same password to personal accounts as well as the grant application system.
... A statement posted on the UM system’s Web site said the breach occurred through the system’s Web-based application that was developed several years ago and "did not have safeguards which current applications have to ward off increased threats from the Internet." [Regular review of security procedures might be indicated? Bob]
... The problem in which personal information might have been disclosed affects 820 faculty members on the UM’s systems four campuses, 76 former faculty members and 324 non-university personnel, mostly those who review grant applications, Charton said. In addition, the hacker might have seen 2,579 passwords.
Not that I would pick on poor TJX, but I can't help noticing a series of articles showing how they are dealing with their security breach... First, set aside some cash for future liabilities...
TJX expects fourth-quarter charge for security breach
February 02, 2007
NEW YORK–TJX Cos., which owns several retailers including Winners and HomeSense in Canada, said yesterday it expects to incur a charge related to its recent security breach, but remains comfortable with its fourth-quarter profit forecast.
The company's projected profit from continuing operations of 48 cents (U.S.) to 50 cents per share includes a 1-cent-per-share [ From the 10Q: “The number of shares of Registrant's common stock outstanding as of October;28, 2006: 455,098,947” So we're talking about $4.5 million so far. Bob] charge for costs from the computer systems breach, which analysts have said might have exposed millions of people's personal data.
... Framingham, Mass.-based TJX does not expect to be able to estimate losses from the breach when it releases year-end results Feb. 21. It said losses might stem from exposures to credit- and debit-card companies, banks and legal proceedings.
Then promote a bunch of people to reward them for... What was it again?
Senior executives promoted at TJX
Home Textiles Today By Staff -- 2/1/2007 12:08:00 PM
Framingham, Mass. – Off-price retailer The TJX Companies has made a series of promotions across its senior management team in the immediate aftermath of the elevation of president Carol Meyrowitz to president and ceo.
... * Ann McCauley has been promoted to evp, TJX, general counsel, from her post of svp, general counsel.
Then, take advantage of the depressed stock price... (Down almost a buck since Jan 17th when they announced the breach, sure to be lower still when they figure out what this will cost them.)
TJX to buy back stock
Boston Business Journal - 1:16 PM EST Friday
The TJX Companies Inc. announced Friday its board of directors approved the repurchase of up to $1 billion of TJX common stock.
The current prices would represent about 7.5 percent of the company's outstanding shares.
... The repurchase program has no time limit.
Privacy Rights Clearinghouse: 2006 Breach Analysis
Friday, February 02 2007 @ 04:50 PM CST - Contributed by: PrivacyNews - Breaches
Expected, but still depressing.
Confidential Data Lost Via USB Drives and Other Mobile Devices, New Survey Finds
January 29, 2007 News Release
The results of a new survey conducted by Forrester Consulting entitled Data Loss Prevention and Endpoint Security: Survey Findings was announced today. The report reveals that most companies have lost confidential data through removable media such as USB drives in the past two years.
... Among the key findings:
* More than half of respondents (52 percent) have lost confidential data through removable media such as USB drives in the past two years.
* Currently, organizations rely mainly on paper-based controls such as written policies that information security asks employees to sign (40 percent).
* Downloading confidential data to desktop and laptop PCs is a significant threat: 76 percent of respondents said they are not satisfied with the visibility they have into confidential data being downloaded to PCs.
Is this a case of “We gotta do something?” Sure seems like it hasn't been thought through.
Our View: Meth database should be limited to protect privacy
By the JG/T-C Editorial Board email@example.com Published on Friday, February 2, 2007 11:30 PM CST
The proposal to establish an electronic database on people who buy cold medicine with pseudoephedrine should scare the dickens out of meth makers.
It might also make law-abiding people reluctant to purchase across-the-counter medicines for fear of being monitored by Big Brother.
Currently, Illinois law designed to crack down on meth makers requires retailers keep logs on people who buy cold medicines containing pseudoephedrine.
During a leadership summit Saturday at Eastern Illinois University, Steve Mange, a policy adviser with the Illinois Attorney General’s Office, said the problem with retailers’ written logs is that they are sometimes “barely legible.”
Another problem with current logs, Mange pointed out, is that police cannot always remember names to spot repeat buyers.
“A database is clearly the next thing we need to do,” Mange told the participants in the drug summit. Mange said the database could include a list enabling authorities to determine purchasers of drug ingredients. He said it could also be used as an “authorization system” to prevent people from buying the medicine if they have reached federal or state limits.
Mange revealed Illinois Attorney General Lisa Madigan has met with representatives from other Midwestern states to discuss how a database might function.
Exactly how much and what types of information a database would include is unclear. There should be some specificity as to what authorities can put on the database.
When security procedures become too onerous...
NHS denies privacy risk over smartcard sharing
Connecting for Health admits that smartcards were shared by clinical staff, but plays down fears that patient confidentiality was breached [If a breach is defined as “access by an unauthorized person,” there is no way they have evidence to support this statement. Bob]
NHS Connecting for Health has admitted that smartcards were shared between staff at a Warwickshire hospital, but denied that this compromised the confidentiality of patient data.
Last week reports emerged that smartcards — used by clinical staff to access patient records on the overhauled NHS IT network — were being shared between A&E clinicians at South Warwickshire General Hospitals NHS Trust. This activity, which had been sanctioned by the Trust board, was caused by clinicians trying to avoid lengthy log-in times.
Paul Cundy, a spokesman for the British Medical Association's GP IT subcommittee, told Computer Weekly at the time that this approval "[drove] a coach and horses through the so-called privacy in the new systems".
... "The Trust is aware of the need to revert to the normal policy framework [Translation: We should follow the rules. Bob] for the use of smartcards and, as these early issues relating to the speed of the application are resolved, is it hoped this will happen in the near future," the statement added.
Previous statements from CfH had suggested that the sharing of smartcards would be treated as misconduct, requiring disciplinary procedures. However, Thursday's statement conceded that "responsibility for the security of patient information ultimately lies with individual Trusts, hospitals and NHS organisations".
What happens if access controls are too broad? i.e. Access needs to be more granular... At lest, they tested the security!
Scottish NHS in cervical smear security blunder
By Lucy Sherriff Published Friday 2nd February 2007 00:02 GMT
The Scottish National Health Service has postponed the launch of a new cervical smear screening system, after concerns were raised about the security of the service during a trial of the system.
According to BMA News, the house magazine for British Medical Association members, Scottish Cervical Call-Recall System (SCCRS), allows anyone with password access - including many admin staff at GP practices taking part in the pilot - to access any Scottish woman's cervical screening records.
Forth Valley GP Brian Keighley said: "This is unacceptable and quite possibly illegal and I don't think GPs should co-operate with this."
... NHS NSS says no real records have been compromised because the pilot has been run using "existing board systems", essentially, dummy records.
Interesting legal technique? Another reason to ensure your security is current.
Security pros work to undo teacher's conviction
Robert Lemos, SecurityFocus 2007-02-02
Researchers led by the head of a Florida anti-spyware firm aim to recreate what caused a Connecticut school's classroom computer to start displaying pornographic pop-ups in October 2004, an incident that recently led to four felony convictions for the substitute teacher involved.
On January 5, a six-person jury found former Kelly Middle School substitute teacher Julie Amero guilty of four counts of risk of injury to a minor. The charges stem from an October 19, 2004 incident when the computer in the classroom in which Amero was teaching started displaying pornographic pop-up advertisements. Prosecutors argued that Amero surfed porn sites while in class, causing the pop-up advertisements, while the former teacher's defense attorney argued that spyware installed from a hairstyling Web site caused the deluge of digital smut.
The case has attracted an enormous amount of interest, because the reported details of the trial appear to indicated that a lack of understanding of the technology involved and not solid digital evidence, led the jury to convict the teacher.
Alex Eckelberry, president of anti-spyware firm Sunbelt Software, hopes to put the case to rest. Armed with an image of the disk from the Windows 98 SE computer, the technology expert put out a call to interested security researchers and assigned his own workers to the case.
"We have had huge offerings of support from the security community," Eckelberry said this week. "Other experts in the forensics community--and these are not small players--have come to us and offered to help."
The criminal conviction would not be the first case of misunderstood technology leading to a guilty verdict. In 2002, a 29-year-old network adminstrator was convicted under the Computer Fraud and Abuse Act for sending 5,600 e-mail messages to customers of his former employer--the now-defunct e-mail provider Tornado Development--warning about a security hole in Tornado's service that left private messages vulnerable to unauthorized access. The prosecutors in the case argued, and the judge agreed, that McDanel was guilty of unauthorized access and abused Tornado's e-mail servers to send the messages. The prosecutors have since admitted their mistake and the case was overturned on appeal, but not before McDanel served 16 months in prison.
"In technologically complicated cases, expert testimony is really important--more so then in your normal prosecutions," said Jennifer Granick, executive director of the Center for Internet and Society at Stanford University's School of Law and the attorney that defended McDanel in his appeal. "It is complicated for a normal person--the idea that the computer does something without your agency is not something that they understand."
In the latest case, a regular teacher logged into the classroom computer, because Amero did not have credentials. The substitute teacher was told not to log out or turn off the computer, according to media reports.
What happened after that has become the main point of contention.
A detective on the case using off-the-shelf recovery software argued that Amero clicked on pornographic Web links and caused the computer to display pornographic pop-up advertisements. However, the defense's forensic expert, Herbert Horner, stated that a more complete analysis showed that a harmless hairstyling Web site had actually redirected the PC's browser to pornographic sites, setting off the deluge of offensive ads.
Horner, the principal at Contemporary Computer Consultants, had walked into the courtroom to discuss his analysis but was prevented from doing so in detail because the prosecution argued that they had not had full disclosure of his testimony.
In an interview with SecurityFocus, Horner voiced obvious frustration at his inability to relate all his findings to the jury.
"It is kind of like you have a fire truck and a full tank of water and you can save everybody, but someone said you can't do that because the container you put the water in is against the rules," Horner said.
Prosecutors have also focused on the fact that Amero did not turn off the computer, though she did go for help during a class break, Horner said.
Both the prosecutor in the case, state attorney David J. Smith, and Amero's attorney, John F. Cocheo, declined to comment for this story, prior to the sentencing hearing on March 2. The public filings in the case could not obtained in time for this article.
The team of security professionals analyzing the forensic evidence are not yet ready to release an opinion, but one thing is clear, Eckelberry said: The classroom's machine was infested with spyware and the school did not have adequate protections in place.
It's an issue that has refocused some of the debate on administrators at Kelly Middle School. School officials recently told parents that the incident could never happen today, because the district has installed security software and a filtering system.
"This was a Windows 98 SE machine with IE 5 and an expired antivirus subscription," Eckelberry said. "It hadn't been updated since August, and there was no anti-spyware, no pop-up protection, no firewall and no content filters. Regardless of whatever happened, this machine was a machine that should not have been on the Internet."
He really hammers them.
27B Stroke 6 by Ryan Singel and Kevin Poulsen Friday, 2 February 2007
Identity Theft Not Down, It's Different, Expert Says
Javelin Strategy and Research, an independent research group, this week released a new report -- funded by Visa, Wells Fargo and Checkfree -- that found that in 2006, 8.4 million Americans were hit by identity fraud, a full half a million fewer than in 2005. The study, based on a phone survey of 5,000 American adults, found the total amount lost to identity theft fell 12%, from $55.7 billion to $49.3 billion.
The study was widely reported in the media yesterday -- AP, Reuters, and UPI. But Chris Hoofnagle, an expert in data privacy laws who is also an attorney at the Berkeley Center for Law and Technology, says the study is dead wrong, both in its methodology and its conclusions.
Public polling on identity theft completely misses the biggest modern fraud issue–synthetic identity theft. In synthetic cases, the impostor creates an entirely new identity using information from many different victims. Since this synthetic identity is based on some real information, and sometimes upon artfully created credit histories, it can be used to apply for new credit accounts. This harms consumers because it creates subfiles at the CRAs, and the real owner of the SSN is sometimes targeted by collections efforts.[...]
Hoofnagle also argues that the survey -- which found that more than half of identity theft is perpetrated by a friend or family member -- is skewed because it undercounts identity theft that happens by remote attackers.
First, victims are obviously more likely to know the identity of the victim when it is a family member/friend. They’re much less likely to know when someone far away from them committed the crime (such as the many well documented cases of outsourced data being sold to thieves). Second, existing studies of confirmed victim studies (from police reports and newspaper reports, such as Collins’ report in 2004) shows that the most likely source of data is businesses. Similarly, internal analyses written by the business community itself estimates that identity theft finds its roots in business databases 50-70% of the time. Finally, even if risk behaviors are consistent between the known and unknown victims, certain threats (such as security breaches, outsourcing risk, etc) are not addressed by any consumer action. That is, you are just as likely to become a victim, regardless of whether you shred, etc.
The FTC rejects Javelin's findings as "misleading:" In an email to Wall Street Journal reporter Robin Sidel, obtained under the Freedom of Information Act concerning the Javelin Report, an FTC employee wrote: "Since most surveyed–74 percent–could not identify the person who stole their identity, and half the 26 percent who could identify the thief either didn't personally know the thief or said it was someone other than a friend or relative, it would be misleading to suggest that the 'Culprit is likely a friend or relative.'"
A free copy of the short copy of the report can be downloaded here after you are asked for identifying information.
My tax dollars at work. More of the “We can, therefore we must” strategy?
Why Is The Government Putting DRM On Its Own Public Files?
from the just-wondering dept
Documents released by the US government have no copyright -- yet, apparently that doesn't stop some government officials from acting as if it does. Jerry Brito highlights how in doing some research for a discussion on the 9/11 Commission Report, he was disappointed to find that the government-released PDF has copy protections that stop people from copying and pasting material from inside the document. He notes that, even though the content isn't covered by copyright, circumventing that protection would likely mean he had broken the DMCA's anti-circumvention clause. Doesn't it seem like there's a problem when you could get in trouble for circumventing copy protection on content that is in the public domain?
[NOTE: The comments include methods for easily circumventing this protection. Bob]
Attention Class Action Lawyers! This scenario is likely to be repeated frequently!
The Viacom International Copyright DMCA debacle about YouTube videos--should we counter-sue???
Friday February 02nd 2007, 3:07 pm
I just recieved a notice that a video of mine has been removed from YouTube because of a complaint by Viacom. The video, for the record, is a short home clip, about 30 seconds, of me and several friends having dinner in a ribs place in Somerville. That this is the case should not be confusing to Viacom, given that the video is titled:
Sunday nite dinner at Redbones in Somerville, Mass: http://www.youtube.com/watch?v=QUzOP42dg1I
Here is the email I just got from YouTube. I support YouTube in sending this on to me and taking down the video. What else are they to do? Of course, now they have set up a situation where I perhaps have legal standing to go after Viacom. Of course I can’t afford to do this alone--but perhaps now I am part of a “class”--as in “class action law suit?” Anyone else interested. This blog, by the way, is hosted at Harvard Law School Berkman Center for Internet & Society, so we should be able to get some local talent to help out.
Here is the YouTube notice I just received:
YouTube | Broadcast Yourself™
This is to notify you that we have removed or disabled access to the following material as a result of a third-party notification by Viacom International Inc. claiming that this material is infringing:
Sunday nite dinner at Redbones in Somerville, Mass: http://www.youtube.com/watch?v=QUzOP42dg1I
Please Note: Repeat incidents of copyright infringement will result in the deletion of your account and all videos uploaded to that account. In order to avoid future strikes against your account, please delete any videos to which you do not own the rights, and refrain from uploading additional videos that infringe on the copyrights of others. For more information about YouTube’s copyright policy, please read the Copyright Tips guide.
If you elect to send us a counter notice, to be effective it must be a written communication provided to our designated agent that includes substantially the following (please consult your legal counsel or see 17 U.S.C. Section 512(g)(3) to confirm these requirements):
1. A physical or electronic signature of the subscriber.
2. Identification of the material that has been removed or to which access has been disabled and the location at which the material appeared before it was removed or access to it was disabled.
3. A statement under penalty of perjury that the subscriber has a good faith belief that the material was removed or disabled as a result of mistake or misidentification of the material to be removed or disabled.
4. The subscriber’s name, address, and telephone number, and a statement that the subscriber consents to the jurisdiction of Federal District Court for the judicial district in which the address is located, or if the subscriberis address is outside of the United States, for any judicial district in which the service provider may be found, and that the subscriber will accept service of process from the person who provided notification under subsection (c)(1)(C) or an agent of such person.
Such written notice should be sent to our designated agent as follows:
1000 Cherry Ave.
San Bruno, CA 94066
Please note that under Section 512(f) of the Copyright Act, any person who knowingly materially misrepresents that material or activity was removed or disabled by mistake or misidentification may be subject to liability.
Copyright © 2007 YouTube, Inc.
It looks like what Viacom has done to YouTube is simply search everyViacom trademarked and copyrighted term against every Tube name, and then asked YouTube to pull down the videos, [Could have been a match of “Redbones” to “Leon Redbone.” Just a guess. Bob] under the terms of the onerous and notorious DMCA. YouTube has now pulled the videos. Unfortunately, I suspect that tens of thousands of these videos are completely legitimate.
February 02, 2007
Cornell Law Library Announces Launch of Legal Research Engine
"The Cornell Law Library is pleased to announce its new Legal Research Engine This specialized search engine helps users easily find authoritative online legal research guides on every subject. It searches approximately 20 different web sites that either prolifically publish guides, or index and link to guides."