Saturday, February 10, 2007

This is somehow related to their project to remove SSANs from their system.

Personal data of students, staff may have been exposed on Web site

GREENVILLE, N.C. -- East Carolina University administrators are notifying students, former students and employees about a programming error that may have exposed personal data on a university Web site.

About 65-thousand people will receive notification letters from the university giving them tips on how to check for identity theft.

Officials say access to personal information in university files was available for a week last month.

The system was shut down within 15 minutes after the problem was reported and has since been corrected.

University officials say they are working to cut down on the use of Social Security numbers for identification.

Embarrassing, but far less serious than sending all the information to a hacker. (See next article)

26,000 pensioners' bank details sent to wrong addresses

By Martin Beckford Last Updated: 1:53am GMT 10/02/2007

Thousands of pensioners have been put at risk of identity theft after the Government sent their bank details to the wrong addresses, it was disclosed last night.

As many as 26,000 letters containing pensioners' personal account numbers and National Insurance details have been posted to people who were not the intended recipients.

... However, the Department for Work and Pensions admitted that it was unsure whether computer failure or a human mistake was to blame. [Sounds like something to check BEFORE you announce. Bob]

... She added that DWP staff would be able to pinpoint where each letter went and would contact everyone affected.

This is how a hacker does it...

Hacker gets state credit card info

Web site breach affects thousands of Hoosiers, businesses

By Niki Kelly The Journal Gazette Posted on Sat, Feb. 10, 2007

INDIANAPOLIS – State technology officials sent letters Friday to 5,600 people and businesses informing them that a hacker obtained thousands of credit card numbers from the state Web site.

Although numbers are usually encrypted or shortened to the last four digits, the Office of Technology conceded a technical error allowed the full credit card numbers to remain on the system and be viewed by the intruder. [“The computer did it,” is a lousy excuse. It suggests that no one looked at the output of the program to ensure it was working! Bob]

“Like thousands of web sites, the state’s web site is constantly under attack from hackers,” the letter said. “To repel these attacks, the state has implemented the highest levels of security and submitted itself to regular independent audits to ensure that data is safeguarded.

Despite these efforts, the state’s web site recently experienced a security breach.”

Chris Cotterill, director of the site, said the hacking occurred in early January but wasn’t discovered until Jan. 25. [Bad, but still better than TJX. Bob]

The next week was spent undergoing an outside audit, which revealed the credit card numbers had been compromised. That news came 10 minutes into the Super Bowl on Sunday.

“It was one thing that the hacker got in and another that they were able to access the info because of our technical mistake,” Cotterill said Friday, noting that no disciplinary action has yet been taken.

... The state has already notified the Secret Service and the credit card companies of those cards that were viewed.

... “We had planned for this but didn’t expect it,” [Better than saying “This was unforeseen.” Bob] Cotterill said. “This has caused a top-to-bottom review of all Web activity.”

... The letter was sent from “the Team” and did not include the name of the person in charge – something Cotterill said he now regrets.

He said he signed his name to the first draft but was advised by staffers that Hoosiers receiving the letter could use his name to find his phone number and harass his family.
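The control the state's letter describes (keeping only the last four digits) and the check Bob asks for (someone actually looking at what the program wrote to disk) are both short enough to show. The following is an added Python example, not the state's code; the record layout and the card numbers are constructed test values, not data from the breach.

```python
import re

# Constructed sample records standing in for rows a payment page might
# store after a transaction. Record 3 is what every row should look like.
SAMPLE_RECORDS = [
    {"id": 1, "pan": "4111111111111111", "note": "paid"},
    {"id": 2, "pan": "5500000000000004", "note": "paid"},
    {"id": 3, "pan": "****0004", "note": "paid"},
]


def luhn_ok(digits: str) -> bool:
    """Luhn check: True when the digit string is a syntactically valid card number."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Return the value that should be stored: only the last four digits survive.

    Anything that is not a plausible card number (wrong length or failing
    Luhn) is rejected rather than passed through, so a bad input cannot end
    up stored unmasked by accident.
    """
    digits = re.sub(r"\D", "", pan)
    if not (13 <= len(digits) <= 19) or not luhn_ok(digits):
        raise ValueError("not a plausible card number")
    return "*" * (len(digits) - 4) + digits[-4:]


# 13 to 19 digits, optionally separated by single spaces or dashes, and not
# part of a longer digit run.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def find_full_pans(text: str) -> list:
    """Return every candidate full card number in free text that passes Luhn."""
    hits = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            hits.append(digits)
    return hits


def audit_records(records) -> list:
    """The after-the-fact check: which stored (id, field) pairs still hold a full PAN?

    Run this over the actual data store, not over the code that was supposed
    to mask it; the point is to verify the output, not the intent.
    """
    bad = []
    for rec in records:
        for field, value in rec.items():
            if isinstance(value, str) and find_full_pans(value):
                bad.append((rec["id"], field))
    return bad


if __name__ == "__main__":
    print("stored form:", mask_pan("4111 1111 1111 1111"))
    print("records still holding full card numbers:", audit_records(SAMPLE_RECORDS))
```

The Luhn filter keeps the scan from flagging every long number (invoice IDs, phone numbers) while still catching a card number that slipped through the masking step; the scan should be scheduled against the live store, since a one-time review at deployment would not have caught a change that broke masking later.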

Another evil machine out-thinks management!

Social Security Numbers Exposed in CCSU Letters

By Melissa Traynor

News Editor February 7, 2007

Over the past week approximately 750 CCSU students have received mail from the Bursar’s office that revealed their social security numbers in the name and address window of the envelopes. The letters were folded incorrectly by a malfunctioning machine in the office. [And no one looked to see if it was operating correctly? These things can be adjusted, you know. Bob]

The letters mailed were IRS 1098T forms, which are student tuition statements that were meant to be mailed out by January 31. Last Monday, during the preparation of the first batch of 2,300 letters which were being folded by the machine, all were folded incorrectly, but the office was able to catch about 1550 letters and correct them before they were mailed out.

Are we talking 40,000,000 cards?

Date: Tuesday, February 06, 2007

Credit card recall applies to all banks

There is more detailed news to report tonight on the cautionary replacement of credit cards in Belize. Research reveals that the compromising of the Visa and Mastercards was not isolated to one bank but involves virtually all banks that issue those cards worldwide.

Good backgrounder...

How Does The Hacker Economy Work?

It's a murky world of chat rooms, malware factories, and sophisticated phishing schemes. Here's a look inside.

By Larry Greenemeier J. Nicholas Hoover InformationWeek Feb 10, 2007 12:02 AM (From the February 12, 2007 issue)

... Credit card information is mostly sold in bulk. "You don't just buy one Amex card with no limit; you typically buy a set because any one could be canceled or entered into fraud claims," Dagon says. Though some sites have list prices, basic card information can go for as low as $1 a card, and prices often depend on the quality of the data, says Johannes Ullrich, CTO of the SANS Internet Storm Center.

... Despite these successes, the hacker economy continues to flourish. At the RSA Security Conference in San Francisco last week, RSA president Art Coviello told the audience that the market for stolen identities has reached $1 billion, according to IDC research, and that malware has risen by a factor of 10 in the last five years, according to the Yankee Group.

Because we wouldn't want anyone to know they were being scanned? This is another way to offer “personalized” services – your computer confirms your ID without your knowledge, greets you with a hearty “Good morning, Bob,” and records everything you do for future “personalization.”

Stealthy Iris Scanner in the Works

By Bill Christensen posted: 06 February 2007 02:05 pm ET

A public iris scanning device has been proposed in a patent from Sarnoff Labs in New Jersey. The device is able to scan the iris of the eye without the knowledge or consent of the person being scanned. The device uses multiple cameras, and then combines images to create a single scan.

It is obvious, isn't it?

Elections Officials Try To Defend Their Handling Of E-Voting Machine Testing

from the wasn't-really-that-bad,-they-claim dept

In the ongoing debate we've had with an e-voting company employee in our comments, we were told repeatedly that last month's story that the US Election Assistance Commission had barred the largest testing firm from testing e-voting machines was overblown. Now, it appears that EAC officials are trying to convince more people of that as well, saying that it was nothing out of the ordinary to ban the firm who tested most e-voting machines, after it was determined that they weren't complying with the testing rules. They claim that the press and blogs (such as this one, we assume) got something "lost in the translation." That may be true, but they seem to be missing the point. If there were real transparency in all of this and real security experts were free to do the tests they wanted, then people would feel a lot more comfortable about things. The problem is that there's almost no transparency, other than some "public tests" that are still limited. At the end of the article things get even more bizarre. The EAC folks complain that they haven't been able to do as much as they want because they have "limited resources." In other words, they're admitting that the current resources aren't enough for them to make sure these machines are thoroughly tested. There's a really simple solution to all of this. There is a good group of security experts out there who aren't just willing, but are pretty much begging to help test these machines to make sure they really are secure. Why won't the EAC open up the testing to let them take part? It should be a total win-win solution. The critics can see for themselves what's really going on and if the machines withstand the scrutiny then that should make everyone happy and a lot more comfortable with elections that use the machines.

Le amusement du jour! (Think of it as a way to ensure the President supports the arguments in your thesis.)

President Bush Singing the Hits! This is so funny!

Here are some great videos of President Bush and other politicians singing. A hilarious cleverly dubbed/edited video of Bush singing Sunday Bloody Sunday, Bush singing Imagine and Walk on The Wildside Remix, Bush and Blair singing "Endless Love" together, Colin Powell singing YMCA in front of a live audience, and more....

Complete with annotated illustrations. Quick & easy.

A Guide to Grading Exams

by Daniel J. Solove Associate Professor of Law, The George Washington University Law School

Posted at ConcurringOpinions.Com December 14, 2006

Friday, February 09, 2007

Another case of closing the barn door after the horse escapes?

Laptop Stolen From Hospital Contains Sensitive Information

Hospital Takes Preventative Steps Against Future Thefts

POSTED: 11:13 am EST February 8, 2007 UPDATED: 11:19 am EST February 8, 2007

LEONARDTOWN, Md. -- Hospital administrators at St. Mary's Hospital in Leonardtown, Md., are concerned about the recent theft [Theft makes them look dumb, preventing that theft was not on their radar... Bob] of a laptop that contained identifying information.

Administrators said the laptop contained names, Social Security numbers and birthdates for many of the hospital's patients.

Officials said the hospital is cooperating with law enforcement agencies and have taken steps to prevent such a crime from happening again.

Officials said sensitive data will no longer be accessible on any portable electronic devices. The hospital is also looking into encrypting data on their laptop computers. [No need to do that before a theft? Bob]

Additionally, the missing laptop has been locked out of all hospital systems, officials said.

In the meantime, hospital officials have retained an organization that specializes in situations in which sensitive data have been compromised. [A law firm? Bob] The hospital is also suggesting that patients enroll in a free program to allow National ID Recovery to monitor patients' information for potential identity theft.

Closer to home...

The day ski shop fraud showed up on Fox

MARC CARLISLE On the Marc February 7, 2007

The teaser for Tuesday's Fox News at 9 was brief and upsetting. "More than 15,000 customers of this Denver ski shop may become victims of credit card fraud!"

At some point this season, an unknown person or group broke into a Front Range shop's reservation and payment website, built and managed for them by a third party. Once in, a person or persons unknown may or may not have accessed, viewed, and/or downloaded the customer equipment reservation files [“We don't know, because we turned off all the audit logs.” Bob] including credit card numbers of the shop's customers. Once alerted to the web break-in, the shop sent letters to customers alerting them to the possibility that someone may have obtained their credit card information and might use it.

Is TJX the one?

The TJX security breach. This one's different. Way different.

Thursday, February 01, 2007

If you haven’t noticed, there is something different about the security breach disclosed last month by TJX Cos. Some Massachusetts banks have linked fraudulent credit card purchases to the security breach at TJX, during which hackers nabbed possibly millions of credit card numbers.

Not such a big deal, you say? Well, as far as most security experts I have talked to in the past couple of years have said, matching a specific incident of credit card fraud to a specific security breach incident is unprecedented. Has any bank ever been able to prove that a significant number of fraudulent credit card purchases came from a specific corporate security breach? So far, no. But it is exactly this kind of “connecting the dots” that security experts say needs to happen for companies to begin to take information security more seriously.

The Massachusetts Bankers Association (TJX is based in Framingham, Mass.) claims it has connected the dots. A small bank that is an MBA member linked a spike in fraudulent credit card purchases last month to the TJX break-in. How did they do it? MBA execs won’t give details [This will come out in the Class Action suits, unless there is an immediate and expensive settlement, right? Bob] and won’t release the name of the bank, but MBA spokesman Bruce Spitzer says that last month that small undisclosed bank noticed 22 incidents of fraudulent credit card purchases on an undisclosed number of their customers’ accounts. That may not sound like a lot, but for the small bank, it represented a big spike in fraudulent purchases. Bank officials contacted the customers and asked if they had shopped at a TJX store. [Would the banks have that information already, or would it stop at the card processor? Bob] All said they had. Spitzer says the MBA, which has 250 member banks, intends to pursue the recovery of any costs from the fraudulent purchases and says it can directly link the credit card misuse to the TJX breach.

If so, that’d be huge. Until now, there has been no smoking gun, and it remains to be seen whether the MBA, or a bank acting on its own, or Visa or Mastercard can make such a connection. It will be difficult to do. To date, more than 100 million identities have been stolen or exposed since February 2005. That's when the Privacy Rights Clearinghouse began tracking security breaches after data collector ChoicePoint announced that 145,000 accounts had been stolen from its databases. Defense attorneys can make the argument that the card numbers could have come from other breaches.

Until Feb. 1, Wall Street hadn’t viewed security breaches as a big financial threat. On Jan. 18, the day the Wall Street Journal reported TJX’s security breach, TJX’s stock price dropped from a little less than $30 a share to a close of about $29.50. By the next day, the stock price had recovered its losses and climbed beyond $30 a share. A week later, another Wall Street Journal article followed by an article in the Boston Globe the next day (both reporting on the widening credit card fraud and possible link to the TJX breach) drove TJX stock back down below $29.50, where it closed Jan. 30.

That 1.7 percent decrease in TJX’s stock price is in line with the percentage price drops for other companies that have announced similar security breaches. A study by Emory University and the Ponemon Institute found that when a company announces a security breach, its stock price drops between 0.6 percent and 2.1 percent. Not a heavy hit.

But on Feb. 1, TJX stock closed down more than $1 – another 3.6 percent – to $28.49 a share, on volume that was three times the daily average. The drop was attributed to a class action lawsuit filed the day before by AmeriFirst Bank in Union Springs, Ala., against TJX, and to a call by U.S. Rep. Ed Markey (D-Mass.) for the Federal Trade Commission to investigate any negligence by TJX. Over a five day period, TJX fell more than 5 percent. Now we’re talking about some serious money. Are investors starting to connect the dots, too? Are they beginning to worry that the damage to TJX’s reputation may be hard to recover from? And are banks no longer willing to shoulder the costs?

If so, that will signal a big shift in past thinking about security breaches. In the past, investors (and company executives) knew banks and credit card companies would cover fraudulent purchases, not the company that experienced the security breach. More important, they knew that law enforcement had yet to pin a specific credit card crime to an individual security breach, making it difficult to bring criminal charges. The cost just has not been there. No wonder that some companies delay announcing a breach, although many company executives explain that they are doing so because law enforcement requested they keep the breach silent until they can investigate.

But the big secret is that a large portion of companies choose not to announce a breach, security experts and lawyers say, because the chance of getting caught is so slim. That fact may help explain why about one in six companies admit to not complying with California’s 4-year-old security breach notification law even if they are required to do so, according to the Global State of Information Security survey conducted by CIO Magazine and PricewaterhouseCoopers. And why many companies do not adequately protect private data.

The banking industry is becoming exasperated by being the one left holding the financial bag, and TJX may be the first to feel the industry’s wrath. We’ll have to wait and see. But without a higher likelihood that a company could get caught for not notifying customers of a security breach or for not following standard, industry-accepted security procedures to protect personal information, the breaches will continue to occur.

Do you view the risk of not notifying customers in case of a data breach, or not deploying strong security measures, worth taking? Or is the tide beginning to turn and you feel you need to bolster your security measures?
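On Bob's question above about whether the bank would already have the information: an issuing bank does see the merchant name on each authorization it approves, so it does not have to phone customers to find out where a card was used. The "connecting the dots" the article describes is what the card industry calls common point of purchase analysis: take the cards that went bad, look back through their transaction history, and find the merchant they all have in common. Below is an added Python example of that analysis; it is not the MBA's or any bank's code, and the transactions, card IDs and merchant descriptors are constructed sample data.

```python
from collections import defaultdict

# Constructed issuer-side data, not real records. Each row is one approved
# authorization as the issuer would see it: (card id, merchant descriptor, date).
TRANSACTIONS = [
    ("c1", "TJX #101",  "2006-11-02"),
    ("c1", "GROCER A",  "2006-11-03"),
    ("c2", "TJX #205",  "2006-12-10"),
    ("c2", "GAS B",     "2006-12-11"),
    ("c3", "TJX #101",  "2006-10-20"),
    ("c3", "GROCER A",  "2006-10-21"),
    ("c4", "GROCER A",  "2006-11-30"),
    ("c4", "GAS B",     "2006-12-01"),
    ("c5", "TJX #205",  "2006-11-15"),
]

# Cards on which fraud was later reported (constructed).
FRAUD_CARDS = {"c1", "c2", "c3", "c5"}


def merchant_family(descriptor: str) -> str:
    """Collapse store-level descriptors ('TJX #101', 'TJX #205') to one merchant.

    A breach of a retailer's central systems exposes every store, so the
    analysis has to group by merchant, not by location.
    """
    return descriptor.split(" #")[0]


def common_point_of_purchase(transactions, fraud_cards, min_cards=2, since=None):
    """Rank merchants by how well they explain the fraud set.

    coverage   = share of the fraud cards that were used at this merchant
    fraud_rate = share of this merchant's cards (fraud or not) that went bad

    A merchant everybody shops at will score high on coverage simply because
    it is popular; fraud_rate is the control for that. A real common point
    of purchase scores high on both. `since` (ISO date string) limits the
    look-back to the suspected exposure window.
    """
    exposure = defaultdict(set)   # merchant -> every card seen there
    for card, merchant, date in transactions:
        if since is not None and date < since:
            continue
        exposure[merchant_family(merchant)].add(card)

    results = []
    for merchant, cards in exposure.items():
        hit = cards & fraud_cards
        if len(hit) < min_cards:
            continue
        results.append({
            "merchant": merchant,
            "fraud_cards_seen": len(hit),
            "coverage": len(hit) / len(fraud_cards),
            "fraud_rate": len(hit) / len(cards),
        })
    results.sort(key=lambda r: (r["coverage"], r["fraud_rate"]), reverse=True)
    return results


if __name__ == "__main__":
    for row in common_point_of_purchase(TRANSACTIONS, FRAUD_CARDS):
        print(row)
```

In the sample data the grocer shows up in half the fraud histories too, which is exactly the "could have come from another breach" argument the article anticipates from defense lawyers; the fraud rate is what separates a popular merchant from a compromised one, and it is the number a bank would have to show alongside coverage to make the link stick.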

A bit too far?

University Professor Chastised For Using Tor

Posted by kdawson on Thursday February 08, @05:12PM from the control-freaks-ascendent dept.

Irongeek_ADC writes with a first-person account from The Chronicle of Higher Education by a university professor who was asked to stop using Tor. University IT and campus security staffers came knocking on Paul Cesarini's door asking why he was using the anonymizing network. [Possibly to remain anonymous? Bob] They requested that he stop and also that he not teach his students about it. The visitors said it was likely against university policy (a policy they probably were not aware that Cesarini had helped to draft). The professor seems genuinely to appreciate the problems that a campus IT department faces; but in the end he took a stand for academic freedom.

Could be useful...

February 9, 2007

Couple of Updates on BlawgSearch

Filed under: Net-Tech-Blogs, Government-Law

BlawgSearch, a search engine for just legal blogs, is now in beta. It’s added RSS feeds for searches and a “few hundred” more blogs, though there are many more in the pipe to be added. (There are currently over 1600 blogs arranged by category.)

There’s also a new search engine that finds only legal blog posts that have video or audio files. [for lawyers who can't read? Bob] There’s also a directory of almost one hundred podcasts, or blawgcasts as they’re called. In addition to the directory and the search you’ll also see a tag cloud for recent blog posts and recent search terms.

This is the same process that MI5 had so much trouble with. I hope the FBI gets it right – they don't need another computer system screw-up.

February 08, 2007

FBI Launches E-Mail Alerts on Public Website

"The Federal Bureau of Investigation (FBI) has launched a service that sends out electronic mail (e-mail) alerts when new and vital information is posted on the Web site. Subscribers select which topics that they want updates on, such as new electronic scams (e-scams) and warnings, most wanted terrorists, top ten fugitives, and local and national press releases. The alerts are transmitted as soon as updates are posted to the FBI's Web site or published in their daily, weekly, or monthly digests. The FBI views this service as a means of furthering American citizens' safety by keeping them informed. No personal information is required to sign up for this service, just an e-mail address to where the alerts will be sent. To sign up for the service please visit the"

If you mean technically, sure.

Can You Plagiarize A Photograph?

from the questions,-questions dept

We've had a few very interesting articles on rethinking plagiarism lately -- with part of the point being that just about all new creations and ideas are built on the work of those who came before them -- and it seems silly to prevent all of that with overly aggressive worries about copyright and plagiarism. In the Jonathan Lethem article we linked to earlier he discusses (or, rather, he plagiarizes a discussion) on how there were concerns when cameras first came about, as to whether or not taking a photo of a person or a building was stealing from them. Luckily, people realized this was kind of silly... but it seems that the matter isn't totally settled yet. Slate is running an online slideshow questioning whether or not photographs can be plagiarized. Apparently there's a bit of controversy, as an art exhibit includes a bunch of photographs by a pair of photographers that look quite similar to ones taken by a different photographer (who says the pair had asked for advice on "exposures, film, and vantage points"). The photographs are clearly different -- but of the same composition. If anything, they are an homage to the original, and it seems silly to accuse them of plagiarism, especially since they are absolutely different shots. And, if you could claim plagiarism on shots from a similar vantage point, just think of all the fights over family photos at various tourist locations?

Now here's a site that will attract hackers.

Web site verifies disease-free sex partners

Getting interactive: Online service raises concerns about privacy

Katie Rook National Post Thursday, February 08, 2007

In what may be the new frontier of online social networking, a Web site is being launched that purports to help online daters verify the sexual health of prospective partners. The site will issue a digital stamp of approval to site subscribers who have tested free of any of five sexually transmitted diseases, a level of disclosure that is seen by some as a predictable innovation in Internet use and by others as a move that is potentially troubling from the perspective of personal privacy, sexual behaviour and possibly the privacy of health records.

Yep, we should just kill 'em.

WI: Professors: Tracking Sex Offenders Is Unconstitutional

Thursday, February 08 2007 @ 08:47 PM CST - Contributed by: Lyger - State/Local Govt.

Three University of Wisconsin professors in Madison said a new state law forcing sexual predators to wear tracking devices for the rest of their lives is unconstitutional.

The professors -- Walter Dickey, Byron Lichstein and Meredith Ross -- said that the measure violates privacy rights and amounts to punishment and warrantless surveillance when applied to offenders who aren't on parole or government supervision.

Source - Channel3000

Thursday, February 08, 2007

All personal data needs to be secured. What part of “all” don't you understand?

Hopkins notifies 132,000 of data loss

Vital information on workers, patients was misdelivered

By Tricia Bishop Sun Reporter From the Baltimore Sun From Thursday's Sun February 7, 2007, 8:50 PM EST

Johns Hopkins began notifying thousands of university employees and hospital patients Wednesday that backup computer tapes containing personal information about them -- some of it sensitive -- have been missing for seven weeks.

Hopkins officials said they believe the data, which did not include patient medical information, wasn't compromised.

Still, two regulatory agencies that oversee hospitals are discussing whether to investigate Hopkins' security practices amid concerns of identity theft. [Another cost of bad security... Bob]

Eight university computer tapes, routinely sent to a contractor that makes microfiche archives of the data, held Social Security numbers, addresses and direct-deposit bank account information for 52,567 former and current employees.

A separate tape from the hospital had names, dates of birth, sex, race and medical record numbers for 83,000 new hospital patients seen between July 4 and Dec. 18, 2006, or those who updated their information during that period.

Hopkins officials said an "intensive investigation" by their staff as well as that of the contractor, Anacomp Inc., suggests that the tapes were likely misplaced by a courier, collected as trash and incinerated. [How can you prove that? Bob]

"Our best information is that the tapes have been destroyed. Nevertheless, we are concerned that there was ever even a possibility that the information on them was out of authorized hands," Hopkins University President William R. Brody said in a statement, apologizing for the incident.

"We will review our processes and procedures and make any appropriate changes in an effort to ensure that this does not happen again," he said.

The hospital's relationship with Anacomp, based in San Diego, is also under review, and data shipments have been suspended.

According to Anacomp's Web site, "thousands of businesses and organizations worldwide" as well as the "majority of the Fortune 500" use its services to manage their documents and information technology equipment.

The company declined to comment beyond a statement reiterating Hopkins' findings.

"At no time do we believe the information on the tapes was accessed and we are virtually certain that the tapes were destroyed," Anacomp's statement read.

... At Hopkins Wednesday, employees said they understand that mistakes happen, but they expressed concern over why it took so long for the situation to come to light.

... In a fact sheet distributed to employees, Hopkins officials addressed the question of why the loss wasn't reported sooner. The sheet noted the complexity of having both hospital and university data missing, as well as the time it took to identify affected parties and prepare contact data.

... Privacy laws in seven states [Is that all? Bob] with affected people -- New York, Hawaii, Louisiana, Maine, New Hampshire, New Jersey and North Carolina -- required that Hopkins inform them of the breach.

Also notified were several regulatory bodies.

The state Office of Health Care Quality within the Department of Health and Mental Hygiene, which regulates hospitals and protects consumers, said it was seeking more preliminary information about the records before deciding whether to begin investigating the incident.

The agency has the power to launch, unannounced, an investigation, which could include searching files at Hopkins and interviewing employees and patients. Its powers range from writing deficiency reports to revoking licenses. More recently, it acquired the power to fine institutions for serious and uncorrected problems. [Fairly impactive... Bob]

... Hopkins officials didn't realize anything was amiss until Jan. 18. [Adequate procedure? Bob] That's when they learned that the eight tapes of information about university employees from all divisions except the Applied Physics Laboratory were never returned. Those tapes were sent out for microfiche processing Dec. 21. On Jan. 26, internal investigators discovered that a ninth tape containing patient names and birth dates was also missing.

Investigators have concluded that the tapes were likely left behind [The shipper off-loaded them? Bob] at a shipping area stop along the courier's route. The site is "generally full of boxes, which are placed in a dumpster," Hopkins said, leading officials to believe the tapes have been discarded. [Not destroyed? Bob]

The tapes require special equipment [a tape drive Bob] to be read, though they weren't encrypted, [Should be routine! Bob] which troubles some privacy rights advocates.

"This breach would be a non-issue if the tape had been encrypted," said Beth Givens, director of the San Diego-based Privacy Rights Clearinghouse.

"It's the type of information and the type of data that is very sensitive. If this tape got into the wrong hands, they would have a treasure trove of sensitive personal information, enough to commit identity theft on many individuals and also sell the data on the black market," Givens said.

"This is Johns Hopkins, right? A leader in computer technology and education on that subject, so [there's] kind of an irony here."

Interesting twist. Once the data has been “exposed” is it okay to republish it?

Investment group caught in privacy breach

Confidential data mistakenly posted online is exposed

February 08, 2007 Tara Perkins business reporter

After accidentally posting a list of thousands of brokers and the number of complaints against them on the Web, the Investment Dealers Association of Canada is trying to regain control of the information and minimize any damage done.

Lawyers for the IDA have sent a letter to Robert Kyle, who discovered the list on the IDA's website and has since posted it to his own website. Kyle, the former director of the Consumers Council of Canada and the Small Investor Protection Association, has been openly critical of the IDA's ability to adequately regulate the industry. The IDA is a national self-regulatory organization of the securities industry.

"You must immediately remove from your website the information relating to IDA members and brokers," the letter states. "The IDA does not accept any responsibility as a result of your unauthorized and wrongful publication and disclosure of the information in any way and, further, will hold you responsible for any loss or damages incurred as a result of you doing so."

Last month, Kyle discovered that when he double-clicked [There's a technique not many people would know... Bob] on a graph on the IDA's website, up came raw data that was used to make the graph, including a spreadsheet with names of brokers and the number of customer complaints, civil claims, criminal claims, internal investigations, internal disciplinary actions and external disciplinary actions against them.

The data, which includes complaints from late 2002 to mid-2005, was on the IDA's website for more than a year before he came across it.

... The letter from the IDA's lawyers, Borden Ladner Gervais LLP, says "even though it became possible to access such information through charts posted on the IDA website, there ought not to be any such access and, if accessed, information ought not to have been copied. [and I should be good looking and paid more. Bob] The IDA has indicated that the information, as far as it is concerned, remains confidential."

... Jeff Kehoe, the IDA's director of enforcement litigation, said yesterday that the IDA's inadvertent disclosure of the information doesn't negate the fact that it's confidential. [Is that as dumb a statement as I think it is? Bob]

This is the risk you take when you try to “save money” by not spending enough on security.

Massachusetts Leads National TJX Data Probe

February 7, 2007 By Evan Schuman

The Massachusetts Attorney General is heading up a group of more than 30 states [Initial reports hinted at 40 million cards. Could this be an indication that that number is correct? Bob] trying to force answers to how the massive TJX Companies data breach happened.

... "We're going to be looking at appropriate business practices and whether they put consumers at risk." She added that "businesses need to run their businesses, and they need certain amounts of information."

... The Rhode Island probe will continue, and Rhode Island is not—at this time—participating in the multi-state effort led by Massachusetts, said Michael Healy, the public information officer for Rhode Island Attorney General Patrick C. Lynch.

... The TJX incident was announced in mid-January, and according to TJX statements, discovered in mid-December.

That month-long delay before public disclosure is a key issue in the Massachusetts probe. TJX has also said that the data problem began in mid-May and hadn't been discovered until mid-December, which is also something the Massachusetts group will likely examine.

... Coakley stressed that her multi-state probe will not be limited to credit- and debit-card transactions, but will look at a wide range of "paperless transactions of financial information," including TJX's retention of driver's license information required to handle in-store receipt-less product returns.

A Security Plan does not stop at the Backup/Recovery Plan. What part of “all” don't you understand?

Official: Data installed as part of drills

By Irwin M. Goldberg Poughkeepsie Journal Thursday, February 8, 2007

Since the Journal first learned of the laptop theft in August, it has had numerous phone conversations and e-mail exchanges with Vassar Brothers Medical Center, most of them through David Ping, the vice president of strategic planning and business development.

Why it was created

Documents obtained by the Journal indicate there was a disaster drill April 18, according to an e-mail from Nick Christiano, vice president and chief information officer. The email said personnel brought backups of the registration and billing systems to an off-site center and then those systems were able to run effectively.

The Journal was told Aug. 2 there was a mock drill held May 21 to see how the hospital functioned without access to its servers, then-hospital spokeswoman Jeanine Agnolet said.

That is why the patient data — including names, Social Security numbers and date of birth — were installed on machines throughout the hospital, officials said.

On Aug. 2, Florie Munroe, the hospital’s chief compliance officer, in response to further questions about why the data was on the laptop, said it was installed for disaster recovery training in May and a June 6 regional disaster training drill. [and never secured or removed? Bob]

... On Jan. 8, Ping, after being asked to clarify when the data was installed on machines and why, said the data was installed for participation in drills and for a planned outage of the system for an upgrade either on April 25 or June 25.

The data wasn’t removed from the machines until two days after the theft of the laptop was reported, documents show.

In Colorado, Identity Theft was far and away number one with 246,035 complaints.

February 07, 2007

FTC Issues Annual List of Top Consumer Complaints

Press release: "The Federal Trade Commission today issued its annual report, “Consumer Fraud and Identity Theft Complaint Data” on complaints consumers have filed with the agency. For the seventh year in a row, identity theft tops the list, accounting for 36 percent of the 674,354 complaints received between January 1 and December 31, 2006. Other categories near the top of the complaint list include shop-at-home/catalog sales; prizes, sweepstakes and lotteries; Internet services and computer complaints; and Internet auction fraud."

This is driving up costs...

ACB Data Breach Survey Highlights Need for Action by Card Networks and Congress

Wednesday, February 07 2007 @ 11:05 AM CST - Contributed by: PrivacyNews - Businesses & Privacy

A just-completed survey by America's Community Bankers reveals that data security continues to be a significant issue for community banks and their customers, and that card network and congressional action is necessary to address this far-reaching problem.

# Of the 181 respondents, more than 96 percent said they issued debit cards, while 19 percent said they issued credit cards.

# In the past 24 months, 70 percent of respondents said their bank had to reissue cards due to data breaches three times or more and 39% said their bank had to reissue cards more than five times.

# Eighty-nine percent of the debit card issuers and 53 percent of the credit card issuers indicated that their customers had been affected by a data breach.

# Of those affected by a data breach, 92 percent had reissued cards to customers.

While not specifically asked in the survey, cumulative data reflect that the average cost for reissuing each debit card is approximately $10-20 per card. Therefore, a bank reissuing 10,000 cards three times at an average cost of $15 per card would incur a cost of $450,000.

Some good points...

How to Respond to a Data Breach, Part 1

By Kelly Shermach CRM Buyer Part of the ECT News Network 02/08/07 4:00 AM PT

"A lot of people think security is expensive, but good security helps decrease the cost of maintenance," says Ira Winkler, vice president of marketing for the Information Systems Security Association and author of Spies Among Us: How to Stop the Spies, Terrorists, Hackers and Criminals You Don't Even Know You Encounter Every Day.

As the technology that businesses depend on has diversified, new tools have enabled the capture and storage of minutia from operations and transactions.

However, the wealthier companies become in data assets, the more attractive they become to attackers. This is why data security requires great attention and investment -- to prevent potential breaches.

TJX surely realizes this, given its recent challenges in responding to an unauthorized intrusion of its computer systems that exposed the credit and debit card details of customers in several countries, including the United States. After all, inoculation against a crippling disease such as data theft is less painful to the pocketbook -- as well as the brand -- than the post-crisis cure.

Additionally, overhead allocations for network utilities are eaten up exponentially faster by nefarious sources, which not only risk data integrity but eat up bandwidth and compromise efficiency.

Policies for Process

Data security policies should preempt any other provision in establishing strong security.

"Outsourcing to a hosting company is good in that the basic physical and technical security that a hosting company will have will easily exceed the majority of companies' [security]," Clive Longbottom, service director of business process analysis at the research firm Quocirca, tells CRM Buyer.

"However, for real levels of security, any outsourcing company will still need guidance and a strategy set by the owning company. ... You cannot depend on outsourcing companies to understand what your security needs are and therefore how to approach them with suitable solutions," he adds.

"We advise that companies take an intellectual-property asset view of security. ... Look at the actual files and data themselves, and ensure that these have security policies applied directly against them," Longbottom advises, so that "any item remains secure, even if copied, even when outside of the company, even when mobile."

Everyone needs some form of certificate that is checked on a constant basis, but this approach does give the highest levels of security within and across company boundaries.

Tactical Measures

After the policy-making, widely available solutions come into play -- including disk-level encryption software, firewalls, intrusion detection and other prevention tools. All PCs should have antivirus, anti-spyware and current software updates installed through automated commands as well as firewalls, according to Winkler.

Encryption follows industry standards such as the Payment Card Industry Data Security Standard. The credit card networks Visa, MasterCard, Discover and American Express cooperate in this initiative, which outlaws the storage of customer credit card data.

Lesson Learned

If TJX hadn't held onto shoppers' account numbers, expiration dates and back-of-card security codes, there wouldn't have been assets for hackers to mine [what benefit did this information offer the company? Bob] or automated attacks -- from bots -- to make vulnerable.

"Encrypting data can protect information but can also work towards preserving the corporate reputation by reducing the data breach notification obligations," Rob Scott, managing partner of Scott & Scott, tells CRM Buyer, adding that, of the 23 states that require intrusion disclosure, only five stipulate that breaches of encrypted data must be disclosed to affected parties.

In addition, just as companies must assess the value of the data they collect and keep, they also should evaluate the risk of critical data once exposed.

"There is little point in applying 3DES (triple data encryption standard) encryption on information and data that is already in the public domain," Longbottom explains.

Further, in cases where data vulnerability is low, the financial or brand-equity impact of a breach would be minimal. "In these cases, a company might make a conscious decision not to bother securing certain assets," he adds.

Staff Up

Once a grand plan is established, it needs to be staffed adequately. "Most people think of IT as a cost center," Winkler says. "They are penny smart, pound foolish."

Instead, he notes, organizations should determine the optimum IT administrator to employee ratio and attempt to meet it.

"Most people are not aware of the threats they face," Winkler claims. However, even small companies in niche industries may be infiltrated.

"The reality is: Anyone is a target. If you don't keep yourself well-maintained, you're a target," he adds.

Hackers who break into an easily penetrated system may do so only to use that network to attack others -- and to leave liability for their crimes with the zombie host.

No Status Quo

Meanwhile, internal and external stakeholders are putting pressure on today's corporations to secure their systems.

"Company-wide security policy development, enforcement and ongoing employee education and training can promote protection and risk mitigation at all levels of the corporation," Scott suggests.

Quocirca's Longbottom congratulates the few who are actually seeing through such policing.

"Whether they know it or not, a lot more companies are getting better at security, as firewalls have morphed to include better content filtering, deep packet inspection, DoS (denial of service) attack identification, IDS/IPS (intrusion detection systems/intrusion protection systems) and so on," he says.

"Also, the security of databases has been much in the news, and newer database versions have much improved data security," Longbottom concludes. "For many companies, updating to the latest version of the database and refreshing the firmware on their firewalls would help a lot. Combined with forcing desktop antivirus/spyware software to be updated on a regular basis takes this even further."

No matter how good the lens, it must be possible to see (have line of sight to) your target. As long as the technology does not provide super-human abilities (see through walls, see in the infrared, etc.), why is this an issue?

Cellphone Cameras That Zoom…What would Warren & Brandeis Think?

Posted on Tuesday, February 6th, 2007 at 2:03 pm

MIT’s Technology Review has a brief article about advances in zoom technology for cellphone cameras. This adds a new dimension to the privacy and surveillance threats cellphone cameras pose.

We experienced a major advancement in camera zoom technology around the turn of the century, which spurred Warren & Brandeis to write their seminal article “The Right to Privacy.” As the sophistication of mobile and networked cameras continues to rise, what will our answer be?

Clarification of the First Amendment?

Woman Wins Right to Criticize Surgeon on Website

Posted by samzenpus on Thursday February 08, @12:05AM from the tell-it-like-it-is dept. The Internet

Scoopy writes "The website of a cosmetic surgery patient critical of her Sacramento surgeon's work is protected free speech, an appeals court said in an opinion that could have statewide implications. The website contains before and after photographs of 33-year-old Georgette Gilbert, who said the surgery left her with one eyebrow higher than the other and a surprised look permanently affixed to her face. The website was challenged in a defamation suit filed by surgeon Jonathan Sykes, a prominent professor and television commentator on the subject of cosmetic surgery. Although the Sacramento-based 3rd District Court of Appeal only mentions Sykes, the opinion suggests that others who use 'hot topics' of public interest in their advertisements and promotions may shed protections against defamation afforded to ordinary citizens."

So, what will replace shrink wrap licenses?

Why Software Business Models of the Future Probably Won't Come in a Box

Published: February 07, 2007 in Knowledge@Wharton

Microsoft's Vista operating system should give the company a revenue stream that will run for years, but that doesn't mean the company can rest on its laurels. Experts at Wharton say the January 30 launch of the consumer versions of Microsoft's flagship software may be among the last of its kind -- a product sold for a flat fee in a shrink-wrapped box. Indeed, many wonder if the software business model that has made Microsoft so dominant for the last 20 years may begin to fade in the decade to come as new software business models -- from open source to advertising supported -- gain increasing traction.

... But new models of software pricing and distribution are becoming increasingly popular. "Open source" software relies on voluntary programmers to build applications that can be distributed freely. Ad supported software includes web-based applications that are free as well, but they generate revenue through advertisements. Also on the increase: "on-demand" software where customers rent software applications when they need them and pay only for what they use.

All of these models pose unique threats to Microsoft, although that is hardly news to CEO Steve Ballmer, who clearly sees the challenges ahead. At a Wharton Leadership Lecture this past December, Ballmer noted that the two biggest competitive threats to Microsoft are open source software and advertising supported applications. "Right now, the emblem of the first one is Linux and the emblem of the second one is Google. But it's not the companies, it's the phenomena" that present the greatest challenge to Microsoft, said Ballmer.

Wharton legal studies and business ethics professor Kevin Werbach says Microsoft is right to be concerned. "Ten years from now, Microsoft must be weaned from ... license revenue. But it's a long process, because they justifiably don't want to cannibalize a revenue stream that remains phenomenally lucrative."

Makes perfect sense to me.

Video on Demand From the Public Library

Posted by ScuttleMonkey on Wednesday February 07, @03:32PM from the doing-it-for-free dept. Television Technology

ye oulde library lover writes "In light of the recent story about Wal-Mart and movies on demand, readers should know there is a free service available from some public libraries that lets you download movies and tv shows. The service is just beginning, so selection is pretty mediocre, but the sponsors, Recorded Books and PermissionTV, make some big promises. If your library ponies up the dough for the top service, you will be able to download movies on the same day as their dvd release. All you need is a library card. You can see one of the early adopters — Half Hollow Hills Community Library in the library's blog. Look for MyLibraryDV."

Free is good!

Serence KlipFolio 4.0 Beta B

Posted by Reverend on 07 Feb 2007 - 20:23 GMT

Techzonez Serence KlipFolio is a free information awareness and notification application for Windows. It's quick to install and easy to use. KlipFolio lets you configure and monitor a wide variety of real-time information services on your desktop--like weather, stocks, breaking news, RSS feeds and auctions. These information services are called Klips. [as in Clippings? Bob]

Wednesday, February 07, 2007

Too trivial to mention?

Stolen laptop had personal info of 549 people

People warned to watch credit reports, bank accounts

Vital personal information on more than 500 people has been stolen in Glens Falls.

As a result the New York Department of Labor is warning victims to closely watch their credit reports.

The information was stolen from a Labor Department unemployment auditor. It was taken during a break-in to the auditor's home and car in Glens Falls on Jan. 21.

On Feb. 1 the New York Department of Labor mailed letters to the 549 people whose identities have been compromised.

“Unfortunately, yes, it seemed to be a circumstance where their information was part of an audit,” explained Labor Department spokesman Rob Lillpopp.

The Labor Department spokesman says the tax auditor was authorized to carry the information around with him. [At least they knew the risk. Bob] It's needed to make sure businesses are complying with the unemployment laws.

Lillpopp says this is the first time information of this type has been stolen from Labor Department employees. As a result, they're reconsidering whether carrying around the information is necessary and appropriate. [Strong indication they did not do an adequate job in the first place? I would suggest this is not the best method they could come up with, but what were they considering? What about encrypting the data? Bob]

... The Labor Department sent the letters 10 days after the theft occurred. It did not release the information to the media at that time. Instead, NewsChannel 13 learned of the problem when one of the victims contacted us. Then the Department of Labor confirmed it.

A spokesman says they have specific guidelines on the number of victims before they reach out to the media. [“What can we get away with?” Bob] Apparently the compromise of 549 personal identities is not considered large enough.

This should have been big news.

Hackers attack key Net traffic computers

By TED BRIDIS, Associated Press Writer Tue Feb 6, 6:43 PM ET

Hackers briefly overwhelmed at least three of the 13 computers that help manage global computer traffic Tuesday in one of the most significant attacks against the Internet since 2002.

Experts said the unusually powerful attacks lasted as long as 12 hours but passed largely unnoticed by most computer users, a testament to the resiliency of the Internet. Behind the scenes, computer scientists worldwide raced to cope with enormous volumes of data that threatened to saturate some of the Internet's most vital pipelines.

The motive for the attacks was unclear, said Duane Wessels, a researcher at the Cooperative Association for Internet Data Analysis at the San Diego Supercomputing Center. "Maybe to show off or just be disruptive; it doesn't seem to be extortion or anything like that," Wessels said.

Other experts said the hackers appeared to disguise their origin, but vast amounts of rogue data in the attacks were traced to South Korea. [Because they are the “most wired” nation? Or are the guys in the North testing weapons again? Bob]

... "There was what appears to be some form of attack during the night hours here in California and into the morning," said John Crain, chief technical officer for the Internet Corporation for Assigned Names and Numbers. He said the attack was continuing and so was the hunt for its origin. [What happens if we can “prove” that a particular country was responsible? Bob]

Just a thought: Is this a prelude to war? What would the economic impact be if the Internet was unavailable for a day or a week?

Traffic Graph of the Core Internet DNS Services Being Attacked This Morning

... Here is the graph of the traffic levels on the DNS servers.

More closely related to the previous articles than I'd like.

Information Super Traffic Jam

Phil Kerpen 01.31.07, 6:00 AM ET WASHINGTON, D.C. -

A new assessment from Deloitte & Touche predicts that global traffic will exceed the Internet's capacity as soon as this year. Why? The rapid growth in the number of global Internet users, combined with the rise of online video services and the lack of investment in new infrastructure. If Deloitte's predictions are accurate, the traffic on many Internet backbones could slow to a crawl this year absent substantial new infrastructure investments and deployment.

[I think this points to the reports. Bob]

Well golly gee willikers, how else would they do it? Every day those cards are in use could cost them money! (or Watch the video)

Customer: TJ Maxx Cancels Credit Card Without Warning

Hacker Caused Security Breach Last December

POSTED: 7:01 pm CST February 5, 2007 UPDATED: 7:20 pm CST February 5, 2007

CHICAGO -- Customers of a popular discount retailer are starting to feel the effects of a massive hacker attack.

... Deerfield resident Penny Robinson had no idea there was a problem with her credit card until hearing that dreaded word while shopping last week: declined.

"I said, 'Put it through again,'" Robinson remembered. "I figured I've often done that and it was just a system error, and they said 'Oh no, it's declined.'"

Embarrassed and confused, Robinson called her credit card issuer.

"They said to me, 'We canceled all the accounts that had shopped at T.J. Maxx over the holidays.'" [Overreaction? Bob]

"(I said), 'You offer me all sorts of things I don't want for extra money, but you can't call me to say that you're canceling my card?'" Robinson said. "They said, 'No, just didn't have time. We couldn't possibly call (all) our customers.'" [Perhaps something like the “Reverse 911” system? Bob]

A tool TJX could have used?

Privacy Impact Assessments

What are Privacy Impact Assessments (PIAs)?

Privacy Impact Assessments (PIAs) are used to identify the potential privacy risks of new or redesigned federal government programs or services. They also help eliminate or reduce those risks.

Looks like we have to go through this argument again. Must be an election in the near future.

Senator to propose surveillance of illegal images

By Declan McCullagh Story last modified Wed Feb 07 05:26:03 PST 2007

A forthcoming bill in the U.S. Senate lays the groundwork for a national database of illegal images that Internet service providers would use to automatically flag and report suspicious content to police.

The proposal, which Sen. John McCain is planning to introduce on Wednesday, also would require ISPs and perhaps some Web sites to alert the government of any illegal images of real or "cartoon" minors. [and those homosexual TeleTubbys? Bob] Failure to do so would be punished by criminal penalties including fines of up to $300,000.

The Arizona Republican claims that his proposal, a draft of which was obtained by CNET, will aid in investigations of child pornographers. It will "enhance the current system for Internet service providers to report online child pornography on their systems, making the failure to report child pornography a federal crime," a statement from his office said.

... The Securing Adolescents from Exploitation-Online Act (PDF) states ISPs that obtain "actual knowledge" of illegal images must make an exhaustive report including the date, time, offending content, any personal information about the user, and his Internet Protocol address. That report is sent to local or federal police by way of the National Center for Missing and Exploited Children.

... Details on how the system would work are missing from McCain's legislation and are left to the center and ISPs. But one method would include ISPs automatically scanning e-mail and instant messaging attachments and flagging any matches. [Matches. Does that mean they have a “sample” of every possible offensive image? Bob]

... Another section of the draft bill says that anyone convicted of certain child exploitation-related offenses who also used the "Internet to commit the violation" will get an extra 10 years in prison.

Wow! Vista must be really, really secure. It took almost a week to copy it!

Pirated Vista dirt cheap on Latin American streets

Tue Feb 6, 2007 3:22 PM ET By Armando Tovar

MEXICO CITY (Reuters) - Days after a beaming Bill Gates unveiled his much-vaunted Windows Vista software at a retail price of $400 for the premium version, Latin American street vendors are hawking pirate copies for under $10.

Shouldn't every organization think it through like this?

February 06, 2007

New York State CIO Issues IT Trust Model Best Practice Guidelines

New York State Office of the CIO: "Identity and Access Management (IAM) provides an effective way to protect computer-based services and data for all state and local agencies from unauthorized access. Organizational business requirements often result in the need to grant external users access to services and data or to achieve multi-organizational system interoperability. Demand has become more prevalent due to legislative mandates and increasing connectivity offered by public and private networks. Issuing the NYS Trust Model as a best practice guideline (G07-001) is the first step in establishing a long term Identity and Access Management (IAM) strategy for the state enterprise. The NYS Trust Model establishes basic standards and processes that govern how identity credentials are issued, protected and managed."

Apparently, Steve thinks he has an alternative.

Steve Jobs Says Record Labels Should Ditch Their DRM

from the preach-it-brother dept

Steve Jobs has been something of a key player in the ongoing debate about the restrictions and copy-protection placed on digital music files sold through download stores. His opinion on the matter seems to have flip-flopped, and it's hard to argue that the labels' insistence on DRM hasn't helped the iPod in some way. However, in a statement posted on Apple's web site, he's now calling for the big four record labels to drop their insistence on DRM. While he does make some questionable points (denying that any lock-in to the iPod exists, and saying that licensing Apple's FairPlay DRM wouldn't be manageable), his underlying point that DRM simply doesn't work, and does more harm than good certainly is a valid one. He points out that while the labels make such a fuss over restricting digital music, the other 90 percent of songs they sell aren't protected at all (try as they might), so to think that DRM will ever stop piracy is foolish. Jobs also points out that the added cost and complexity DRM brings to the music world holds back the number of companies that can create "innovative new stores and players", and dropping it could lead to an influx of investment and interest in digital music and result in the creation of exciting new devices and services for users -- which, he says, can only be a good thing for the music industry. We've called on people like Jobs and Bill Gates to use their influence to try and make Hollywood and content owners understand how they've got so much more to gain by dropping their insistence on copy protection than they stand to lose from piracy. While this note from Jobs isn't likely to create any instant change, it's a nice first step.

It seems the tide has turned.

Court Awards Wrongly Sued Woman Legal Fees From The RIAA; Calls Lawsuits Frivolous And Unreasonable

from the indeed dept

Slowly, but surely, the courts are figuring out that there are some problems with the RIAA's legal strategy of suing thousands upon thousands of people based solely on an IP address where they think infringing material is available. There have been a number of cases lately where the judge has tossed out the case on the flimsy evidence -- but all too often the judges then turn down requests by those who were wrongfully sued to have the RIAA reimburse them for attorney's fees. However, in the latest case, it appears that the judge has taken that next step and told the RIAA it needs to pay up for attorney's fees as well, noting that these lawsuits based only on an IP address are "frivolous and unreasonable." The judge also noted that it was completely unfair to put liability on "an Internet-illiterate parent, who does not know Kazaa from a kazoo." The judge found that the "settlement offers" the RIAA puts forth offer no real way to contest the charges without going to court, and found that such a system does "not advance the aims of the Copyright Act." Indeed.