Saturday, February 17, 2007

Overreaction or political a** covering?

http://www.airforcetimes.com/news/2007/02/TNSvaresearch070216/

After data loss, VA research centers closed

By Rick Maze - rmaze@militarytimes.com Posted: Friday Feb 16, 2007 15:00:16 EST

The secretary of the Veterans Affairs Department has ordered seven research centers to cease activity until it is clear that all electronically stored personal data is protected by encryption.

The order, which applies to VA Research Enhancement Awards Program (REAP) sites, comes after the loss of a hard drive in Birmingham, Ala., that contained personal information on more than 500,000 veterans and 1.3 million non-VA physicians. Although the VA had issued instructions last year that personal data was supposed to be encrypted, investigators found that the external hard drive lost in Alabama was not secured.

... VA Secretary R. James Nicholson said he did not know why the data was not encrypted but has ordered the other research centers to cease all research activity until each site is inspected by the VA’s office of information technology.



The Internet as a tool for political control.

http://www.ifex.org/en/content/view/full/81156/

Decree obliges Internet cafe owners to report customers visiting illegal websites to police, record navigations

French: Cybercafés turned into police auxiliaries

Country/Topic: Belarus Date: 16 February 2007 Source: Reporters Without Borders (RSF)

Person(s): Target(s): web dissident(s) Type(s) of violation(s): legal action

Urgency: Threat

(RSF/IFEX) - RSF has condemned a decree adopted by the council of ministers which forces owners of cybercafés and Internet clubs to report Internet users looking at illegal websites to the police.

The new law, approved on 10 February 2007, also obliges proprietors to record the last year of Internet navigation on their computers.

"On the pretext of wanting to monitor pornographic or violent websites, the Belarus authorities are really seeking to censor opposition websites and independent media," the worldwide press freedom organisation said.

"The decree will force cybercafé proprietors to turn themselves into police officers. Internet users will be pushed into self-censorship and none of them will dare to go on to websites which displease the authorities."



Ooo, it's not fair!

http://www.eweek.com/article2/0,1759,2096252,00.asp?kc=EWRSS03119TX1K0000594

YouTube Anti-Piracy Software Policy Draws Fire

February 16, 2007 By Kenneth Li, Reuters

NEW YORK (Reuters)—The media industry is clashing with YouTube over its proposal to offer anti-piracy tools only to companies that have distribution deals [Everyone else can buy their own! Bob] with the top online video-sharing service, media insiders said.

YouTube, owned by Google, plans to introduce technology to help media companies identify pirated videos uploaded by users. But the tools are currently being offered as part of broader negotiations on licensing deals, they said. [So is cash. Will they want that next? Bob]

The move contrasts with YouTube's biggest rival, News Corp.'s, popular Internet social network, MySpace, which said on Feb. 12 it would offer its own version of copyright protection services for free.

... Viacom has become the poster child of dissent against YouTube, trying to prevent the site from turning into the Apple Inc. of online video.

... Some legal experts said YouTube has no obligation to invest heavily in leading-edge technology only to give it away. [Only some? Bob]

... (For more coverage of the story, visit Reuters MediaFile blog http://blogs.reuters.com/category/themes/mediafile/ )



Registration required.

http://www.computerworld.com/action/whitepapers.do?command=viewWhitePaperDetail&contentId=9011216&intsrc=wp_li_latest

Next Generation Data Auditing for Data Breach Detection and Risk Mitigation

February 16, 2007

Get this white paper now! http://reg.itworld.com/servlet/Frs.frs?Context=LOGENTRY&Source=cwlp&Source_BC=11&Script=/LP/4150/reg

Abstract:

(Source: Tizor) This white paper reviews cases of mass data theft from the data source and provides a best practices approach for protecting your organization's sensitive data and valuable brand equity from a major data breach. Find out how to effectively secure valuable company data and download this whitepaper.



Since I have the artistic ability of a turnip, this looks interesting...

http://www.researchbuzz.org/wp/2007/02/17/get-color-schemes-from-pictures/

February 17, 2007

Get Color Schemes from Pictures

Filed under: Multimedia-Images

Fun color tools! Ever seen a picture from which you wanted to extract the colors? There’s a nifty tool for doing so at http://www.pic2color.com/ .

It's very simple. Go to the site and enter the URL of an image. (You can also click on the Flickr logo and get a random picture from Flickr.) To test the site I went to Dooce.com and got a picture of her dog, Chuck, with a Dora the Explorer balanced on his head. (At http://www.dooce.com/photos/dailyphoto/02_16_2007.jpg if you want.)

After a few moments (it’s a bit of a slow loader) I got a page with a smaller version of the picture and a color palette underneath. Click on a color for the color’s hex value. Clicking on the Finetune button gives you a popup with palette suggestions and tools for adjusting the color.

Friday, February 16, 2007

Whenever there is a bunch of (probable) identity theft stories I can't help thinking: 1) People will start ignoring them as “crying wolf” and 2) How much money the Credit Notification companies are going to make...



Wow! What a workload! One Kaiser doctor treats 22,000 patients?

http://cbs5.com/consumer/local_story_045212622.html

Feb 14, 2007 8:50 pm US/Pacific

Laptop Stolen With 22,000 Kaiser Patients' Data

Sherry Hu Reporting

(CBS 5) OAKLAND In yet another instance of laptop theft potentially endangering personal data, Kaiser Permanente is in the process of notifying as many as 22,000 patients of a possible breach of their private medical information.

The personal information was located on a doctor's laptop computer stolen from the Medical Center in Oakland at the end of last November.

There were no details provided about where or how the laptop was taken, but a Kaiser spokesman said it was likely a random and isolated crime of opportunity.

Kaiser said the majority of patients had only limited information listed on the laptop, but 500 of them included social security numbers.

Kaiser officials said they are implementing a new systemwide policy that prohibits storage of member data on the hard drive of any desktop, laptop or mobile device. A spokesman also said information on all electronic devices will now be encrypted. [“Now that we see what happens when we have no security, perhaps we will think about considering a study to develop recommendations for future consideration...” Bob]


Does Kaiser think this security failure won't come back to bite them in other areas?

http://www.contracostatimes.com/mld/cctimes/living/science/16703921.htm

Kaiser asks patients to donate DNA

Scientists will pair survey on environmental factors with genetic material in quest to find root of diseases

By Rebecca Vesely MEDIANEWS STAFF



Mailrooms are where you start your entry-level people. Are you relying on them to catch things like this?

http://www.twincities.com/mld/twincities/business/16647381.htm

Posted on Thu, Feb. 08, 2007

Piper Jaffray apologizes to employees for W-2 goof

Oops.

The W-2s Piper Jaffray sent to current and former employees in January included employees' Social Security numbers on the outside of the envelope.

The numbers were not identified as Social Security numbers, but followed the standard XXX-XX-XXXX format. The incident affected more than the 1,000 employees the company employs today, since about 2,600 people worked for Piper before the sale of its brokerage unit last year.

... Executives indicated the mishap was an error by a third-party vendor, the name of which was not disclosed. The mailing didn't involve any customer data.



Very quick notification!

http://www.radioiowa.com/gestalt/go.cfm?objectid=C62EC2FD-D6CA-6148-ECA10EFC215AB72D

Department of Education records hacked

Thursday, February 15, 2007, 10:13 AM By Darwin Danielson

The Department of Education is warning Iowans that someone gained access to personal information in records that were in what was supposed to be a protected area on the department's website. [Consider this a “Security Oxymoron” -- records that are not supposed to be public should not be located on servers with public information. Bob] Department spokesperson, Elaine Watkins-Miller, says the records contained names, addresses, dates of birth and social security numbers of individuals who obtained a G.E.D. from Iowa between 1965 and 2002.

Watkins-Miller says they want people to be aware of this and have information on their website at: www.iowa.gov/educate so they can take action and check their credit report.

... Watkins-Miller says they believe someone hacked into the records on Sunday. Watkins-Miller says they can't say how the records were accessed and that's being investigated by the DCI and the FBI. There were some 160-thousand records in the file, but she says it's believed only about 600 may have been viewed.



Very, Very quick notification!

http://www.ccsf.edu/News/Security/index.htm

February 8, 2007

Dear Current and Former CCSF Students,

On Tuesday, February 6, 2007 City College of San Francisco’s (CCSF) Information Technology Department learned that a computer file created in May 2000, containing the names, addresses and social security numbers of approximately eleven thousand students was potentially viewable via the Internet. The file did not include any driver’s license numbers, credit card or banking information. The College took immediate steps to remove the file and ensure that it could no longer be viewed.
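The W-2 envelope mishap above and the GED and CCSF files left in web-served directories are the same failure seen twice: nine digits in the XXX-XX-XXXX layout went out the door because nobody ran a pattern check on the data before it was mailed or published. The following is an added example, not code from any of the quoted articles or the organizations they describe: a small Python scanner that flags SSN-formatted values in a batch of documents, drops values the SSA never issues (area 000, 666 or 900 and above, group 00, serial 0000) to cut false positives, and masks what it reports so its own output is not a second copy of the data. Every file name, address block and number in it is constructed for the demonstration.

```python
"""Flag Social Security numbers that leak in outbound mail or web-exposed files.

Added example (not from any of the quoted articles). The regex targets the
XXX-XX-XXXX layout the W-2 story describes; the plausibility filter drops
values the SSA never issues (area 000, 666, 900-999; group 00; serial 0000).
All sample documents below are constructed for this demonstration.
"""
import re

# Three capture groups so each part can be validated; the lookarounds stop the
# pattern from matching inside a longer run of digits or hyphens (part numbers).
SSN_RE = re.compile(r"(?<![\d-])(\d{3})-(\d{2})-(\d{4})(?![\d-])")


def plausible_ssn(area: str, group: str, serial: str) -> bool:
    """Return True unless the value falls in a range the SSA never assigns."""
    a, g, s = int(area), int(group), int(serial)
    if a == 0 or a == 666 or a >= 900:
        return False
    return g != 0 and s != 0


def find_ssns(text: str) -> list[tuple[int, str]]:
    """Return (line_number, masked_value) for each plausible SSN-format token.

    Only the last four digits are kept, so the scanner's report does not
    itself become another copy of the data it is meant to contain.
    """
    hits = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for m in SSN_RE.finditer(line):
            if plausible_ssn(*m.groups()):
                hits.append((line_no, f"***-**-{m.group(3)}"))
    return hits


def scan_documents(docs: dict[str, str]) -> dict[str, list[tuple[int, str]]]:
    """Scan a batch (file name -> content) and keep only documents with hits."""
    results = {}
    for name, text in docs.items():
        hits = find_ssns(text)
        if hits:
            results[name] = hits
    return results


# --- Constructed sample inputs --------------------------------------------
# An envelope address block with an unlabelled nine-digit number printed on
# it, the situation described in the W-2 mailing story.
ENVELOPE = """ACME Payroll Services (constructed)
Jane Q. Sample
123 Any Street
Anytown MN 55401
123-45-6789
"""

# A legacy export left in a web-served directory, as in the GED and CCSF
# stories. The second record uses an area number the SSA never issues.
GED_EXPORT = """name,address,dob,id
Sample Person,1 Main St,1970-01-01,234-56-7890
Other Person,2 Main St,1971-02-02,000-56-7890
Third Person,3 Main St,1972-03-03,345-67-8901
"""

# A clean document: phone numbers and order codes share digits but not the layout.
CLEAN = """Call 555-123-4567 for support. Order 12-345-6789 shipped.
Part number 1234-56-7890 is a false-positive trap, not an SSN.
"""

SAMPLE_DOCS = {"envelope.txt": ENVELOPE, "ged_export.csv": GED_EXPORT, "notes.txt": CLEAN}


if __name__ == "__main__":
    for name, hits in scan_documents(SAMPLE_DOCS).items():
        for line_no, masked in hits:
            print(f"{name}:{line_no}: possible SSN {masked}")
```

Run against the constructed batch, the scanner reports two documents (the envelope and the export) and stays silent on the notes file; the record with area number 000 is skipped. In practice the same function would sit in the mail-merge pipeline before labels are printed, or in a nightly walk of the web root, which is the point the two stories make between them.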



I'd expect a statement like: “This only works if you speak Korean.”

http://news.mk.co.kr/newsReadEnglish.php?sc=30800005&cm=General&year=2007&no=83542&selFlag=sc&relatedcode=&wonNo=&sID=308

Citibank Customer Data Hacked, Purchases Made

Personal data on the Citibank e-payment system, used for e-commerce, has been hacked, allowing illegal transactions on bank users' credit cards.

According to the banking industry, 20 credit cards issued by Citibank of Korea have been illegally settled from Feb. 1 to 6, worth 50 million won.

Citibank Korea has requested an investigation from the National Policy Agency's Cyber Terror Center after finding the company's e-payment system was hacked to garner data on the customers' credit card information and passwords in order to make charges.

Hackers targeted under-300,000 won financial transactions of companies with weak e-payment security.

That method was used, as below-300,000 won financial transactions can be made by inserting basic personal information, such as credit card numbers and passwords without official certificates.

"Unlike other banks, Citibank has omitted the process of inserting the Card Validation Code (CVC) when executing e-payments, allowing the culprits to take illegal actions," said an official from the Financial Supervisory Service (FSS).

[Figure 940 Won to the dollar, so 50 million Won is a mere $53,000 Bob]



The Brits call it like they see it! Can't wait 'till this catches on here...

http://www.theargus.co.uk/news/localnews/display.var.1197042.0.bank_in_security_breach.php

Bank in security breach

By Rachel Fitch 4:48pm Thursday 15th February 2007

A bungling bank sent a customer the details of almost 30 other account holders in a shocking breach of security that will fuel fears of identity fraud.

Matt Carr, 25, wrote to HSBC to demand a refund of £500 in overdraft charges after watching BBC2 documentary Bank Robbery.

But he was stunned to receive 29 responses to similar requests from across the country including the account holder's name, address, account number and sort code.

One letter contained the account holder's bank statements which they had provided in backing up their claim for a refund of their overdraft charges.

... "If I was so inclined, which thankfully I'm not, I could easily make an absolute fortune using their bank details or selling them on the black market.

"How do I know one of these people have not got my details and are using them for ulterior things. There's 29 separate accounts, it's a massive error."

... All the letters are signed by Senior Service Quality Officer.

... HSBC said in a statement: "We send millions of items of correspondence to customers each year and we have stringent procedures in place to guard against administrative errors such as this.



I don't think I get this one...

http://www.nytimes.com/2007/02/16/nyregion/16police.html?_r=2&ref=nyregion&oref=slogin&oref=slogin

February 16, 2007

Judge Limits New York Police Taping

By JIM DWYER

In a rebuke of a surveillance practice greatly expanded by the New York Police Department after the Sept. 11 attacks, a federal judge ruled yesterday that the police must stop the routine videotaping of people at public gatherings unless there is an indication that unlawful activity may occur.

Four years ago, at the request of the city, the same judge, Charles S. Haight Jr., gave the police greater authority to investigate political, social and religious groups.

In yesterday’s ruling, Judge Haight, of United States District Court in Manhattan, found that by videotaping people who were exercising their right to free speech and breaking no laws, the Police Department had ignored the milder limits he had imposed on it in 2003.

... While he called the police conduct “egregious,” Judge Haight also offered an unusual judicial mea culpa, taking responsibility for his own words in a 2003 order that he conceded had not been “a model of clarity.”

[Would it be unreasonable for the Police to tape their handling of large crowds in order to analyze and improve their methods? And I assume if something “potentially illegal” did occur, they could swing the cameras around. Bob]



One of my students found this. Looks like there might be a viable market for “independent hackers” to test “suspect” organizations. Should we gang up on TJX?

http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9011283&intsrc=hm_list

Security analyst wins $4.3M in suit against Sandia Labs

Jaikumar Vijayan

February 14, 2007 (Computerworld) Shawn Carpenter, a network security analyst at Sandia National Laboratories who was fired in January 2005 for his independent probe of a network security breach at the agency, has been awarded $4.3 million by a New Mexico jury for wrongful termination.

In announcing its decision yesterday, the jury also awarded Carpenter $350,000 for emotional distress and more than $36,000 for lost wages, benefits and other costs.

A spokesman from Sandia expressed "disappointment" with the verdict and said the lab will consider whether to appeal it or not.

The highly publicized case involved Carpenter's investigation of a network break-in at Sandia in 2003.

After initially telling superiors about the incident, Carpenter launched an independent, months-long investigation during which he used hacking techniques of his own to eventually trace the attacks back to a Chinese cyberespionage group. The group called Titan Rain by federal authorities was believed responsible for carrying out similar attacks against a large number of U.S. government, military and commercial interests.

Carpenter shared information from his investigation, initially with individuals at the Army Counterintelligence Group and later with the FBI.

When Sandia officials learned of the investigation and of his sharing information with the FBI and other outside agencies, they terminated him for inappropriate use of confidential information that he had gathered in his role as a network security manager for the laboratory.

Yesterday's verdict is a "vindication of his decision to do the right thing and turn over the information he obtained to the proper federal authorities in the interests of national security," said Philip Davis, one of the attorneys who represented Carpenter in his lawsuit.

The verdict highlights "the jury's belief that Shawn Carpenter is a patriot and did what he did to protect the national interest," Davis said. "That was more important than Sandia's own interest in taking care of itself."

The size of the punitive damages at $4.3 million is more than twice what was sought and sends an "unambiguous message that national security comes first," he said. [or that it is always worth hiring the best lawyer you can find... Bob]

Ira Winkler, an independent security consultant and author of Spies Among Us who has also written for Computerworld, said the verdict was "incredibly justified. Frankly, I think people [at Sandia] should go to jail" for ignoring some of the security issues that Carpenter was trying to highlight with his investigation. [Ditto! Bob]

After Carpenter's termination, the investigations into the Titan Rain group appear to have gone nowhere, said Winkler, a former National Security Agency analyst. He added that while the Carpenter award is welcome, it would ultimately be paid with taxpayer money.

"This whole thing is costing them nothing," [Making it risk free to management. Bob] Winkler said. "Whatever legal fees they are running up is just being passed back to the U.S. government," he said.



Yep, that ought to fix it. That, and jailing the HP Board...

http://www.bespacific.com/mt/archives/013959.html

February 15, 2007

FTC Asks Court to Order Permanent Halt to Telephone Record Pretexting

Press release: "The Federal Trade Commission has asked a U.S. district court to order a permanent halt to operations that deceptively obtained and sold consumers’ confidential phone records without their knowledge or consent. The agency alleges the practice is not only unfair and deceptive in violation of federal law, but could endanger consumers’ safety. The agency also will ask the court to order the defendants to give up their ill-gotten gains."



Copy-wrongers? Clever girl! She proves her point with a demonstration that costs her nothing!

http://techdirt.com/articles/20070214/154327.shtml

DMCA Takedown For Professor Showing How Copyright Owners Exaggerate Their Rights

from the ah,-irony dept

We've covered way too many bogus DMCA takedown notices, but sometimes new ones stand out for being extra special. Wendy Seltzer, a law professor who used to work for the EFF and who founded the awesome Chilling Effects clearinghouse for providing an archive of various takedown notices, has apparently received her very own first DMCA takedown notice (found via Boing Boing). Seltzer posted a snippet from the Superbowl for her students to see. Not just any snippet, mind you, but the snippet where it's announced: "This telecast is copyrighted by the NFL for the private use of our audience. Any other use of this telecast or of any pictures, descriptions, or accounts of the game without the NFL's consent, is prohibited." She posted it as an example of a copyright holder exaggerating its rights -- as the NFL cannot ban all of the things they ban in that statement. Yes, this is getting more and more ironic. Take a moment to think this through for the layer upon layer of absurdity. A law professor puts up a short clip for educational purposes (fair use allows both short clips and educational uses of content) for the sake of showing how the NFL exaggerates its copyright control -- and the NFL responds by then sending a DMCA takedown notice to better highlight how they not only exaggerate their claims, but then misuse the law to shut down fair use as well. Somehow, though, I doubt the NFL planned to help Seltzer demonstrate how the law is abused by trying to take down her example of how they were abusing the law (got that?). Either way, it seems that the NFL is helping prove Seltzer's point.



I can already hear the lobbyists pushing for a new law...

http://www.wired.com/news/technology/0,72742-0.html?tw=rss.index

$82 For E-Voting Secrets

By Kim Zetter 02:00 AM Feb, 16, 2007

For a mere $82, a computer scientist and electronic voting critic managed to purchase five $5,000 Sequoia electronic voting machines over the internet last month from a government auction site. And now he's taking them apart.

Princeton computer science professor Andrew Appel and his students have begun reverse-engineering the software embedded in the machines' ROM chips to determine if it has any security holes. But Appel says the ease with which he and his students opened the machines and removed the chips already demonstrates that the voting machines are vulnerable to unauthorized modification.

Their analysis appears to mark the first time that someone who hasn't signed a non-disclosure agreement with Sequoia Voting Systems has examined one of its machine's internals.

Appel bought the machines from election officials in Buncombe County, North Carolina, who offered them for sale at GovDeals.com, a site for government agencies to buy and sell surplus and confiscated equipment. The county sold 144 machines in lots of varying amounts. It paid $5,200 for each machine in 1997. To buy the machines, Appel had to pay $82 and only needed to provide a name, address, phone number and e-mail address.

Sequoia and other voting machine companies have long resisted calls from voting activists to make their proprietary software transparent to the public, because they say it would allow hackers to study the software and devise ways to plant malicious code in it. But Appel says his purchase of the machines shows how easy it is for hackers to obtain and study the software anyway.

... Appel says he opened the machines with a key that came with them, and was able to easily access the machines' motherboards and memory chips to swap them out. But even without the key, a student of his was able to pick the lock in seven seconds. He says that even seals wouldn't thwart a hacker because they're easily counterfeited, and many counties fail to use and track them properly -- as evidenced by recent reports out of Cuyahoga County, Ohio.



Are you paranoid enough?

http://lauren.vortex.com/archive/000213.html

February 15, 2007

New Short Video: "Is Your Cell Phone Bugged?"

Greetings. I've been getting lots of continuing interest and queries in the wake of my blog item from late last year:

How To Tell If Your Cell Phone Is Bugged

In an effort to explain this issue in a more demonstrative and somewhat less technical manner, I'm pleased to announce a short free video (under six minutes):

"Is Your Cell Phone Bugged?"

While I'll admit that the production values are much closer to those of Ed Wood than of Cecil B. DeMille, I hope you'll still find this video to be interesting, or at least amusing.

"Is Your Cell Phone Bugged?" Video Access Pages:

Streaming Via YouTube

Streaming or Download Via Google Video


Paranoid yet?

http://www.bespacific.com/mt/archives/013958.html

February 15, 2007

PBS NOW Reports on Alleged Domestic E-Mail Surveillance Program

Via PBS: Airing on Friday, February 16, 2007 (check for time in your area), "NOW reports on new evidence suggesting the existence of a secret government program that intercepts millions of private e-mails each day in the name of terrorist surveillance. News about the alleged program came to light when a former AT&T employee, Mark Klein, blew the whistle on what he believes to be a large-scale installation of secret Internet monitoring equipment deep inside AT&T's San Francisco office. The equipment, he contends, was created at the request of the U.S. government to spy on e-mail traffic across the entire Internet. Though the government and AT&T refuse to address the issue directly, Klein backs up his charges with internal company documents and personal photos."


Paranoider? No good deed goes unpunished?

http://www.theregister.co.uk/2007/02/15/smoke_ban_hack_risk/

Workplace smoke ban a 'gift' for hackers

When is a backdoor really a backdoor?

By John Leyden Published Thursday 15th February 2007 16:46 GMT

Workplace smoking bans may be good for workers' health, but could open the back door to hackers.

In a recent social engineering test undertaken by UK-based security consultancy NTA Monitor, a tester was able to easily gain access to a corporate building through a back door that was left open for smokers. Once inside, the penetration tester was able to easily bluff his way into a meeting room, claiming the IT department had sent him. Even without a pass, he gained access unchallenged and was then able to connect his laptop to the firm's VoIP network via a telephone connection point.

NTA Monitor technical director Roy Hills comments: "It used to be that companies 'left the back door open' in terms of internet security. Now they are literally leaving their buildings open to accommodate smokers.


Even more Paranoid?

http://news.com.com/2100-7349_3-6159938.html

Hack lets intruders sneak into home routers

By Joris Evers Story last modified Fri Feb 16 06:09:07 PST 2007

If you haven't changed the default password on your home router, let this recent threat serve as a reminder.

Attackers could change the configuration of home routers using JavaScript code, security researchers at Indiana University and Symantec have discovered. The researchers first published their work in December, but Symantec publicized the findings on Thursday.

The researchers found that it is possible to change the DNS, or Domain Name System, settings of a router if the owner uses a connected PC to view a Web page with the JavaScript code. This DNS change lets the attacker divert all the Net traffic going through the router. For example, if the victim types in "www.mybank.com," the request could be sent to a similar-looking fake page created to steal sensitive data.

... The attack works on any type of home router, but only if the default router password hasn't been changed, Ramzan said. The malicious JavaScript code embedded on the attacker's Web page logs into the router using the default credentials--often as simple as "admin" and "password"--and changes the settings.



http://news.com.com/2100-1002_3-6159832.html?part=rss&tag=2547-1_3-0-5&subj=news

Palm Treos ring up security flaws

By Dawn Kawamoto Story last modified Thu Feb 15 14:22:32 PST 2007

Some versions of the Palm Treo carry security flaws that could allow a person in possession of the device to access data even when the handheld is locked, Symantec has warned.

The Palm Treo models 700p, 680 and 650 contain the security flaws, according to an advisory on Wednesday from Symantec's SecurityFocus Web site.

The vulnerabilities concern the way data is accessed on the Treo. They could allow anyone in possession of the device to use the "find" feature to locate data, even if the Treo is locked, according to a posting on the SANS Institute's Internet Storm site.

Palm has yet to release a fix to address the problem, SANS noted.

Representatives for Palm were not immediately available for comment on Thursday.



http://www.bespacific.com/mt/archives/013970.html

February 15, 2007

New on LLRX.com for February 2007 - Part I



Imagine getting one of these in answer to a subpoena...

http://www.businessintelligencelowdown.com/2007/02/top_10_largest_.html

February 15, 2007

Top 10 Largest Databases in the World

[Number 10 has:

The WDCC boasts 220 terabytes of data readily accessible on the web including information on climate research and anticipated climatic trends, as well as 110 terabytes (or 24,500 DVD's) worth of climate simulation data. To top it off, six petabytes worth of additional information are stored on magnetic tapes for easy access. How much data is six petabyte you ask? Try 3 times the amount of ALL the U.S. academic research libraries contents combined.



Tools & Techniques

http://lifehacker.com/software/information/screenshot-tour-learn-everything-about-your-pc-with-siw-236760.php

Screenshot Tour: Learn everything about your PC with SIW

If you've ever lost a web password or software license; needed to troubleshoot a hardware problem on your computer but have no idea what model of motherboard you have or what BIOS you're running; or wanted to take a closer look at what kind of activity your network is open to, there's a catchall application for you, and it's called System Information for Windows.

In fact, I was very surprised at just how much information is available through SIW - for example, it came as a bit of a shock to see that all of my saved Firefox and Internet Explorer passwords were only a click away with SIW - so I decided that today I'd step through and highlight some of the most interesting and useful features of SIW. To get started, click through to the gallery below.



Fools & Techniques?

http://digg.com/gaming_news/Calorie_Burning_Soft_Drink_Potentially_Geeks_Drink_Of_2007

Calorie Burning Soft Drink, Potentially Geeks Drink Of 2007

The drink is a traditional soda, available in various flavours including cola and orange, which increases ones metabolism by around 12% for up to three hours. The increased metabolism in turn burns calories.

https://maxvps026.maximumasp.com/V026U35LTQ/1-0_Home.htm

Thursday, February 15, 2007

Is this a new release or reporting on old news? Gets confusing after the 12 billionth time...

http://www.miami.com/mld/miamiherald/16700556.htm

Personal data stolen from health insurer

Associated Press Posted on Wed, Feb. 14, 2007

INDIANAPOLIS - Personal information on nearly 200,000 members of health insurer WellPoint Inc. was stolen from the office of a company vendor, a newspaper reported.

Indianapolis-based WellPoint has received no reports of the information being misused, company spokesman Jim Kappel told The Courier-Journal of Louisville, Ky., for a story in its online edition Wednesday. No arrests have been made, he said.

The data was on backup computer tapes taken in November from the Massachusetts office of Concentra Preferred Systems, a company that audits and analyzes claims data for WellPoint.

The majority of people affected are Anthem Blue Cross and Blue Shield members in Kentucky, Indiana, Ohio and Virginia, Kappel said. People whose information was on the tapes were informed by a recent letter.

The stolen data included Social Security numbers, which are frequently used in identity theft.

Kappel said there is no indication that the WellPoint tapes were the target of the thefts because break-ins occurred at several businesses in the complex where the Concentra office is located.



Didn't TJX assure everyone that Canadian customers weren't impacted? (Yes, they did.)

http://www.cbc.ca/consumer/story/2007/02/13/cards-reissued.html

Questions swirl as BMO, CIBC reissue credit cards

Last Updated: Tuesday, February 13, 2007 | 7:21 PM ET CBC News

Thousands of CIBC and Bank of Montreal customers have been issued new credit cards from their banks along with warnings their old cards may have been used fraudulently, CBC News has learned.

Neither bank is releasing details, but some of the customers told the CBC they were told that the cancellations were linked to a major security breach at Winners and HomeSense.

... The letter didn't explain the problem, but a bank clerk later told her it had to do with the Winners and HomeSense breach.

In early February, a spokesman for Winners and Homesense said the hackers did not get information on Canadian debit card transactions.

... The banks wouldn't say how many customers have been affected, what the security breach was or whether any credit cards have actually been misused. They also wouldn't disclose why they have reissued cards when other banks have not. [Is this the right way to handle this? Bob]



We can, therefore we must.

http://www.engadget.com/2007/02/14/smile-youre-on-big-brothers-in-plane-camera/

Smile, you're on Big Brother's in-plane camera!

Posted Feb 14th 2007 12:09PM by Paul Miller

The folks in the UK aren't laissez-faire about this Big Brother thing one bit, them and Germany are throwing £25 million (bout $49 million US) at the "problem" of monitoring airline passengers with small cameras and microphones in every single seat back to monitor for suspicious behavior. [Actually, that should read, “We monitor everyone, looking for suspicious behavior.” Bob] The system will be able to detect rapid eye movements, excessive blinking, twitches, whispers or other symptoms of somebody trying to conceal something, and check the data against individual passenger profiles for alerting the crew to a potential terrorist. Airlines and privacy advocates aren't terribly stoked about the idea, with the airlines saying it'll take 10 years to outfit planes with such systems and the money would be better spent "on preventing terrorists boarding aircraft in the first place." Privacy people figure that "it will put people off flying because they will feel uncomfortable." However, Catherine Neary, the project team leader assures that under the Data Protection Act, all audio and video recordings will be destroyed at the end of each flight. That makes it all better, right?



Probably not, but they seem to have the same (lack of) skills you'd expect. Another government agency that doesn't think it through?

http://blog.wired.com/27bstroke6/2007/02/homeland_securi.html

27B Stroke 6 by Ryan Singel and Kevin Poulsen

Wednesday, 14 February 2007

Homeland Security Website Hacked by Phishers? 15 Signs Say Yes -- UPDATED 3 Times



What would you do if you got this email?

http://www.washingtonpost.com/wp-dyn/content/article/2007/02/13/AR2007021301173.html

Better Business Bureau Tangled in E-Mail Scam

By Annys Shin Washington Post Staff Writer Wednesday, February 14, 2007; Page D03

The Better Business Bureau network was the target of a "spoofing" scam yesterday in which thousands of businesses in the United States and Canada received e-mails encouraging them to download what is thought to be a computer virus.

The e-mails, using the name of the 95-year-old network of nonprofit groups that looks into consumer complaints, told businesses that they were the subject of a complaint and included a link to view related documents. Clicking on the link, however, accessed the address book of an infected computer and distributed the counterfeit e-mail to more recipients, said Steve Cox, spokesman for the Council of Better Business Bureaus.

... BBB members and nonmembers received the e-mail.

Confused business owners began calling the council's offices in Arlington at 6 a.m. yesterday, Cox said. By mid-morning, the organization had confirmed the attack was systemwide.

... The counterfeit e-mails were traced to an advertising firm in Kennesaw, Ga., that had had its computer system hacked into Monday night, Cox said. The agency had no prior affiliation with the BBB.

The Council of Better Business Bureaus warned recipients not to open any e-mail that contains a return address of "operations @ bbb.org" or a link citing a complaint case number, such as "Documents for Case #263621205."



Isn't it analogous to pointing to a quote in a book?

http://www.webtvwire.com/judge-denies-appeal-that-deep-linking-directly-to-video-and-audio-streams-is-not-illegal/

Judge Denies Appeal that Deep Linking Directly to Video and Audio Streams is Not Illegal

Posted in: News and Legal, DRM, Piracy & IP by Chris Tew

A Texas judge ruled last December that SuperCrossLive.com, owned by Robert Davis, was violating copyright laws by directly linking to audiocasts of motorcycle racing that were created, owned and hosted by SFX Motor Sports.

The judge ruled that "the link Davis provides on his Web site is not a ‘fair use’ of copyright material" and ordered all links to the audiocasts to be removed. SFX sued supercrosslive.com because they believed that listeners should only access the audiocasts through the website, in order for logos of sponsors to be seen.

Robert Davis actually represented himself [Oops! Bob] and was against a Baker Botts lawyer who’s listed in The Best Lawyers in America 2007, so it’s no wonder he lost.

SuperCrossLive.com appealed the decision by the Texas court but the appeal was denied on January the 18th. On January the 30th SuperCrossLive.com appealed to the 5th Circuit Court which can overturn the original verdict.

This case is of course far from over and the ruling itself has been heavily criticized as it is considered to undermine the functioning of the web as a whole. The judge has been accused of misunderstanding the technology involved.

I very much doubt that this case will wind up in favor of preventing deep linking and will be overturned in the 5th Circuit Court. However, should the injunction against SuperCrossLive stand up it would have huge implications for the whole internet. It would set precedent that you must get permission from copyright owners to link to anything but the main page of a website. [The cover of a book? Bob]

What SFX should really do if it doesn’t want people to link directly to its streams is put technology in place which prevents it, rather than embarking on a controversial court case to prevent deep linking.



There is no reason why this technology won't eventually be added to credit cards, auto ignitions, door locks, pill bottles, etc.

http://www.infoworld.com/article/07/02/14/HNcellphonebiometrics_1.html?source=rss&url=http://www.infoworld.com/article/07/02/14/HNcellphonebiometrics_1.html

Biometrics to ease CIOs' cell phone concerns

As cell phones begin to carry more productivity apps -- and more sensitive data -- the need for security grows. AuthenTec is pushing biometrics as the solution

By John Blau, IDG News Service February 14, 2007

A biometric systems vendor has a pitch for CIOs nervous about company executives losing their mobile phones and risking the loss of confidential information.



“We're not looking for facts, we're looking for quotes!” Interesting debate in the Comments...

http://it.slashdot.org/article.pl?sid=07/02/14/0322253&from=rss

70% of Sites Hackable? $1,000 Says "No Way"

Posted by kdawson on Wednesday February 14, @08:03AM from the money-where-mouth-is dept. Security The Almighty Buck

netbuzz writes "Security vendor Acunetix is flogging a survey that claims 7 out of 10 Web sites it checked have vulnerabilities posing a medium- to high-level risk of a breach of personal data. Network World's go-to security guy, Joel Snyder, says that percentage is 'sensationalist nonsense' — and he's willing to back that judgment with $1,000 of his own money. In fact Snyder will pay up if Acunetix can get personal data out of 3 of 10 sites chosen at random from their survey list."



A brief overview...

http://news.com.com/1606-2_3-6159558.html?part=rss&tag=2547-1_3-0-5&subj=news

Video: RSA roundup: Girls gone wild (for security)



It will be interesting to see what politicians do with/to the technology.

http://www.bespacific.com/mt/archives/013947.html

February 13, 2007

Blogs Front And Center in Presidential Fundraising Campaign Efforts

WSJ free feature today: Candidates Find A New Stump In the Blogosphere: "Candidates of both parties are already buying space on search engines, blogs and other Internet sites popular with political junkies and potential donors. With 18 candidates vying for the most open race for the White House in 80 years and front-runners on both sides announcing plans to forgo public financing, the 2008 election promises to be a huge revenue opportunity, not just for TV broadcasters."


Other uses too...

http://www.newassignment.net/blog/david_cohn/feb2007/12/extreme_democrac

Extreme Democracy -- When Wikis Inform Legislation

by Steve Petersen on February 13, 2007 – 9:49am.

... To bolster his new effort at interaction and transparency, Urquhart posted his school voucher bill in its entirety on Politicopia before he distributed it to his colleagues in the Utah House. Soon the page expanded with pro and con sections with findings from states like Vermont and Wisconsin accompanied by a section for comments, as well as links to news articles about the bill.

“For six years we’ve been chasing our tail on this bill, and today the bill passed in very large part because of Politicopia. When private dialogue was made public, the main area of criticism was publicly revealed to be fictitious [Warning! This is not a “Politician Friendly” site! Bob],” Urquhart told WebProNews in an email.



Interesting set of “unexpected outcomes.”

http://techdirt.com/articles/20070214/082036.shtml

The Perverse Consequences Of Sarbanes-Oxley

from the in-the-dark dept

The long-sluggish IPO market staged a rebound in 2006, leading some to conclude that all of the whining about Sarbanes-Oxley and the cost of being a public company was just that, whining. But there's still plenty of evidence suggesting that Sarbanes-Oxley is a real burden on public companies. In addition to the direct costs of compliance, you can see it in the explosion in private equity and management buyouts, as the smart money realizes that there are advantages to being private. Bloomberg points to another perverse effect of the legislation: companies are realizing that they're best off if they can keep things completely in the dark, as opposed to making them open. The example it cites is the corporate bond market, where there's a flourishing practice of selling unregistered bonds to institutions. Typically, if a company had a bond offering, it would have to register that with the SEC, a process that's become quite burdensome. But, if the bonds are just traded among institutions, with no plans to make them available to the public, then the company doesn't have to file anything. This practice has grown by 50% in the last two years, far outstripping the rest of the market. Of course, unregistered bonds carry a higher degree of risk, but because there's a high demand for bonds these days, it's a risk that buyers are willing to take. This is obviously the opposite of what Sarbanes-Oxley intended, but it's the natural result of a law that imposes higher costs on companies that report publicly.



“Any tactic we can think of,” is not good lawyering strategy...

http://techdirt.com/articles/20070215/001607.shtml

Judge Throws Out Lawsuit Blaming MySpace For Sexual Assault

from the suing-whoever-has-the-money dept

Last summer we were disappointed, but not surprised, to see the family of a 14-year-old girl who claimed she was sexually assaulted by a 19-year-old guy she met on MySpace decide to sue MySpace for allowing it to happen. Such a lawsuit is ridiculous on any number of levels -- both legally and at a common sense level. It's like suing the phone company any time a phone is used as part of a crime. Legally, it's quite clear that MySpace is protected by section 230 of the Communications Decency Act, which makes it clear that a service provider is not responsible for the actions of its users. This makes perfect sense. The law is designed to make sure it's those who are actually responsible for the illegal actions who get in trouble for them. That's why it's good to see that the judge has tossed out this case, pointing to section 230 and noting that if it were allowed, companies like MySpace "would be crippled by lawsuits arising out of third-party communications." The lawyers for the family, of course, plan to appeal -- wasting even more resources on a case that is unlikely to get anywhere. Of course, we're still waiting to hear what the 19-year-old involved in this case is going to do. After the girl's family sued MySpace, his lawyers realized that if MySpace was somehow responsible, then perhaps they could sue as well, and take some of the blame off the guy.



Interesting idea.

http://hosted.ap.org/dynamic/stories/T/TRUSTED_DOWNLOADS?SITE=VALYD&SECTION=HOME&TEMPLATE=DEFAULT

Group Certifies Programs OK to Download

By ANICK JESDANUN AP Internet Writer Feb 15, 12:11 AM EST

NEW YORK (AP) -- An organization that monitors Web site privacy and e-mail practices for businesses has certified eight computer programs as consumer-friendly and non-invasive.

... Independent technicians hired by TRUSTe review software used for advertising or tracking user behavior. Certified adware and other software must obtain consent before downloading, be easy to uninstall and cannot modify computer settings to cause damage or harm.



Inevitable? (See next article too)

http://www.dfw.com/mld/dfw/news/state/16680431.htm

The next class fits in your pocket

By JOHN AUSTIN STAR-TELEGRAM STAFF WRITER Posted on Mon, Feb. 12, 2007

Distance learning has been around for decades, but thanks to the iPod and other digital music players, higher education is becoming as portable as a pop song.

... MP4 capability adds video to the iPod audio mix. And while it's still relatively rare, students are increasingly plugging in to listen to downloaded books, textbook study guides, and language labs on the go. Books and personal stereos have always been portable, of course, but audiobooks are easier to carry around in digital form.

... Schools including Stanford University and the University of Wisconsin-Madison belong to iTunes U, a year-old Apple Inc. service that lets professors post lectures and students download them for free.

Some libraries, including Swem Library at the College of William & Mary in Virginia, are lending MP3 players to students.

... Davis was surprised at the enthusiastic reception when the university began podcasting this semester.

"We didn't think there'd be four iPods in the whole bunch," Davis said. But the graduate students are "getting paid and they've got the toys."

... Finn said the technology works particularly well for students such as varsity athletes who miss classes because of travel. But Finn quickly learned that she would have to adapt her content to fit the small screen, regardless of whether jocks or nerds were tuning in.

"The lectures were too long," she said. "The students couldn't interact with a podcast."

So "I've now made all the podcasts 15 to 20 minutes," Finn said. And to mix things up, "we are going to have different people showing up on the podcast."


Why is it inevitable?

http://www.businessweek.com/technology/content/feb2007/tc20070214_915949.htm

The Next Big Ad Medium: Podcasts

Advertisers will spend more than $400 million on podcasting by 2011, but they're still not sure who will be listening to them

by Catherine Holahan February 14, 2007, 12:00AM EST

Remember podcasting? While marketers have been busy uploading commercials to YouTube, the once-buzzed-about medium has spent the past two years building its audience and enhancing advertising capability. Now, podcasts are finally poised to grab a larger slice of the multibillion-dollar online advertising pie.

Research firm eMarketer expects that advertisers will spend more than $400 million on podcasting by 2011, up from $80 million last year, according to a report scheduled for release later this week. Fueling the anticipated growth is the expected entrance of Google into the podcasting arena, as well as new podcasting services focused on answering advertisers' most pressing questions: How many people are tuning in to the hundreds of thousands of online podcasts, and who are they?

... The medium isn't waiting for Google, however. On Feb. 14, podcast company Podtrac unveiled a free online service that enables advertisers to research audience information for audio and video podcasts based on demographics, size, and other characteristics. The company, which helps connect roughly 5,000 of the top podcasters to advertisers, includes data for all podcasts in its new service, including those from major media companies with whom Podtrac is not affiliated. It indexes its data to information in Mediamark Research's Survey of the American Consumer.



Think any of this is true?

http://consumerist.com/consumer/hewlett+packard/14-hewlettpackard-company-secrets-from-a-former-employee-236517.php

02 14 2007

14 Hewlett-Packard Company Secrets From A Former Employee

... 1: Many HP Printers, like their laser printers, have a built-in page-count after which they won't work. This resides in a transpart sometimes called image or drum kit. Rather than get the printer fixed, it's often cheaper to buy a new printer, OR you can do an NV ram reset. It resets everything in the printer, including all the page counts, but it's not without risks.



Where there's a will, there's a hack! See why security managers who take their jobs seriously know this is a bigger job than the manager who decided to block a site thinks it is?

http://engtech.wordpress.com/2006/10/04/how-to-access-gmail-when-its-blocked-at-work-or-school/

How to access Gmail when it is blocked at work or school

... If you’re looking for a proxy that will let you access any blocked web page then the comments of this Digg post have a lot of suggestions.