Saturday, February 24, 2007

Same old same old.

http://www.worcesternews.co.uk/display.var.1216931.0.security_alert_as_thousands_told_bank_details_have_been_stolen.php

Security alert as thousands told bank details have been stolen

THOUSANDS of county council staff are at risk of identity theft after their highly confidential bank and national insurance details were stolen.

A laptop computer containing the personal information of up to 19,000 staff - complete with names and addresses - was taken in a street robbery.

... "We will be raising issues about the council's practices and policies and asking if they will be looking at how this sort of thing is done in the future," he added. [Suggests there was no problem with this employee having all those records on his personal computer... Bob]



“Can you hear me now?”

http://www.chron.com/disp/story.mpl/metropolitan/4578104.html

Feb. 23, 2007, 10:30PM

County clerks could face jail, fine in privacy breaches

By POLLY ROSS HUGHES Austin Bureau

AUSTIN — County clerks could spend six months in jail and be fined $1,000 for releasing records historically accessible to the public that contain Social Security numbers, according to the state attorney general.

Representatives of county officials statewide called the ruling "huge" in its implications, saying compliance could cost local taxpayers millions of dollars, including countless extra hours of labor.

... Attorney General Greg Abbott, responding to questions raised by Fort Bend County officials, said it is mandatory for county clerks and other government officials to remove Social Security numbers before distributing public documents.

The question arose because state public information law was amended two years ago to say county clerks "may" remove Social Security numbers on documents they archive and distribute to the public.

Abbott, citing other portions of state law and federal law, said Texans have a right to keep their Social Security numbers private. Therefore, county officials are required to delete them before releasing documents to the public.

... Abbott's opinion warns that disclosure of confidential information such as Social Security numbers is a criminal offense under the Texas Public Information Act, and that applies to all county clerk records.

Clerks are not required to redact Social Security numbers from original, certified documents, but they are required to remove the numbers and note they have done so when releasing them to the public, the opinion says.

... Even so, it will cost local taxpayers at least $17.4 million for new software and servers to remove Social Security numbers from the electronic documents, he said. [Nonsense! What are they trying to do? Store LESS information in exactly the same applications. No new software or hardware needed. Bob]

... "The direction the attorney general gives is very expensive in some cases, impractical in other cases and impossible in the rest," Lee said. [In other words, you don't know how to manage it. Bob]



Is there a good way to tell your customers/patients/whoever that you “lost” their data? Perhaps not, but some efforts are better than others.

http://blog.washingtonpost.com/securityfix/2007/02/johns_hopkins_data_breach_stri_1.html

Data Breach Hits Close to Home

I took some time off work last fall to spend with my wife, who had just been diagnosed with a golf-ball-sized tumor in her brain that needed to be removed. With the help of a few well-connected friends, we were privileged to have her seen by one of the top neurosurgeons in the world, a surgical ninja at The Johns Hopkins Hospital in Baltimore.

The surgery was a great success, and the wife is just fine now. She carries nary a lingering symptom, visible scar or traumatic memory from the ordeal, save perhaps for the seemingly endless stream of bills and letters from our health insurance provider.

That is, until last week, when she returned from the mailbox with a letter from the hospital alerting us that she was among some 83,000 Hopkins patients whose hospital records may have been compromised on account of a lost backup tape.

According to the letter, the lost tape contained data on new patients seen between July 4 and Dec. 18, 2006, or who had changes to their demographic information during that time. Among the data stored on the tape was the patient's name, mother's maiden name, father's name, race, sex, birth and medical record number. However, Hopkins was emphatic that there was no medical or Social Security data on the tapes.

I must have read the letter three times in all, and at first I was pretty alarmed. But looking back now, I must say I don't think I've ever read a more thorough breach notification. The letter explained in detail what they thought happened to the backup tape and listed a number of reasons why Hopkins believed the risk to patient privacy was low in this case (many other medical data breach notifications I've read ask you simply to accept their pat answer that there is little chance of the data being misused). The hospital created a very informative Web site for affected patients, and listed a toll-free number for people who don't have Internet access.

More importantly, the letter took the time to clearly explain what steps patients can take to protect themselves. Rather than stating merely that patients have the right to a free copy of their credit reports, the letter lists the steps consumers need to go through to get a copy of their credit report, what a fraud alert means, and how it may affect patients who later seek to obtain new lines of credit. In addition, the notification suggests patients stagger the ordering of their free credit reports from each of the credit bureaus over an entire year. Finally, the letter reminds recipients that scam artists may try to call victims pretending to offer "assistance," and that the hospital will not contact patients by telephone, e-mail or ask for personal information related to the incident.

The approach Hopkins took in response to this incident stands in stark contrast to the way some other health care providers have handled patient data losses of late. Two different Kaiser Permanente hospitals had lost laptops over the past nine months that endangered patient data, but I could find no Web site set up to alert affected patients about either incident, nor could I find any mention of either incident on Kaiser's news releases page.

Maybe the company was still reeling from a fine last year by the California Department of Managed Health Care, which found that Kaiser created a systems diagram Web site used as a testing portal by its IT staff that contained confidential patient information, including names, addresses, telephone numbers and lab results.

The phone number Kaiser set up for affected patients leads to a voice mailbox asking the caller to leave a message; the message promises a call back at some point. The Hopkins line explains pretty much everything in the letter, and then allows callers to speak with a real, live person at Hopkins' "identity safeguards" division.

Kaiser executives also were quoted in the press downplaying one of the incidents without any information to back up their claims. Of a stolen laptop containing patient medical records for patients in Colorado, company officials were quoted as saying that the still-missing laptop was stolen merely for its "street value," not for the data contained within it.

How reassuring.



Always amusing...

http://www.washingtontechnology.com/online/1_1/30169-1.html

02/23/07 -- 04:06 PM

Skinner: DHS needs to shield personal information

By Alice Lipowicz Staff Writer

The Homeland Security Department is not doing enough to protect personal identifying information within its computer systems, according to a new report from DHS Inspector General Richard L. Skinner.



Lots of interesting comments. My favorite: “$100 says this guy has a huge short on ebay stock.”

http://it.slashdot.org/article.pl?sid=07/02/23/2113238&from=rss

Hacker May Be Exposing eBay Back Door

Posted by Zonk on Friday February 23, @04:30PM from the maybe-buy-a-hackerproof-door dept.

pacopico writes "A hacker specializing in eBay cracks has once again managed to masquerade as a company official on the site's message boards, according to The Register. A company spokesman denies that 'Vladuz's' repeated assaults on eBay point to a larger problem with the site's security. Of course, eBay two days ago claimed to have found a way to block Vladuz altogether, only to see him pop up again. The hacker himself made comments indicating that the company's email servers are connected somehow to the financial information eBay hosts."



Interesting and useful read...

http://www.csoonline.com.au/index.php?id=1031237888&rid=-302

What would you do as chief information security officer

Ellen Messmer, Network World 19/02/2007 14:38:52

Becoming the chief information security officer (CISO) of a corporation makes you a strategic IT advisor to business management, the chief information officer, and the rest of the information technology staff. Just as no company is the same as another, the job of CISO -- or alternately, "chief security officer," which might include physical security as well -- isn't either. The four security professionals who share their priorities with us make it clear there's nothing cookie-cutter about the top IT security job.



Technical backgrounder...

http://www.eweek.com/article2/0,1759,2098139,00.asp?kc=EWRSS03119TX1K0000594

The Dissection of a Rootkit

February 23, 2007 By Lisa Vaas

... F-Secure researcher Kimmo Kasslin has made the findings available in a paper titled "Kernel Malware: The Attack from Within" (a PDF) as well as in a slide show (also a PDF).

Kasslin explains in detail what kernel malware is, how it works, and what makes its detection and removal so challenging. He also details two malware cases that use kernel-mode techniques to escape detection and to bypass personal firewalls.



If we make the firefighters do it, then we can convince the kids that they “can be just like a real firefighter!” and eventually all second-class citizens will be chipped, just like a herd of cows...

http://www.nypost.com/seven/02242007/news/regionalnews/fdny_tracking_chip_a_bravest_new_world_regionalnews_david_seifman__city_hall_bureau_chief.htm

FDNY TRACKING CHIP A BRAVEST NEW WORLD

By DAVID SEIFMAN, City Hall Bureau Chief

February 24, 2007 -- If a new Fire Department plan works out, every firefighter will have a chip on his shoulder - or near some other body part - capable of transmitting data to a firetruck [not the “few inches” the industry claims? Bob] and eventually to FDNY headquarters.

The high-tech plan is aimed at insuring that no firefighter ever goes missing, as occurred when off-duty and former firefighters rushed to the World Trade Center on 9/11.

... The FDNY already has the capability of displaying the schematics of virtually every building in the city.

Scoppetta said the idea is to "see the figures actually in the building. You'd know what floor they're on. How many are on the floor. You'd be able to communicate, warn them of conditions developing. That's what we're shooting for."

... The FDNY has already installed GPS devices in its ambulance fleet and on many firetrucks.

"We can now see over 57 of the engines as they move back and forth," Scoppetta said.

"Once we have computer-aided dispatch for fire, [What do they use now, homing pigeons? Bob] police and EMS, we can avoid multiple dispatches."

Scoppetta said privacy objections would be misplaced in this case.



They asked the wrong question. They should have asked for evidence that any vote was recorded as cast.

http://news.wired.com/dynamic/stories/V/VOTING_MACHINES_FLORIDA?SITE=WIRE&SECTION=HOME&TEMPLATE=DEFAULT

Audit: Fla. Voting Machines Didn't Err

Feb 23, 6:08 PM EST updated Sat, Feb 24, 2007

By STEPHEN MAJORS Associated Press Writer

TALLAHASSEE, Fla. (AP) -- An audit of touch-screen voting machines at the center of a dispute in a congressional election found no evidence of malfunction, [They ripped off the election just like they were supposed to... Bob] the Florida secretary of state said Friday.

... The audit report released Friday said an independent study of the source code of the machines used in the election found no evidence of malfunction.



Tips on text message security from your friendly police department spokesperson...

http://hosted.ap.org/dynamic/stories/T/TEXT_MESSAGE_ARREST?SITE=VALYD&SECTION=HOME&TEMPLATE=DEFAULT

Feb 24, 6:24 AM EST

Text Messages Land Teacher in Hot Water

MURRAY, Ky. (AP) -- A middle school teacher trying to buy pot was arrested after she sent text messages to state trooper instead of a dealer, police said.

... "She learned her lesson. Program your dealers into your phone, [We'd like the evidence stored neatly... Bob]" Meadows said.



Dilbert sums up the RIAA, MPAA and many others.

http://www.unitedmedia.com/comics/dilbert/archive/images/dilbert2007026109124.gif

Friday, February 23, 2007

Nope.

http://www.enterprisestorageforum.com/continuity/features/article.php/3661476

Data Breaches Keep Piling Up. Does Anyone Care?

February 22, 2007 By Drew Robb

Leaks, spills and hacker attacks — it seems hardly a day goes by without some major data loss incident affecting the IT community.

According to Fred Moore, an analyst at Horizon Information Strategies in Boulder, Colo., more than 54 million identities have been stolen to date and an estimated 19,000 more identities are stolen each day. Companies on average are spending 1,500 hours per incident at a cost of $40,000 to $90,000 per victim, he says.

... For a real eye-opener, take a look at the roster of data loss incidents at www.attrition.org/dataloss. This list gives the specifics of the millions of stolen identities Moore mentions. And the pace of these incidents seems to be accelerating, if the start of this year is any indication. According to Attrition.org, about 2.2 million identities were compromised in January 2007. That included more than a million by the Chicago Board of Elections.

... "Data protection has become the most critical piece of most IT strategies," says Moore. "This will make the data security business much larger than the disk and tape industry combined by 2008."



You never know what straw will break the camel's back.

http://www.sanluisobispo.com/mld/sanluisobispo/news/world/16759331.htm

Posted on Thu, Feb. 22, 2007

Britons up in arms over 'Bin Brother'

By Liz Ruskin McClatchy Newspapers

LONDON - The British tolerate millions of surveillance cameras watching their every public move. They agreed to let roadside cameras record their vehicular movements and store the information for two years. But when they discovered that their garbage is being bugged, they howled that Big Brother had gone too far.

Local governments have attached microchips to some 500,000 "wheelie bins," the trashcans that residents wheel to the curb for collection. The aim, they say, is to help monitor collections and boost the national recycling rate, now among the lowest in Europe.

The public has reacted with suspicion and fury.

"Germans Plant Bugs in Our Wheelie Bins," a Daily Mail headline announced in August. Two of the bin manufacturers are German. Newspaper letter writers have taken to calling it "Bin Brother."

A Member of Parliament from London's Croydon neighborhood denounced the chip as "the spy in your bin."

"The Stasi or the KGB could never have dreamed of getting a spying device in every household," said Andrew Pelling, a Conservative, referring to the former East German and Soviet spy agencies.

Small-scale revolts have erupted across the United Kingdom for months, as different localities adopt the technology. Some towns failed to mention the new feature, which is concealed under coin-sized plugs under the rims of their garbage cans.

In the coastal city of Bournemouth, 72-year-old Cyril Baker ripped the chip off his new bin the day he discovered it, then went on national television to show how he did it. Thousands of his neighbors followed his example. "It was a very emotional issue. The whole town was in an uproar," he said.

It's a wonder that the tiny dustbin attachment has provoked such a response in Britain, home of the most monitored people in the Western world. An estimated 4.2 million closed-circuit TV cameras - one for every 14 residents - are trained on British streets and schools, parks and churches. Cameras are planted in phone booths, on vending machines, at gas stations and inside every double-decker bus in London. An Englishman may be captured on cameras 300 times in a typical day, surveillance experts say.

Yet the microchips in the wheelie bins struck a nerve.

"I think people really see this as an intrusion into their personal space," said Bournemouth councilman Nick King, a champion of the anti-chip cause.

Residents also fear that the little bug will nip them in the wallet. The microchips - radio frequency identification transmitters known as RFID tags - can't actually spy on the contents of a bin. They're more like tiny digital nametags, but they hold lots of information and can be scanned from yards away.

In parts of Germany and Belgium, garbage trucks equipped with scales and scanners lift the tagged bins. The bins are weighed as they're emptied, and residents are charged for each pound they send to the landfill.

Bournemouth administrators swear that they intend only to monitor trash trends and return lost bins to their assigned homes. Other cities said they wanted to identify heavy heapers to advise them on better rubbish management.

But residents suspect a plan to levy charges for garbage hauling, and some local officials have acknowledged that's their long-term aim.

The Orwellian aspect has been blown out of proportion, chip supporters say. "People think it's Big Brother watching them, and it's not. It's a system for weighing rubbish," said David Peel, the communications manager for South Norfolk Council, which has a bin chip project under way.

Civil libertarians worry about a day when every object has an embedded RFID tag, and people don't know who's tracking their trash.

Put this technology in the hands of sanitation workers and it won't stop at just weighing the garbage, predicts Chris McDermott, an anti-RFID activist.

"Before you know it, they'll be scanning the actual products, wrappers and other detritus that you throw away inside the bin, as these are also scheduled to be RFID-enabled in the near future," he warns on his Web site, www.notags.co.uk.

Not likely, said Andy Shaw, the business manager of Cambridge Auto-ID Lab, a university research center that's developing new uses for radio frequency tags.

The lab, according to its Web site, is creating a system that will enable computers to identify "any object anywhere in the world instantly." But Shaw thinks, "nobody is going to pay to put readers onto garbage trucks that can read everything. It's just too expensive."

Anyway, Big Brother doesn't have to resort to scanning your garbage to know what you own, not with store loyalty cards and credit cards so abundant, Shaw joked.

As the furor grows over microchips in rubbish barrels, cameras are proliferating.

In Bournemouth, Liberal Democrats battle Conservatives over who's done more to expand camera surveillance. The city, with a population of 164,000, operates more than 75 cameras in the town center. Jim Klegg, Bournemouth's street enforcement manager, announced this month that film footage will be used to help prosecute for littering, "which includes dropping cigarette butts and chewing gum," he said.

How to explain the enthusiasm for a vast and expanding network of cameras? King, the Bournemouth representative, said the experience of being monitored is rather British.

"Inherently, we're quite happy to be watched when we're out and about, because we feel if someone is watching us they can help us," he said. "But there's a line we draw around the home."

Kate Fox, a London anthropologist who studies the English, sees it that way, too.

Surveillance may seem futuristic, but she maintains that it re-creates, in the English mind, the modern equivalent of the pre-industrial hamlet, where neighbors knew one another's business.

"We rather like that sense that we're being looked after," she said. "It makes us feel secure."

Yet when it concerns the home, the English are obsessed with privacy, she said, and microchipping the wheelie bins must seem like a breach of the moat.

"The Englishman's home really is his castle, and I guess our rubbish bin is part of it," she said.



“Screw ye not with the court, lest ye be screwed” (Old e-discovery mantra I just made up)

http://ralphlosey.wordpress.com/2007/02/21/court-disapproves-defendant%e2%80%99s-%e2%80%9chide-the-ball%e2%80%9d-discovery-gamesmanship/

Court Disapproves Defendant’s “Hide the Ball” Discovery Gamesmanship

A recent case in Ohio illustrates a poor electronic discovery strategy by a defendant employer in a wrongful termination case. May v. Pilot Travel Centers, LLC, 2006 WL 3827511 (S.D. Ohio December 28, 2006). The defense here has seriously annoyed the presiding district court judge, [Always a source of great quotes, if not great law. Bob] who, right or wrong, is now convinced that missing electronic records are evidence that the defense has engaged in “hide the ball gamesmanship and deception.”

... After the discovery period ended in nine months, apparently with no discovery disputes, the defendant moved for summary judgment. The plaintiff responded with a motion for sanctions for spoliation, alleging that defendant had destroyed evidence, namely some of the computer records at issue in the case. The defendant employer responded vigorously to the sanctions motion. It moved to strike the affidavit supporting the motion, and to be awarded attorney fees because it alleged the sanctions motion was meritless and filed in bad faith.

Defendant first made a procedural argument, correctly pointing out that there had been no motion to compel, not even a phone call from plaintiff’s counsel. Defendant argued that because of these omissions there was no basis for a sanctions motion. The court disagreed with this procedural argument. Aside from parsing a construction of the local discovery rules involved, the court was strongly influenced by the fact that defendant produced new evidence after the plaintiff filed his motion for sanctions. The court referred to this as a “curiously belated supplementation” and held:

... The Court was also disturbed by defendant’s arguments that some of the documents were not previously produced because they were not specifically requested, pointing out the mandated initial disclosure requirement under Rule 26(a)(1)(B).

The Court was also disturbed by what it called the defendant’s “coy avoidance” of whether it had destroyed computer records as plaintiff alleged. Apparently the defense responded to the spoliation accusations by stating that the “documents might have been lost when defendant converted to a new computer system.” That response did not go over well. The court stated:

If the records exist, then Defendant should know this [Yes! Bob] and must produce them. If the records no longer exist in any form, then Defendant should be able to provide this answer and an explanation as to how and why the records were destroyed, and by whom. To avoid the answer by blaming Plaintiff at this juncture creates an inference of gamesmanship that disturbs this Court.



You must learn patience. (See next article)

http://www.healthcareitnews.com/story.cms?id=6553

Federal privacy panel leader resigns, raps standards

Healthcare IT News By Diana Manos, Senior Editor 02/22/07

WASHINGTON – The leader of a federal panel charged with providing privacy recommendations for the national health information network resigned Wednesday, thwarted, he said, in efforts to develop adequate standards.

The resignation comes amid complaints from others about the speed with which standards are being written.



O Boy! I can't wait!

http://blog.wired.com/27bstroke6/2007/02/airline_screeni.html

27B Stroke 6

by Ryan Singel and Kevin Poulsen Thursday, 22 February 2007

Airline Screening Update Delayed Three More Years

A key homeland security official says that a long-delayed change in how airline passengers are checked against watch lists won't come to pass until 2010, two years after the end of the Bush Administration's tenure. Transportation Security Administration chief Kip Hawley told Times reporter Eric Lipton that "after spending a year re-examining Secure Flight, officials had come up with a way to reduce mistakes, protect privacy rights and achieve the reliability needed to screen about two million passengers that fly each day."

But it will cost about $80 million more in the next year and a half to develop the enhanced system, which will then require more than a year of testing, resulting in the estimate that it will be in full use sometime in 2010. Officials would not make public an estimate of how much they expect to spend before the system is complete.

Currently, the TSA gathers a list of suspected terrorists, South American presidents, and unruly passengers and sends it to the airlines, which then check names of passengers against the list. That process has snagged Senators, a Senator's wife, a prominent nun, every David Nelson in the country and more than a handful of government employees with high-level security clearances.



Patently obvious?

http://techdirt.com/articles/20070222/133532.shtml

Jury Tells Microsoft To Pay $1.5 Billion To Alcatel-Lucent Over MP3 Patents

from the mp3-tech-to-get-more-expensive dept

Jury trials over patent disputes quite often turn out in favor of the patent holder, so it's no surprise to see that a jury in San Diego hasn't just sided with Alcatel-Lucent in its patent dispute with Microsoft, but also has ordered that Microsoft pay $1.5 billion for supposedly violating patents having to do with MP3 technology. The details of the case are a little bit complex. Back in the late 80s, AT&T's Bell Labs teamed up with the Fraunhofer Institute to develop the MP3 standard. Fraunhofer ended up with a bunch of patents, and most companies that make use of MP3 technology pay Fraunhofer for the privilege. However, AT&T's Bell Labs claimed some patents related to the standard as well. Microsoft, however, claims the company had a patent reissued and backdated to make it look like it came before the Fraunhofer patents and that the two patents in question are invalid. Of course, since then, Bell Labs was spun off to become Lucent, which later merged with Alcatel. Somewhere along the line, Lucent's management realized how much money people were making off these patent things, and decided to make a big splash demanding that everyone using MP3 technology shouldn't just be paying Fraunhofer, but Lucent as well. Lucent went after Microsoft, but if it wins this suit (and the subsequent appeals), you can bet that just about everyone else who uses MP3 technology will be subject to similar claims as well -- perhaps making MP3 technology a lot more expensive. About the only good thing in the ruling is that the award of $1.5 billion is less than the $4.6 billion Alcatel-Lucent has mentioned in the past. Microsoft will obviously appeal, and it will take some time to get this all sorted out -- but it seems like MP3 technology may be getting a bit more expensive thanks to patents.

In the meantime, if all of this sounds familiar, perhaps that's because it mirrors the situation with JPEG patents, where companies suddenly showed up well after the standard was popular to claim patent rights.

Thursday, February 22, 2007

Surprise, surprise, surprise! G. Pyle

http://www.madison.com/tct/business/index.php?ntid=119919&ntpid=0

TJX says computer security breach wider than previously reported

Data system also hacked in 2005

Published: February 21, 2007

FRAMINGHAM, Mass. (AP) - TJX Cos., operators of Marshall's and T.J. Maxx discount retail stores, said Wednesday a security breach into its computer systems was more extensive than previously reported.

TJX had thought the intrusion into its customer data files took place between May 2006 and January 2007, but has since learned its computer system also was hacked into in July 2005 and other periods during that year.

Credit and debit card data from transactions at its U.S. and Puerto Rican stores and credit card-only transactions at Canadian stores from January 2003 through June 2004 were stolen.

Also believed stolen are some drivers' license numbers together with related names and addresses associated with unreceipted merchandise returns at TJX's T.J. Maxx, Marshalls and Home Goods stores in the U.S. and Puerto Rico for the last four months of May 2003, as well as for May and June 2004.

TJX said it will notify those customers it can identify whose drivers' license numbers, names and addresses were taken.

Additionally, T.J. Maxx customers in Britain and Ireland may also have been compromised, the company said.

Names and addresses were not included with the stolen credit and debit card data. Also, debit card PIN numbers, information from transactions at the company's Bob's Stores and transactions made with Canadian bank debit cards are not believed to have been stolen.

TJX did not disclose the number of accounts affected, and said its investigation is ongoing.

[NOTE: There is a new statement (that says nothing) if you follow a link from the TJX.com home page, but you have to look below that to find the actual (pdf) press release: "Click here to view the 2/21/07 Press Release". Bob]


More.... (Great quote!)

http://www.eweek.com/article2/0,1759,2097398,00.asp?kc=EWRSS03119TX1K0000594

TJX: Data Theft Began in 2005; Data Taken from 2003

By Evan Schuman, Ziff Davis Internet February 21, 2007


... Mark Rasch, the managing director for technology at FTI Consulting in Washington, D.C. and a former federal prosecutor for high-tech crimes, said the continuing piecemeal disclosures from TJX of deeper and deeper penetrations of older data is potentially making a bad situation much worse.

"It's one thing to shoot yourself in the foot. It's another thing to reload," Rasch said. "And it's quite another thing to go get another gun."

Rasch argued that the original data breach—and the inability to quickly learn of the ongoing breach—was the foot-shooting. The way the investigation was initially handled was the reloading and the Feb. 21 statement that "what we said before wasn't true" is the "getting another gun," Rasch said.

... "The bigger questions are 'who else?' and 'when?' TJX has a mature IT shop with conservative practices, yet their data has been stolen for years. How many other retailers, who might not be quite as careful, are already being breached?" she asked.

... "This is nice, and I'm sure TJX is more secure today than they were before they discovered the breach. But how secure are they? Could they pass a PCI DSS audit right now?" Noell asked. "Until TJX has been validated as compliant by a Qualified Security Assessor, trusting them with credit card data is an act of faith."



Too small to get much attention...

http://atlanta.bizjournals.com/atlanta/stories/2007/02/19/daily20.html

Hackers hit Georgia Tech and steal personal info

Atlanta Business Chronicle - 3:28 PM EST Wednesday, February 21, 2007

The personal information of about 3,000 current and former Georgia Tech employees may have been compromised by unauthorized access to a Georgia Tech computer account by unknown sources outside the university, Georgia Tech reported Feb. 21.

The stolen information includes names, addresses, Social Security numbers and other sensitive information, including about 400 state purchasing card numbers. The individuals affected are mostly in the School of Electrical and Computer Engineering, the university said.

Georgia Tech said it is unaware of any misuse of the information from the compromised computer account, but it is contacting individuals affected by the incident as a precautionary measure. Georgia Tech is encouraging the affected staff to notify the appropriate credit reporting agencies that their personal information may have been compromised. Georgia Tech also has alerted the Georgia Bureau of Investigation and the Federal Bureau of Investigation.

"Georgia Tech regrets that this potential loss of data occurred and will work with the affected individuals to mitigate their exposure," said James Fetig, associate vice president of Institute Communications and Public Affairs. "Our investigation is continuing, and we apologize for any inconvenience this incident may cause."



It probably was an honest mistake. So how will managers prevent more of the same in the future?

http://www.myeyewitnessnews.com/news/local/story.aspx?content_id=8e926799-be39-4ad7-84b4-517cbafec403

Social Security Numbers Tossed Out By Employee

Last Update: Feb 21, 2007 9:08 PM Posted By: Shane Myers

Dozens of people recently applied for jobs at L.A. Weight Loss, but they probably did not expect the applications would end up in the trash.

Many of the applications listed social security numbers, phone numbers and addresses. The information was in a box that was left next to a dumpster behind the store. We are told it was put there by an employee.

A company spokesperson says the employee still has a job, and is calling it an honest mistake. The company is calling those affected and offering them 1 year of ID theft protection.



A billion records is not a billion identities.

http://www.macon.com/mld/macon/business/technology/16750676.htm

8th Circuit upholds conviction in Acxiom data-theft case

LITTLE ROCK (AP) - A federal appeals court Wednesday upheld the conviction and 8-year prison sentence given to a Florida man in the theft of 1 billion records that the database manager Acxiom Corp. collected in its work for large corporations.

Scott Levine, 47, owned Snipermail Inc., a Florida company that distributed Internet ads to e-mail addresses. Prosecutors said Levine and others stole records from Acxiom, a Little Rock company that provides data-management services to large corporations for marketing purposes.

Levine, of Boca Raton, Fla., was also ordered to pay $153,395 in restitution [Why so little? Bob] to Acxiom, one of the world's largest repositories of personal, financial and corporate data.

... Prosecutors said Levine had permission to access part of Acxiom's database but that he used decryption software to obtain passwords and go beyond his authorized access. Data stolen included names, telephone numbers, street addresses and e-mail addresses, along with highly detailed demographic information.



Think of it as a tool for targeting your hacks. Technology: Making Identity Theft easier!

http://www.eweek.com/article2/0,1759,2097207,00.asp?kc=EWRSS03119TX1K0000594

Scentric Launches Free Data Privacy Assessment Tool

February 21, 2007 By Chris Preimesberger

Scentric, developer of what it calls "the world's first universal data classification solution," on Feb. 21 made available for free download a new data privacy assessment tool that enables enterprise users to make a full accounting of data with potential privacy risks.

The 3.57 MB Windows application is available at www.scentric.com for a 30-day period following free user registration on the site. The application provides on-demand classification of files on laptops, desktops, filers and file servers.

The tool scans local or network drives for files containing potentially sensitive information, such as credit card numbers and social security numbers.

The types of information it seeks to identify include:

# Personal identity—documents that may contain sensitive information related to a person's identity and which could be used for identity theft. The scan looks for a variety of items, including credit card (MasterCard, Visa, American Express, Diners Club International and Discover) and Social Security numbers.

# Confidential material—documents that may contain sensitive information related to company projects. The scan looks for keywords including "Confidential" and "For Internal Use."

# Medical information—documents that may contain sensitive medical or health-care-related information. The scan looks for keywords including "Life Insurance" and "Health Insurance."

# Payroll information—documents that may contain sensitive information related to the company payroll. The scan looks for keywords including "Salary," "Stock Options" and "Date of Hire."

# Objectionable material—documents that may contain explicit language of a sexual nature. A list of the words included in this search can be supplied on request.

Before downloading and installing the application, users need Microsoft's .NET Framework 2.0 or higher running on their computers. This can be downloaded from Microsoft's Web site.
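As an added illustration of the pattern-and-keyword classification the article describes (example code written for this post, not Scentric's tool; the keyword lists, the classic issuer prefixes, the SSN plausibility rules and the sample document are assumptions constructed for the example):

```python
import re
from typing import Dict, List, Optional

# Keyword lists per category, mirroring the examples the article gives
# (assumed for this example; the tool's real lists are not published here).
KEYWORD_CATEGORIES = {
    "confidential": ["confidential", "for internal use"],
    "medical": ["life insurance", "health insurance"],
    "payroll": ["salary", "stock options", "date of hire"],
}

# Classic issuer prefixes and lengths for the card brands the article names.
CARD_ISSUERS = [
    ("Visa", re.compile(r"^4\d{12}(?:\d{3})?$")),
    ("MasterCard", re.compile(r"^5[1-5]\d{14}$")),
    ("American Express", re.compile(r"^3[47]\d{13}$")),
    ("Diners Club International", re.compile(r"^3(?:0[0-5]|[68]\d)\d{11}$")),
    ("Discover", re.compile(r"^6(?:011|5\d{2})\d{12}$")),
]

# 13-16 digits, optionally separated by spaces or dashes.
CARD_CANDIDATE = re.compile(r"\b\d(?:[ -]?\d){12,15}\b")
SSN_CANDIDATE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: rejects most digit runs that merely look like a card number."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def card_issuer(digits: str) -> Optional[str]:
    for name, pattern in CARD_ISSUERS:
        if pattern.match(digits):
            return name
    return None


def ssn_plausible(area: str, group: str, serial: str) -> bool:
    """Structural rules only: area 000/666/9xx, group 00 and serial 0000 are never issued."""
    a = int(area)
    return a not in (0, 666) and a < 900 and group != "00" and serial != "0000"


def classify_text(text: str) -> Dict[str, List[str]]:
    """Return category -> findings; card and SSN values are reported truncated."""
    findings: Dict[str, List[str]] = {}
    for m in CARD_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        issuer = card_issuer(digits)
        if issuer and luhn_ok(digits):
            findings.setdefault("personal identity", []).append(
                f"{issuer} card ending {digits[-4:]}")
    for m in SSN_CANDIDATE.finditer(text):
        if ssn_plausible(*m.groups()):
            findings.setdefault("personal identity", []).append(
                f"SSN ending {m.group(3)}")
    lowered = text.lower()
    for category, words in KEYWORD_CATEGORIES.items():
        hits = [w for w in words if w in lowered]
        if hits:
            findings[category] = hits
    return findings


# Constructed sample document (test-card number and made-up SSN, not real data).
SAMPLE_DOC = """Applicant: Jane Doe
SSN: 123-45-6789
Card on file: 4111 1111 1111 1111
Salary: 52,000   Date of Hire: 2007-02-21
CONFIDENTIAL - For internal use only"""

if __name__ == "__main__":
    print(classify_text(SAMPLE_DOC))
```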

... Scentric's Data Privacy Assessment Tool is a quick, non-obtrusive way to determine how bad your situation is in terms of privacy or other violations, either based on corporate or regulatory policies, said Arun Taneja, founder and consulting analyst, Taneja Group.



First, How much can we make? Second, How fast can we install these cameras? 497th, Think anyone will object?

http://www.topix.net/content/trb/2793331669235160489206102145403682927625

Red-light cameras could rake in cash

The Orlando Sentinel Jay Hamburg February 21, 2007

What happens when drivers run red lights more than 11,000 times every day at just five intersections in Orange County?

Not a lot right now. But if county officials could install cameras to catch and automatically ticket those drivers, they'd stand to rake in fines that might rival lottery winnings: $2 million a day.

That's $180.50 per ticket for each violation. And that's not to mention the people saved from death or injury. [“'Cause who cares?” Bob]

... State statutes now allow law-enforcement agencies to use red-light cameras to catch and warn violators but not ticket them.

... Camera opponents cite privacy concerns, and critics say research is mixed on whether cameras act as deterrents or actually cause more rear-end crashes.

... Orlando police installed a red-light camera at the corner of Hiawassee Road and Raleigh Street at the end of 2005. In a little less than a year, they documented 7,549 red-light runners on southbound Hiawassee alone. They sent warning letters to about 3,000; the others could not be identified either because of obscured license plates or problems linking the auto to the correct vehicle registration. [Perhaps it won't be the vast revenue generator they expect. Looks like it is only half vast. Bob]



Interesting sequence of events...

http://www.law.com/jsp/article.jsp?id=1171965784912

Former Judge Collapses as He's Sentenced to 27 Months for Child Porn

By The Associated Press 02-21-2007

A former Orange County (Calif.) Superior Court judge collapsed in court Tuesday upon learning he was being sentenced to 27 months in prison for possessing child pornography on his home computer.

... He was arrested in November 2001 after a Canadian hacker used a computer program to download diary entries and other images from the former judge's computers. The hacked information was turned over to Pedowatch, a Colorado watchdog group, which notified Irvine, Calif., authorities. Police searched Kline's Irvine home and seized his computer.



Interesting summary. I wonder if TSA (and others) have heard of it?

http://www.bespacific.com/mt/archives/014015.html

February 21, 2007

DOJ Information Quality Factsheet: The Foundation for Justice Decision Making

Information Quality: The Foundation for Justice Decision Making -- Global Privacy and Information Quality Working Group (GPIQWG) - February 21, 2007.



Book suggestion

http://knowledge.wharton.upenn.edu/article.cfm?articleid=1663

Make Room, Wikipedia: Internet-based Collaboration Could Change the Way We Do Business

Published: February 21, 2007 in Knowledge@Wharton

... Wikinomics: How Mass Collaboration Changes Everything

[See also:

http://www.socialtext.net/wikinomics/index.cgi

Welcome to The Wikinomics Playbook, the "unwritten chapter" of Wikinomics: How Mass Collaboration Changes Everything -- the first peer-produced guide to business in the twenty-first century.]



Do you suppose Bill Gates will be elected president?

http://politics.slashdot.org/article.pl?sid=07/02/21/2319213&from=rss

The World's First National Internet Election

Posted by samzenpus on Wednesday February 21, @08:04PM from the vote-through-the-tubes dept.

InternetVoting writes "Expanding on the limited 2005 Internet voting pilot successes, the small European nation of Estonia will become the first country to allow voting in a national parliamentary election via the Internet. Fresh off the news of France's successful primary election using Internet voting and the announcement of 12 new UK election pilots, is Europe leaving the U.S. behind?"



Just think of it – some day those voting machines (we've been using for years) will be tested! Perhaps some may even pass the test! (Nah!) Colorado is the center of e-voting machine certification?

http://news.com.com/2061-10796_3-6161167.html?part=rss&tag=2547-1_3-0-5&subj=news

Feds OK pair of e-voting test labs

February 21, 2007 2:21 PM PST

Two Colorado-based laboratories on Wednesday became the first to receive final federal approval to test electronic voting machines for use by American voters.



Relax, we may be a monopoly but we love you...

http://news.com.com/2100-1016_3-6161250.html?part=rss&tag=2547-1_3-0-5&subj=news

Limited choices for Windows XP holdouts

If you're hesitant about making the leap to Windows Vista, expect a hassle trying to find a Windows XP PC on store shelves.

By Tom Krazit Staff Writer, CNET News.com Published: February 22, 2007, 4:00 AM PST

Despite words of caution from some in the tech industry that it's too early to make the switch to Microsoft's Windows Vista, many PC shoppers have no choice.



It's that last sentence...

http://science.slashdot.org/article.pl?sid=07/02/21/2326240&from=rss

SETI Finally Finds Something

Posted by samzenpus on Wednesday February 21, @09:21PM from the laptop-phone-home dept.

QuatumCrypto writes "SETI@home is a distributed processing client from UC Berkeley that installs on the volunteers' home computers and harnesses their processing power in the search for extraterrestrial intelligence. So far nothing noteworthy has come out of this massive project... that is until today! One of the volunteers was able to track down his wife's stolen laptop using the IP address that the SETI@home client reports back to the server. After getting back the laptop his wife said, 'I always knew that a geek would make a great husband.'"

Wednesday, February 21, 2007

Given a choice, these are the last records I'd toss out where someone could find them...

http://www.mysanantonio.com/news/metro/stories/MYSA021907.medicalrecordsdumped.KENS.184ada9d.html

Medical records found dumped

Web Posted: 02/20/2007 12:35 AM CST Barry Davis KENS 5 Eyewitness News

Hundreds of medical records from a chiropractor's office, protected under federal law, were found in the trash Monday behind a building.

The paperwork, covered under the HIPAA law, included Social Security numbers, photocopies of driver's license numbers, addresses, phone numbers and private medical history.

At least 20 boxes with medical files were recovered. Some of the files were found loose on the ground. They all belonged to Dr. James D. Strader of the now-defunct Back and Joint Institute of Texas.

... "I just finished up an identity theft myself," said a San Antonio Police Department officer whose file was dumped with the others. He wanted to remain anonymous. "This is an easy way for people to get a hold of your information. Give it back to us. Shred it. Do whatever, if it's no longer needed. But just to dump out for everybody else and their mother to pick it up [is wrong]."

Members of the police and fire unions came out to pick up the records because many of Strader's patients were cops and firefighters. Strader recently told the state chiropractic board that he moved offices to Northeast San Antonio, but that practice said he is no longer there.

... Strader later said the records must have been dumped by a bankruptcy trustee since the Back and Joint Institute of Texas folded.



Also see the next article... Are we moving toward penalties or just churning to look active?

http://www.boston.com/business/globe/articles/2007/02/20/bill_targets_retailers_for_costs_to_fix_data_thefts/

Bill targets retailers for costs to fix data thefts

They say plan would fatten bank profits, not protect public

By Peter J. Howe, Globe Staff | February 20, 2007

Citing the high-tech theft of credit card numbers from Stop & Shop Supermarket Cos., Massachusetts bankers yesterday urged state legislators to force retailers and others who fail to keep card data protected to pay all costs for fixing security breaches.

"What happened at Stop & Shop is another example of retailers not doing enough to protect consumers," said the Massachusetts Bankers Association's spokesman, Bruce E. Spitzer. "If companies know they'll be responsible for every expense caused by a security breach, maybe they'll finally invest in better security."

... Costello's legislation would require that when any enterprise, including retailers and banks, allows card numbers to be revealed, it would have to notify affected consumers within five days. It would also be liable for covering all expenses caused by the breach, including the cost for banks to issue replacement cards.

Hurst said retailers "firmly oppose" the bill because existing card-issuer policies already let banks recoup fraud expenses from companies that mishandle credit-card data. Banks charge retailers 2 to 4 percent of sales, ostensibly in part to cover fraud costs, Hurst said. Small banks that don't want to pay for expensive round-the-clock card fraud monitoring like Bank of America Corp. and other giants perform want to shift costs to retailers, Hurst said.

But Costello said existing laws need to be clarified in several ways, which his bill would do. Spitzer, of the bankers association, said fewer than one-third of major retailers comply with national card-security standards, adding, "If this legislation passes, all retailers, all companies, and all banks will know they'll be responsible for absorbing every cost associated with a data breach."


Not the way I would do it....

http://techdirt.com/articles/20070220/105239.shtml

New Cybersecurity Czar's Crazy Ideas Won't Fit In Washington

from the might-we-suggest-starting-at-the-VA? dept

CNET News.com has an interview with Greg Garcia, the new assistant secretary for cybersecurity and telecommunications in the Department of Homeland Defense -- the country's top cybersecurity official. Perhaps the most interesting part of the interview is where he discusses his plans to call on Congress to create some incentives for companies to invest in better security and training. There's a risk in creating incentives for this sort of thing, since many companies will just focus on creating solutions that comply in order to receive benefits, rather than ensuring something is actually secure. But the idea of creating incentives, or at least removing disincentives, generally makes sense -- perhaps too much sense to survive in Washington. If you consider how courts and governments respond to security breaches that expose people's personal information, it could almost be argued that companies have an incentive not to invest in better security, since they get let off the hook so easily, and when they do get in trouble, the penalties are such a slap on the wrist that it probably makes more sense just to accept them as a cost of doing business, rather than investing in security and changing procedures to avoid paying them in the future. It appears that this is what many companies do already. For instance, in the wake of the recent TJX data leak (which looks like it's the biggest credit-card leak ever), it was revealed that just 31% of retailers follow Visa's regulations on how credit-card info should be handled. But if they don't comply, and lose data, they're not the ones on the hook for fines -- the bank that processes their payments is liable -- so they hardly have any reason to follow the rules. And in any case, Visa assessed less than $5 million in fines last year, which isn't even a drop in the bucket to the banking or retail industry. The incentives in this area are badly misaligned; hopefully this new cybersecurity czar will be able to straighten them out.



Perspective?

http://www.usnews.com/usnews/news/badguys/070220/fbi_translating_over_1000_wire.htm

FBI Translating Over 1,000 Wiretap Conversations a Day

Spurred by adding hundreds of new linguists and help from allies overseas, the FBI is translating a record 34,000 wiretapped conversations a month, bureau officials tell the Bad Guys blog. Long criticized for its lack of language specialists, the FBI, they say, is finally catching up to an unprecedented intake of foreign-language surveillance recordings, electronic data, and text since 9/11.

Most of the wiretaps are tied to counterterrorism and counterintelligence cases, officials say. Since 9/11, the FBI's counterterrorism agents, in particular, have collected a mother lode of intelligence. In a widely overlooked report to the Senate Judiciary Committee in November, bureau officials ticked off their counterterrorism take over the past four years:

  • 519,217 hours of audio

  • 5,508,217 electronic data files

  • 1,847,497 pages of text

A July 2005 audit by the Justice Department's inspector general found that the bureau's counterterrorism audio backlog had doubled over the preceding year to 8,354 hours. But in their Senate report, FBI officials counter that the backlog represents only 1.35 percent of all the audio collected, and that nearly all of the agency's text and electronic data files have now been translated.

"We've made great strides," says Jeff Lanza, an FBI spokesman. "Ninety-nine percent of the backlog has been eliminated." Nearly a third of what remains is "white noise" not expected to yield anything of value, officials say. Of most concern are 3,240 hours of "audio from very obscure languages and dialects," which the bureau is scrambling to find linguists for.

The FBI has eased its backlog by markedly increasing its reservoir of translators. Since 2001, the number of FBI staff linguists has grown to 1,409, an 80 percent jump, officials say. The FBI has also turned to "the language programs of allied intelligence agencies," as well as to contract linguists, according to testimony by FBI Director Robert Mueller.

Since the 9/11 attacks in 2001, the number of national security wiretaps approved by the secret U.S. Foreign Intelligence Surveillance Court more than doubled, according to the Justice Department, from 934 in 2001 to 2,072 in 2005, an increase of 122 percent. These include wiretaps of counterterrorism suspects as well as counterintelligence targets such as foreign spies in America. In addition, thousands of electronic intercepts are thought to have been made under the National Security Agency's controversial warrantless surveillance program begun after 9/11. (That program was recently brought under the Foreign Intelligence Surveillance Court's purview.)

By contrast, the growth has been much slower in criminal wiretaps, which include eavesdropping on Mafia bosses, corrupt officials, and other suspected lawbreakers. In 2001, authorities completed 1,491 of these intercepts authorized by federal and state courts, according to the Administrative Office of the United States Courts. That number grew to 1,773 in 2005, representing an increase of 19 percent.




It is only human to want to feel superior. But this is a very dangerous attitude to have when you are trying to help users solve problems.

http://it.slashdot.org/article.pl?sid=07/02/20/1924218&from=rss

IT Departments Fear Growing Expertise of Users

Posted by kdawson on Tuesday February 20, @03:42PM from the illusion-of-control dept.

flatfilsoc recommends a long article in CIO magazine on users who know too much and the IT leaders who fear them. Dubbing the universe of consumer technology the "shadow IT department," the article highlights the extent to which the boundary between users' workplace and home have broken down. It notes the increasing clash — familiar to anyone who works in a company with an IT department — between users' home-grown productivity boosters and IT's mandate to protect corporate data. The inherent tendency of the IT department to want to crack down and control technology that it doesn't supply should be resisted at all costs, according to CIO. The article outlines strategies for co-existence. It just might persuade some desperate CIO somewhere not to embark on a career-limiting path of decreeing against gmail and IM.



More expensive than I thought!

http://slashdot.org/article.pl?sid=07/02/20/2213231&from=rss

4 GB May Be Vista's RAM Sweet Spot

Posted by kdawson on Tuesday February 20, @07:09PM from the honkin' dept.

jcatcw writes "David Short, an IBM consultant who works in the Global Services Division and has been beta testing Vista for two years, says users should consider 4GB of RAM if they really want optimum Vista performance. With Vista's minimum requirement of 512MB of RAM, Vista will deliver performance that's 'sub-XP,' he says. (Dell and others recommend 2GB.) One reason: SuperFetch, which fetches applications and data, and feeds them into RAM to make them accessible more quickly. More RAM means more caching."



No doubt the RIAA will lobby for an invasion....

http://www.technewsworld.com/rsstory/55862.html

SlySoft Tool Cracks HD DVD Encryption

By Tim Gray TechNewsWorld 02/20/07 3:20 PM PT

SlySoft, an Antigua-based software company that develops tools for breaking encryption coding, has released AnyDVD HD, a tool that cracks protections on HD DVDs and makes them easy to copy. Although the news may come as a blow to the consortium that designed the decryption specifications, it is unlikely that mass pirating of HD DVDs will occur any time soon, given the cost of the undertaking.