Saturday, April 21, 2007

Today's theme seems to be “Trust us! We're your government!”

Ignorance is bliss. That's a “law” that needs changing.

U.S. Exposed Personal Data

Census Bureau Posted 63,000 Social Security Numbers Online

By Ellen Nakashima Washington Post Staff Writer Saturday, April 21, 2007; A05

For more than a decade, the Census Bureau posted on a public Web site the Social Security numbers of 63,000 people who received financial aid, officials said yesterday. The apparent violation of federal privacy law prompted concerns about identity theft.

Government officials removed the data from the Web site on April 13, the day they were alerted to the breach by an Illinois farmer [“We're the Census Bureau, we don't know what's on our website!” Bob] who discovered the numbers while surfing the Internet. They did not publicize the matter until yesterday, saying they needed the delay to enable information-security officials to contact those whose numbers were revealed and to contact "at least a half-dozen" mirror sites.

"We take full responsibility for this and offer no excuses for it," said Terri Teuber, a spokeswoman for the U.S. Department of Agriculture. "We absolutely do not think it was appropriate."

A watchdog group countered that officials tried to suppress the news.

"The bottom line is the government screwed up," said Gary Bass, executive director of OMB Watch. "What's really important is that they now try to rectify the problem. Thousands of research groups have copies of this site."

... Teuber said the USDA had been using Social Security numbers as part of a 15-digit federal contract identifier number. The practice dates back more than 25 years, she said, to when Social Security numbers were printed on checks. She said the USDA's information-security division was not aware of this continuing practice until last week. [First: Take an inventory! Bob]
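Bob's "take an inventory" point has a concrete form. The following is an added example, not code from the Post story or from the USDA: a small scanner that looks for SSN-shaped digit runs inside arbitrary identifier fields. The page does not give the layout of the 15-digit contract identifier, so the scanner assumes nothing about it and simply tests every nine-digit window of every long digit run (plus any dash-formatted AAA-GG-SSSS string) against the structural rules an SSN must obey: area 001-899 other than 666, group 01-99, serial 0001-9999. The records below are constructed and the numbers in them are made up.

```python
import re
from typing import Dict, Iterator, List, NamedTuple, Tuple


class SsnHit(NamedTuple):
    record: int       # index of the record in the input
    field: str        # which column the candidate sits in
    offset: int       # character offset inside that field
    candidate: str    # the nine digits, shown as AAA-GG-SSSS


def looks_like_ssn(nine: str) -> bool:
    """Structural rules every SSN obeys. This confirms shape, not issuance."""
    if len(nine) != 9 or not nine.isdigit():
        return False
    area, group, serial = int(nine[:3]), int(nine[3:5]), int(nine[5:])
    return 0 < area < 900 and area != 666 and group != 0 and serial != 0


_FORMATTED = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")
_DIGIT_RUN = re.compile(r"\d{9,}")


def scan_field(value: str) -> Iterator[Tuple[int, str]]:
    """Yield (offset, nine_digits) for every SSN-shaped candidate in one field."""
    # Dash-formatted SSNs written into free text.
    for m in _FORMATTED.finditer(value):
        nine = "".join(m.groups())
        if looks_like_ssn(nine):
            yield m.start(), nine
    # Every nine-digit window inside a longer digit run: this is how an SSN
    # hides inside a composite identifier such as a 15-digit contract number.
    for m in _DIGIT_RUN.finditer(value):
        run = m.group()
        for i in range(len(run) - 8):
            nine = run[i:i + 9]
            if looks_like_ssn(nine):
                yield m.start() + i, nine


def scan_records(records: List[Dict[str, str]], fields: List[str]) -> List[SsnHit]:
    """Scan the named fields of every record; a field with any hit needs a human look."""
    hits: List[SsnHit] = []
    for idx, rec in enumerate(records):
        for f in fields:
            for off, nine in scan_field(str(rec.get(f, ""))):
                hits.append(SsnHit(idx, f, off, f"{nine[:3]}-{nine[3:5]}-{nine[5:]}"))
    return hits


# Constructed sample: no real identifiers. Record 0 has an SSN-shaped run buried in a
# 15-digit identifier; record 1's identifier contains no valid window; record 2 carries
# a dash-formatted number in a notes column.
SAMPLE_RECORDS = [
    {"recipient": "A. Farmer", "contract_id": "171234567890042", "notes": "paid"},
    {"recipient": "B. Grower", "contract_id": "000000000000042", "notes": "paid"},
    {"recipient": "C. Rancher", "contract_id": "AG-2007-0042", "notes": "orig check to 123-45-6789"},
]

if __name__ == "__main__":
    for hit in scan_records(SAMPLE_RECORDS, ["contract_id", "notes"]):
        print(hit)
```

A 15-digit all-numeric field yields seven candidate windows, most of them false positives; that noise is the point. Once a field is flagged, the fix is to go read the layout spec for that identifier, not to tune the regex until it is quiet.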

Ignorance is commonplace...

Los Alamos warns workers about identity theft

By SUE MAJOR HOLMES Associated Press April 20, 2007

ALBUQUERQUE, N.M. (AP) - Los Alamos National Laboratory warned employees about protecting themselves against identity theft after the names and Social Security numbers of 550 lab workers were posted on a Web site run by a subcontractor working on a security system.

An April 5 letter to the employees from Jan A. Van Prooyen, the lab's acting deputy director, said the problem was discovered the previous week when a lab employee happened upon the Web site [Apparently, managers are genetically incapable of finding problems. Bob] of a software services company that had been hired years before.

Clicking a link and entering a password provided online [Now there's a “security technique” you seldom see... Bob] led to a table that included names, and in some cases, Social Security numbers, of people who entered certain lab sites around 1998, the letter said.

Van Prooyen said the lab wasn't aware of "this unauthorized use" of personal information until March 28, and that the former subcontractor removed the information that afternoon after the lab contacted the company.

... Van Prooyen's letter said the lab did not know how long the information had been online. [What records? Bob] However, it said the information wasn't likely to have been misused given that it was buried within the Web site, the site did not appear to have been widely accessed and the subcontractor's business had not been active for about two years.

Ignorance is widespread. (Somehow it looks more impressive when you summarize the whole week in one article...)

Data “Dysprotection:” Friday Roundup

Friday April 20th 2007, 6:52 pm

A quick recap of some of the breaches and follow-ups we reported in the news section this week:

At least 60 customers of Albertson’s Supermarket in San Lorenzo had their identities stolen and bank accounts raided by thieves who used a credit card skimmer. By the end of the week, authorities reported that another Albertson’s had also been compromised the same way.

The University of Pittsburgh Medical Center disclosed that a second set of patient data containing patient names, Social Security numbers, X-rays and other personal medical information had been found on UPMC’s web site and in the Internet Archives. This was in addition to the 80 patients previously reported to have been found on both the web and in the Internet Archives. Not a great week for UPMC.

When the Washington Post exposed the fact that student loan companies were improperly accessing a national database with confidential information on tens of millions of students, the lenders were blocked from access.

New Horizons Community Credit Union (NHCCU) is notifying members of a potential breach of confidential member loan information after the theft of a laptop computer from Protiviti, “a consultant employed by Bellco Credit Union conducting due diligence [but having none themselves... Bob] to prepare a possible acquisition bid.” Anybody else see any irony in the firm doing due diligence managing to get their laptop stolen or am I just in a weird mood?

Ohio State University reported a “two-fer” on breaches this week: a hack compromised the personal information of 14,000 current and former faculty and staff members. Additionally, two laptop computers stolen from a professor’s home contained the SSN and grades of about 3500 chemistry students. And in case one set of the data wasn’t enough, the professor had just finished copying over all of the data from one laptop to the other.

A Los Angeles County laptop computer that contained names and SSN of 28 people enrolled in the Department of Social Services’ Refugee Employment Program was stolen.

An employee of Gerald Champion Regional Medical Center was found to be in possession of confidential employee information, including SSN and bank account information, even though he was not authorized to have that information. Hey, at least they know where their data are, unlike some of these other folks…

The Texas Attorney General filed suit against CVS/Caremark Corp. for putting as many as 1000 customers’ records in a dumpster behind one of its stores. This was the second such suit as the AG also filed against Radio Shack recently.

A man who stole hundreds of identities from patients whose accounts were handled by Hospital Billing & Collection Service Inc. was sentenced to six years and three months in prison today.

A man in prison for identity theft is accused of running a similar operation from behind bars. Gimme that good old-fashioned American ingenuity…

A computer file server containing research subject information, SSN, and medical details on 3000 cancer research participants was stolen from the University of California at San Francisco.

Valve Software, the company behind Counter Strike and Half Life, has been accused of covering up a hack of its servers which allegedly exposed the credit card details of thousands of its customers.

The names and SSN of more than 5,600 New Mexico State University students were accidentally posted on the school’s Web site for a few hours.

Los Alamos National Laboratory was back in the news this week: 550 lab employees were notified that their names and in some cases, SSN, had been on a web site for what appears to be at least two years.

The SSN of up to 150,000 people who received loans or other financial assistance from two Agriculture Department programs were disclosed for 26 years in a publicly available database. Officials at the Agriculture Department and the Census Bureau, which maintains the database, were notified last week by a farmer from Illinois, who stumbled across the database on the Internet.

Major mail-order Japanese retailer Japanet Takata Co. has filed a 110 million yen damages suit against a former employee who allegedly copied personal information on over half a million customers and then leaked it to outsiders.

In the UK, Lime Pictures exposed about 20,000 individuals’ personal details on its website in the form of completed job applications.

Also in the UK, about 100,000 customers of the broadband provider Bulldog appear to have had private details stolen.

But on a positive note:

Not one agency or business reporting a breach suggested that there was any chance that the information had been or even might be misused. (Note that I am struggling valiantly to type this with a straight face…)

Although the U.S. Dept. of Commerce reported that 33 computers were infected with data-stealing Trojans and other malware last year, no information is believed to have been stolen. Gotta stop opening those porn links at work, guys…

When does stupidity cross into gross negligence? Who should be talking to these people?

ISP Kicks Out User Who Exposed Vulnerability; Doesn't Fix Vulnerability

from the blame-the-messenger dept

Over the past few years, there have been plenty of examples of companies with security vulnerabilities blaming the messenger when the vulnerabilities are pointed out, often threatening them with time in jail. The end result, of course, is that many security researchers are afraid to report vulnerabilities, as they may be blamed for them. Of course, that doesn't mean that others haven't found the same vulnerabilities and started using them for malicious purposes. The latest such case is pointed out by Broadband Reports and involves an ISP in the UK called BeThere. Apparently, a college student discovered and published a pretty major vulnerability found in the routers the company uses, allowing anyone to access the routers remotely. Rather than thank the customer for finding and highlighting a pretty serious vulnerability, the company has cut off his service and threatened him with lawsuits. Oh yeah, they also haven't bothered to fix the vulnerability -- despite it being published 7 weeks ago. The reasoning from the ISP is astounding. They claim that since they can't find any evidence that anyone ever used the vulnerability, he must have discovered it by "illegal" means. Who knew that simply probing for security vulnerabilities was illegal? And, of course, the ISP told the guy he's not allowed to talk about its legal threat to him -- which isn't actually legally binding. It's not clear if the ISP doesn't understand what it's done or simply doesn't want to fix the vulnerability -- but the fact that it seems to think it's ok to leave the vulnerability there and just cut off the guy who pointed it out should make other customers of BeThere wonder about how the ISP treats their security.

While we're on the subject of ill-logic... Is this a case of: “We shoulda thought of this first?”

Google-DoubleClick Raise Red Privacy Flags

By Roy Mark April 20, 2007

UPDATED: Online privacy groups filed a complaint with the Federal Trade Commission (FTC) today seeking to block Google's $3.1 billion bid for online advertising firm DoubleClick unless the world's largest search engine agrees to greater consumer privacy protections.

The combination of Google and DoubleClick would combine two of the biggest players in online advertising. Google's AdSense business is algorithm-driven and based on clickable links, while DoubleClick's DART technology places targeted banners on popular online sites.

The complaint alleges if the deal is allowed to go unchecked, Google will have the unprecedented ability to "record, analyze, track and profile" the activities of Internet users, [Surely, they can do that now? Bob] a charge both Google and DoubleClick were quick to deny.

"Google's proposed acquisition of DoubleClick will give one company access to more information about the Internet activities of consumers than any other company in the world," [Surely, one company is number one today... Bob] the complaint states. "Moreover, Google will operate with virtually no legal obligation to ensure the privacy, security and accuracy of the personal data that it collects." [but not because of this merger... Bob]

The groups also complain that at least some the data is personally identifiable.

But DoubleClick insisted in a statement, "Any and all information collected by DoubleClick is, and will remain, the property of the company's clients. Ownership rights, like the other terms of DoubleClick's client contracts, will be unaffected by any acquisition."

The privately held DoubleClick added, "Google would not be able to match its search data to the data collected by DoubleClick, as DoubleClick does not have the right to use its clients' data for such purposes." [This is based on the Privacy statement, not a technical barrier. Changing the Privacy statement is as simple as uploading a new page. Bob]

Nicole Wong, Google's deputy general counsel, issued a statement calling the complaint "unsupported by the facts and the law." Wong said the complaint "utterly fails to identify any practice that does not comply with accepted privacy standards."

The Electronic Privacy Information Center (EPIC), the Center for Democracy and Technology (CDT) and the U.S. Public Interest Research Group (U.S. PIRG) want DoubleClick to remove user-identified cookies and "other persistent pseudonymic" identifiers from all corporate records and databases prior to any transfer to Google.

The groups also want the FTC to require Google to publicly present a plan to comply with government and industry privacy standards as a condition of the deal. [Most interesting! Who does that now? Bob] In addition, they are seeking to force Google to establish a meaningful data destruction policy and offer consumers "reasonable access" to all personally identifiable data held by the company.

According to the complaint, "Absent injunctive relief [by the FTC]…other companies will be encouraged to collect large volumes of information from consumers in an unfair, disproportionate and deceptive manner." [How? Bob]

When the deal was announced late last week, DoubleClick CEO David Rosenblatt said, "Google is the absolute perfect partner for us. Combining DoubleClick's cutting edge digital solutions for both media buyers and sellers with Google's scale and …resources will bring tremendous value to both our employees and clients."

Google co-founder Sergey Brin added, "Together with DoubleClick, Google will make the Internet more efficient for end users, advertisers and publishers."

The market was unimpressed with the privacy groups' FTC complaint. In late afternoon trading, Google shares were up almost $15 to $486.70.

If the deal is approved, it will close by the end of the year.

Tools & Techniques Not new, but an interesting question: Is it 'wiretapping' when you are 'broadcasting'?

Friday, April 20, 2007

Seeing through walls

Have you considered that someone could be reading what's on your monitor from a few rooms away? It's unlikely, but possible, as work by Cambridge University computer security researcher Markus Kuhn shows.

A radio antenna and radio receiver - equipment totalling less than £1000 - is all you need. Kuhn managed to grab the image to the left through two intermediate offices and three plasterboard walls.

Back in 1985, Wim Van Eck proved it was possible to tune into the radio emissions produced by electromagnetic coils in a CRT display and then reconstruct the image. The practice became known as Van Eck Phreaking.

... CRTs are now well on the way to being history. But Kuhn has shown that eavesdropping is possible on flat panel displays too.

... Kuhn also mentioned that one laptop was vulnerable because it had metal hinges that carried the signal of the display cable. I asked if you could alter a device to make it easier to spy on. "There are a lot of innocuous modifications you can make to maximise the chance of getting a good signal," he told me. For example, adding small pieces of wire or cable to a display could make a big difference.

... For another cool security demonstration by Kuhn, check out this story on decoding the flicker a monitor casts on the walls.

How to steer customers to your storefront... (screw up 'first responders', etc.)

Don't let your navigation system fool you

By Joris Evers Story last modified Fri Apr 20 15:46:46 PDT 2007

VANCOUVER, B.C.--That roadblock alert on your navigation system may not be real. Neither may that warning for a "terrorist incident," an "air raid" or a "bullfight."

Two Italian hackers have figured out how to send fake traffic information to navigation systems that use a data feature of FM radio for real-time traffic information. Using cheap, off-the-shelf hardware, they can broadcast traffic data that will be picked up by cars in about a one-mile radius, the hackers said during a presentation at the CanSecWest event here.

"We can create queues, bad weather, full car parks, overcrowded service areas, accidents, roadwork and so on," said Andrea Barisani, chief security engineer at Inverse Path, a security company. "Traffic information displayed on satellite navigation systems is trusted by drivers. Normal people do not think that you can do nasty things."

Barisani and hardware hacker Daniele Bianco discovered that the system used by many navigation aids to get traffic data isn't secured. [Planning! Bob] The data is sent using the Traffic Message Channel (TMC) of the Radio Data System (RDS), a standard way of transmitting data over FM radio also used to display station names and program titles.

... The hackers wrote a program to decode the RDS data. "As far as we know it is the first open-source tool that tries to fully decode RDS information," Barisani said. They then figured out how to create their own TMC messages and broadcast those using an RDS encoder, an FM transmitter, an antenna and some other tools.
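To make "isn't secured" concrete, here is an added example; it is not Barisani and Bianco's tool, which the page does not reproduce. It builds a single-group TMC user message as an RDS type 8A group and then runs the only check an RDS receiver performs on each 26-bit block: a 10-bit CRC checkword (generator x^10 + x^8 + x^7 + x^5 + x^4 + x^3 + 1) XORed with a fixed per-block offset word, as laid out in the RDS standard (IEC 62106) and ISO 14819-1 for TMC. The PI code, event code and location code used below are arbitrary placeholders, not values from any real broadcast. The CRC is an integrity check against noise and involves no secret, so a forged group and a genuine one are indistinguishable to the receiver; the test at the end shows the receiver rejects a bit flip but accepts the forgery.

```python
from typing import List, Optional

RDS_POLY = 0x5B9          # g(x) = x^10 + x^8 + x^7 + x^5 + x^4 + x^3 + 1
OFFSET_A, OFFSET_B, OFFSET_C, OFFSET_D = 0x0FC, 0x198, 0x168, 0x1B4
GROUP_8A_OFFSETS = (OFFSET_A, OFFSET_B, OFFSET_C, OFFSET_D)   # version-A group


def rds_crc10(info: int) -> int:
    """Remainder of info(x) * x^10 modulo g(x): the raw 10-bit checkword."""
    reg = (info & 0xFFFF) << 10
    for bit in range(25, 9, -1):
        if reg & (1 << bit):
            reg ^= RDS_POLY << (bit - 10)
    return reg & 0x3FF


def make_block(info: int, offset: int) -> int:
    """26-bit RDS block: 16 information bits, then checkword XOR offset word."""
    return ((info & 0xFFFF) << 10) | (rds_crc10(info) ^ offset)


def check_block(block: int, offset: int) -> bool:
    info, checkword = block >> 10, block & 0x3FF
    return (rds_crc10(info) ^ offset) == checkword


def forge_tmc_group(pi: int, pty: int, tp: int, dp: int, diversion: int,
                    direction: int, extent: int, event: int, location: int) -> List[int]:
    """Single-group TMC user message (RDS group 8A). No key material is involved:
    anyone with the standard and an RDS encoder can produce one."""
    b1 = pi & 0xFFFF
    # group type 8, version bit B0 = 0, TP, PTY, then T=0 (user message),
    # F=1 (single group), DP = duration/persistence
    b2 = ((8 << 12) | (0 << 11) | ((tp & 1) << 10) | ((pty & 0x1F) << 5)
          | (0 << 4) | (1 << 3) | (dp & 0x7))
    # D (diversion advice), +/- direction, extent (3 bits), event code (11 bits)
    b3 = (((diversion & 1) << 15) | ((direction & 1) << 14)
          | ((extent & 0x7) << 11) | (event & 0x7FF))
    b4 = location & 0xFFFF
    return [make_block(info, off) for info, off in zip((b1, b2, b3, b4), GROUP_8A_OFFSETS)]


def receiver_accepts(blocks: List[int]) -> bool:
    """Everything a receiver checks: four blocks, each with a valid checkword
    for its position. There is nothing here that an attacker cannot compute."""
    return len(blocks) == 4 and all(check_block(b, o) for b, o in zip(blocks, GROUP_8A_OFFSETS))


def decode_tmc_group(blocks: List[int]) -> Optional[dict]:
    """Decode an accepted 8A single-group user message; None if rejected or not one."""
    if not receiver_accepts(blocks):
        return None
    b1, b2, b3, b4 = (b >> 10 for b in blocks)
    if (b2 >> 12) != 8 or (b2 >> 11) & 1 or (b2 >> 4) & 1 or not (b2 >> 3) & 1:
        return None
    return {
        "pi": b1, "tp": (b2 >> 10) & 1, "pty": (b2 >> 5) & 0x1F, "dp": b2 & 0x7,
        "diversion": (b3 >> 15) & 1, "direction": (b3 >> 14) & 1,
        "extent": (b3 >> 11) & 0x7, "event": b3 & 0x7FF, "location": b4,
    }


if __name__ == "__main__":
    # Placeholder PI, event and location values; not taken from any real network.
    forged = forge_tmc_group(pi=0x1234, pty=0, tp=1, dp=7, diversion=0,
                             direction=0, extent=2, event=401, location=0x0BEE)
    print([hex(b) for b in forged], receiver_accepts(forged), decode_tmc_group(forged))
```

The offset words are the only thing binding a block to its slot in the group, and they are published constants. A receiver that wanted to distinguish a roadside transmitter from the licensed one would need something the standard does not carry, such as a signature over the message; absent that, "the CRC checks out" means only "the radio channel was clean".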

Perhaps we are becoming (or always were) a nation of voyeurs?

Analyst: Web 2.0 Users Would Rather Watch Than Upload

By John P. Mello Jr. TechNewsWorld 04/20/07 8:00 AM PT

New findings by Hitwise suggest the great majority of Web 2.0 users are the online equivalent of couch potatoes. Among visitors to sites that encourage active participation from users in the form of editing or uploading content, only a tiny fraction of visitors typically do so -- most are just observers.

The so-called "New Web" has been hailed as a great place for sharing and interacting, but data released Tuesday by Internet traffic researchers suggests most cybersurfers are watchers, not uploaders.

In a presentation at the Web 2.0 Expo in San Francisco this week, Hitwise analyst Bill Tancer noted that upload rates at participatory cyberstops like YouTube and Flickr were well under 1 percent -- 0.16 percent for video-sharing site YouTube and 0.2 percent for photo-sharing site Flickr, which is owned by Yahoo.

The Hitwise findings beg the question, is the Web moving the realm of the couch potato from the living room into Cyberspace?

"Web 2.0 is to the Internet what the remote was to TV," Jaron Lanier a scholar-in-residence at the University of California at Berkeley and a pioneer in virtual reality research, told TechNewsWorld. "It encourages skittish attention deficit behavior."

80 Percent Watchers

By and large, most visitors to participatory Web sites are watchers, maintained Randall C. Bennett, former lead blogger for DV Guru and founder of Tech Check Daily, a daily video podcast about technology.

As a rule of thumb, he estimated that about 1 percent of a site's visitors are "creatives" -- enthusiastic and frequent uploaders of site content; some 20 percent are "contributors" who might do some uploading and add comments and tags to a site's content; and the rest of the visitors are just watchers.

"They're the kind of people who use Wikipedia just because the information is useful to them," he exemplified.

Ironically, Wikipedia, the online encyclopedia written and edited by volunteers, had a relatively high participation rate in the Hitwise findings -- 4.49 percent of visitors edited entries at the site.

Conversational Dynamic

"I'm not surprised that the percentage of people who upload videos is much smaller than the percentage of people who watch them," John Battelle, a Web marketing analyst with Battelle Media told TechNewsWorld.

"But I don't think the act of watching on the Web is necessarily passive," he added. "You're watching a conversation, which is different than watching a presentation."

For example, he explained that many visitors to a video-sharing Web site aren't just looking at a video. They're looking at related videos, responses to video, commentary on videos and so forth.

"It's a conversational dynamic as opposed to a receiving dynamic," he observed.

Skyrocketing Growth

That conversational dynamic inherent in Web 2.0 appears even at sites that limit user uploads.

Jeffrey D. Neuburger, chairman of the technology, media and communication department at the law firm of Thelen Reid Brown Raysman & Steiner, cited a major record company that has moved all its talent acquisition operations to the Web.

"It's like American Idol," he told TechNewsWorld. "Artists upload their music and videos, but the public can post comments on them so the A&R (artist and repertoire) people can actually get a sense of what the public thinks about the content before they approach an artist."

Even if participation rates at Web 2.0 sites remain low, visitors continue to flock to the cyberstops, according to Hitwise. Its presentation showed that in the last two years, visits to the top participatory Web sites increased 668 percent.

Hot Newcomers

Other findings in the Hitwise presentation included:

  • Visits to Wikipedia outnumber visits to Microsoft's Encarta encyclopedia site 3,400 to 1.

  • Biggest users of Wikipedia are 18- to 24-year-olds (25.89 percent) and 35- to 44-year-olds (25.53 percent), while most of the editing of the encyclopedia is being done by 35- to 44-year-olds (27.35 percent), 45- to 54-year-olds (28.85 percent) and the over-55 set (25.59 percent).

  • Web 2.0 photo sites account for 56 percent of all photo site traffic on the Internet.

  • Most YouTube visitors are 18- to 24-year-olds (30.55 percent), while most video is uploaded to the site by 35- to 44-year-olds (35.65 percent).

So who watches the watchers?

YouTube to collect user data

Posted by Greg Sandoval April 20, 2007 11:16 AM PDT

YouTube, the Internet's No. 1 video warehouse, is gearing up to collect user data that could prove valuable to marketers, according to the company's chief marketing officer.

Suzie Reider, YouTube's chief marketing officer, told an audience at the Advertising Research Foundation's Rethink conference this week that YouTube will launch in a few weeks its first user study, according to trade publication Advertising Age.

"By Q3, we'll have a tremendous amount of metrics and data around every video," Reider told the audience. "There's lots you can glean from looking at who's looking at what. ["You can observe a lot just by watchin'." Yogi Berra Bob] It's a real-time focus group that happens all day, every day."

More than 34 million U.S. residents visit YouTube each month, according to ComScore Networks.

Good on ya', Annie Oakley! (In the old days, women were TUFF!)

One tough beauty queen

Venus Ramey, 82, shoots tire, stops intruders

Venus Ramey has earned lots of fame in her 82 years.

She was Miss America 1944 and later a candidate for Cincinnati City Council and worked to save Over-the-Rhine's historic buildings. She performed on Broadway and in movies.

Now, though, she's in the news for another reason.

After confronting a man she said was stealing from her Kentucky farm, Ramey pulled out a gun and shot out a tire on his truck so he couldn't leave, allowing police to arrest him and two others.

"He was probably wetting his pants," Ramey said Thursday from her home in Waynesburg, about 140 miles south of Cincinnati.

Ramey was on her Lincoln County farm last week - "Friday the 13th, apropos date, isn't it?" she noted Thursday - feeding a horse when she saw her dog run to a nearby building where she stores old steel-shaping machines, lathes and other equipment.

"This stuff is over 100 years old," she said.

For some time, thieves had been breaking into the building to steal the machines to sell for scrap. She hadn't been able to catch anyone in the act until last week.

She drove over to the building and blocked the truck sitting there.

When she asked a man what he was doing, he replied "scrapping," and said he would leave.

"I said, 'Oh, no you won't,' and I shot their tires so they couldn't leave," Ramey said.

She had to balance on her walking stick as she pulled out a snub-nosed .38-caliber handgun.

"I didn't even think twice. I just went and did it. If they'd even dared come close to me, they'd be 6 feet under by now."

Ramey then tried to flag down people driving by. When one stopped, she asked them to call 911. Eventually, three people were arrested - one at the scene and two others walking on a nearby road.

"They've been stealing from me for years. Those good-for-nothing slobs," she said.

Friday, April 20, 2007

This should be easy to program. Where would you like the money sent?

Airman loses $600 to '1-cent deposit' scam

by Staff Sgt. Don Branum 50th Space Wing Public Affairs

4/19/2007 - SCHRIEVER AIR FORCE BASE, Colo. (AFNEWS) -- An Airman assigned to the 50th Mission Support Squadron here recently fell victim to a new banking scam against which vigilance is the only defense.

Airman A, whose full name has been withheld for privacy reasons, first noticed the scam when money began disappearing from his account at a local bank.

"I'm not usually the type of person who checks his account balances every day," Airman A said. "I called the bank recently to find out my balance, and the amount in the account was lower than I'd expected."

More specifically, the account balance was $124.90 less than it should have been. A business named "Equity First" had made the debit. The toll-free number listed on the transaction led to dead ends -- none of the options would allow Airman A to speak with a human. So he went online.

"I searched for information, and the result that came up was for a mortgage company," said Airman A, who lives in one of the Schriever Air Force Base Airmen's dormitories on Peterson AFB. He found a toll-free number on that site and called.

Joanna Thorndyke is an employee at the mortgage company Airman A contacted. Equity 1st Mortgage, based in Wilmington, N.C., is not the "Equity First" making the withdrawals, but company employees have fielded dozens of complaints since the scam began.

"We've had people calling from all over the country except North Carolina -- the only state in which we're licensed to do business," Mrs. Thorndyke said.

She has handled approximately 100 phone calls from scam victims since at least 2006, including five calls she received April 1. In every case, the amount withdrawn was the same: $124.90.

The scammers apparently generate random routing and account numbers, into which they try to deposit one cent, Mrs. Thorndyke said. Once the one-cent deposit clears, the perpetrators know the account is active and begin to withdraw funds from the account.

Based on the call traffic, Mrs. Thorndyke said the withdrawals seemed to take place near the beginning of the month. Some people had only seen a single withdrawal from their accounts. In Airman A's case, however, the perpetrator had struck several times. His total loss was more than $600.

"We've contacted everyone we can in our state to clear our name," Ms. Thorndyke said. "We hate that our name's associated with something like this, but we're letting victims know that they need to contact their banks."

Airman A contacted his bank, the Peterson AFB branch of 5-Star Bank. Vickie DuVal, the bank manager, refunded the amounts and recommended Airman A open a new bank account to stop the fraudulent withdrawals.

"This was the first time I'd seen this," Ms. DuVal said.

Because the transfers clear electronically, people are not asked to verify the transactions. However, they may dispute the transactions once they notice what's happening.
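The story describes a pattern a bank can look for: a one-cent credit that probes whether the account exists, then debits from the same originator near the start of the month. The following is an added example, not code from the Air Force story or from 5-Star Bank: one per-account detector for the probe-then-drain sequence, and one cross-account detector for a single originator pulling an identical amount from many accounts, which also catches accounts where the probe fell outside the data you have. The transactions are constructed; the originator string and the $124.90 amount come from the story, everything else is made up. Amounts are kept in integer cents to avoid floating-point drift.

```python
from collections import defaultdict
from datetime import date
from typing import Dict, List, NamedTuple, Set, Tuple


class Txn(NamedTuple):
    account: str
    posted: date
    originator: str      # name carried on the ACH entry
    amount_cents: int    # positive = credit, negative = debit


def find_probe_then_drain(txns: List[Txn], max_probe_cents: int = 1,
                          window_days: int = 45) -> List[dict]:
    """Flag (account, originator) pairs whose first activity is a credit of at most
    max_probe_cents followed, within window_days, by one or more debits."""
    by_pair: Dict[Tuple[str, str], List[Txn]] = defaultdict(list)
    for t in txns:
        by_pair[(t.account, t.originator)].append(t)
    alerts = []
    for (acct, orig), rows in by_pair.items():
        rows.sort(key=lambda t: t.posted)
        probe = rows[0]
        if not (0 < probe.amount_cents <= max_probe_cents):
            continue
        debits = [t for t in rows[1:]
                  if t.amount_cents < 0 and (t.posted - probe.posted).days <= window_days]
        if debits:
            alerts.append({"account": acct, "originator": orig, "probe_on": probe.posted,
                           "debits": [(t.posted, -t.amount_cents) for t in debits]})
    alerts.sort(key=lambda a: a["account"])
    return alerts


def find_fleet_debits(txns: List[Txn], min_accounts: int = 3) -> Dict[Tuple[str, int], List[str]]:
    """Cross-account view: the same originator debiting the same amount from
    at least min_accounts distinct accounts."""
    seen: Dict[Tuple[str, int], Set[str]] = defaultdict(set)
    for t in txns:
        if t.amount_cents < 0:
            seen[(t.originator, -t.amount_cents)].add(t.account)
    return {k: sorted(v) for k, v in seen.items() if len(v) >= min_accounts}


# Constructed sample ledger. A1 mirrors the story (probe, then five $124.90 pulls);
# A2 sees one pull; A3 was probed but not yet drained; A4 shows only the debit,
# as it would if the probe posted before the start of the retained data.
D = date
SAMPLE_TXNS = [
    Txn("A1", D(2007, 3, 2), "EQUITY FIRST", 1),
    Txn("A1", D(2007, 3, 15), "PAYROLL", 150000),
    Txn("A1", D(2007, 4, 2), "EQUITY FIRST", -12490),
    Txn("A1", D(2007, 4, 3), "EQUITY FIRST", -12490),
    Txn("A1", D(2007, 4, 4), "EQUITY FIRST", -12490),
    Txn("A1", D(2007, 4, 5), "EQUITY FIRST", -12490),
    Txn("A1", D(2007, 4, 6), "EQUITY FIRST", -12490),
    Txn("A2", D(2007, 3, 2), "EQUITY FIRST", 1),
    Txn("A2", D(2007, 4, 2), "EQUITY FIRST", -12490),
    Txn("A3", D(2007, 3, 2), "EQUITY FIRST", 1),
    Txn("A4", D(2007, 3, 1), "CORNER COFFEE", -450),
    Txn("A4", D(2007, 4, 1), "CORNER COFFEE", -450),
    Txn("A4", D(2007, 4, 2), "EQUITY FIRST", -12490),
]

if __name__ == "__main__":
    for a in find_probe_then_drain(SAMPLE_TXNS):
        print("probe-then-drain:", a)
    for k, accts in find_fleet_debits(SAMPLE_TXNS).items():
        print("fleet debit:", k, accts)
```

The per-account rule is quiet on A3 (probe with no follow-up yet) and blind on A4 (no probe in view); the cross-account rule catches A4 because three accounts share the originator and amount. Running both, and holding probed-but-not-drained accounts on a watch list, is what turns the story's "vigilance is the only defense" into something a bank can actually schedule.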

Logical, but nasty. Perhaps a smart bomb or six would solve the problem?

Military Targets

Posted by Sean @ 08:07 GMT

In our recent examination of Banker Keyloggers and Phishing sites we're noticing a growing trend. "Military" banks.

Why target banks that cater to U.S. military personnel? Our guess is that with the increased deployment of U.S. military personnel around the world, they're becoming an interesting target for the bad guys. If you're away from home – you'll do your banking online.

No rush, they probably already know they're victims...

Details of 100,000 Bulldog customers stolen

OUT-LAW News, 19/04/2007

The private details of 100,000 internet users have been stolen from broadband provider Bulldog. The security breach happened when the company was owned by Cable & Wireless.

The data was stolen from Cable & Wireless in December 2005 by a third party which the company believes it can identify. Bulldog's customer base has since been sold to broadband provider Pipex, but C&W is investigating the breach.

James Brown, managing director of Bulldog Internet, told the Guardian newspaper: "Our understanding is that, following an external enquiry by Cable & Wireless, it has become apparent that at some point in December 2005 Cable & Wireless had some of their customer contact details illegally obtained by a third party. This resulted in a small number of their customers receiving unsolicited calls."

C&W said that it was preparing legal action against a third party which it said could be the source of the leak.

It is not yet clear exactly what customer data was taken. Several customers have reported receiving telephone calls that alerted them to the security breach. It is not known whether or not credit card or bank details were among those taken. C&W said that there was no evidence that that was the case.

Small and contained?

Personal data of NMSU students posted online

By ASSOCIATED PRESS April 19, 2007

LAS CRUCES, N.M. (AP) - The names and Social Security numbers of more than 5,600 New Mexico State University students were accidentally posted on the school's Web site, but officials say odds are minimal that any students' identities were compromised.

The information was in a public section of the site for nearly two hours on April 5 before the mistake was caught.

The file was accessed by 14 computers and all of their IP addresses have been tracked, said Mrinal Virnave, NMSU's director of enterprise application services.

Virnave said the file contained the names and Social Security numbers of students who registered online to attend their commencement ceremonies from 2003 to 2005, meaning most of the names and numbers are of former students.

What's happening to my warm fuzzy feeling?

State Department got mail - and hackers

By TED BRIDIS, Associated Press Writer Wed Apr 18, 8:29 PM ET

A break-in targeting State Department computers worldwide last summer occurred after a department employee in Asia opened a mysterious e-mail [This isn't the 'Twilight Zone' Bob] that quietly allowed hackers inside the U.S. government's network.

In the first public account revealing details about the intrusion and the government's hurried behind-the-scenes response, a senior State Department official described an elaborate ploy by sophisticated international hackers. They used a secret break-in technique [Just because you don't know who Sponge Bob is, doesn't make him a secret Bob] that exploited a design flaw in Microsoft software.

Consumers using the same software remained vulnerable until months afterward.

Donald R. Reid, the senior security coordinator for the Bureau of Diplomatic Security, also confirmed that a limited amount of U.S. government data was stolen [“Any” is too much, “limited” is way too much Bob] by the hackers until tripwires severed all the State Department's Internet connections throughout eastern Asia. The shut-off left U.S. government offices without Internet access in the tense weeks preceding missile tests by North Korea.

Reid was scheduled to testify Thursday at a cybersecurity hearing for a House Homeland Security subcommittee. He was expected to tell lawmakers an employee in the State Department's Bureau of East Asian and Pacific Affairs — which coordinates diplomacy in countries including China, the Koreas and Japan — opened a rigged e-mail message in late May giving hackers access to the government's network.

... The department struggled with the break-ins between May and early July.

... The State Department detected its first break-in immediately, Reid said, and worked to block suspected communications with the hackers. But during its investigation, it discovered new break-ins at its Washington headquarters and other offices in eastern Asia, Reid said.

... Reid also complained the State Department's efforts to deal quietly with the break-in were disrupted by news reports. The Associated Press was first to reveal the intrusions.

"We were successful here until a newspaper article telegraphed what we were dealing with," Reid said.

[Since no one at State would ever leak information to the press, the AP must have been the hacker! QED Bob]


No data stolen in 2006 computer intrusions, says Commerce Dept.

Jaikumar Vijayan

April 19, 2007 (Computerworld) Unknown intruders last year managed to infect 33 computers belonging to a bureau of the U.S. Department of Commerce (DOC) with data-stealing Trojans and other malware.

But the compromises were quickly detected and no information is believed to have been stolen, according to testimony presented today at a congressional subcommittee hearing on the extent to which federal networks and critical infrastructure have been compromised by foreign hackers. The hearing is being held by a subcommittee of the Committee on Homeland Security and is being chaired by Rep. James Langevin (D-R.I.).

Lawmakers expressed concern at those hearings that multiple U.S. agencies whose networks were hacked recently can't be sure they've fixed their vulnerabilities because of poor cybersecurity practices.

... According to Jarrell, the cyberintrusion affecting the Commerce Department's Bureau of Industry and Security systems was first noticed last July 13, when a BIS deputy under secretary reported being locked out of his computer. [Not the security software – good thing he wasn't on vacation! Bob]

... At the time its systems were compromised, BIS had in place all of the security requirements mandated by the Federal Information Security Management Act (FISMA), Jarrell noted. However, even with those measures in place, the incidents could not have been prevented because the intruders took advantage of unpatched flaws to gain access, he said.

Does this make you feel better?

RIM offers explanation for massive outage

By Marguerite Reardon Story last modified Fri Apr 20 06:24:15 PDT 2007

Research In Motion finally gave some details late Thursday about what caused a severe outage of its popular BlackBerry e-mail service that began Tuesday evening and lasted until the wee hours of Wednesday morning.

The company said in a statement that it had ruled out security and capacity issues as a cause of the outage that left millions of so-called "CrackBerry" addicts without access to their e-mail for several hours. The company also said the incident was not caused by any hardware failure or core software issue.

Ruling out those causes, the company has "determined that the incident was triggered by the introduction of a new, noncritical system routine that was designed to provide better optimization of the system's cache."

... But despite previous testing, [previous does not equal adequate Bob] the new system routine produced an unexpected impact that set off a chain reaction triggering a series of interaction errors between the system's operational database and the cache.

After RIM isolated the database problem and tried unsuccessfully to fix the issue, it began its "failover" process to a backup system. But that also failed.

"Although the backup system and failover process had been repeatedly and successfully tested previously, the failover process did not fully perform to RIM's expectations in this situation and therefore caused further delay in restoring service and processing the resulting message queue," the company said in the statement.

RIM also said it has already identified several aspects of its testing, monitoring and recovery processes that it plans to enhance as a result of the incident. [Ya think? Bob]

Is this what we want? (Is it okay to send parents the bill...)

Privacy Laws Restrict Mental Illness Disclosure to Parents

By Tamar Lewin THE NEW YORK TIMES April 20, 2007

Federal privacy and antidiscrimination laws restrict how universities can deal with students who have mental health problems.

For the most part, universities cannot tell parents about their children's problems without the student's consent. They cannot release any information in a student's medical record without consent. And they cannot put students on involuntary medical leave, just because they develop a serious mental illness.

HSBC customers outraged by bank's handling of security breach

Commercial interests favoured over privacy

Sandra Rossi 20/04/2007 13:03:30

HSBC Australia account holders are outraged that the bank didn't bother to contact a single customer in the wake of a serious security breach which exposed banking details, names and home addresses, as well as other financial information.

Full-name badges breach privacy

Nurses in Prince Edward Island, a province of Canada, have won the right not to wear name tags displaying their full names as the result of a recent ruling by Acting Privacy Commissioner, Karen Rose. She ruled that a nurse in a long-term care facility should not be required to display both her first and family names, because doing so could expose her to an immediate personal risk. [Perhaps they could wear those surgical masks too! Bob]

GPs could sue over breach of a dead patient’s confidence

The Information Commissioner has upheld a decision made by County Durham NHS Primary Care Trust not to release records of a deceased patient, on the grounds that the patient’s GP could sue for damages.

It's simple economics. There's a consumer born every minute...

Security Matters Commentary by Bruce Schneier

How Security Companies Sucker Us With Lemons

04.19.07 | 2:00 AM

More than a year ago, I wrote about the increasing risks of data loss because more and more data fits in smaller and smaller packages. Today I use a 4-GB USB memory stick for backup while I am traveling. I like the convenience, but if I lose the tiny thing I risk all my data.

Encryption is the obvious solution for this problem -- I use PGPdisk -- but Secustick sounds even better: It automatically erases itself after a set number of bad password attempts. The company makes a bunch of other impressive claims: The product was commissioned, and eventually approved, by the French intelligence service; it is used by many militaries and banks; its technology is revolutionary.

Unfortunately, the only impressive aspect of Secustick is its hubris, which was revealed when Tweakers completely broke its security. There's no data self-destruct feature. The password protection can easily be bypassed. The data isn't even encrypted. As a secure storage device, Secustick is pretty useless.

On the surface, this is just another snake-oil security story. But there's a deeper question: Why are there so many bad security products out there? It's not just that designing good security is hard -- although it is -- and it's not just that anyone can design a security product that he himself cannot break. Why do mediocre security products beat the good ones in the marketplace?

In 1970, American economist George Akerlof wrote a paper called "The Market for 'Lemons'" (abstract and article for pay here), which established asymmetrical information theory. He eventually won a Nobel Prize for his work, which looks at markets where the seller knows a lot more about the product than the buyer.

Akerlof illustrated his ideas with a used car market. A used car market includes both good cars and lousy ones (lemons). The seller knows which is which, but the buyer can't tell the difference -- at least until he's made his purchase. I'll spare you the math, but what ends up happening is that the buyer bases his purchase price on the value of a used car of average quality.

This means that the best cars don't get sold; their prices are too high. Which means that the owners of these best cars don't put their cars on the market. And then this starts spiraling. The removal of the good cars from the market reduces the average price buyers are willing to pay, and then the very good cars no longer sell, and disappear from the market. And then the good cars, and so on until only the lemons are left.

In a market where the seller has more information about the product than the buyer, bad products can drive the good ones out of the market.

The computer security market has a lot of the same characteristics of Akerlof's lemons market. Take the market for encrypted USB memory sticks. Several companies make encrypted USB drives -- Kingston Technology sent me one in the mail a few days ago -- but even I couldn't tell you if Kingston's offering is better than Secustick. Or if it's better than any other encrypted USB drives. They use the same encryption algorithms. They make the same security claims. And if I can't tell the difference, most consumers won't be able to either.

Of course, it's more expensive to make an actually secure USB drive. Good security design takes time, and necessarily means limiting functionality. Good security testing takes even more time, especially if the product is any good. This means the less-secure product will be cheaper, sooner to market and have more features. In this market, the more-secure USB drive is going to lose out.

I see this kind of thing happening over and over in computer security. In the late 1980s and early 1990s, there were more than a hundred competing firewall products. The few that "won" weren't the most secure firewalls; they were the ones that were easy to set up, easy to use and didn't annoy users too much. Because buyers couldn't base their buying decision on the relative security merits, they based them on these other criteria. The intrusion detection system, or IDS, market evolved the same way, and before that the antivirus market. The few products that succeeded weren't the most secure, because buyers couldn't tell the difference.

How do you solve this? You need what economists call a "signal," a way for buyers to tell the difference. Warranties are a common signal. Alternatively, an independent auto mechanic can tell good cars from lemons, and a buyer can hire his expertise. The Secustick story demonstrates this. If there is a consumer advocate group that has the expertise to evaluate different products, then the lemons can be exposed.

Secustick, for one, seems to have been withdrawn from sale.

But security testing is both expensive and slow, and it just isn't possible for an independent lab to test everything. Unfortunately, the exposure of Secustick is an exception. It was a simple product, and easily exposed once someone bothered to look. A complex software product -- a firewall, an IDS -- is very hard to test well. And, of course, by the time you have tested it, the vendor has a new version on the market.

In reality, we have to rely on a variety of mediocre signals to differentiate the good security products from the bad. Standardization is one signal. The widely used AES encryption standard has reduced, although not eliminated, the number of lousy encryption algorithms on the market. Reputation is a more common signal; we choose security products based on the reputation of the company selling them, the reputation of some security wizard associated with them, magazine reviews, recommendations from colleagues or general buzz in the media.

All these signals have their problems. Even product reviews, which should be as comprehensive as the Tweakers' Secustick review, rarely are. Many firewall comparison reviews focus on things the reviewers can easily measure, like packets per second, rather than how secure the products are. In IDS comparisons, you can find the same bogus "number of signatures" comparison. Buyers lap that stuff up; in the absence of deep understanding, they happily accept shallow data.

With so many mediocre security products on the market, and the difficulty of coming up with a strong quality signal, vendors don't have strong incentives to invest in developing good products. And the vendors that do tend to die a quiet and lonely death.
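The spiral the essay sketches ("I'll spare you the math") and the effect of a quality signal can be shown with a small simulation. This is an added illustration, not code from the essay or from Akerlof's paper; the quality values, the rule that buyers pay the average quality of what is still on offer, and the certification threshold are constructed assumptions.

```python
"""Market-for-lemons unraveling, as an added illustration.

Sellers know each car's (or security product's) quality; buyers only know
what is still on offer, so they pay the average quality of the current
market. Any seller whose product is worth more than that price withdraws,
the average falls, and the cycle repeats.
"""
from statistics import mean


def unravel(qualities, buyer_markup=1.0):
    """Iterate the lemons spiral until the set of sellers is stable.

    qualities: the value each seller places on their own product
               (constructed sample data; each seller knows only their own).
    buyer_markup: how much a buyer values quality q relative to the seller
               (1.0 means equal valuation; Akerlof's paper uses 1.5).
    Returns one (price offered, sellers still willing) pair per round.
    """
    on_offer = sorted(qualities)
    history = []
    while on_offer:
        price = buyer_markup * mean(on_offer)
        # Sellers valuing their product above the offered price leave.
        still_selling = [q for q in on_offer if q <= price]
        history.append((price, still_selling))
        if still_selling == on_offer:
            break
        on_offer = still_selling
    return history


def unravel_with_signal(qualities, certified_at, buyer_markup=1.0):
    """Model a quality signal such as an independent lab's certification.

    Buyers can tell certified products (quality >= certified_at, an
    assumed threshold) from the rest, so each tier is priced on its own
    average and unravels separately. Returns the surviving qualities.
    """
    certified = [q for q in qualities if q >= certified_at]
    uncertified = [q for q in qualities if q < certified_at]
    survivors = []
    for tier in (certified, uncertified):
        if tier:
            survivors.extend(unravel(tier, buyer_markup)[-1][1])
    return sorted(survivors)


if __name__ == "__main__":
    # Constructed market: ten products of quality 1 (lemon) through 10.
    market = range(1, 11)
    for rnd, (price, left) in enumerate(unravel(market), start=1):
        print(f"round {rnd}: buyers pay {price:.2f}, still on offer {left}")
    print("no signal, survivors:", unravel(market)[-1][1])
    print("certification at 6, survivors:", unravel_with_signal(market, 6))
```

Without a signal the ten-product market collapses to the single lemon in a handful of rounds; with an (assumed) certification line at quality 6, a quality-6 product survives alongside the lemon, which is the partial relief the essay attributes to independent testing and standards.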

Poorly argued?

Saying You Have An Open WiFi AP May Not Help You Beat Child Porn Charges

from the what-would-matlock-do dept

CNet had a slightly bizarre story Wednesday as part of their regular series looking at the intersection of technology and the judicial system. A federal appeals court recently rejected the appeal of a Texas man convicted on child-porn charges, who'd argued that the fact that he had an open WiFi access point that anybody could access made the original search warrant for his home invalid. There are some strange parts to this tale. The case began when a woman in New York reported getting some child porn sent to her over Yahoo Messenger, and the FBI traced the sender back to an IP address from Time Warner Cable in Austin, Texas. The ISP gave up the name on the account using that IP, and a search warrant for the account holder's house was executed, and child porn was found in the account holder's part of the house. The man argued that the warrant should be invalid because the open AP meant one of his roommates or somebody outside the house could have sent the images that sparked the investigation -- and indeed, the Yahoo account was registered under the name "Mr. Rob Ram", and one of the guy's roommates was named Robert Ramos.

While there would seem to be room for some doubt in all of this, the appeals court rightly noted that the level of proof needed for a warrant is much lower than that needed for a conviction, and the fact that child porn was sent from his IP is a reasonable basis to issue the search warrant. This case would appear to have some slight parallels to some of the RIAA's cases against file-sharers, where it simply goes after whoever holds the ISP account without making any effort to identify the actual copyright infringer. This idea of secondary liability isn't standing up for the RIAA, but it's a little different than what's being argued here. The charges against this man weren't based on what was sent from his ISP account; rather the FBI used that as the basis for an investigation that resulted in charges based on materials found in the guy's house. The RIAA, of course, doesn't really bother so much with the investigation part, preferring instead just to hit anybody they can with a lawsuit. One more twist to the child porn case: the guy entered a guilty plea to the charges, pending the outcome of this appeal. Arguing that you shouldn't have been caught, and not that you didn't do it, probably doesn't help your case much.

Dumb argument?

SCO Head Wants To Ban Public WiFi To Stop Porn

from the that'll-help dept

Last month, Utah's governor signed a resolution urging Congress to pass a law that would set up "family" and "adult" channels on the internet as a way to keep kids from seeing boobies. The resolution was based on the work of a group called CP80, which advocates mandating porn be put on its own port, and is headed by the chairman of everybody's favorite tech company, the SCO Group, Ralph Yarro. Now, Yarro's told a Utah legislative committee that open WiFi networks should be banned, and all WiFi networks should have filtering software to keep out porn, or be password-protected, so that if any porn makes its way onto a minor's computer, the network provider can be fined. That seems a little odd, like fining the state's transportation department for building roads that people might drive on to go buy porn somewhere. But the suggestions didn't stop there: a BYU law professor says the state should circumvent the constitution not by forcing ISPs to block porn, but rather by giving tax incentives to those that do. One state senator says that the key is "a statewide education program so citizens can learn about the real problem with the uncontrolled porn in our society, mainly coming through the Internet." We'd imagine that advertising the availability of porn on the internet would run counter to these people's goals, but apparently not.

Tools & Techniques: Understand what can be done...

Google Search History Expands, Becomes Web History

Google's Search History feature, which was switched on as a default option for many Google searchers in February, has now been renamed Web History to reflect how it has expanded to track what Google users do as they surf the web. It's a huge move for Google and raises anew privacy issues. Below, a detailed look at how the system works, how to pause or delete logging if you want, the impact on search results and more.

Tools & Techniques (Never be less well armed than your neighborhood hacker...)

Researcher: Tools Will Help Personalize ID Theft by 2010

April 19, 2007 By Lisa Vaas

VANCOUVER, British Columbia—Hackers with scrounged-up data ask the same question as dogs who've caught the school bus: What do we do with it now?

Roelof Temmingh has the answer, at least for rogue hackers, in the form of a framework that makes identity theft a much easier proposition. The framework, which is in the early stages of development, is called Evolution. Temmingh, a security expert who's authored well-known security testing applications such as Wikto and CrowBar, demonstrated Evolution during his opening presentation here at the CanSecWest security conference on April 18.

... The framework's genius lies in transforming one type of information to another. Evolution can transform a domain into an e-mail address or telephone number, or both (through the Whois domain name lookup service), to related DNS names, to IPs, to a Web site, to e-mail addresses (again, via Whois), to telephone numbers, to geographic locations, to alternative e-mail addresses, to related telephone numbers, to co-hosted sites with the same IP, and so on.

... "Real criminals don't write buffer overflows," he said. "They follow the route of least resistance."

Mainstream criminals tend to lag behind technological advance, he said. For example, phishing attacks were known about as far back as 1995. The question is, what will be on criminals' minds in 2010? Temmingh believes that the Internet's darker elements will be using tools "something close to" what he's demonstrated in Evolution: a framework that can execute personalized identity theft with scraps of information.

"[Criminals] will be able to have tools to merge this information together to manipulate outcome of certain events," Temmingh said.

Tools & Techniques: This seems to be an increasingly common trick...

Identity theft probe expands to Alameda

PIN pads in Albertsons stores were tampered with to allow card numbers to be stolen

By Alejandro Alfonso, STAFF WRITER Article Last Updated: 04/20/2007 03:07:07 AM PDT

SAN LORENZO — The investigation into an identity theft ring that began after a PIN pad was tampered with at an Albertsons supermarket in San Lorenzo has broadened to include another Albertsons store in Alameda and the number of reported victims has topped 100 people who together lost about $70,000, according to the Alameda County Sheriff's Office.

Investigators now believe a sophisticated group of thieves replaced an Electronic Funds Transfer unit, or PIN pad, at the Albertsons stores with a nearly identical pad that would steal customers' account information and PIN numbers, sheriff's Detective Greg Swetnam said.

I like it! Why you ask? See the next article...

Hackers Invited To Break Into Philippine Internet Voting System

April 17, 2007 7:26 p.m. EST Geoffrey Ramos - All Headline News Staff Writer

Manila, Philippines (AHN) - Local and foreign computer hackers will be tapped to try and break into an Internet-based voting system that will be pilot tested by the country's Commission on Elections (Comelec) starting July 10.

Testimony Released on Electronic Voting Machines

April 19, 2007 News Report

The U.S. Government Accountability Office yesterday released a transcript of testimony on electronic voting machines. The testimony, titled All Levels of Government Are Needed to Address Electronic Voting System Challenges and given by Randolph C. Hite, director of information technology architecture and systems, said in part: "The integrity of voting systems -- which is but one variable in a successful election process equation -- depends on effective system life cycle management, which includes systems definition, development, acquisition, operations, testing and management. It also depends on measuring actual voting system performance in terms of security, reliability, ease of use and cost effectiveness, so that any needed corrective actions can be taken. Unless voting systems are properly managed throughout their life cycle, this one facet of the election process can significantly undermine the integrity of the whole.

"Election officials, computer security experts, citizen advocacy groups, and others have raised significant concerns about the security and reliability of electronic voting systems," continued Hite, "citing vague or incomplete standards, weak security controls, system design flaws, incorrect system configuration, poor security management and inadequate security testing, among other issues. Many of these security and reliability concerns are legitimate and thus merit the combined and focused attention of federal, state, and local authorities responsible for election administration."

What a great way to begin your legal career!

EarthLink Subpoenaed for Customer Records When Anonymous Web Posting Reveals Bar Questions

By R. Robin McDonald Fulton County Daily Report 04-20-2007

The National Conference of Bar Examiners is hunting for the anonymous person who published 41 questions from the 2006 Multistate Bar Examination on an Internet blog within hours of taking the exam last year.

The conference -- which develops and distributes the national portion of the biannual bar exam, called the MBE -- asserts in federal court documents that whoever posted the questions on infringed the MBE copyright and disregarded instructions that prohibit exam-takers from disclosing exam questions and answers.

... The NCBE staff routinely monitors Web sites and blogs before and after the exam and occasionally has found "smatterings of [exam] questions," she said. "What prompted us to action in this particular case was the sheer volume and audacity of the posting."

... Moeser said that EarthLink lawyers responded Wednesday to the subpoena request but did not provide the identity or e-mail of the individual who posted the bar questions on July 26, 2006.

"At this stage, it's not clear they have retained records back to when the posting occurred," she said.

For jurisdiction shoppers?

April 19, 2007

Global Legal Information Network Now Searchable Via World Legal Information Institute

"The Global Legal Information Network (GLIN) of the United States Law Library of Congress is now searchable via WorldLII, the World Legal Information Institute. GLIN Abstracts provides databases from 40 countries: Angola - Argentina - Belize - Bolivia - Brazil - Canada - Cape Verde - Chile - Colombia - Congo - Costa Rica - Cuba - Dominican Republic - Ecuador - El Salvador - Guatemala - Haiti - Honduras - Kuwait - Mali - Mauritania - Mexico - Mozambique - Nicaragua - Pakistan - Panama - Paraguay - Peru - Philippines - Portugal - Romania - Russia - Saudi Arabia - South Korea - Spain - Taiwan - Tunisia - United States - Uruguay - Venezuela. Approximately half of the 139,622 abstracts in GLIN provide links to the full texts of the legislation, court decisions and other documents that are abstracted." [Graham Greenleaf, Professor of Law Faculty of Law, University of New South Wales]

Thursday, April 19, 2007

Laptops are simple, it takes muscles to carry a server!

UCSF computer server with research subject information is stolen

Corinna Kaarlela, News Director Source: Corinna Kaarlela 415-476-2557

18 April 2007

A computer file server containing research subject information related to studies on causes and cures for different types of cancer was stolen from a locked UCSF office on March 30, 2007.

The server contained files with names, contact information, and social security numbers for study subjects and potential study subjects. For some individuals, the files also included personal health information.

... Notification letters were sent Monday, April 16, to about 3,000 individuals. Using backup files, UCSF officials are conducting an extensive analysis of the server data to determine as quickly as possible all the names involved in this incident.

Letter notification will continue as more names are identified. [A data inventory would have been useful... Bob] Because of the large number of files on the server and their complex variety of formats, layouts, and data content, the process is extremely complicated, and UCSF officials cannot predict the total number of names at this time.

I'd like more detail on this. How does “making comments” interfere?

Student Arrested Over Va. Tech Remarks

Colorado Student Arrested After 'Threatening' Comments About Virginia Tech Shootings

The Associated Press

BOULDER, Colo. - A University of Colorado student pleaded not guilty Wednesday to making comments that classmates deemed sympathetic toward the gunman blamed for killing 32 students and himself at Virginia Tech, authorities said.

During a class discussion Tuesday of Monday's massacre at Virginia Tech, Max Karson "made comments about understanding how someone could kill 32 people," university police Cmdr. Brad Wiesley said.

... Karson, of Denver, was arrested Tuesday on a misdemeanor charge of interfering with staff, faculty or students of an education institution.

... At Oregon's Lewis & Clark College, another student was detained by campus police Wednesday shortly before a vigil for the Virginia Tech victims when he was spotted wearing an ammunition belt. Portland police later determined that it was "a fashion accessory" made of spent ammunition, and said the man did not have a weapon. The belt was confiscated. [...and will be sent to Guantanamo. Bob]

So easy a caveman could do it!

Feds: ID Theft Ring Run From Prison

Associated Press 04.18.07, 12:03 PM ET

A man in prison for identity theft is accused of running a similar operation from behind bars, with an Emmy award-winning television producer and animator among the victims.

... Curry will be transferred to federal custody this summer, Mrozek said. He is serving a three-year sentence for identity theft at Centinela prison in Imperial County.

What's going on here? Why weren't they ready for this? (They have done it before...) Would any other provider get this treatment? How could the IRS respond so quickly? (see next article) Who is getting paid to waive the regulations?

No Penalty for Tax Filers Hit by Glitch

By JORDAN ROBERTSON The Associated Press Wednesday, April 18, 2007; 7:00 PM

SAN JOSE, Calif. -- Taxpayers who couldn't electronically file 11th-hour returns using Intuit Inc.'s TurboTax, ProSeries and Lacerte software won't be penalized for delays caused by the company's overtaxed servers, the Internal Revenue Service said Wednesday.

"We will do everything we can to assist taxpayers affected by the situation," said IRS spokesman Bruce Friedland. "If people couldn't e-file last night, we encourage them to file as soon as they can."

A record number of returns from individual taxpayers and accountants on Tuesday choked the Mountain View-based company's computers, leading to delays in customers receiving confirmation that their returns had been submitted successfully, Intuit spokeswoman Julie Miller said.

As the midnight filing deadline approached, the problem got worse.

[Here's the simple math: We sold X tax packages, so far Y returns have been filed. We still need to process (X-Y) returns. Bob]

... The company's server farm near San Diego processed more than a million returns Tuesday alone, twice the amount during the peak filing day last year, Miller said.

And once the system reached its capacity, many filers were simply turned away. The company said it will refund the $16.95 electronic filing fee for TurboTax users who experienced delays.

... Penalties for late filing start at 5 percent of the unpaid taxes per month, and max out at a total of 25 percent. The IRS said it would extend the deadline to midnight April 19 for people who encountered problems.

Customers lit up Intuit's online customer support forums with complaints, with some angrily swearing off Intuit's software altogether for future returns and others threatening to sue the company if they were penalized by the IRS.

Beyond Intuit's consumer products, the delays also hampered professional tax preparers who use the company's Lacerte brand software.

Wesley Fachner, a certified public accountant in Campbell, Calif., said the slowdowns started Monday [so the Tuesday volume wasn't the reason! Bob] and got worse Tuesday, with backups cropping up for nearly all of the 20 returns he filed those days.

... Kansas City, Mo.-based H&R Block Inc., whose TaxCut software also allows people to file electronically, said Wednesday it did not experience any slowdowns despite a similar spike in traffic. The company did not provide details on the number of filings it received.

Technology experts were flabbergasted that Intuit was caught off guard by a surge in activity on its busiest day of the year.

... At the peak, Intuit was processing 50 to 60 returns per second. [Trivial! Bob]

Not the most technologically sophisticated organization...

Wireless Security Puts IRS Data at Risk

The Associated Press Tuesday, April 17, 2007; 6:34 PM

WASHINGTON -- Internal Revenue Service offices across the nation that use wireless technology are still vulnerable to hackers, according to the latest assessment of the agency's security policies released Tuesday.

Despite efforts to improve wireless security the past four years, the Inspector General's assessment of 20 buildings in 10 cities discovered four separate locations at which hackers could have easily gained access to IRS computers using wireless technology.

... "However, anyone with a wireless detection tool could pick up the wireless signal and gain access to the computer," wrote Michael Phillips, the Inspector General.

... The vulnerabilities were discovered in Denver and at three other IRS facilities in Texas and Florida.

Is this a new consumer area? Monitoring your friends? (Didn't this used to be called “stalking?”)

See All of Your Friend's Online Activity in One Place

With Tabber you can import your contacts from a number of sources (gmail, digg, myspace, yahoo, aim etc) and tie them to additional social sites such as blogs, and photo galleries. You can then view their recent activity on these sites in aggregate or individually.

Could they have done worse?

Could RIM have responded better to outage?

Analysts disagree as to whether RIM should have been more communicative in the early stages of the BlackBerry outage

By Nancy Weil and Grant Gross, IDG News Service April 18, 2007

As of late Wednesday afternoon, U.S. Eastern Time, Research in Motion had offered no explanation for the cause of the BlackBerry e-mail service outage that affected users in North America.

Throughout the outage, which started Tuesday evening at about 8:15 p.m. ET and lasted through at least midmorning Wednesday ET, the RIM and BlackBerry Web sites lacked any information regarding the outage. Multiple inquiries to press representatives made via telephone and e-mail were not answered through Wednesday afternoon, although RIM did issue a statement to European reporters earlier in the day, confirming the outage and saying service had been restored to most users and that it was looking into the cause of the problems.

One crisis management consultant said customers expect more details in crisis situations. "The general rule is, if it's really bad, get [information] out fast," said James Lukaszewski, CEO of The Lukaszewski Group, in White Plains, New York. "It'd be a far less large situation if they communicated more."

However, another offered the opposite viewpoint. While more communication might help to contain a news story, RIM's focus might instead be on reassuring stock markets, said Mark Towhey, president of the Towhey Consulting Group in Toronto. His company provides crisis management advice, and he thought RIM's response seemed appropriate for the circumstances.

It probably works in the other direction too

April 17, 2007

Report: How U.S. Companies Select International Outside Counsel

ALM: "How do companies select counsel in foreign countries? What tools and resources do companies use to select overseas counsel? What are the "must-have" qualities for overseas outside counsel? See ALM's new study, How U.S. Companies Select International Outside Counsel."

Something to watch – literally!

Online Video Suddenly Gets Brainy

Posted by ScuttleMonkey on Wednesday April 18, @02:45PM from the hard-to-compete-against-jackass-tv dept.

David Kesmodel writes "Several online-video efforts are under way that offer a more cerebral alternative to the typical fare seen on the Web, the Wall Street Journal reports. The ambitious, for example, intends to establish relations with all of the lecture series from the nation's scores of think tanks, civic groups, bookstores and the like, and then put tapes of their speeches and panel discussions online in an easily searchable fashion."

Always useful information...

April 18, 2007

GAO Report on E-Voting Challenges

Elections: All Levels of Government Are Needed to Address Electronic Voting System Challenges GAO-07-741T, April 18, 2007.

  • "Voting systems are one facet of a multifaceted, year-round elections process that involves the interplay of people, processes, and technology, and includes all levels of government. How well these systems play their role in an election depends in large part on how well they are managed throughout their life cycles, which begins with defining system standards; includes system design, development, and testing; and concludes with system operations. Important attributes of the systems' performance are security, reliability, ease of use, and cost effectiveness. A range of groups knowledgeable about elections or voting systems have expressed concerns about the security and reliability of electronic voting systems; these concerns can be associated with stages in the system life cycle. Examples of concerns include vague or incomplete voting system standards, system design flaws, poorly developed security controls, incorrect system configurations, inadequate testing, and poor overall security management."

They are even less trusting than we are...

Latest National Research Reveals Lack Of Consumer Trust In The Security Of Data In The UK

Release Date: 04/17/2007 Source: Secerno

Poll shows 91% of the country is bothered about information protection and that consumers will not tolerate any organisation taking a lax approach to data security

OXFORD, Tuesday, 17 April 2007. UK company Secerno, the technology leader in data security, today announced the results of an independent survey of over 1,200 UK consumers reviewing their concern on the issue of personal data theft.

The survey, conducted by Ipsos MORI, reveals that only 5% of respondents claimed not to be concerned about the security of their personal data. The recent publicity on international breaches, such as the TJX/TKMaxx data loss, has had a dramatic impact on the UK consumer.

It is not only the ability to secure UK data that concerns the public. More and more British companies are choosing to outsource their database storage and management facilities overseas. However, the survey reveals that 63% of adults are concerned about the ability of data centres to protect their data, in the UK and abroad.

The survey suggests there is clearly a requirement for the issue of high-profile data breaches to be addressed on a political level as 58% of respondents want to see Government bodies, along with banks and building societies, taking greater responsibility for the protection of personal data.

Companies that disregard the importance of immediately communicating security incidents to their affected customers can expect to see those customers first abstain from using their services (53%), then cancel their credit cards (48%), and finally report them to the Police (20%) or to national consumer bodies, e.g. Watchdog (17%).

... Additional findings from Secerno's survey include:

45% do not think that banks and online retailers do enough to protect their personal data;

83% specify the security of their bank and credit card details as their priority concern;

36% of consumers would not put personal information online, yet 11% of them have still been a victim of data theft;

As well as the security of financial data, 46% of all respondents are most concerned about protecting their medical records, and this concern is highest among those aged 45-plus (52%).

Another reason to hate Powerpoint presentations?

Hackers turn to PowerPoint for virus infection

Slack patching leaves application open

Iain Thomson, 18 Apr 2007

Malware authors have made Microsoft's PowerPoint their vector of choice for infecting corporate systems.

Microsoft Word was the top choice for malware authors last year looking to embed code in seemingly innocuous documents.

But research from MessageLabs suggests that increased patching of Word, and a slack attitude to patching other applications, has prompted hackers to target PowerPoint.

... The research found that PowerPoint now hosts 45 per cent of attacks, compared to 35 per cent in Word documents.

...which is good news for:

Word Vulnerability Compromised US State Dept.

Posted by samzenpus on Wednesday April 18, @11:54PM from the you've-got-a-virus dept.

hf256 writes "Apparently hackers using an undisclosed (at the time) vulnerability compromised the State Department's network using a Word document sent as an email attachment. Investigators found multiple instances of infection, informed Microsoft, then had to sever internet connectivity to avoid leaking too much data!"
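Both the MessageLabs figures above and the State Department compromise turn on the same thing: a legacy .doc or .ppt is an OLE2 compound file, a small filesystem whose directory names the storages and streams inside it, and the ones that matter (a VBA project, an embedded "Package" object carrying a native executable) are visible from that directory without rendering the document. The scanner below is an added example written for this page, not code from MessageLabs, Microsoft or the State Department investigators. It walks the container's directory and flags the names that mean "this file can run or drop code". It assumes major-version-3 files (512-byte sectors) with at most 109 FAT sectors, reads only directory metadata, not stream contents, and builds its own minimal constructed container for the demonstration rather than shipping a real document; it will not detect an exploit that lives in malformed stream data, which is what the undisclosed vulnerability above most likely abused.

```python
"""Inspect an OLE2 / Compound File Binary (CFB) container, the format behind
legacy .doc and .ppt files, for the storages and streams that carry executable
content. Added example; it is not from MessageLabs or the page's sources.

Assumptions: major version 3 (512-byte sectors), at most 109 FAT sectors (no
DIFAT sectors), and only the directory is read, never stream contents.
"""
import struct

CFB_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
SECTOR = 512
FATSECT, ENDOFCHAIN, FREESECT = 0xFFFFFFFD, 0xFFFFFFFE, 0xFFFFFFFF
NOSTREAM = 0xFFFFFFFF

# Directory names that mean "this document can run code or drop a file".
# Names starting with \x01 are reserved-name streams in the Office formats.
SUSPICIOUS = {
    "Macros": "VBA project storage (Word)",
    "VBA": "VBA project storage",
    "_VBA_PROJECT_CUR": "VBA project storage (Excel)",
    "ObjectPool": "embedded OLE objects (Word)",
    "\x01Ole10Native": "embedded native file (Package object)",
}


def is_cfb(data):
    return data[:8] == CFB_MAGIC


def _sector(data, n):
    off = (n + 1) * SECTOR            # sector 0 starts right after the 512-byte header
    sec = data[off:off + SECTOR]
    if len(sec) != SECTOR:
        raise ValueError(f"sector {n} truncated")
    return sec


def _fat(data):
    n_fat = struct.unpack_from("<I", data, 44)[0]          # number of FAT sectors
    difat = struct.unpack_from("<109I", data, 76)          # FAT sector list in the header
    fat = []
    for s in difat[:n_fat]:
        fat.extend(struct.unpack("<128I", _sector(data, s)))
    return fat


def _chain(fat, start):
    seen, s = set(), start
    while s != ENDOFCHAIN:
        if s in seen or s >= len(fat):   # loop or dangling pointer: corrupt file
            raise ValueError("corrupt FAT chain")
        seen.add(s)
        yield s
        s = fat[s]


def directory_entries(data):
    """Return [(name, object_type)] for every allocated directory entry."""
    if not is_cfb(data):
        raise ValueError("not an OLE2/CFB container")
    if struct.unpack_from("<H", data, 26)[0] != 3:
        raise ValueError("only major version 3 is handled here")
    fat = _fat(data)
    first_dir = struct.unpack_from("<I", data, 48)[0]
    entries = []
    for s in _chain(fat, first_dir):
        sec = _sector(data, s)
        for off in range(0, SECTOR, 128):                    # 128-byte directory entries
            entry = sec[off:off + 128]
            name_len = struct.unpack_from("<H", entry, 64)[0]  # bytes, incl. UTF-16 NUL
            obj_type = entry[66]                               # 1 storage, 2 stream, 5 root
            if obj_type == 0 or name_len < 2:                  # unallocated slot
                continue
            entries.append((entry[:name_len - 2].decode("utf-16-le"), obj_type))
    return entries


def scan(data):
    """Return [(name, reason)] for suspicious directory entries; [] means none found."""
    return [(n, SUSPICIOUS[n]) for n, _ in directory_entries(data) if n in SUSPICIOUS]


def build_sample(names):
    """Construct a minimal CFB file whose directory lists `names` (constructed test
    data, not a real document): one FAT sector, one directory sector, empty streams."""
    entries = [("Root Entry", 5)] + list(names)
    if len(entries) > SECTOR // 128:
        raise ValueError("sample builder holds at most four entries")
    directory = b""
    for name, obj_type in entries:
        raw = name.encode("utf-16-le") + b"\x00\x00"
        directory += raw.ljust(64, b"\x00")
        directory += struct.pack("<HBB", len(raw), obj_type, 1)          # length, type, colour
        directory += struct.pack("<III", NOSTREAM, NOSTREAM, NOSTREAM)   # left, right, child
        directory += b"\x00" * 36                                        # CLSID, state, timestamps
        directory += struct.pack("<II", ENDOFCHAIN, 0) + b"\x00" * 4     # start sector, size
    directory = directory.ljust(SECTOR, b"\x00")
    fat = struct.pack("<128I", FATSECT, ENDOFCHAIN, *([FREESECT] * 126))  # sector 0 FAT, 1 dir
    header = bytearray(SECTOR)
    header[0:8] = CFB_MAGIC
    struct.pack_into("<HHHHH", header, 24, 0x3E, 3, 0xFFFE, 9, 6)  # versions, byte order, shifts
    struct.pack_into("<II", header, 44, 1, 1)                     # 1 FAT sector; directory at 1
    struct.pack_into("<I", header, 56, 4096)                      # mini-stream cutoff
    struct.pack_into("<IIII", header, 60, ENDOFCHAIN, 0, ENDOFCHAIN, 0)  # no mini FAT, no DIFAT
    struct.pack_into("<109I", header, 76, 0, *([FREESECT] * 108))       # DIFAT[0] -> sector 0
    return bytes(header) + fat + directory


if __name__ == "__main__":
    sample = build_sample([("PowerPoint Document", 2), ("\x01Ole10Native", 2), ("Macros", 1)])
    for name, reason in scan(sample):
        print(f"{name!r}: {reason}")
```

At a mail gateway the useful part is the combination of `is_cfb` with the declared attachment name (a `.ppt` that is not a compound file, or a `.gif` that is, is already a finding) followed by `scan` on anything that passes; the directory walk is cheap enough to run on every attachment. Note that `_chain` refuses looped or out-of-range FAT pointers rather than following them, since a malformed container is exactly what an exploit document looks like.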

Employee monitoring: Perhaps we should? (What else is there?)

Porn Found On One In Four Corporate PCs

Think there aren't any pornographic images on your users' desktops or laptops? Think again. A new study shows that they're being downloaded and sent via e-mail through the office.

By Sharon Gaudin, InformationWeek April 17, 2007

A new study found pornography on one in four PCs despite the use of content filtering technology at the gateway.

PixAlert, a company that focuses on keeping illicit images out of corporate networks, audited 10,000 PCs on 125 business and public sector networks over the last nine months. The study found that one-quarter of the computers contained pornography or "other inappropriate images." The same audit found that 12.4% of the 12,000 e-mail accounts and 5.4% of 26,000 file server shares scanned were similarly affected.

"With over a third of all images found created in the last 12 months, it is clear that a significant number of employees continue to ignore corporate policies and in some cases are going to extraordinary lengths to bypass protection systems in order to obtain and distribute inappropriate material," said Andy Churley, a director at PixAlert, in a written statement. "Corporate officers wrongly assume that boundary protection systems stop all digital pornography from entering the organization but, in PixAlert's experience, almost all corporations will have a significant amount of pornography on their networks."

The study found that 46.8% of the images showed full nudity or sexual activity and 0.3% of all the images were determined to be illegal. [99.7% were okay? Bob] While 35% were downloaded online images, 45.2% of the images detected came from e-mails. The study also found that 35.5% were sent internally.

... Last month, Maryland authorities nabbed 22 state employees who were visiting pornographic Web sites -- sometimes a few thousand times a week -- on the job. Investigating officials reported that the number of employees involved was understated, and a wider investigation is being called for.

Pornographic images aren't the only problem in business settings. In February, forensic investigators announced that they went over 70 used hard drives bought from 14 sources and recovered "private information" on 62% of them. While they did indeed find pornographic images, they also found one man's will and a man's personal fan letter to a female celebrity.