Let's hope that the damage doesn't escalate like it does in most data spills.
OK: Law enforcement system breached
Private information may have been leaked inadvertently from a statewide law enforcement computer system at three Oklahoma law enforcement agencies.
The Department of Public Safety announced Friday it discovered the first-ever security breach in the Oklahoma Law Enforcement Telecommunication System, which could put some Oklahomans at risk for identity theft.
The breach affected only the Elk City and Eufaula Police Departments and Kiowa County Sheriff's Office, Capt. Chris West said. The agency is urging anyone who has had contact with those agencies to check their credit report as soon as possible to see whether their information has been compromised.
West initially would not say in what timeframe the breach occurred or how long security had been compromised at those locations.
Source - NewsOK
[From the article:
Eufaula Police Chief Don Murray said he first learned about the problem about 11 a.m. Friday. [Same day notice? Wow! Bob]
Murray said the state provided the computer his dispatchers use to access the telecommunications system and he didn't know it was capable of doing anything else. [Not unusual. The problem is managers don't specify that they should be limited in what they can do... Bob]
Somehow I don't trust this statement...
MedicAlert says accessed info didn't hurt clients
Information inappropriately e-mailed to her own account by a former MedicAlert alert employee did not compromise the financial records of the company's 4 million members, its chief executive said Thursday.
Investigators arrested Andrea Terry on Wednesday on suspicion of e-mailing information about 10,000 MedicAlert clients to an outside account she controlled.
MedicAlert CEO Paul Kortschak said those records did not include medical information, Social Security numbers or bank-related data. ... Stanislaus County Sheriff's Detective Lydell Wall said the information Terry accessed consisted of a list of member names and a corresponding client identification number.
Source - Modesto Bee
[From the article:
Aside from identity theft, Wall said, the information could be used to pick out vulnerable seniors, [See? No problem. Bob] or a competitor could take advantage of it.
Terry, 43, was booked at the Stanislaus County Jail on Wednesday on suspicion of using a computer without authorization. [Her own computer? Bob] She was released after posting a $10,000 bond, Wall said.
MedicAlert dismissed Terry on May 8 and hired her back as a consultant May 29, police said. As a consultant, she worked from home, police said. On Aug. 15, she was given notice that her contract would not be renewed.
Kortschak said the company worked closely with the Turlock Police Department to ensure that Terry did not have a chance to use the information she sent herself. [Huh? Bob] "We were able to cut it off very quickly," he said.
Wall said MedicAlert's information technology department tracked the e-mail Terry sent herself, prompting the company to contact law enforcement officers. [More likely, looked into the e-mail she (stupidly) sent via the company's mail server. Bob]
If I read this one right, clicking on SPAM that takes you to a child porn site is sufficient to convict under this reading of the law. (Nothing you can do will reverse that interpretation?) If the SPAM takes you to an Al Qaeda site, you could wind up in Guantanamo.
Pa. Court: Viewing Child Porn on Computer Enough for Possession
Gina Passarella The Legal Intelligencer 08-24-2007
The Pennsylvania Superior Court isn't buying the argument that a man who viewed child pornography on his computer, but didn't save the images, couldn't be charged with possession of child pornography.
A 7-2 en banc Superior Court panel in Commonwealth v. Diodoro reversed a prior three-judge panel that found there was not sufficient evidence to show Anthony Diodoro downloaded or saved the images of child pornography he viewed.
In the latest majority opinion, Judge Correale F. Stevens said §6312(d) of the Crimes and Offenses Code, which prohibits the possession of child pornography, clearly states that anyone who "possesses or controls" child pornography is guilty of a third-degree felony.
Diodoro, who freely admits that he viewed at least 30 images of child pornography, argued that he never possessed them.
"[Diodoro's] actions of operating the computer mouse, locating the Web sites, opening the sites, displaying the images on his computer screen, and then closing the sites were affirmative steps and corroborated his interest and intent to exercise influence over, and, thereby, control over the child pornography," Stevens said.
He added that while Diodoro was viewing the pornography, he had the ability [but never did? Bob] to download, print, copy or e-mail the images.
... Klein said the Legislature didn't include the word "viewing" in the statute, and the judges shouldn't write it in.
"If the Legislature fails to keep up with modern technology, it is not our responsibility to correct its oversight," he said.
... "If a person intentionally enters the Philadelphia Art Museum to view Cezanne's bathers, one would not say that that person 'possesses or controls' the painting," Klein wrote. "Why should it be different if a person visits the museum's Web site ... and clicks on the part of the site that shows images of the same Cezanne bathers?"
... The decision was a big win for Delaware County District Attorney G. Michael Green, who heads up the state's Internet Crimes Against Children Task Force out of his office.
He said the ruling has broader applications in an age when computer-based information is being used in cases involving drugs, homicide and domestic relations. Green said there really is no possession of data in the traditional sense in the virtual world, but people can control the data.
13 Freaky Hidden Surveillance Cameras - [photos]
You never know who's watching. Or from where.
Uniform Law Commission Approves Model e-Discovery Rules
The Uniform Law Commissioners have now adopted model rules of e-discovery for use by state courts. Uniform Rules Relating To Discovery of Electronically Stored Information. The proposed uniform rules of civil procedure essentially clone the bigger federal rules.
... The Draft Text of the Rules included Prefatory and Reporters Notes, which, as always, were excluded from the final version approved as a model to be adopted by the states. The Notes are not intended to be authoritative, but still are interesting to understand the thinking behind the committee that prepared the rules. You might want to review the Draft Text for that reason.
A big deal?
August 24, 2007
Free, Full-text Searchable Database of Supreme Court and Federal Appellate Case Reports
AltLaw Beta: "The law is meant to belong to the people, but it can be surprisingly hard to find. Case reports, a major part of the laws of the United States, are hard to get at, and even when on the Internet, rarely searchable. To get full access you generally need either a library of law reports, or an expensive subscription to an online database, which can cost hundreds of dollars per hour. AltLaw is a small effort to change that—to make the common law a bit more common. AltLaw provides the first free, full-text searchable database of Supreme Court and Federal Appellate case reports. It is a resource for attorneys, legal scholars, and the general public."
"Coverage, for most Circuits, limited to about the last 10 to 15 years. West Reporter Citations...not yet available (work in progress). As of yet, no state law or district court cases.
AltLaw is a joint project of Columbia Law School’s Program on Law and Technology, and the Silicon Flatirons Program at the University of Colorado Law School. AltLaw was written by Stuart Sierra and Paul Ohm, with help from Luis Villa, and produced by Tim Wu."
Even less of a big deal?
Open Access to Law: Swiss Data Privacy Cases Now Online
I’m delighted to announce that our Research Center for Information Law at the University of St. Gallen - usually focusing more on basic research rather than implementing project work - has just launched an online data privacy case law collection (in German and French) that features the entire collection of cases decided by the Swiss Commission for Data Privacy and Freedom of Information from 1993 - 2006.
Research tool for money launderers...
August 24, 2007
Agencies Release Revised Bank Secrecy Act/Anti-Money Laundering Examination Manual
Press release: "The Federal Financial Institutions Examination Council (FFIEC) today released the revised Bank Secrecy Act/Anti-Money Laundering (BSA/AML) Examination Manual (405 pages, PDF). The revised manual reflects the ongoing commitment of the federal and state banking agencies and the Financial Crimes Enforcement Network (FinCEN) to provide current and consistent guidance on risk-based policies, procedures, and processes for banking organizations to comply with the BSA and safeguard operations from money laundering and terrorist financing. The 2007 version further clarifies supervisory expectations since the July 28, 2006, update. The revisions again draw upon feedback from the banking industry and examination staff."
For your Security Manager...
Forensics On a Cracked Linux Server
Journal written by Noryungi (70322) and posted by kdawson on Friday August 24, @01:33PM from the hmmm-ls-looks-funny dept.
This blog entry is the step-by-step process that one administrator followed to figure out what was going on with a cracked Linux server. It's quite interesting to me, since I have had the exact same problem (a misbehaving ls -h command) on a development server quite a while back. As it turns out, my server was cracked, maybe with the same tool, and this analysis is much more thorough than the one I was able to do at the time. If you've ever wondered how to diagnose a Linux server that has been hijacked, this short article is a good starting point.
When your day job gets boring...
How To Steal Cars — A Practical Attack on KeeLoq
KeeLoq is a cipher used in several car anti-theft mechanisms distributed by Microchip Technology Inc. It may protect your car if you own a Chrysler, Daewoo, Fiat, General Motors, Honda, Toyota, Volvo, Volkswagen, or Jaguar. The cipher is included in the remote control device that opens and locks your car and that activates the anti-theft mechanisms.
Each device has a unique key that takes 18 billion billion values. With 100 computers, it would take several decades to find such a key. Therefore KeeLoq was widely believed to be secure. In our research we have found a method to identify the key in less than a day. The attack requires access for about 1 hour to the remote control (for example, while it is stored in your pocket). [I wonder if I could sit outside the Jaguar dealership and read all the keys – it is wireless after all... Bob] Once we have found the key, we can deactivate the alarm and drive away with your car.