Wednesday, January 30, 2008

“We don't need no stinking security!”

http://www.pogowasright.org/article.php?story=20080130064319797

A swiped Blue Cross laptop puts data at risk

Wednesday, January 30 2008 @ 06:43 AM EST Contributed by: PrivacyNews News Section: Breaches

Horizon Blue Cross/Blue Shield of New Jersey is notifying more than 300,000 [Because this employee phoned each of them every day? Bob] of its members that their names, Social Security numbers and other personal information were contained on a laptop computer stolen in Newark earlier this month.

The health insurance giant, which serves more than 3.3 million people across the state, said there was no reason to believe any of the information was compromised because it was protected by password [This is code for “We have no idea how to secure data.” Bob] and other security features -- although the data was not encrypted. [This is proof of my previous statement. Bob]

.... The laptop, which Rubino said was stolen Jan. 5, was being taken home by an employee who regularly works with member data. The data contained no medical information -- only names, addresses and in some cases, Social Security numbers. ... He said the computer was programmed to destroy the data as of Jan. 23. [I'll believe that when I see the mushroom cloud... Bob]

Source - NJ.com

[From the article:

Rubino would not provide specific details about the theft, but said the laptop was not taken during a robbery. [Huh? Bob]

... Rubino said it was not unusual for employees to work with data outside the office.

... "There are a number of security procedures that have to be in place. In this case, unfortunately, they were not," he said.



“Gee, we have a policy that says we should be secure...”

http://www.pogowasright.org/article.php?story=20080130065647624

MT: Hacker steals Davidson Cos. clients' data

Wednesday, January 30 2008 @ 06:56 AM EST Contributed by: PrivacyNews News Section: Breaches

A computer hacker broke into a Davidson Companies database and obtained the names and Social Security numbers of virtually all of the Great Falls financial services company's clients.

The database included information such as account numbers and balances, said Jacquie Burchard, spokeswoman for Davidson Companies. However, the hacker didn't get access to the accounts.

The computer hacker accessed information on 226,000 current and former clients, Burchard said.

Source - Great Falls Tribune

[From the article:

The computer break-in occurred earlier this month, Burchard said. Authorities investigating the crime asked the company to keep the news extremely confidential during the early stages of the investigation.

... Davidson Companies has many procedures and policies in place to protect client information, Johnstone added. [but apparently no security tools were actually implemented. Who would be deterred by a policy? Bob]

In September, the company hired an outside firm to test to see if it could hack into the company's computer system, he said. The firm wasn't able to. [Wouldn't you like to know who that was? Bob]



A very unusual story. Someone who thinks! Good on ya!

http://hosted.ap.org/dynamic/stories/D/DIGITAL_BANK_ROBBERY?SITE=VALYD&SECTION=HOME&TEMPLATE=DEFAULT

Jan 30, 8:23 AM EST

Swedish Bank Stops Digital Theft

STOCKHOLM, Sweden (AP) -- A gang of Swedish criminals was seconds away from completing a digital bank heist when an alert employee literally pulled the plug on their brazen scam, investigators said Wednesday.

The would-be bank robbers had placed "advanced technical equipment" under the employee's desk that allowed them to take control of his computer remotely, prosecutor Thomas Balter Nordenman said in a statement.

The employee discovered the device shortly after he realized his computer had started an operation to transfer "millions" from the bank into another account, Nordenman said.

"By pulling out the cable to the device, the employee managed to stop the intended transfer at the last second," he said.

The foiled heist happened in August at a bank in Uppland county, north of Stockholm, police said. They announced it only Wednesday after seven suspects, all from the Stockholm region, were arrested this week while allegedly preparing another heist.



Some details are emerging, but we will probably never know enough to understand how he did it.

http://www.securityfocus.com/brief/671?ref=rss

Rogue trader simply sidestepped defenses

Robert Lemos 2008-01-29

A low-level trader caused the largest individual trading loss in banking history by simply using his knowledge of trading operations, some fake e-mail messages and, occasionally, colleagues' passwords to sidestep the bank's suspicion, according to media reports and a statement by French bank Société Générale.

... Starting in 2005, Kerviel began taking small positions on the trend in the European stock market without taking the countervailing position which would have offset the risk. The trader dodged financial controls by taking positions that did not trigger a margin call and which did not require immediate confirmation, the bank said in its statement. Since Kerviel bet on the European market's rise, the trader brought in significant profits until 2008, when the stock market began its decline.

When his activities aroused suspicions, Kerviel produced faked e-mails from the bank's clients to make it appear that the trades were legitimate, according to a New York Times article. Prosecutors in France continue to investigate Kerviel and could charge him with forgery, breach of trust and breaking into a computer system, the NY Times article stated. Kerviel did not steal from the bank itself, but rather sought bigger profits so that his own bonus would be higher. Société Générale has called Kerviel a "computer genius." [Only in relation to the managers who never noticed what he was doing... Bob]

The bank has come under increasing criticism for its lack of awareness of Kerviel's activities.



Tools & Techniques Any security pro should tell you the same thing.

http://www.technewsworld.com/rsstory/61426.html

The Biggest Security Threat for 2008 and Beyond: End Users

By Mike Wittig TechNewsWorld 01/30/08 4:00 AM PT

Safeguarding organizations against insiders with malicious intent requires effectively enforcing data access policies and auditing user activity with sensitive and confidential data and systems. The stories that have surfaced about company insiders stealing sensitive data worth millions of dollars -- if not billions -- are a nonstop cycle.

Study after study continues to reveal a fundamental truth about the shifting landscape of IT security today: The biggest threat to proprietary systems and information is not the traditional cyber-criminal writing malicious code in a virtual location, but rather trusted employees.

Savvy administrators recognize that because end users are privy to an organization's sensitive data, they represent a significant risk factor. However, mitigating this threat is something that security pros continue to struggle with. While no single "silver bullet" solution exists, there are steps organizations can take to ensure that corporate policies are effectively enforced and insider threat is neutralized.



Tools & Techniques Should you tell your employees about these?

http://www.bespacific.com/mt/archives/017308.html

January 29, 2008

World Privacy Forum's Top Ten Opt Outs

"In this Top Ten Opt Outs list, some opt outs can be done by phone, some have to be sent in a letter via postal mail, and some can be accomplished online. Some opt outs last forever, some have time limits, and others can be changed at will. If an opt out is on this list, it is because we thought it might be important enough to be worth whatever annoyance it may pose. Not every opt out is right for everyone, and not everyone will necessarily want to opt out. It is a personal choice. Take a look at the list...and see if any of the opt outs appeal to you, or might make a difference to you in some way."



Very Interesting: Access Control meets cultural taboos

http://yro.slashdot.org/article.pl?sid=08/01/29/2253239&from=rss

Aboriginal Archive Uses New DRM

Posted by kdawson on Tuesday January 29, @06:07PM from the serving-the-suser-for-a-change dept. Social Networks

ianare writes "An application that gives fresh new meaning to 'digital rights management' has been pioneered by Aboriginal Australians. It relies on a user's profile to control access to a multimedia archive. The need to create profiles based on a user's name, age, sex and standing within their community comes from traditions over what can and cannot be viewed. For example, men cannot view women's rituals, and people from one community cannot view material from another without first seeking permission. Images of the deceased cannot be viewed by their families. These requirements threw up issues surrounding how the material could be archived, as it was not only about preserving the information into a database in a traditional sense, but also about how people would access it depending on their gender, their relationship to other people, and where they were situated."
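The rules the submission describes (gender-restricted rituals, cross-community permission, no images of one's own deceased) are an attribute-based access control policy. The following is an added illustration of that policy as a deny-by-default evaluator; it is not the archive's own software, and every attribute name, user and item in it is constructed.

```python
"""Illustrative ABAC model of the archive rules described above.
Added example, not the archive's own code; all attributes and sample
data are constructed for the illustration."""
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple


@dataclass(frozen=True)
class User:
    name: str
    sex: str            # "male" or "female"
    community: str      # community the viewer belongs to
    family: str         # constructed attribute: viewer's family group


@dataclass(frozen=True)
class Item:
    title: str
    community: str                          # community that owns the material
    ritual_of: Optional[str] = None         # "male", "female" or None
    deceased_family: Optional[str] = None   # family of a deceased person shown
    permitted_communities: FrozenSet[str] = frozenset()  # granted permission


def decide(user: User, item: Item) -> Tuple[bool, str]:
    """Evaluate the three rules in order; anything not explicitly allowed is denied."""
    # Rule 1: ritual material may only be viewed by the matching gender
    if item.ritual_of is not None and item.ritual_of != user.sex:
        return False, "ritual restricted to %s viewers" % item.ritual_of
    # Rule 2: material from another community needs prior permission
    if item.community != user.community and user.community not in item.permitted_communities:
        return False, "community %s has no permission from %s" % (user.community, item.community)
    # Rule 3: families may not view images of their own deceased
    if item.deceased_family is not None and item.deceased_family == user.family:
        return False, "depicts a deceased member of the viewer's family"
    return True, "allowed"


def visible(user: User, items: List[Item]) -> List[str]:
    """Titles from the archive that this user's profile is allowed to see."""
    return [item.title for item in items if decide(user, item)[0]]


# Constructed sample profiles and archive entries
ALICE = User("alice", "female", "north", "fam-a")
BOB = User("bob", "male", "north", "fam-b")
CAROL = User("carol", "female", "south", "fam-c")

ARCHIVE = [
    Item("womens ritual", "north", ritual_of="female"),
    Item("shared songs", "north", permitted_communities=frozenset({"south"})),
    Item("memorial portrait", "north", deceased_family="fam-a"),
]

if __name__ == "__main__":
    for viewer in (ALICE, BOB, CAROL):
        print(viewer.name, "->", visible(viewer, ARCHIVE))
```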



Boy, that Bruce Schneier is a smart guy..

http://techdirt.com/articles/20080124/17341363.shtml

If You're Watching Everyone, You're Watching No One

from the try-to-focus dept

The idea has become so commonplace that it's almost a cliche: security and privacy are opposites, and we as a society need to decide how much privacy we're willing to give up to get more security. That's been the basic message of the Bush administration over the last few months as they've begun talking about ambitious new plans to monitor more and more of our private communications. But Bruce Schneier points out that the dichotomy is a false one. Many of the privacy-invading programs now being discussed don't actually provide more security. Confiscating shaving cream and nail files at the airport doesn't make anyone safer. Neither does creating a national ID card, because terrorists rely on surprise, not anonymity. The fundamental issue is that real security involves focusing resources on identifying and stopping the tiny fraction of the population that is engaged in criminal and terrorist acts. The vast majority of people pose no threat to anyone, and it's a waste of resources to monitor them. Programs focused on the general public, such as the TSA's airport searches, national ID cards, and Internet-wide surveillance are a bottomless drain on law enforcement resources [and therefore taxpayer wallets... Bob] that will turn up far more false positives than real leads. Abandoning them won't just enhance Americans' civil liberties, but it will also free up resources for the sort of difficult, in-depth police work that really does stop terrorist attacks.



Inevitable? Is this because the RIAA thinks no one understands the law?

http://yro.slashdot.org/article.pl?sid=08/01/29/2230246&from=rss

Magistrate Suggests Fining RIAA Lawyers

Posted by kdawson on Tuesday January 29, @06:48PM from the just-fine dept. The Courts Music

NewYorkCountryLawyer writes "Angered at the RIAA's 'gamesmanship' in joining multiple 'John Does' in a single case without any basis for doing so, a Magistrate Judge in Maine has suggested to the presiding District Judge in Arista v. Does 1-27 that the record companies and/or their lawyers should be fined under Rule 11 of the Federal Rules, for misrepresenting the facts. In a lengthy footnote to her opinion recommending denial of a motion to dismiss the complaint (PDF, see footnote 5), Judge Kruvchak concluded that 'These plaintiffs have devised a clever scheme to obtain court-authorized discovery prior to the service of complaints, but it troubles me that they do so with impunity and at the expense of the requirements of Rule 11(b)(3) because they have no good faith evidentiary basis to believe the cases should be joined.' She noted that once the RIAA dismisses its 'John Doe' case it does not thereafter join the defendants when it sues them in their real names. [Divide and conquer Bob] Arista v. Does 1-27 is the same case in which student attorneys at the University of Maine Law School, "enthusiastic about being directly connected to a case with a national scope and significance", are representing undergrads targeted by the RIAA."



Making the world safe for the feeble minded? (Perhaps he should apply for a disability since the stress is work related...)

http://techdirt.com/articles/20080128/195457100.shtml

Cop Gets Investigated Because MySpace Friend Links To Porn

from the you-have-to-be-kidding dept

Rich Kulawiec writes in to let us know about a ridiculous situation in Florida, that has some similarities to the ridiculous Julie Amero situation. Basically, a bunch of school officials and local newspaper folks are freaking out about the potential for students to access porn and are blaming the wrong people while displaying stunning levels of ignorance.

The basics of the situation are pretty straightforward. A cop who works at a middle school in Florida has a MySpace account, that he set up with the approval of the police department and the school, hoping it would allow him to connect with the kids he's supposed to be protecting. One of his many, many friends on MySpace happened to link to a porn site on their own profile. So, because one friend out of a huge list of friends happens to link to a porn page, the cop is now under investigation with the local paper dramatizing the situation by noting that students could (gasp!) get to porn "in just three clicks." Apparently, they're investigating whether the officer is criminally liable for exposing children to inappropriate content -- yes, because someone on his friend's list linked to porn. Under that definition, an awful lot of people are probably guilty.

Ah, but the story gets better (or worse, actually). You see, after some investigation, people noticed that the school's own website actually linked directly to a porn site itself -- which would seem a lot worse than what the police officer did. In this case, the school had a list of "resources" and one of the links was on a domain that had expired and was taken over by a porn site. Now, using the logic that the school used in having the police officer investigated, shouldn't the school officials also be investigated? Apparently not. Instead, they're angry about the changing domain and are looking at "legal recourse."

So, to summarize: If you happen to work at a school and have a MySpace profile where one friend of many links to a porn site via his own MySpace page: potentially illegal exposure of porn to children. If you work at a school and set up a website that directly links to porn: you're a victim who should be suing the website in question. Very logical.



Do you suppose he was getting a Doctorate in Big Brotherness? (If not, then what?)

http://www.pogowasright.org/article.php?story=20080129094025569

Anonymous? We Know Who You Are

Tuesday, January 29 2008 @ 09:40 AM EST Contributed by: PrivacyNews News Section: Internet & Computers

Steven J. Murdoch has published an extremely interesting paper as part of a dissertation for his work at the University of Cambridge. He has examined the use of covert channels and how they can be detected. In particular, Murdoch has looked at anonymity systems, or systems intended to hide your identity, and suggests ways in which it may be possible to glean valuable information simply from observation. ["You can observe a lot just by watchin'." Yogi Berra Bob]

The bottom line: While an anonymity system may hide your actions from trivial or even traditional examination, it may not provide the level of anonymity you believe it does if scrutinized seriously. Further, while many such systems use covert channels -- or channels other than those expected -- to communicate, those methods may not always work. If the protocol the covert channel alleges to be safe is fully examined, covert transmissions may stand out as non-standard. Murdoch's paper is well worth the read.

Source - Microsoft Certified Professional Magazine Related - Murdoch: Covert channel vulnerabilities in anonymity systems [pdf, 1.8 mb], December 2007



Another paper...

http://www.pogowasright.org/article.php?story=20080129153536316

Warrantless wiretaps, redux

Tuesday, January 29 2008 @ 03:35 PM EST Contributed by: PrivacyNews News Section: Fed. Govt.

A recurring theme in this blog over the last year has been how the sweeping surveillance technology envisioned by the 2007 US Protect America Act introduces fundamental technical vulnerabilities into the nation's communications infrastructure. These risks should worry law enforcement and the national security community at least as much as they worry civil liberties advocates. A post last October mentioned an analysis that I was writing with Steve Bellovin, Whit Diffie, Susan Landau, Peter Neumann and Jennifer Rexford.

The final version of our paper, "Risking Communications Security: Potential Hazards of the Protect America Act," will be published in the January/February 2008 issue of IEEE Security and Privacy, which hits the stands in a few weeks. But you can download a preprint of our article today at http://www.crypto.com/papers/paa-ieee.pdf [PDF]. Remember, you saw it here first.

Source - Exhaustive Search blog (Props, Slashdot)



Another slow mover. Is there a downside I'm missing or are these countries more forgiving of businesses?

http://www.pogowasright.org/article.php?story=20080130064823544

AU: Privacy Commissioner calls for mandatory reporting of major data security breaches

Wednesday, January 30 2008 @ 06:48 AM EST Contributed by: PrivacyNews News Section: Non-U.S. News

In the wake of recent significant data breaches in the United Kingdom, the Australian Privacy Commissioner, Karen Curtis, has reiterated her call for compulsory notification of major data security breaches by Australian organisations.

"While reporting would need to be proportional to the severity of the breach, it would provide organisations with a strong market incentive to adequately secure their databases," Ms Curtis said.

.... Ms Curtis's call for mandatory reporting was made in a 786-page submission by her Office to the Australian Law Reform Commission (ALRC) in response to its Discussion Paper 72: "Review of Australian Privacy Law".

Source - Office of the Privacy Commissioner of Australia Press Release



They speak English there too, but came up with yet another plan.

http://www.pogowasright.org/article.php?story=20080129175414850

NZ: Data breach rules years away

Tuesday, January 29 2008 @ 05:54 PM EST Contributed by: PrivacyNews News Section: Non-U.S. News

Privacy Commissioner Marie Shroff says she is likely to give voluntary guidelines that set out the way in which organisations should respond to the theft or accidental disclosure of customers' personal information 18 months to two years to take effect, before deciding whether mandatory rules are required.

Source - Stuff

(hat-tip, Identity and Privacy Blog)



This could be handy for my friends with small consulting businesses... I bet there are free versions out there.

http://www.killerstartups.com/Web-App-Tools/Time59com---Track-Time-and-Money/

Time59.com - Track Time and Money

For professionals like lawyers and consultants or freelancers, one of the hardest tasks to manage is time and getting what you’re worth for that time. Lately, a host of time management and invoicing software has cropped up on the nets. Time59 is one of the newer ones. Time59 was developed by a tech developer who ran into the very problem of timekeeping and management. Like other web-based time management tools, Time59 lets you manage multiple projects with multiple hourly rates and invoice them. If you’re not mathematically inclined, Time59 will do the math for you—simply enter your hours and expenses. There’s email and a client contact information manager for clients and potential clients. Everything can be done on the web with Time59—you can email invoices as PDF files, clients can pay you, you can keep track of activity and payment entry. What’s more, all your data is secure and automatically backed up. Time59 even works with most mobiles, so you can track your time on the go, wherever you are. You can try Time59 at no cost for one month. After 30 days is up, Time59 costs only $19.99 a year.

https://www.time59.com/login.asp



Tools

http://biz.yahoo.com/prnews/080122/nytu076a.html?.v=2

Definitions.net and Synonyms.net Join Abbreviations.com

Tuesday January 22, 1:17 pm ET

New Website Brands Reflect Industry Leadership and Commitment to Providing the Web's Ultimate Reference Resources

... The new services can be accessed through the Abbreviations.com home page at: http://www.Abbreviations.com or directly at http://www.Definitions.net and http://www.Synonyms.net.



Wicked Widgets? I may give this to my web site class, but probably on the last day of class so they aren't too distracted from the basics...

http://www.techcrunch.com/2008/01/29/sprout-the-online-wysiwyg-editor-for-flash/

Sprout: The Online WYSIWYG Editor for Flash

Mark Hendrickson January 29 2008

A new application called Sprout, launching in private beta at DEMO today, promises to make the creation of Flash applets a whole lot easier.

Sprout is a browser-based, WYSIWYG editor for Flash with an interface reminiscent of Photoshop or Dreamweaver. Designers can use it to create, publish and track Flash widgets, websites and mashups, thereby obviating the need for them to work with programmers who would cost time and money, and who might not execute designs satisfactorily.

[There is a demo video Bob]
