Thursday, May 08, 2008

Enquiring hackers want to know! Being highly visible is not the same as being highly secure. I doubt there was a great loss of treasure, but a certain amount of credibility has clearly gone south.

http://www.pogowasright.org/article.php?story=20080508062418831

Ie: Data Commission subject of security breach

Thursday, May 08 2008 @ 06:24 AM EDT Contributed by: PrivacyNews News Section: Breaches

The office of the Data Protection Commissioner, which aims to protect people's privacy, has been the subject of a security breach.

A blogger succeeded in getting access to information on the commissioner's website, which was not due to be released until later this morning.

Details of the Data Protection Commissioner's Annual Report for 2007 were published on an Irish blog yesterday. The full report will be released at 11am.

Source - RTÉ

[The report is available here: http://www.dataprotection.ie/docs/Home/4.htm or from your friendly neighborhood hacker... Interesting “Top Ten Threats to Privacy” list Bob]



This is small, but the police comments are new. (My guess is the hardware is made right next to the license plate lines...)

http://www.pogowasright.org/article.php?story=20080507181238775

Word spreads in Los Gatos on ATM thefts (update)

Wednesday, May 07 2008 @ 06:12 PM EDT Contributed by: PrivacyNews News Section: Breaches

From Blossom Manor to Almond Grove, through e-mails, doctor's offices and while dropping off the kids at kindergarten, word spread quickly last week that a massive identity theft crime had hit Los Gatos.

Police say that at least 212 people had their debit card and personal identification numbers stolen while shopping at Lunardi's Supermarket, 720 Blossom Hill Road.

Source - Mercury News

[From the article:

"What we have here is more than one person; they've been able to get in [Lunardi's] and switch out the ATM card reader," Sgt. Tam McCarty said. "Once they've done that they can read the card and PIN numbers and either make a temporary card or sell the numbers over the phone."

... Police chief Scott Seaman said investigating the Lunardi's thefts has been complicated by the fact that there are so many victims and different banks involved. He said the fact that the cash withdrawals have occurred in Southern California is yet another complication. [Not sure why that would be. Bob]

... Kalogeros described the Lunardi's crime as "fairly new," adding, "There's actually going to be another type of crime coming up involving radio frequency identification tags."

"The new cards that you touch to the reader using RFID technology can actually be read from up to 10 feet away," he said. "So, for example, you could go up to a drive-through and use your card, and a criminal sitting in the parking lot could potentially download your information."

Kalogeros said when banks send customers the tap cards, they are shipped in a foil sleeve for protection. He advised people to do the same thing. "You can buy a little wire mesh slipcover for about $8."



This happens when you assign a junior geek to create the portal and assume said geek knows you want it fully secured.

http://www.pogowasright.org/article.php?story=20080508072048718

Adobe portal site exposed edu software users' information

Thursday, May 08 2008 @ 07:20 AM EDT Contributed by: PrivacyNews News Section: Breaches

Lawyers for Adobe Systems Inc. have notified the New Hampshire Attorney General's office of a web security incident that occurred in April. In the notification to the state, Mauricio F. Paez writes: ".... It appears that certain personal information was stored on a server accessed via an Adobe website portal at a time when the server did not contain security or authentication procedures. The server was created to allow customers to upload information in order to enable Adobe to validate a customer's qualification to purchase certain education software." The notification letter did not reveal for how long the security problem existed before it was detected, nor how many individuals, total, may have had their data exposed.

The personal information collected by Adobe included pretty much everything except the kitchen sink and the client's first-born child:

"Based on our investigation to date, we believe some combination of the following information may have been exposed for the customers we are notifying: name, address, home and/or cellular phone number, email address, date of birth, school name, partial or full credit card number, credit card expiration date, credit card security code, partial or full bank account number, partial or full social security number, school identification card, driver's license number, government identification, military identification number, and copy of signature."

As in other breaches recently reported in the news such as the WellPoint breach, Adobe apparently did not discover the problem through its own security checks, but was notified of the problem by a customer.



The bad side of having instant brand recognition is that everyone knows who screwed up! Question: Is this really four separate incidents?

http://www.pogowasright.org/article.php?story=20080508073738366

Stolen Saks Fifth Ave. laptops contained customer data

Thursday, May 08 2008 @ 07:37 AM EDT Contributed by: PrivacyNews News Section: Breaches

Department store Saks Fifth Avenue has notified the New Hampshire Attorney General's office that in mid-April 2008, it learned that four company laptops were stolen. Two of the stolen laptops contained "several files that included customer names, addresses, Saks Fifth Avenue credit card account numbers, and/or Saks Fifth Avenue/MasterCard co-branded credit card account numbers." Approximately 163 New Hampshire residents had data on the laptops; the number of customers nationwide was not indicated. Nor did the notification indicate whether the company laptops were stolen from offices, unattended vehicles, or employees' homes.

Saks reported that, "Based on our investigation, we have confirmed that these files did not include Social Security numbers, the credit cards' expiration dates, pin numbers, codes, or passwords, or any other types of sensitive data."

In its letter to affected customers, Saks did not offer any free services, explaining that they believed the risk of misuse was very low. Somewhat atypically for such disclosures, they included a statement to those affected, "Nor was this a breach of our network, website, or database (as is typical in many company breaches covered by the news)." Whether Saks believes that theft of laptops is somehow not as bad as hacking into a web site is unclear at this time.



When you need a computer, steal a laptop. When you need to host a lot of stolen credit information, you need a server... (“We don't need to encrypt the data, the front door is closed... usually.”)

http://www.pogowasright.org/article.php?story=20080508062546886

HSBC admits huge data loss in Hong Kong

Thursday, May 08 2008 @ 06:25 AM EDT Contributed by: PrivacyNews News Section: Breaches

Banking giant HSBC was under fire Thursday after admitting it had lost the data of 159,000 accounts from a Hong Kong branch.

The data was held on an Internet server which is understood to have gone missing from the Kwun Tong branch of the bank while it was undergoing renovation last month.

The loss was reported to the police and the Hong Kong Monetary Authority April 26, but many customers affected only learnt of the security breach after reading reports in the local media.

In a statement issued Wednesday, the bank acknowledged a server had disappeared containing the account numbers, names and transaction details of 159,000 accounts.

Source - mangalorean.com

[From the article:

However, it said the server did not contain customers' PIN numbers or user IDs and insisted that the likelihood of anyone gaining access to the data was low, as the server was protected by multiple security systems. [but not enough to keep it from walking out the door... Bob]



Another small case of a server being stolen. Perhaps the e-crooks are equipping a data center in their secret lair?

http://www.pogowasright.org/article.php?story=20080508081515306

UK: Bank details safe after computer thefts

Thursday, May 08 2008 @ 08:15 AM EDT Contributed by: PrivacyNews News Section: Breaches

THE ORGANISERS of an international music festival say customers' details are safe after their website servers were stolen from a High Wycombe software company.

Burglars broke into the offices of Opal communications company in Cressex Business Park at around 10.30pm on Sunday. They used a stepladder to gain access to a first floor window. [“We put our computers on the second floor. We call that ‘Heightened Security.’” Bob]

When inside they stole computer accessories, software and hard drives including those used to power the website of the World of Music, Arts and Dance (WOMAD) music festival.

... Mr Wood said that all of the confidential information of customers who bought tickets to the festival is stored in a secure location, so no bank details have been lost.

Source - Bucks Free Press



Alert the folks at Guinness! It is inevitable that you will care for and improve any tool that makes you money.

http://www.infoworld.com/article/08/05/08/Parasitic-botnet-spams-60-billion-a-day_1.html?source=rss&url=http://www.infoworld.com/article/08/05/08/Parasitic-botnet-spams-60-billion-a-day_1.html

Parasitic botnet spams 60 billion a day

Srizbi botnet is responsible for 50 percent of all spam and is the biggest of its kind in history, researchers say

By Darren Pauli, Computerworld Australia May 08, 2008

The Srizbi botnet has stormed over its competition to become the Internet's biggest spammer.

Researchers claim the botnet is responsible for 50 percent of all spam, and is the biggest of its kind in history.



I have good news and I have bad news...

http://www.pogowasright.org/article.php?story=20080507152103713

UK: 2008 Information Security Breaches Survey

Wednesday, May 07 2008 @ 03:21 PM EDT Contributed by: PrivacyNews News Section: Non-U.S. News

Survey conducted by PriceWaterhouseCoopers in conjunction with Symantec for the Department for Business, Enterprise and Regulatory Reform:

Throughout history, the sea has been the lifeblood of commerce. Today, the Internet is the modern sea, carrying electronic commerce and communications around the world. Since the turn of the century, that sea has been rough, with wave after wave of viruses and hacking attacks crashing into the cyber ports. Over time, the harbour defences have improved, and now within those firewalls, the waters appear calmer.

Yet, there remain some fundamental contradictions. 79% of businesses believe they have a clear understanding of the security risks they face, but only 48% formally assess those risks. 88% are confident that they have caught all significant security breaches, but only 56% have procedures to log and respond to incidents. 81% believe security is a high priority to their board, but only 55% have a security policy. 77% say protecting customer information is very important, but only 11% prevent it walking out of the door on USB sticks. 71% have procedures to comply with the Data Protection Act, but only 8% encrypt laptop hard drives.

Source - Department for Business, Enterprise and Regulatory Reform (UK) [pdf]



Should be interesting.

http://www.pogowasright.org/article.php?story=20080507151305801

FBI Withdraws Unconstitutional National Security Letter After ACLU and EFF Challenge

Wednesday, May 07 2008 @ 03:13 PM EDT Contributed by: PrivacyNews News Section: In the Courts

The FBI has withdrawn an unconstitutional national security letter (NSL) issued to the Internet Archive after a legal challenge from the American Civil Liberties Union (ACLU) and the Electronic Frontier Foundation (EFF). As the result of a settlement agreement, the FBI withdrew the NSL and agreed to the unsealing of the case, finally allowing the Archive's founder to speak out for the first time about his battle against the record demand.

Source - EFF

Related - Threat Level: FBI Targets Internet Archive With Secret 'National Security Letter', Loses

[From the article:

This lawsuit is the first known challenge to an NSL served on a library since Congress amended the national security letter provision in 2006 to limit the FBI's power to demand records from libraries.

For the newly unsealed documents (still partially redacted):

http://www.eff.org/cases/archive-v-mukasey?docs

For more information about this case:

http://www.eff.org/cases/archive-v-mukasey

For more information on NSLs:

http://www.eff.org/issues/foia/07656JDB



Good Morning, Vietnam! Looks like there are still a few of us older geeks working on Firefox.

http://tech.slashdot.org/article.pl?sid=08/05/08/1236229&from=rss

Firefox Vietnamese Language Pack Infected With Trojan

Posted by timothy on Thursday May 08, @09:16AM from the when-childhood-goes-wrong dept.

An anonymous reader writes "Wired.com is reporting that the Firefox browser has been unknowingly distributing a trojan with the Firefox Vietnamese language pack. Over 16,000 downloads of the pack occurred since being infected. This highlights a risk of relying on user-submitted Firefox extensions, or a lack of peer review of the extensions, many of which receive frequent upgrades."



http://blog.wired.com/27bstroke6/2008/05/national-intell.html

National Intelligence Agency Breaks Out RSS Feed

By David Kravets May 06, 2008 | 6:29:05 PM

The Office of the Director of National Intelligence, which controls 16 federal agencies that make up the U.S. intelligence community, is engaged in a technological revolution of sorts.

On at least one technological front, the office on Tuesday broke out an RSS feed on its flashy, newly designed public web site.



Did you pay for “Unlimited” Internet access?

http://torrentfreak.com/test-does-your-isp-slow-down-bittorrent-traffic-080507/

Test: Does Your ISP Slow Down BitTorrent Traffic?

Written by Ernesto on May 07, 2008

A while back we posted about the plugin Azureus had developed, which allowed people to check whether their ISP is interfering with their traffic. The results showed that indeed quite a few ISPs were, but the plugin didn’t provide the user with direct feedback.

The new tool developed by the “max planck institute for software systems” can be used without having to run your BitTorrent client, and compares BitTorrent traffic to regular traffic. On top of that, it will give you more information than the Azureus plugin does.



Cool! I'll have to use this as a model for my Computer Security Final Exam! (Doesn't sound like it will be a widespread attack tool...)

http://www.infoworld.com/article/08/05/07/Zero-day-treasure-hunt-researcher-hides-IE-attack-on-Web_1.html?source=rss&url=http://www.infoworld.com/article/08/05/07/Zero-day-treasure-hunt-researcher-hides-IE-attack-on-Web_1.html

Zero-day treasure hunt: Researcher hides IE attack on Web

Aviv Raff has discovered a zero-day vulnerability in Internet Explorer that would allow an attacker to take control of a victim's PC

By Robert McMillan, IDG News Service May 07, 2008

Security researcher Aviv Raff has published code that would allow someone to take control of a computer running Internet Explorer, but there's a catch. He's not saying exactly where he's hidden the attack.

"Somewhere in my blog, I embedded a proof-of-concept code that exploits this zero-day vulnerability," Raff wrote in a Wednesday blog posting. A zero-day attack is a previously undisclosed software flaw that has not been fixed by the software maker.



L'il Abner's dream job. Paid for by taxpayers.

http://science.slashdot.org/article.pl?sid=08/05/08/0325252&from=rss

NASA Offers $5000 a Month For You to Lie in Bed

Posted by samzenpus on Thursday May 08, @07:57AM from the I-know-someone-perfect-for-this dept. NASA Science

tracer818 writes

"In order to study a person as if they were in space without gravity, NASA scientists are paying subjects $17,000 to stay in bed for 90 straight days. The study will follow the Bed Rest Project standard model and be conducted at the University of Texas Medical Branch in Galveston, Texas. Participants will live in a special research unit for the entire study and be fed a carefully controlled diet." [Schmoo? Bob]



Dilbert explains statistics... Again.

http://dilbert.com/strips/comic/2008-05-08/
