Tuesday, July 15, 2008

How often does this type of breach need to occur before we consider it a “Best Bad Practice?” Why do the guys whose job it is to “make things public” have access to data the organization should have labeled “Never make public?”

http://www.pogowasright.org/article.php?story=20080715044342165

Posting of Social Security Numbers Results in Suspension of 3 Workers

Tuesday, July 15 2008 @ 04:43 AM EDT Contributed by: PrivacyNews

Three Metro employees have been disciplined after the Social Security numbers of nearly 4,700 current and former employees were mistakenly posted on the transit agency's Web site last month, officials said yesterday.

The information was posted between June 9 and June 25, when the breach was discovered.

Source - Washington Post

[From the article:

Although the affected employees were informed through letters and an e-mail sent last week, officials did not make the security breach public until yesterday, in response to a reporter's query.

[“We don't need to comply with no stinking disclosure law!” Bob]


Related: “Oops, we did it again...”

http://www.pogowasright.org/article.php?story=20080715051744651

Watchdog Group finds UT Students’ Socials Online

Tuesday, July 15 2008 @ 05:17 AM EDT Contributed by: PrivacyNews

A national privacy watchdog group says almost twenty-five hundred UT Austin students have had their personal information posted on the web without their knowledge for about five years.

Aaron Titus with the Liberty Coalition’s www.ssnbreach.org says he was able to find about 60 files containing personal information about 2,490 students by doing a Google search. He says the information, including social security numbers, tax information, test scores, addresses and phone numbers, was posted by professors who were unaware it could be accessed by anyone.

Source - KLBJ



Kidnapping data? I can't believe they can't bypass the admin password – my students could, and several solutions are proposed in the comments.

http://news.slashdot.org/article.pl?sid=08/07/15/120220&from=rss

Disgruntled Engineer Hijacks San Francisco's Computer System

Posted by timothy on Tuesday July 15, @08:51AM from the wait-'til-he-turns-off-the-earthquake-preventor dept. Security United States IT

ceswiedler writes

"A disgruntled software engineer has hijacked San Francisco's new multimillion-dollar municipal computer system. When the Department of Technology tried to fire him, he disabled all administrative passwords other than his own. He was taken into custody but has so far refused to provide the password, and the department has yet to regain admin access on their own. They're worried that he or an associate might be able to destroy hundreds of thousands of sensitive documents, including emails, payroll information, and law enforcement documents."



An optimal business structure? I wonder how you get to be a “made man?”

http://www.eweek.com/c/a/Security/Web-Security-Report-Outlines-Structure-of-Cybercrime-Gangs/

Web Security Report Outlines Structure of Cybercrime Gangs

By Brian Prince 2008-07-15

... Individual hackers and loosely organized groups have apparently gone the way of the dinosaur, replaced by well-structured organizations complete with a boss and underboss, according to the report, released July 15.

... Just like a mafia family, in the world of cybercrime, the boss of the operation is well insulated. The underboss manages the operation, providing Trojans for attackers and heading up the command and control of those Trojans. Below the underboss are “campaign managers” that lead their own attack campaigns and use their own affiliation networks as distribution channels to perform the attacks and steal the data. The stolen data is then sold by “resellers” uninvolved in the crimeware attacks themselves.



How to outsource quality testing... Is an Election Commission able to detect all possible errors (“features?”) in these machines?

http://blog.wired.com/27bstroke6/2008/07/ny-50-percent-o.html

NY: 50 Percent of Sequoia Voting Machines Flawed

By Kim Zetter July 14, 2008 11:00:00 AM

... Douglas Kellner, co-chair of the New York State Board of Elections, expressed frustration with the vendor, saying it appeared that Sequoia was using the state's acceptance testing process to find problems with its machines in lieu of a sound quality-control process. [Or, hoping to slip enough past the testing to determine the outcome of the election? Bob]

... In Nassau County alone, the largest voting district outside of New York City, officials found problems with 85 percent of the 240 ImageCast machines it received so far -- problems that the county characterized in a letter as "substantial operational flaws that render them unusable or that require major repairs."



Imagine searching for consistency in political speech... and finding there is none. (This technology could also be used to transcribe/search video depositions...)

http://googleblog.blogspot.com/2008/07/in-their-own-words-political-videos.html

"In their own words": political videos meet Google speech-to-text technology

7/14/2008 04:32:00 PM Posted by Arnaud Sahuguet and Ari Bezman, Product Managers

... With the help of our speech recognition technologies, videos from YouTube's Politicians channels are automatically transcribed from speech to text and indexed. Using the gadget you can search not only the titles and descriptions of the videos, but also their spoken content. Additionally, since speech recognition tells us exactly when words are spoken in the video, you can jump right to the most relevant parts of the videos you find.


Related: When the candidates start playing “Happy days are here again” the Copyright ghouls will attack!

http://www.downloadsquad.com/2008/07/13/iphone-app-review-shazam-helps-you-name-that-tune/

iPhone App Review: Shazam helps you 'Name that tune'

Posted Jul 13th 2008 3:00PM by Nik Fletcher Filed under: Audio, Freeware, iPhone

... By launching the application, holding your iPhone to the sound source you want to 'tag' and waiting a few seconds to sample the track, Shazam will tell you what that track is, and present you with links to buy the song using the iPhone's built-in iTunes store, as well as doing a YouTube search for the track to see if there are any related videos you could watch.



I'll have to give this one a try...

http://www.pogowasright.org/article.php?story=20080714110901100

Dutch search engine wins first Euro-privacy award

Monday, July 14 2008 @ 11:09 AM EDT Contributed by: PrivacyNews

Dutch search engine IxQuick Monday became the first company to receive the newly-established European Privacy Certificate. The award, expected to become an important instrument in privacy and data protection legislation, was given to IxQuick by the European watchdog for data protection in Kiel, Germany.

"This certificate could not come at a better moment," IxQuick CEO Robert Beens told Deutsche Presse-Agentur dpa.

"Just ten days ago a New York court ordered YouTube to transfer data it had stored, to Viacom. This incident only confirms what IxQuick has been saying for a long time - only erasing data can guarantee privacy."

Source - The Earth Times press release

[From the article:

IxQuick is a so-called meta-search engine, available in 17 languages. It uses the search results of several search engines to provide its own list of search results.

http://www.ixquick.com/



Another research tool. Stay current on events in your field

http://www.killerstartups.com/Search/feedmysearch-com-rss-feeds-for-your-search-terms

FeedMySearch.com - RSS Feeds For Your Search Terms

Sometimes, when you need to find information fast, running a standard web search isn’t enough. Apart from Google Updates, several other options for executing quick, relevant searches exist. One such option is FeedMySearch, an RSS-based search tool powered by Google which lets you enter a given search term and produces a list of RSS feeds to which you can subscribe to receive updates on your keywords. For example, you can run a search on “Paris Hilton” by entering the terms into the search bar and selecting the type of search from the provided drop-down menu (blog, website, video, etc.). FeedMySearch will then generate a list of relevant feeds that, when subscribed to, will give you instant updates when your search term appears “significantly” on Google.

http://feedmysearch.com/



Tools & Techniques: Even if your code is perfect, it does little good if the hardware is insecure...

http://it.slashdot.org/article.pl?sid=08/07/14/1852203&from=rss

Kaspersky To Demo Attack Code For Intel Chips

Posted by ScuttleMonkey on Monday July 14, @04:14PM from the also-releasing-a-paint-by-number dept. Security IT

snydeq writes

"Kris Kaspersky will demonstrate how attackers can target flaws in Intel microprocessors to remotely attack a computer using JavaScript or TCP/IP packets, regardless of OS. The demo will be presented at the Hack In The Box Security Conference in Kuala Lumpur in October and will show how processor bugs can be exploited using certain instruction sequences and a knowledge of how Java compilers work, allowing an attacker to take control of the compiler. The demonstrated attack will be made against fully patched computers running a range of OSes, including Windows XP, Vista, Windows Server 2003, Windows Server 2008, Linux, and BSD. An attack against a Mac is also a possibility."



Another measure of risk. Unpatched (in most cases) is how the computer comes out of the box.

http://it.slashdot.org/article.pl?sid=08/07/15/0123245&from=rss

Estimating the Time-To-Own of an Unpatched Windows PC

Posted by kdawson on Tuesday July 15, @02:46AM from the 5-minutes-16-hours-whatever dept.

An anonymous reader notes a recent post on the SANS Institute's Internet Storm Center site estimating the time to infection of an unpatched Windows machine on the Internet — currently about 4 minutes. The researcher stipulated that the sub-5-minute estimate was valid for an unpatched machine in an ISP netblock with no NAT or firewall. The researcher, Lorna Hutcheson, called for others to post data on time-to-infection, and honeypot researchers in Germany did so the same day. They found longer times to infection, an average of 16 hours. Concludes the ISC's Hutcheson: "While the survival time varies quite a bit across methods used, pretty much all agree that placing an unpatched Windows computer directly onto the Internet in the hope that it downloads the patches faster than it gets exploited are odds that you wouldn't bet on in Vegas."



http://yro.slashdot.org/article.pl?sid=08/07/14/2313247&from=rss

Blizzard Wins Major Lawsuit Against Bot Developers

Posted by kdawson on Monday July 14, @07:59PM from the gliding-off-into-the-sunset dept. The Courts Role Playing (Games) Games

Captain Kirk writes

"World of Warcraft owners Blizzard have won their case against the programmer who wrote Glider, Michael Donnelly. (We discussed the case here when it was filed.) Blizzard won on two arguments: first, that if a game is loaded into RAM, that can be considered an unauthorized copy of the game [and if it is not, it is unplayable... Bob] and as such a breach of copyright; second, that selling Glider was interfering with Blizzard's contractual relationship with its customers. The net effect? If you buy a game, you transfer rights to the game developer that they can sue you for."

[From the article:

For the background of this suit, see Virtually Blind’s complete coverage of MDY v. Blizzard. Here is today’s Order re: Blizzard’s and MDY’s Summary Judgment Motions (.pdf).



Strange that they need to “dumb down” this information so mere mortals can understand it...

http://www.bespacific.com/mt/archives/018789.html

July 14, 2008

New FTC Online Resource Answers Questions about U.S. Antitrust Laws

"FTC Guide to the Antitrust Laws: This plain-language guide is written for consumers and business people with questions about the antitrust laws. The Guide summarizes the core laws that ban unfair business practices and prevent mergers that harm consumers, and explains how antitrust cases are brought by U.S., state, and international authorities, as well as private parties. Antitrust rules are organized into four basic areas by the business conduct they regulate: Dealings with Competitors, Dealings in the Supply Chain, Single Firm Conduct, and Mergers."



An interesting document. Should be useful in many ways...

http://www.bespacific.com/mt/archives/018788.html

July 14, 2008

FTC Issues Staff Report on Roundtable Discussion About Phishing Education

News release: "The Federal Trade Commission today released a staff report on a Roundtable Discussion on Phishing Education that it hosted in April. Approximately 60 experts from business, government, the technology sector, the consumer advocacy community, and academia met at the FTC to discuss strategies for outreach to consumers about avoiding phishing. Phishers use deceptive spam that appears to come from legitimate, well-known sources to trick consumers into divulging sensitive or personal information, such as credit account numbers or passwords, often through a link to a copycat of the purported source’s Web site."
