Wednesday, July 16, 2008

Most common(?) means of Identity Theft and we still see the same PR spin attempting to calm the victims.

http://www.pogowasright.org/article.php?story=20080715175618209

Stolen laptop contains ISU student information

Tuesday, July 15 2008 @ 05:56 PM EDT Contributed by: PrivacyNews

A password-protected laptop computer [Translation: Unprotected Bob] containing personal information for an estimated 2,500 or more current and former Indiana State University students was stolen during the weekend, the university reported today.

Source - TribStar.com

[From the article:

While there is no evidence to suggest that password security was breached, [Translation: We don't have a clue what the thief is doing, but we really really hope this is true. Bob] the university is taking the precaution [Translation: required by law Bob] of notifying all affected students for whom it has current contact information.

... Beginning in 2003, use of Social Security numbers as student ID numbers was discontinued [but we didn't make any effort to change existing files... Bob] in favor of university-specific identification numbers.

... Faculty and staff are being reminded that university policy prohibits the storage of private, sensitive data on portable computers. [it is only policy, since we have implemented no controls to prevent this Bob]



There is a tendency to anthropomorphise computers. It gives the true culprit (management) someone (something) to blame.

http://www.pogowasright.org/article.php?story=20080716060031789

NV: Potential jurors’ IDs put at risk in breach (updated)

Wednesday, July 16 2008 @ 06:00 AM EDT Contributed by: PrivacyNews

District Court in Clark County inadvertently put tens of thousands of people at risk for identity theft during the past three years.

The court’s computer software allowed [Translation: The program was designed to... Bob] prospective jurors’ confidential personal information to be released to a private contractor, court administrators said.

Court officials stumbled onto the security breach [Now there's a tried and true security procedure... Bob] a month and a half ago after learning that a woman who worked for the company that prints jury summons letters had sent names, dates of birth and Social Security numbers of 380 prospective jurors to her personal e-mail account.

Chuck Short, the court’s retiring chief executive, said that once officials learned of the breach at A&B Printing, they moved quickly to purge the computer software of all confidential data. [This makes no sense for many reasons, including “How will you mail me a jury summons if you don't have my name and address?” Bob]

Source - Las Vegas Sun

Earlier coverage - from July 4.



Strange enough to see an organization that still uses physical media for backup, but floppy disks? How 1980's...

http://www.phiprivacy.net/?p=534

Jul-15-2008

Hk: Yan Chai Hospital reports data loss

Yan Chai Hospital has lost a batch of backup floppy discs containing 3,000 medical record applicants’ names and identity card numbers.

The discs serve as backup copies storing the processing log sheet on medical report applications dated January 16, 2005, to January 15, 2006. They went missing during the encryption process [Must be one hell of a backlog... Bob] and the hospital management was informed of the incident on June 30. The files do not carry medical information.

Full story - news.gov.hk



Another trend. Disclose a breach, but no information on how it happened – changing the question from “You still have no (encryption/locks on the doors/etc.)?” to “So you have no idea what happened?”

http://www.pogowasright.org/article.php?story=20080715114556389

Breach puts Mo. soldiers' personal data at risk

Tuesday, July 15 2008 @ 11:45 AM EDT Contributed by: PrivacyNews

The Missouri National Guard has called for a criminal investigation after it learned that the personal information of as many as 2,000 soldiers had been breached.

... The Guard would not release how the personal information had been taken -- whether by computer hackers or other means -- because it has asked for a "full law enforcement investigation into the matter," the statement said.

Source - STLtoday.com

[Not even BreachBlog has details: http://breachblog.com/2008/07/15/moguard.aspx Bob]



For the record...

http://www.networkworld.com/community/node/29930

Making data-breach research easier

Submitted by Paul McNamara on Tue, 07/15/2008 – 6:36am.

... Logging these incidents and assembling reliable research data about the problem has been a bailiwick of security Web site Attrition.org since July 2005 -- and has at times proven daunting, as the database now contains more than 1,000 incident reports covering some 330 million records. Into the breach, so to speak, steps the Open Security Foundation, which is announcing with Attrition.org that as of this morning OSF will formally maintain the DataLossDB -- also known as the Data Loss Database - Open Source.


Related

http://www.emergentchaos.com/archives/2008/07/breach_notice_primary_sou.html

Breach notice primary sources

(Posted by cwalsh)

Today on the Dataloss mailing list, a contributor asked whether states in addition to New Hampshire and Maryland make breach notification letters available on-line.

... I know only of NH and MD.

... A later response pointed out that Wisconsin publishes some data as well. Actually, so does New York, but it's pretty measly.



A minimal “What we should do” suggestion list? Does your cell phone/PDA comply?

http://www.pogowasright.org/article.php?story=20080716061620991

MMA Issues Mobile Privacy Guidelines

Wednesday, July 16 2008 @ 06:16 AM EDT Contributed by: PrivacyNews

Continuing its push for worldwide standards, the Mobile Marketing Association Tuesday released a set of global privacy guidelines for mobile marketers. The new Global Code of Conduct broadens the scope of privacy rules the MMA issued last year for the U.S., with input from its Latin America, Asia-Pacific and Europe, Middle East and Africa chapters.

Source - MediaPostPublications

[From the article:

The code encompasses voluntary guidelines in five categories:

• Notice -- Informing users of the marketers' identity or products and services offered and the key terms and conditions that govern an interaction between the marketer and the user's mobile device.

• Choice and Consent -- Respecting the right of the user to control which mobile messages they receive by obtaining opt-in consent and implementing a simple termination, or opt-out, process.

• Customization and Constraint -- Ensuring that collected user information is used to tailor communication to the interests of the recipient and is handled responsibly, sensitively and in compliance with applicable law. Mobile messages should be limited to those requested by the user and provide value such as product and service enhancements, contests, requested information, entertainment or discounts.

• Security -- The implementation of reasonable technical, administrative and physical procedures to protect user information from unauthorized use, alteration, disclosure, distribution, or access.

• Enforcement and Accountability -- The MMA expects its members to comply with the MMA Privacy Code of Conduct and has incorporated the code into relevant MMA guidelines, including the U.S. Consumer Best Practice guidelines.

Until the code can be enforced effectively by a third party enforcement organization, mobile marketers are expected to use evaluations of their practices to certify compliance with the code. [“After thinking about the marketing potential for several seconds, I hereby declare us ‘Compliance Certified!’” Bob]



Is it: “Crooks make good cybercrime consultants?” or “Crooks want inside information on how cybercops find them?”

http://www.pogowasright.org/article.php?story=20080716053632906

NZ teenage hacker charges dropped

Wednesday, July 16 2008 @ 05:36 AM EDT Contributed by: PrivacyNews

A New Zealand teenager who admitted to taking part in an international cyber-crime network has been discharged without a conviction. The charges against him related to a hack of a U.S. university in 2006. Police said the group hijacked more than one million computers and used them to take at least $20.4m (£10.3m) from private bank accounts. Owen Thor Walker, 18, was ordered to pay $10,000 (£5,000) in damages and hand over his computer-related assets. Police said they were interested in using his skills to fight cyber-crime.

Source - BBC

[From the article:

He did not take money from people's accounts, but he was paid nearly $31,000 (£15,500) for software he designed that gave the cyber-ring access to usernames, passwords and credit card details.

Judge Judith Potter dismissed the charges, relating to a 2006 attack on a computer system at a US university, saying a conviction could jeopardise a potentially bright career. [Why didn't they try this with Charles Manson? Ted Bundy? Bob]

... Mr Walker pleaded guilty to charges of accessing a computer for dishonest purposes, interfering with computer systems, possession of software for committing crime and accessing computer systems without authorisation, the New Zealand Press Association said. [Apparently these are so minor he can still qualify to be a “computer cop” Bob]



I think this explains(?) the case I was confused about yesterday.

http://www.eff.org/deeplinks/2008/07/you-bought-it-you-dont-own-it

July 15th, 2008

You Bought It, But You Don't Own It

Posted by Corynne McSherry

In a devastating blow to user rights, an Arizona federal court has ruled that consumers can be guilty of copyright infringement if they violate the end user license agreement ("EULA") that comes with the software--even where the so-called "violation" is specifically excluded from copyright liability. Why? Because those protections only apply if you own the software you buy--not if you license it. Stunningly, this means that "cheating" while playing a computer game can expose you to potentially huge statutory damages for copyright infringement.

As we noted back in May, Blizzard Entertainment, the company that makes the hugely popular massively multi-player online role-playing game World of Warcraft, sued Michael Donnelly, the developer of Glider, a program that helps WoW users raise their character level to 70 by "playing" for the user. Blizzard said that because the license agreement forbids using Glider with WoW, Glider users are committing copyright infringement when they load copies of WoW into RAM in order to play the game, and Donnelly is illegally contributing to that infringement.

As Public Knowledge explained in its brief, Blizzard's theory confuses a copyright holder's intellectual property rights in the software it develops with a buyer's rights in the actual copy of the software. An owner of software has a right to copy it if that copy is essential to the customer's use of the software. (See Section 117 of the Copyright Act.) This rule helps balance the rights of the copyright holder to manage and benefit from its expressive work, and the rights of the public to use and build on that work.



It's not hacking, it's forensics!

http://blogs.securiteam.com/index.php/archives/1113

Finding the name behind the gmail address

July 15th, 2008 by Aviram, Filed under: Web, Privacy, Full Disclosure, Google

Ever wondered what name is behind some obscure gmail address?

... Here’s a cute vulnerability in the gmail system that comes from the strong tie-ins between gmail, the google calendar and all the other services.



Everything you ever wanted to know about e-Discovery but were afraid to ask?

http://ralphlosey.wordpress.com/2008/07/13/more-must-read-2008-cases-part-one-in-a-three-part-series/

More “Must Read” 2008 Cases - Part One in a Three Part Series

This is the first of a three-part blog, and a follow-up to an earlier essay, Online Reference and Thirty One More e-Discovery Cases. In this and the next two blogs, I will add thirty new case summaries and analysis in alphabetical order.



For my website class

http://www.killerstartups.com/Web-App-Tools/flasheezy-com-free-flash-files-and-tutorials

Flasheezy.com - Free Flash Files and Tutorials

The site offers free flash files and tutorials as well. On the homepage you’ll find a collection of the latest free flash additions to the site; today’s selection includes a peeling sticker button, a calendar, a New Year’s greeting, and an XML music player among other things. Each item can be rated by the community at large, and each comes with a preview, review and short description. Beyond the homepage, there are three main sections (separated by navigational tabs) through which you can browse. Under resources you should be able to find links to flash resources, however the section hasn’t been completed yet. The tutorials section houses tutorials, of course, but like the other section, it has yet to be finished. You can browse the Gallery to find a range of flash files; filter your search by category, flash version, or sort by comments, date, ratings, etc. As the site is run by users, anyone can submit flash elements of their own making.

http://www.flasheezy.com/
