Monday, July 21, 2008

New words, same old ignorance...

http://www.pogowasright.org/article.php?story=20080720140046543

Baxter International notifies 6,900 employees that their personal info was stolen

Sunday, July 20 2008 @ 02:00 PM EDT Contributed by: PrivacyNews

Baxter International reports that while a human resources employee was attending a human resources conference in Chicago, Illinois, a thief reportedly entered the employee's hotel room while the employee was at the conference and stole a company laptop.

Two data files on the stolen laptop contained personal information, including names, social security numbers, encoded information regarding background checks, and addresses of certain current, former, and prospective U.S. Employees. No customer or patient data were reportedly included in these data files.

The data files included personal information of roughly 6,900 people, of which 2 reside in New Hampshire.

In their letter to those affected, Jeanne K. Mason, Corporate Vice President, Human Resources, notes that the laptop "required a user to enter certain user credentials, such as a correct username and password, in order to access the laptop computer." [Oh, he had to log on. No security there... Bob]

Source - Notification to New Hampshire Attorney General [pdf]



There must be a PR guy somewhere making a lot of money coming up with these inanities...

http://www.pogowasright.org/article.php?story=20080720135401327

Bristol-Myers' notification letter (update)

Sunday, July 20 2008 @ 01:54 PM EDT Contributed by: PrivacyNews

In their notification letter to the New Hampshire Attorney General, Bristol-Myers provides some additional details on their recent security breach involving the theft of a backup tape that affected 458 New Hampshire residents and an unspecified total number of individuals.

By letter dated July 11, James M. Beslity, Senior Counsel, Global Privacy and Records Management Law Department, reported that the data on the tape were protected by a 12-character password [Protected from what? The tape drive doesn't ask for a password and I won't run the software that does Bob] "that it is readable and accessible only through the use of specialized software." [Nonsense. Bob] Personal information on the tape included name, address, date of birth, Social Security number, marital status, gender, salary, hire date, termination date, retirement date, and, in some instances, bank account information. The names, addresses, and Social Security numbers of some employee dependents also were included on the tape.

Source - Notification Letter [pdf]



The older (manual) techniques still work.

http://www.pogowasright.org/article.php?story=20080721062130790

Huron Consulting Group employees notified of security risk

Monday, July 21 2008 @ 06:21 AM EDT Contributed by: PrivacyNews

On July 1, Huron Consulting Group discovered that an employee may have stolen paychecks and fraudulently endorsed and cashed or deposited them.

The employee was fired, but when the employee's company laptop was returned to them by an associate of the employee on July 8, Huron discovered that the employee, who had had authorized access to personal financial information of Huron's current and former employees, had downloaded a full set of employee W-2 forms in a text file on to her laptop. The personal information on the laptop included Social Security numbers as well as banking information used to make direct payroll deposits to employee accounts.

By letter to the New Hampshire Attorney General, Huron reports that it has no evidence of any use of the employee data but was notifying its employees. The company also arranged for free credit monitoring and identity theft insurance for non-New York employees.

Huron's notification did not indicate the total number of current and former employees potentially affected, but their web site indicates that they currently have 1,638 full-time employees.

Source - Notification Letter [pdf]



Somehow this seems like a reallllly bad idea. Think of it as a cross between “Who's Who” and a “Yo Mama” contest.

http://www.killerstartups.com/User-Gen-Content/wikiforus-com-wikipedia-for-you-and-me

WikiForUs.com - Wikipedia for You and Me

Something new from the folks at Wikipedia has just been launched by the name Wiki For Us. Advertised as a "free encyclopedia about normal and not so famous people", Wiki For Us works like the rest of Wikipedia in that users can edit pages of others to create a comprehensive page about each normal person out there. You can create a page about yourself or about someone you know personally, including information about childhoods, achievements and the people who helped shape their lives. The creators designed this website in contrast to other social networking sites to help create a team effort of ordinary individuals who want to share anecdotes of their family and friends.

http://www.wikiforus.com/wiki/Main_Page



I've asked this question before: Is it better strategically to admit exactly how bad your breach was up front, or should you keep the company name in the news as each individual victim/client makes headlines? (NOTE: Assumes you knew in the first place.)

http://www.pogowasright.org/article.php?story=20080721063229537

Gilead Science employees join the list of Colt Express victims

Monday, July 21 2008 @ 06:32 AM EDT Contributed by: PrivacyNews

Biopharmaceutical firm Gilead Sciences, Inc. reports that it, too, had employee data on computers stolen from Colt Express Outsourcing Services on May 26th. The unencrypted personal information on Gilead employees included name, address, date of birth, Social Security number, base salary, and hire date.

As with some of the other firms whose employees had data on the stolen computers, Gilead was not a client of Colt's at the time of the burglary. [Ex-clients get their own can of worms. Bob] Their lawyer's notification to the New Hampshire Attorney General's office indicates that Colt had provided benefit plan administrative services through August 2007.

Other firms known to be affected by the Colt burglary include C|net, Google, Ebara Technologies, former Avant! employees, former Netegrity, Inc. employees, bebe employees, and Punahou School employees.

Gilead did not indicate the total number of employees affected by this incident. Its web site indicates that it has more than 3,000 employees worldwide.

Source - Notification Letter [pdf]



...because...

http://www.pogowasright.org/article.php?story=20080721060013978

Data “Dysprotection:” breaches reported last week

Monday, July 21 2008 @ 06:00 AM EDT Contributed by: PrivacyNews

A recap of incidents or privacy breaches reported last week for those who enjoy shaking their head and muttering to themselves with their morning coffee.

Source - Chronicles of Dissent



For Privacy researchers...

http://www.pogowasright.org/article.php?story=20080721061807390

Annual NSW privacy report-better late than never

Monday, July 21 2008 @ 06:18 AM EDT Contributed by: PrivacyNews

... The report is published in two parts: some interesting case studies from page 19 onwards in Part 1, continued in Part 2 with a summary of some important Tribunal cases.

Source - Open and Shut blog



Infamy is as profitable as fame. (Some videos if you are curious)

http://news.cnet.com/8301-1009_3-9995253-83.html

July 20, 2008 10:36 AM PDT

Social Engineering 101: Mitnick and other hackers show how it's done

Posted by Elinor Mills



For your Security Manager

http://blog.wired.com/27bstroke6/2008/07/the-ghost-in-yo.html

The Ghost in Your Machine: IPv6 Gateway to Hackers

By Kim Zetter | July 18, 2008 | 8:10:00 PM

... Joe Klein, a security researcher with Command Information, says many organizations and home users have IPv6 enabled on their systems by default but don't know it. They also don't have protection in place to block malicious traffic, since some intrusion detection systems and firewalls aren't set up to monitor IPv6 traffic, presenting an appealing vector through which outsiders can attack their networks undetected.
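As an added example (not from the Wired article or from Command Information), a small Go audit that checks for the two conditions the article describes together: a routable IPv6 address on a host whose IPv6 firewall chains still default to ACCEPT. The interface and ip6tables lines are constructed samples; on a real host they would come from `ip -6 addr show` and `ip6tables-save`.

```go
package main

import (
	"fmt"
	"net"
	"strings"
)

// Constructed sample in the style of `ip -6 addr show` (not captured from a real host):
// eth0 carries a routable global address next to its link-local one, wlan0 only link-local.
const sampleAddrs = `1: lo: inet6 ::1/128 scope host
2: eth0: inet6 2001:db8:1234:5678::10/64 scope global
2: eth0: inet6 fe80::1ff:fe23:4567:890a/64 scope link
3: wlan0: inet6 fe80::abcd:1234:5678:9abc/64 scope link`

// Constructed ip6tables-save style filter table: every IPv6 chain still defaults to ACCEPT,
// the situation the article warns about even when the IPv4 ruleset is locked down.
const sampleRules = `*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
COMMIT`

// GlobalV6 returns "iface address" for every IPv6 address reachable beyond the local
// link; loopback and link-local (fe80::/10) addresses are skipped.
func GlobalV6(addrs string) []string {
	var out []string
	for _, line := range strings.Split(addrs, "\n") {
		f := strings.Fields(line)
		if len(f) < 4 || f[2] != "inet6" {
			continue
		}
		ip, _, err := net.ParseCIDR(f[3])
		if err != nil || ip.To4() != nil || !ip.IsGlobalUnicast() {
			continue
		}
		out = append(out, strings.TrimSuffix(f[1], ":")+" "+ip.String())
	}
	return out
}

// OpenChains lists the INPUT/FORWARD chains whose default policy is ACCEPT, i.e. any
// IPv6 packet no explicit rule matches is let through.
func OpenChains(rules string) []string {
	var out []string
	for _, line := range strings.Split(rules, "\n") {
		f := strings.Fields(line)
		if len(f) < 2 || !strings.HasPrefix(f[0], ":") {
			continue
		}
		chain := strings.TrimPrefix(f[0], ":")
		if (chain == "INPUT" || chain == "FORWARD") && f[1] == "ACCEPT" {
			out = append(out, chain)
		}
	}
	return out
}

// Findings reports the combined exposure, or "" when either condition is absent.
func Findings(addrs, rules string) string {
	global, open := GlobalV6(addrs), OpenChains(rules)
	if len(global) == 0 || len(open) == 0 {
		return ""
	}
	return fmt.Sprintf("IPv6-reachable: %s; chains defaulting to ACCEPT: %s",
		strings.Join(global, ", "), strings.Join(open, ","))
}
```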


Ditto Are your executives secure?

http://www.bespacific.com/mt/archives/018828.html

July 20, 2008

Majority of UK businesses miss out on instant messaging benefits because of security fears

"Research released...by instant messaging experts, ProcessOne, revealed that 72% of UK businesses have banned the use of public instant messaging (IM) software, such as MSN, AIM and Yahoo!, because of security fears. These fears include the ability for employees to download the software without the IT department’s knowledge and potentially use it to send confidential information outside the business. This is despite the fact that 74% of those surveyed say that they think IM could provide valuable collaboration benefits to their organisation; indicating that at the moment, security fears are overriding the opportunity that UK businesses have to increase collaboration and business productivity."


Related Are you sure you don't need encryption?

http://mobile.slashdot.org/article.pl?sid=08/07/21/081229&from=rss

It's Not Just O2 Leaking MMS Messages

Posted by timothy on Monday July 21, @07:18AM from the feature-not-bug dept. Privacy

wiedzmin writes

"A recently publicized issue with UK's O2 leaking private MMS to the Internet by making them available and searchable in Google has gained a lot of momentum and forced the company to promptly fix the problem. However a quick internet search shows that other mobile server providers, including those located in US and Canada, also make all MMS messages available in a similar manner. In fact, operators like Sprint and Boost Mobile will even let you see the phone number from which the picture or video was sent, download it, print it, forward it or reply to it from the same web page. Other operators like Canada's Bell, Solo Mobile, Verizon, Rogers and Quest appear to have removed or otherwise protected all MMS messages recently as all the cached search listings that show up for these providers are no longer available. There is no telling how many other operators' MMS listings can be accessed given correct search terms, but it looks like they are starting to get the idea and remove them from the web."


Related How about using superglue to keep your employees lips sealed?

http://houseofhackers.ning.com/profiles/blog/show?id=2092781%3ABlogPost%3A61166

No-Tech Hacking

Posted by hitechpo on July 19, 2008 at 4:02pm

... Have you ever noticed how many people are talking on cell phones nowadays? Everyone has one. Everyone uses them. They use them when they are driving. They use them when they are eating. They use them while waiting for planes at the airport. Now, have you ever had the tendency to listen in on these conversations? Of course you have, everyone has. Why? A person normally speaks in an average volume when talking face to face; however, when talking on the cell phone, the volume goes up. Have you ever noticed that?

Well, enough talk. Let me get to my stories. I've had several examples that I can share, but I'll point out these two and the latter is the one that provoked me to write this blog. While waiting for a plane, I overheard a gentleman on the cell phone calling his credit card company. The gentleman apparently had an issue with his card and needed to correct it. You ask, so what? Well, when you call a credit card company, they require some proof to authenticate you. How do they do this? They ask you some questions such as your name, account number, maybe the last four digits of your social security number or your mother's maiden name. They may even ask you for your address and phone number. It doesn't really matter what they ask for, suffice it to say that they will probably ask for the same information every time you call to verify that they are talking to 'you', the person that is the card holder. This is all good and dandy, but what if I'm 'J' hacker listening to your conversation. I've just copied down all of your personal information and more than likely not, have already seen what type of credit card you use since you have it in your hand to read off the numbers. This is one of those reasons why someone's identity is stolen at a rate of one every three seconds.

This next story takes the cake. Again, while waiting for a plane, I overheard another gentleman on the cell phone talking to someone at his office. Apparently, he either needed the administrator password for his computer system or someone else needed this information. It doesn't matter either way, but suffice it to say that he gave this information over the phone and in 'ear shot' of about 50 other people. In addition, the individual was utilizing a Bluetooth enabled ear set along with utilizing the publicly available wireless access. We all know the security holes that come with Bluetooth and of course, sniffing the 'wire' of a public network. I am betting that the individual wasn't using a VPN connection and I could have easily figured out his company. How? He probably had a briefcase or a polo shirt with his company logo on it. (At this point, I didn't really pay attention to this because I was too busy laughing at the man for giving his administrator password over the phone.) I could have easily 'made friends' with him and got a business card with all of his company information on it.

So ladies and gentlemen, the next time you are in public, pay attention to your surroundings. It is very interesting to see (or hear) what is around you. My warning to you: if you are going to be passing along sensitive information on your cell phone, do it in privacy. Step away from the crowds, if you can, or wait until you are out of 'ear shot' of people around you. You just never know when 'J' hacker is listening to your conversation.



Is someone you know going to the Olympics?

http://www.pogowasright.org/article.php?story=20080721065425615

US cyberspying fears hang over Beijing Olympics

Monday, July 21 2008 @ 06:54 AM EDT Contributed by: PrivacyNews

US paranoia about Chinese computer hackers has created a diplomatic dilemma about whether or not to warn visitors and business people traveling to next month's Beijing Olympics about cyber-security risks.

Last month the department of Homeland Security privately warned government and key private-sector contacts of the cyber-security perils facing overseas travelers from foreign governments. Spying techniques outlined in the advisory, which wasn't made public, included copying the contents of laptop hard disks at border crossing or in hotel rooms and "loading spyware" onto BlackBerry mobile devices, the Wall Street Journal reports.

Source - The Register


Related

http://www.pogowasright.org/article.php?story=20080721065815485

UK: Big Brother is Bluetoothing You

Monday, July 21 2008 @ 06:58 AM EDT Contributed by: PrivacyNews

A controversial new study that uses Bluetooth technology to track UK citizens, without their knowledge, has come under fire from privacy campaigners.

The Cityware study - has been set up with the objective "to develop theory, principles, tools and techniques for the design, implementation and evaluation of city-scale pervasive systems as integral facets of the urban landscape."

Source - TechRadar.com

[From the article:

... However, certain privacy campaigners strongly disagree, with Simon Davies, director of Privacy International responding: "This is yet another example of moronic use of technology. [Don't you love people who say exactly what they mean? Bob]

... [The Cityware study link in the article is bad. Here is the correct one: http://www.cityware.org.uk/ Bob]



Tools & Techniques: Something for the Forensics Files

http://developers.slashdot.org/article.pl?sid=08/07/20/1624253&from=rss

Cold Boot Attack Utilities Released At HOPE Conference

Posted by Soulskill on Sunday July 20, @01:26PM from the shining-a-spotlight dept. Security Software

An anonymous reader writes

"Jacob Appelbaum, one of the security researchers who worked on the cold boot attacks to recover encryption keys from memory even after reboot, has announced the release of the complete source code for the utilities at The Last HOPE in New York City. The hope (obligatory pun) is that the release of these tools will help to improve awareness of this attack vector and enable the development of countermeasures and mitigation techniques in both software and hardware. The full research paper (PDF) is also available."



Tools & Techniques Seems like everyone is publishing hacks. Not everyone is willing to fool around with their expensive toys.

http://www.iphonehacks.com/2008/07/pwnage2-win-fix.html

Step-by-Step Guide to Pwn first generation iPhone running firmware 2.0 using Windows



Tools & Techniques: Securing the Cloud

http://yro.slashdot.org/article.pl?sid=08/07/20/1955243&from=rss

Encrypting Google Calendar With Firefox Extensions

Posted by timothy on Sunday July 20, @04:42PM from the show-as-unavailable dept. Privacy Google

mrcgran writes

"IBM's Nathan Harrington has an interesting essay on using open-source tools to ensure privacy on Google Calendar: 'Today's Web applications provide many benefits for online storage, access, and collaboration. Although some applications offer encryption of user data, most do not. This article provides tools and code needed to add basic encryption support for user data in one of the most popular online calendar applications. Building on the incredible flexibility of Firefox extensions and the Gnu Privacy Guard, this article shows you how to store only encrypted event descriptions in Google's Calendar application, while displaying a plain text version to anyone with the appropriate decryption keys.'"
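An added Go sketch of the idea in Harrington's essay (this is not his Firefox extension code, and it uses Go's AES-GCM in place of GnuPG): only the event description is encrypted before it reaches the calendar service, while title and start time stay readable so the hosted calendar still works as a calendar. The passphrase-derived key and the `enc:v1:` marker are assumptions made for this example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"errors"
	"io"
	"strings"
)

// Event is what the calendar stores; only Description is confidential, Title and Start stay searchable.
type Event struct {
	Title, Start, Description string
}

const marker = "enc:v1:" // prefix that tells ciphertext from events created unencrypted in the web UI

// keyFromPassphrase: plain SHA-256 stands in (assumption) for the essay's GnuPG key; use scrypt/Argon2 in practice.
func keyFromPassphrase(p string) []byte {
	k := sha256.Sum256([]byte(p))
	return k[:]
}

func gcmFor(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// EncryptEvent returns the copy sent to the service: Description becomes AES-GCM ciphertext (fresh nonce,
// base64 so it fits a text field). Title is bound in as additional data, so a ciphertext moved onto another event fails.
func EncryptEvent(key []byte, e Event) (Event, error) {
	gcm, err := gcmFor(key)
	if err != nil {
		return Event{}, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return Event{}, err
	}
	ct := gcm.Seal(nonce, nonce, []byte(e.Description), []byte(e.Title))
	e.Description = marker + base64.StdEncoding.EncodeToString(ct)
	return e, nil
}

// DecryptEvent is the display-side step: never-encrypted events pass through; a wrong key or edited event fails the tag check.
func DecryptEvent(key []byte, e Event) (Event, error) {
	if !strings.HasPrefix(e.Description, marker) {
		return e, nil
	}
	gcm, err := gcmFor(key)
	if err != nil {
		return Event{}, err
	}
	raw, err := base64.StdEncoding.DecodeString(strings.TrimPrefix(e.Description, marker))
	if err != nil || len(raw) < gcm.NonceSize() {
		return Event{}, errors.New("malformed encrypted description")
	}
	pt, err := gcm.Open(nil, raw[:gcm.NonceSize()], raw[gcm.NonceSize():], []byte(e.Title))
	if err != nil {
		return Event{}, errors.New("decryption failed: wrong key or modified event")
	}
	e.Description = string(pt)
	return e, nil
}
```

Because the title is authenticated alongside the description, renaming an encrypted event in the web UI also means re-encrypting it with the new title.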



e-Discovery case study

http://www.bespacific.com/mt/archives/018822.html

July 20, 2008

New on LLRX.com: Sex Offender Residency Restrictions, Lessons From An E-Discovery Disaster

  • Criminal Justice Resources: Sex Offender Residency Restrictions - Ken Strutin's guide collects recent court decisions, research papers and reports that have addressed the efficacy of exclusionary zoning laws and the impact of these restrictions on sex offenders reentering their communities. Published July 20, 2008

  • E-Discovery Update: Lessons From An E-Discovery Disaster - Conrad J. Jacoby examines the recent case of Southern New England Telephone Company (“SNET”) v. Global NAPS, Inc. as an example of how stonewalling and committing perjury, especially with respect to electronic discovery matters that can be independently validated, remains a poor litigation strategy. Published July 20, 2008



Have you been thinking about starting a blog?

http://www.killerstartups.com/Blogging-Widgets/bustablog-com-make-blogs-make-money-get-traffi

BustaBlog.com - Make Blogs, Make Money, Get Traffi

For any blogger, writer and publisher out there, BustaBlog is the new website where you can create a free blog, make money off relevant advertisements connected with your articles and receive traffic through the site's optimization. BustaBlog offers over 100 blog templates and allows users to add widgets to the blog's design for free. Those who already have a blog can make extra money from syndicating with BustaBlog because they will monetize your articles with advertisements. And for those out there who love to read blogs and get connected with others on topical discussions, BustaBlog features new, active and updated blogs right on its website.

http://bustablog.com/


Related Perhaps we could start a “Save the Bloggers Fund?”

http://abcnews.go.com/Technology/story?id=5406538&page=1

Lawsuits Against Bloggers Seen Rising

Since 2004, 159 Court Actions Have Targeted Citizen Journalists for Libel and Other Charges

By HUMA YUSUF July 20, 2008


Related How to get sued...

http://www.pogowasright.org/article.php?story=20080721061123327

In: I had my food in your privacy*

Monday, July 21 2008 @ 06:11 AM EDT Contributed by: PrivacyNews

... What you are looking at is the complete details of the voters list in the state of Andhra Pradesh. Complete details means every single thing the state knows about you.

... Apparently the authorities sold their waste papers to a vendor. Incidentally this vendor made paper plates using these and sold it a local cafe. I got the paper plates whenever I ordered something from there.

I took some more samples from there. Then came another shocking truth. Among the data there was data corresponding to the details of the customers of a famous bank. Looking at the samples it was obvious that the papers contained data of all the customers of the bank from all parts of India.

Source - diovo blog

Comment - the blog's author provides a few unredacted images of what he found, [Dumb, dumb, dumb. Bob] with a note, "If your personal details are in the photo above, I am sorry. I care less about your privacy than the state." This site links to the article because of the breach aspects, but with regret that the author did not care enough about privacy to redact names.-- Dissent.



Probably the next thing to replace “Blogs” -- make your own television studio and create your own show. (Watch the “behind the scenes” video if you want to do it yourself.)

http://www.technewsworld.com/rsstory/63868.html

A Webcast Odyssey

By Randy A. Salas Knight Ridder/Tribune Business News 07/20/08 4:00 AM PT

"It's something I believe in. It's something I'm passionate about," says Benjamin Higginbotham. "And if that means I have to spend my own money to make it go, then I spend my own money to make it go." Higginbotham is talking about SpaceVidcast, a daily online Internet show he cohosts with his wife, Cariann. SpaceVidcast focuses on anything and everything about space exploration.



For my website class

http://www.killerstartups.com/Web20/interes-tingness-com-pretty-pictures-on-a-wall

Interes.tingness.com - Pretty Pictures on a Wall

Simply put, it’s a new “interface experiment” that mashes Flickr with Interestingness’s own API to create a stunning visual wall of photos for your pleasure. You can choose a photo wall by date or ‘Randomise’. Click on any pic to access its Flickr page. You can also customize the number of pictures on the page being displayed at once. The max is 500. Images can be viewed as big as 500 pixels as well.

http://interes.tingness.com/
