Friday, August 29, 2008

For TJX, the impact of their data breach never ends.

http://www.pogowasright.org/article.php?story=20080829072037207

TrustCo sues TJX over breach (follow-up)

Friday, August 29 2008 @ 07:20 AM EDT Contributed by: PrivacyNews

TrustCo Bank Corp is resorting to litigation to recoup costs it incurred after reissuing thousands of credit cards to customers affected by the security breach at the parent company of the T.J. Maxx and Marshalls chains.

The Glenville bank holding company last month filed a lawsuit in Schenectady County Supreme Court against TJX Companies, shedding light on the financial burdens hackers are indirectly imposing on local banks and credit unions. The TrustCo Bank parent is suing the Framingham, Mass.-based TJX to recover the costs stemming from the cancellation and reissuance of MasterCard debit cards to affected customers. The breach, which TJX discovered in mid-December 2006, ended up costing the bank up to $20 per affected account.

Source - dailygazette.com



The list of victims is interesting...

http://www.pogowasright.org/article.php?story=20080828123021242

Tw: Biggest ever ID theft in Taiwan

Thursday, August 28 2008 @ 12:30 PM EDT Contributed by: PrivacyNews

Six people are currently being held in custody for what is believed to be the biggest personal data hacking enterprise undertaken in Taiwan's internet history.

Among the identities of those compromised are the current and several former national presidents, ZD Net reports.

An official speaking on behalf of the Taiwanese Criminal Investigation Bureau (CIB) said: "The suspects are believed to have stolen more than 50 million records of personal data including information about President Ma Ying-jeou, his predecessor Chen Shui-bian and police chief Wang Cho-chiun."

The information that the perpetrators - believed to have been operating out of Taiwan and China - appropriated was then offered for sale at around £5 per entry and they also made millions of Taiwanese dollars by raiding online bank accounts.

Source - Periscope IT

Related - ZDNet: Taiwan busts hacking ring, 50 million personal records compromised



A small breach, another unencrypted laptop, another vague reason for having the data in the first place.

http://www.pogowasright.org/article.php?story=20080828143825488

OH: Laptop With Students' Personal Information Stolen

Thursday, August 28 2008 @ 02:38 PM EDT Contributed by: PrivacyNews

A laptop containing the personal information of at least 4,000 students was stolen earlier this week, according to a Reynoldsburg City School district spokeswoman.

The spokeswoman told 10TV News that the laptop was stolen from a district employee on Monday.

The employee informed administrators that files on the laptop contained students' personal information, including Social Security numbers, 10TV News reported.

Source - 10TV News

[From the article:

The employee, who has been placed on paid administrative leave, [Is this “self defense” or did he do something wrong? Bob] said the laptop was stolen from his car while he attended a wedding. District officials said the employee was using the laptop to collect data for the district's lunch program, [and SSAN is required to plan a menu? Bob] 10TV's Brittany Westbrook reported.



“We don't know.” One of many recurring themes.

http://www.pogowasright.org/article.php?story=20080828115925605

Network accessed, but Nye Lubricants unsure if employee data accessed

Thursday, August 28 2008 @ 11:59 AM EDT Contributed by: PrivacyNews

Jackson Lewis, lawyers for Nye Lubricants, has notified the New Hampshire Attorney General that an employee "may have accessed electronic personal information stored in certain of the Company's databases without proper authority and/or for improper purposes" on or about August 15.

According to the notification, 173 employees are being notified that their personal information, including their Social Security numbers, may have been accessed or misused, but the firm was reportedly unable to determine whether any of the current or former employees' data were accessed or misused. Frederic C. Mock, Executive Vice-President of Nye Lubricants, wrote to those affected that an employee had accessed the network without authorization, but "Despite our best efforts, we could not determine if any personal information contained in the databases on the Company's network was actually compromised -- only that the opportunity for unauthorized access or use of personal information existed." Nye Lubricants reports that it is reviewing its security and systems going forward and has offered employees free credit monitoring for one year.


Related: One of the downsides of “not knowing” is that you make headlines every time you learn (and must disclose) new figures.

http://www.pogowasright.org/article.php?story=20080828125141813

State learns customers affected by bank data loss could balloon to 10 million (BNY Mellon update)

Thursday, August 28 2008 @ 12:51 PM EDT Contributed by: PrivacyNews

Governor M. Jodi Rell today announced that the state’s investigation into the loss of confidential data of more than 500,000 Connecticut residents by the Bank of New York Mellon Corp. has revealed that the security breach is much broader than first reported.

... “It is simply outrageous that this mountain of information was not better protected and it is equally outrageous that we are hearing about a possible six million additional individuals and businesses six months after the fact,” Governor Rell said. “We fear a substantial number Connecticut residents are among this latest group.”

Source - NorwalkPlus.com

[From the article:

The most recent figures came in response to the subpoenas that Governor Rell had ordered be issued in May by the state Department of Consumer Protection. [Looks like they don't entirely trust the 'disclosure' laws to extract full information. Expect to see much more of this! Bob]

BNY Mellon informed the state that it will begin the process of notifying these additional customers today. Under Connecticut state law, banks are required to immediately notify customers when such information is lost.


Related: See? Another headline. Anyone like to bid 15 million?

http://www.pogowasright.org/article.php?story=20080828144055979

Bank of NY Mellon data breach now affects 12.5 mln

Thursday, August 28 2008 @ 02:40 PM EDT Contributed by: PrivacyNews

Bank of New York Mellon Corp said on Thursday that a security breach involving the loss of personal information, including Social Security numbers, now affects about 12.5 million customers, up from an earlier 4.5 million.

Connecticut Gov. Jodi Rell, who announced a probe of the security breach in May, said in a statement she is still pursuing remedies against the New York-based bank, including a possible "substantial" fine, restitution and other remedies.

Source - Reuters


Related?

http://www.bespacific.com/mt/archives/019168.html

August 28, 2008

Justice Department Revises Charging Guidelines for Prosecuting Corporate Fraud

News release: "Department of Justice is revising its corporate charging guidelines for federal prosecutors throughout the country. The new guidance revises the Department’s Principles of Federal Prosecution of Business Organizations, which govern how all federal prosecutors investigate, charge, and prosecute corporate crimes. The new guidelines address issues that have been of great interest to prosecutors and corporations alike, particularly in the area of cooperation credit.

First, the revised guidelines state that credit for cooperation will not depend on the corporation’s waiver of attorney-client privilege or work product protection, but rather on the disclosure of relevant facts. Corporations that disclose relevant facts may receive due credit for cooperation, regardless of whether they waive attorney-client privilege or work product protection in the process. Corporations that do not disclose relevant facts typically may not receive such credit, like any other defendant."

Corporate Charging Guidelines



Related: Apparently, Best Western does know how many victims they had – they just can't convince the newspapers.

http://www.pogowasright.org/article.php?story=20080828171938846

Best Western CIO Scott Gibson On The Data Breach That Wasn't

Thursday, August 28 2008 @ 05:19 PM EDT Contributed by: PrivacyNews

Best Western CIO Scott Gibson hasn't been getting much sleep. "I've decided that sleep is highly overrated," he says ruefully.

Gibson has been dealing with a small data breach that somehow became "one of the most audacious cyber-crimes ever," as Glasgow's Sunday Herald put it.

Source - InformationWeek


Related

http://www.pogowasright.org/article.php?story=20080828143517234

Best Western forced to play defense on data breach disclosure

Thursday, August 28 2008 @ 02:35 PM EDT Contributed by: PrivacyNews

... Best Western's experience highlights the public relations problems that can result from breach disclosures, as well as the need for companies to have comprehensive incident-response plans in place for dealing with such disclosures.

In this case, Best Western could have beaten the Sunday Herald to the punch by breaking the news about the breach itself. The intrusion took place on Aug. 21; according to the newspaper, it brought the breach to the company's attention the following day, two days before the story was published.

In comments sent via e-mail this week, a Best Western spokeswoman indicated that the company was blindsided by the Sunday Herald's claims about the scope of the breach. The reporter who wrote the story didn't mention the possibility that 8 million records had been stolen when he talked to Best Western officials, the spokeswoman said. She said that he simply asked for the number of Best Western hotels and rooms in Europe, and that he appears to have used those numbers to extrapolate the 8 million figure.

And the only evidence of a breach that the reporter presented was a screenshot of a single log-in suggesting a possible compromise, the spokeswoman added. "Basically, the Herald elicited a statement from us on one issue and used the statement to report on another," she said.

The reporter, Iain S. Bruce, has yet to respond to questions about the matter that were sent to him via e-mail at his request on Tuesday. Included was a question about whether he had discussed the claim of 8 million victims with Best Western before his story was published.

Source - Computerworld

[From the article:

In this case, Best Western could have beaten the Sunday Herald to the punch by breaking the news about the breach itself. The intrusion took place on Aug. 21; according to the newspaper, it brought the breach to the company's attention the following day, two days before the story was published.

... It's reasonable for a company whose systems have been breached to make sure it fully understands the extent of what has happened before going public, said Chris Hoofnagle, senior staff attorney at the Berkeley Center for Law and Technology at the University of California, Berkeley. "The general rule is that one should not disclose the breach until its scope has been determined," [See Mellon Bank, above Bob] Hoofnagle said.

... The episode shows why companies should simulate various worst-case scenarios [Could make an interesting article... Bob] when they test their incident-response plans, Pescatore added. Best Western, he said, may have discovered what "many businesses learn the first time they actually have to implement their disaster recovery plan — 'Oops, we should have had a dry run.'" [Amen! Bob]



Future fraud: Will this US export help the economy?

http://www.pogowasright.org/article.php?story=20080828091111327

UK: Hackers prepare supermarket sweep

Thursday, August 28 2008 @ 09:11 AM EDT Contributed by: PrivacyNews

Self-service systems in UK supermarkets are being sought by hi-tech criminals with stolen credit card details.

A BBC investigation has unearthed a plan hatching online to loot US bank accounts via the checkout systems. Fake credit cards loaded with details from the accounts will be used to get cash or buy high value goods.

The supermarkets targeted said there was little chance the fraudsters would make significant amounts of cash with their plan.

With the help of computer security experts the BBC found a discussion on a card fraud website in which hi-tech thieves debated the best way to strip money from the US accounts.

The thieves claim to have comprehensive details of US credit and debit cards passed to them from an American gang who tapped phone lines between cash machines and banks.

Source - BBC

[From the article:

He said it was an example of a long observed trend in fraud.

"We've seen a shift from card-present fraud to card-not-present to fraud abroad," he said.

... He said many criminal gangs even offer their fraudulent services via the web.

"They will do it for you in India and China," he said.



Hack du jour

http://howto.wired.com/wiki/Download_MP3s_from_Streaming_Music_Sites

Download MP3s from Streaming Music Sites

From Wired How-To Wiki

Have you ever been annoyed that services like Muxtape (which is currently unavailable, thanks to the RIAA), Favtape or other playlist-based music sites don't let you download songs? The better sites offer a link to purchase the songs through the iTunes Store or Amazon.com, but the rest just stream the music. And once the player moves on to the next song, that song is gone.

Or is it? Most services like the ones above rely on Flash or JavaScript to obfuscate URLs [Security through obscurity Bob] and make it difficult, though not impossible, to download the actual files.

In this guide, we'll show you how you can grab just about any file you want by exploring your browser's cache.

NOTE: Depending on the copyright applied to the song you're downloading, using this technique may violate the copyright of the content owner. This wiki article is not intended as legal advice and is for educational purposes only. [Oh, like ditto, dude. Bob]



How to get the word out?

http://www.bespacific.com/mt/archives/019175.html

August 28, 2008

Pew Internet Survey: Podcast Downloading 2008

Pew Internet and American Life Project - Podcast Downloading 2008, 8/28/2008, Mary Madden Sydney Jones

  • "As gadgets with digital audio capability proliferate, podcast downloading continues to increase. Currently, 19% of all internet users say they have downloaded a podcast so they could listen to it or view it later. This most recent percentage is up from 12% of internet users who reported downloading podcasts in our August 2006 survey and 7% in our February-April 2006 survey. Still, podcasting has yet to become a fixture in the everyday lives of internet users, as very few internet users download podcasts on a typical day."



Still manipulating the system.

http://blog.wired.com/27bstroke6/2008/08/kevin-mitnick-t.html

Kevin Mitnick Tells All in Upcoming Book -- Promises No Whining

By Kim Zetter August 28, 2008 | 8:19:07 PM



Why an NDA? Unless Microsoft has another questionable contract with Lenovo...

http://tech.slashdot.org/article.pl?sid=08/08/28/1822227&from=rss

Lenovo Requires NDA For Windows License Refund

Posted by timothy on Thursday August 28, @02:36PM from the deserves-a-raise dept. Windows Microsoft The Almighty Buck

tykev writes

"A customer wanted to return the license for preinstalled Windows Vista Business that came with his Lenovo laptop. After some lengthy negotiations with representatives of Lenovo's technical support and management, he was offered financial compensation for returning the license in the amount of CZK 1950 (USD 130, EUR 78), pending his acceptance of a non-disclosure agreement that would cover the entire negotiations with the company and its results. He declined and published his experiences on a Czech Linux website. [and now “everyone” knows... Bob] The website editors decided to reward the customer for publishing the article by paying him an author's royalty in the same amount as was the offered compensation for returning the license."



The politician's need to be seen “doing something” should never outweigh the need to think that something through...

http://www.pogowasright.org/article.php?story=20080829051750101

UK: ContactPoint child database launch delayed following security fears

Friday, August 29 2008 @ 05:17 AM EDT Contributed by: PrivacyNews

The launch of the Government's flagship database of every child living in England has been delayed just days after The Daily Telegraph exposed serious concerns about its purpose.

ContactPoint will include the names, ages and addresses of all 11 million under-18s in the country, as well as detailed information on their parents, GPs and schools.

It was announced in the wake of the murder of Victoria Climbié as a way to protect children by connecting the different services dealing with them, but this newspaper disclosed that it will actually be used by police to hunt for evidence of crime.

Source - Telegraph

[From the article:

The £224million computer system was meant to come into operation in April 2008 but was delayed following the loss of data discs containing 25 million child benefit records by HM Revenue & Customs last year, which triggered fears that ContactPoint records could easily find their way into the hands of paedophiles.

A review of its security - which the Government refused to publish in full - found the risk of a data breach could never be eliminated and the launch of ContactPoint was pushed back to October.



Goodbye “unlimited use.” Comcast opens the door (wider) for competition. I suppose it is better than “double secret” caps.

http://tech.slashdot.org/article.pl?sid=08/08/28/2339207&from=rss

Comcast To Cap Data Transfers At 250 GB In October

Posted by timothy on Thursday August 28, @08:10PM from the crimp-in-your-style dept. The Internet Networking

JagsLive writes with this story from PC Magazine:

"Comcast has confirmed that all residential customers will be subject to a 250 gigabyte per month data limit starting October 1. 'This is the same system we have in place today,' Comcast wrote in an amendment to its acceptable use policy. 'The only difference is that we will now provide a limit by which a customer may be contacted.' The cable provider insisted that 250 GB is 'an extremely large amount of data, much more than a typical residential customer uses on a monthly basis. ... As part of our pre-existing policy, we will continue to contact the top users of our high-speed Internet service and ask them to curb their usage,' Comcast said Thursday. 'If a customer uses more than 250 GB and is one of the top users of our service, he or she may be contacted by Comcast to notify them of excessive use,' according to the AUP."



Creating the perfect Privacy Policy? Contracting with third parties...

http://www.pogowasright.org/article.php?story=20080828123409462

The privacy policy problem, Part 2: Controlling business partners

Thursday, August 28 2008 @ 12:34 PM EDT Contributed by: PrivacyNews

In this series of four articles, I'm exploring privacy policies. Today I'll continue with an analysis of potential problems due to independent partner organizations working on behalf of their clients without adequate supervision and coordination.

... The lesson I draw from this cursory investigation is that no one can afford to do business with people who do not use the same strict policies of privacy protection as their own organization. Readers should perform a systematic audit of all their organizations’ links to third parties to verify that deviations from their privacy policies do not lead to embarrassment and legal liability.

Source - NetworkWorld



“It is better to look secure than to be secure.” Hernando (and the folks in Microsoft's Marketing Dept.)

http://www.pogowasright.org/article.php?story=20080829054749282

IE8's 'privacy' mode leaks your private data

Friday, August 29 2008 @ 05:47 AM EDT Contributed by: PrivacyNews

Information concealed by the InPrivateBrowsing feature of Microsoft's Internet Explorer 8.0 can easily be recovered by forensic experts, a Dutch website has found.

The InPrivate Browsing feature in Microsoft's latest browser is designed to delete a user's browsing history and other personal data that is gathered and stored during regular browsing sessions. The feature is commonly referred to as 'porn mode' for its ability to hide which websites have been visited from nosy spouses or employers.

Forensic experts however found it trivial to retrieve the history, according to a test by Webwereld.nl, an affiliate of PC Advisor in the Netherlands, and Fox IT, a Dutch firm specialising in IT security and forensic research.

"The privacy option in this beta is mainly cosmetic. For a forensic investigator, retrieving the browsing history should be regarded as peanuts," said Christian Prickaerts, forensic IT expert with Fox IT.

Source - PC Advisor



Maybe this is why my anti-virus programs are blocking SP3...

http://www.infoworld.com/article/08/08/28/Microsoft_warns_of_IE8_lockin_with_XP_SP3_1.html?source=rss&url=http://www.infoworld.com/article/08/08/28/Microsoft_warns_of_IE8_lockin_with_XP_SP3_1.html

Microsoft warns of IE8 lock-in with XP SP3

XP SP3 users won't be able to uninstall either the service pack or Internet Explorer 8 under some circumstances

By Gregg Keizer, Computerworld August 28, 2008

Microsoft yesterday warned users of Windows XP Service Pack 3 (SP3) that they won't be able to uninstall either the service pack or Internet Explorer 8 (IE8) under some circumstances.



Sure to be of interest to my Security Process Engineering class. Their project is to secure a wiki for use by the White Hat Hacker club...

http://www.killerstartups.com/Blogging-Widgets/wibokr-com-create-your-own-wiki-or-blog

Wibokr.com - Create Your Own Wiki Or Blog

If you still haven’t created your own blog, or you want to create your personal wiki, you should try out Wibokr.com. With this free service, you’ll be able to create and host your own blog and/or wiki. The customizable dashboard will allow you to easily keep track of all your accounts, making updating and things of that nature flow smoothly. You can control who accesses what page. This could allow you to create different content for different people, letting you better organize your wiki and blog. You can upload photos to the site too. All these features make it possible for you to have a highly customized interface that allows you to control all the content you’ve chosen to share with others. Another great thing about the site is how quickly you can get the hang of it, allowing you to thoroughly enjoy the experience without having to spend too much time figuring things out.

Unlimited spaces for wiki or blog. [Unlike Comcast, above Bob]

http://www.wibokr.com/page/page.do



Politicians know this. They just can't see themselves being defeated.

http://news.cnet.com/8301-13578_3-10028603-38.html?part=rss&subj=news&tag=2547-1_3-0-5

In YouTube age, political criticisms can (and will) be used against you

Posted by Declan McCullagh August 28, 2008 4:36 PM PDT

DENVER--If you're a candidate for president during the 2012 primaries, you may want to watch how sharply you criticize your rivals. Your critiques may come back to haunt you on the Web.

That's what the Republicans, at least, are hoping to demonstrate with their notready08.com site, which features clips of Hillary Clinton, Bill Clinton, and John Edwards slamming Barack Obama last year and earlier this year for being inexperienced or over his voting record in Illinois.
