Monday, August 11, 2008

Some days it seems that reporters get together and agree on a slant to their reporting. Today that seems to be: “Let's point out what a bad job some organizations are doing protecting their customers' information...”



Even the Wall Street Journal is reporting “bad behavior” related to data breaches...

http://www.pogowasright.org/article.php?story=20080811055114872

Some Stores Quiet Over Card Breach

Monday, August 11 2008 @ 05:51 AM EDT Contributed by: PrivacyNews

Most states mandate that companies tell their customers when their credit-card data is stolen from the stores. The laws are designed to give consumers a chance to protect themselves against fraud or identity theft.

But when federal prosecutors disclosed last week that computer hackers swiped more than 40 million credit-card numbers from nine retailers in the biggest such heist ever, it was the first time that many shoppers had heard about it.

That's because only four of the chains clearly alerted their customers to breaches. Two others -- Boston Market Corp. and Forever 21 Inc. -- say they never told customers because they never confirmed data were stolen from them. [After all, those Secret Service guys could be wrong... Bob]

The other retailers -- OfficeMax Inc., Barnes and Noble Inc., and Sports Authority Inc. -- wouldn't say whether they made consumer disclosures. Computer searches of their Securities and Exchange Commission filings, Web sites, press releases and news archives turned up no evidence of such disclosures.

Source - Wall Street Journal

[From the article:

"If I were the companies, I would be issuing public disclosures five nanoseconds after the indictments were announced," says Evan Stewart, an adjunct professor at Fordham University School of Law and an electronic-data breach expert. "If not, there could be big checks the companies will have to be writing" to cover consumer litigation, he said. [The WSJ's subtle way of telling their readers that they should have a plan for disclosure? Bob]

... The indictments also allege that Boston Market, a fast-food chain based in Golden, Colo., was hit by credit-card thieves. Company spokeswoman Angela Proctor acknowledges that the company was notified by federal authorities in 2004 about a potential breach. She says it never disclosed the matter to consumers "because we couldn't find any definite information that we'd been breached."

Ms. Proctor now says it isn't likely the company will inform consumers "because there is no way for us to identify customers who might have been affected." She added, "The consumer always does have an opportunity to report fraudulent activities" to credit-card companies. [Do I detect a hint of “We really don't care” in that statement? Bob]

... Barnes and Noble, the New York-based bookseller, issued a release last week saying it "had not received inquiries from credit card companies or customers about these alleged activities." [How would customers know it was Barnes & Noble that lost the information? Fortune tellers? Bob]


Related, but this could just be government bashing...

http://www.pogowasright.org/article.php?story=20080811064208460

Ie: Thousands of social welfare details on stolen laptop (Update 2)

Monday, August 11 2008 @ 06:42 AM EDT Contributed by: PrivacyNews

Personal details of 380,000 social welfare recipients were stored on a laptop which went missing in April 2007, it emerged today.

Up to 106,000 of the records held on the laptop contained bank account details as recipients were paid benefits directly into their accounts.

Last week, the Comptroller and Auditor General John Buckley said that 16 laptops belonging to his office had been stolen since 1999. Following an examination three of these laptops have been identified as containing data that could, if improperly disclosed, be misused.

In addition to the laptop containing information on social welfare scheme payments, the other two laptops contained PPSN and banking details related to the payrolls of seven public bodies.

Source - Irish Times

Related - Irish Government data breach slammed as ‘serious incident’



http://www.pogowasright.org/article.php?story=20080809132438418

AT&T notified over 113,000 employees of stolen laptop (update)

Monday, August 11 2008 @ 06:21 AM EDT Contributed by: PrivacyNews

In June, this site reported the May 15th theft of one of AT&T's laptops after being contacted by an employee who received a notification letter. At the time, the company was not revealing details such as where and how the laptop was stolen or how many employees were affected by the theft. In a disclosure letter to the Maryland Attorney General's office subsequently posted online, AT&T reported that the laptop, stolen from an employee's vehicle in San Antonio, contained unencrypted Social Security numbers and bonus/salary information.

AT&T's mandated notification to the NYS Attorney General's office, now obtained by this site, reveals that 113,595 employees had their personal information on the stolen laptop. Of the total, 1,933 were New York State residents.

Unlike many other states, NYS's disclosure form asks entities to disclose the total number affected as well as the number of NYS residents affected.

In response to a request for clarification and comment, AT&T's legal counsel now informs us that affected employees were "spread across virtually all states, Guam, Puerto Rico and the USVI."

The laptop has not been recovered, but according to their counsel, there have been no reports of misuse of the data.

AT&T continues to monitor the loss with law enforcement, and notes that "Since this loss impacted employees, AT&T is better able to monitor the situation and, should evidence of mis-use surface, we will respond accordingly."



Nice of them to send all that data in electronic form. It makes creating a database so much easier...

http://www.pogowasright.org/article.php?story=20080811053935910

AU: Spam alert after Ticketek email blunder

Monday, August 11 2008 @ 05:39 AM EDT Contributed by: PrivacyNews

In the body of an email sent to customers advertising an internet pre-sale offer for The Dandy Warhols, Ticketek accidentally included a dump of its email database.

The exact number of addresses exposed is unknown but the email prints out to more than 110 pages, or tens of thousands of names.

Source - The Age

[From the article:

However, under privacy laws she does not have powers to penalise or compel an organisation to do something unless her office receives a direct complaint from an individual. [A not-so-subtle hint... Bob]

... Roger Clarke, chair of the Australian Privacy Foundation, said: "This kind of thing is ludicrous - that such errors could be permitted to occur and not have controls in place to prevent them occurring. "While we don't want to go off the deep end about a single error the fact is corporations aren't being careful enough with consumer data and are not being held to account." [People are waking up... Bob]
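The Ticketek mistake is the kind of thing an outbound mail gate can catch before the message leaves the building. The following is an added example (mine, not Ticketek's code and not from the article) of such a check: it counts distinct email addresses in the body and in the visible To/Cc headers of an outgoing message and blocks when either looks like a list dump. The thresholds, the sender address and every customer address are made up; the sample messages are constructed to approximate the incident.

```python
import re
from email.message import EmailMessage
from email.utils import getaddresses

# Matches ordinary addresses; good enough for a leak detector (not an RFC 5322 validator).
ADDR_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def addresses_in(text):
    """Distinct, lower-cased addresses found anywhere in a blob of text."""
    return {m.lower() for m in ADDR_RE.findall(text)}


def visible_recipients(msg):
    """Addresses in To/Cc, which every recipient gets to see (Bcc is deliberately ignored)."""
    headers = [str(h) for h in msg.get_all("To", []) + msg.get_all("Cc", [])]
    return {addr.lower() for _, addr in getaddresses(headers) if addr}


def check_outbound(msg, max_body_addresses=3, max_visible_recipients=10):
    """Gate an outgoing message. Returns ('allow' | 'block', list of findings).

    Thresholds are illustrative: a promo mail may legitimately mention a support
    address or two, but dozens of distinct addresses in the body is a database dump.
    """
    findings = []
    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content() if body is not None else ""
    in_body = addresses_in(text)
    if len(in_body) > max_body_addresses:
        findings.append(f"body contains {len(in_body)} distinct email addresses")
    visible = visible_recipients(msg)
    if len(visible) > max_visible_recipients:
        findings.append(f"{len(visible)} recipients exposed in To/Cc; bulk mail belongs in Bcc")
    return ("block" if findings else "allow"), findings


def build_message(to, subject, body, cc=()):
    """Constructed sample message (example.com/.org addresses only, no real customers)."""
    msg = EmailMessage()
    msg["From"] = "presales@example.com"  # hypothetical sender
    msg["To"] = to
    if cc:
        msg["Cc"] = ", ".join(cc)
    msg["Subject"] = subject
    msg.set_content(body)
    return msg


# Constructed approximation of the incident: promo text followed by an address dump.
LEAKY_BODY = "Internet pre-sale starts Wednesday.\n\n" + "\n".join(
    f"customer{i}@example.org" for i in range(1, 51)
)
CLEAN_BODY = "Internet pre-sale starts Wednesday. Questions? Write to support@example.com."


def demo():
    """Run the gate over the constructed leaky and clean messages."""
    leaky = build_message("fan@example.org", "Pre-sale offer", LEAKY_BODY)
    clean = build_message("fan@example.org", "Pre-sale offer", CLEAN_BODY)
    return check_outbound(leaky), check_outbound(clean)


if __name__ == "__main__":
    for verdict, findings in demo():
        print(verdict, findings)
```

The body check is the one that would have stopped the Ticketek mail; the To/Cc check catches the other classic version of the same blunder, where a bulk mailing exposes the whole recipient list because nobody used Bcc. A gate like this belongs on the outbound relay, not in the marketing tool, so that it runs regardless of which system produced the message.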


Related WARNING: The report is 2700 pages long. You probably don't want to print it...

http://www.pogowasright.org/article.php?story=20080811054523841

AU Media Release: ALRC report – a valuable contribution to privacy law reform, says Privacy Commissioner

Monday, August 11 2008 @ 05:45 AM EDT Contributed by: PrivacyNews

The Privacy Commissioner, Karen Curtis, has welcomed the release of the final report of the privacy law review undertaken by the Australian Law Reform Commission over the past two years.

"The report is a valuable contribution to assist the Government develop its approach to the reform of Australia's privacy regime," Ms Curtis said.

Source - Office of the Privacy Commissioner

Related - Australian Law Reform Commission - Inquiry into the Privacy Act, Report 108



If you can't trust your auditors, who can you trust?

http://www.pogowasright.org/article.php?story=20080810172912791

Ie: State loses ‘significant number’ of citizens’ social welfare details

Sunday, August 10 2008 @ 05:29 PM EDT Contributed by: PrivacyNews

Personal confidential records containing the social welfare details of a ‘‘very significant’’ number of Irish citizens were lost by a government official, The Sunday Business Post has learned.

Informed sources have described the confidential personal data, which was lost during an audit of the department of Social and Family Affairs in July, as ‘‘highly sensitive’’.

The Comptroller and Auditor General John Buckley’s (CAG) department had said it lost a laptop last month, initially claiming the computer contained non-personal data.

However, this newspaper has established that the CAG has now said, in a report submitted in past days to the office of the Data Protection Commissioner Billy Hawkes, that the laptop also contained the confidential personal records of a large number of social welfare recipients.

Source - Sunday Business Post Thanks to Brian Honan for this link.



...because...

http://www.pogowasright.org/article.php?story=20080811055904369

Data “Dysprotection:” breaches reported last week

Monday, August 11 2008 @ 05:59 AM EDT Contributed by: PrivacyNews

A recap of incidents or privacy breaches reported last week for those who enjoy shaking their head and muttering to themselves with their morning coffee

Source - Chronicles of Dissent



It's like no one has heard of the “Streisand Effect” except the entire Internet-using public!

http://techdirt.com/articles/20080811/0035111937.shtml

Boston Subway System Stops Defcon Talk; But Paints Security Target On Its Back

from the yeah,-that'll-work dept

You would think after years and years of it backfiring every time some scared organization tries to shut down a talk concerning their security vulnerabilities, that people wouldn't even bother any more. But never underestimate the short-sightedness of some execs. The Massachusetts Bay Transportation Authority uses a magnetic strip card system to access the subway system in Boston. That system is not particularly secure, and some enterprising MIT students planned to demonstrate just how weak the security was on the system this weekend at the Defcon conference... until the MBTA convinced a judge to ban the presentation and demand that all copies of the presentation not be released -- which is problematic since all attendees at the conference already obtained CDs with a copy of the presentation. Also, somewhat ironically, a copy of the presentation was entered in as evidence in the case, and that copy is now publicly available as part of the court records system. Oops

Of course, even if the court had actually been able to stop the distribution of the presentation, it's silly to think that this would have stopped the dissemination of the methods for hacking the system. The truth is that the MBTA's system uses woefully weak security, and rather than doing anything to strengthen it, it has to threaten some bright MIT students and get a court order to pretend that such security vulnerabilities don't exist. And, of course, in doing this, all the MBTA has really done is painted a huge target on its back. Perhaps it should have just focused on making its system a bit more secure instead.


Related

http://blog.wired.com/27bstroke6/2008/08/eff-to-appeal-r.html

Federal Judge in DefCon Case Equates Speech with Hacking

By Kim Zetter, August 10, 2008 | 6:55:40 AM

... Opsahl said the judge, in making his decision, misinterpreted a part of the federal Computer Fraud and Abuse Act that refers to computer intruders or hackers. Such a person is described in part in the statute as someone who "knowingly causes the transmission of a program, information, code, or command to a computer or computer system."

Opsahl says the judge, during the hearing, likened the students' conference presentation to transmitting code to a computer.

... "Basically, what the court is suggesting here is that giving a presentation involving security to other security researchers is a violation of federal law," she said. "As far as I know, this is completely unprecedented, and it has a tremendous chilling effect on sharing this sort of research. . . . And we intend to fight it with everything we've got."

... They say the MBTA did ask for some material -- not a copy of their conference presentation -- which they provided on Friday at around 4:30 pm, which they say was around the same time the MBTA was heading to the courthouse to request the restraining order.

That material was a confidential vulnerability assessment report (.pdf) describing, in a more substantial way than the conference presentation slides do, the flaws in the MBTA payment system. The report became a public document on Saturday when the MBTA included it among other papers it submitted to the court on Saturday.



Related (and inevitable)

http://digg.com/security/MIT_student_newspaper_publishes_the_banned_DEFCON_slides

MIT student newspaper publishes the banned DEFCON slides

tech.mit.edu — The Massachusetts Bay Transportation Authority has sued three MIT students — Zackary M. Anderson '09, Russel J. Ryan '09, and Alessandro Chiesa '09 — and MIT to prevent the disclosure of security weaknesses in subway ticketing systems.

http://www-tech.mit.edu/V128/N30/subway/Defcon_Presentation.pdf



Hacking the TSA

http://www.infoworld.com/article/08/08/11/Flying_to_Defcon_with_no_ID_1.html?source=rss&url=http://www.infoworld.com/article/08/08/11/Flying_to_Defcon_with_no_ID_1.html

Flying to Defcon with no ID

Hacker finds that Logan International Airport's procedure for handling people without an ID has a few security problems

By Robert McMillan, IDG News Service August 11, 2008

... For one thing, Davidoff didn't need to know much in order to establish her identity: She had to provide her name along with both a street and a state where she'd previously resided.

She said that this kind of basic information is pretty easy to dig up.

Another problem was that the TSA's first screener marked up her home-printed boarding pass with a red Sharpie pen. This was the sign for the workers at the metal detector to give her a more thorough screening.

She believes that if she had simply printed two copies of her boarding pass, she could have handed in an unmarked copy and skipped this secondary screening, which included a pat-down and a test for explosives.



Perhaps not the best method available, but better than simple passwords alone?

http://it.slashdot.org/article.pl?sid=08/08/10/186203&from=rss

Moving Beyond Passwords For Security

Posted by Soulskill on Sunday August 10, @02:41PM from the asdf1234 dept.

Naturalist writes with an excerpt from a New York Times story about the need for a more secure method for identification than the password-based system almost everyone currently uses. The article also discusses the weaknesses of the OpenID initiative to simplify the process.

"The solution urged by the experts is to abandon passwords -- and to move to a fundamentally different model, one in which humans play little or no part in logging on. Instead, machines have a cryptographically encoded conversation to establish both parties' authenticity, using digital keys that we, as users, have no need to see. ...OpenID offers, at best, a little convenience, and ignores the security vulnerability inherent in the process of typing a password into someone else's Web site. Nevertheless, every few months another brand-name company announces that it has become the newest OpenID signatory."
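What "a cryptographically encoded conversation" between machines looks like in practice, as an added example that is neither the article's nor OpenID's code: a three-message mutual challenge-response in which each side proves it holds a long-term key without ever sending it, and the human types nothing. The article is talking about public-key credentials; this version uses a shared HMAC key so that it runs on the Python standard library alone, and it assumes that key was provisioned out of band (say, at enrolment). The party names are hypothetical.

```python
import hashlib
import hmac
import secrets


class Party:
    """An endpoint holding a long-term key. The human user never sees or types it."""

    def __init__(self, name, key):
        self.name = name
        self.key = key

    def mac(self, *parts):
        """HMAC-SHA256 over length-prefixed parts, so (a, bc) and (ab, c) never collide."""
        h = hmac.new(self.key, digestmod=hashlib.sha256)
        for p in parts:
            h.update(len(p).to_bytes(2, "big") + p)
        return h.digest()


def run_handshake(client, server):
    """Three-message mutual challenge-response.

    1. client -> server : nc (fresh nonce)
    2. server -> client : ns, MAC(K, "server" | nc | ns)   proves the server knows K
    3. client -> server : MAC(K, "client" | ns | nc)       proves the client knows K
    Returns True only if both proofs verify. Nothing that crosses the wire reveals K,
    and the "server"/"client" labels stop a peer from reflecting a proof back.
    """
    nc = secrets.token_bytes(16)
    ns = secrets.token_bytes(16)
    proof_s = server.mac(b"server", nc, ns)
    if not hmac.compare_digest(proof_s, client.mac(b"server", nc, ns)):
        return False  # the client stops here: the peer does not hold the key
    proof_c = client.mac(b"client", ns, nc)
    return hmac.compare_digest(proof_c, server.mac(b"client", ns, nc))


def replay_is_rejected(client, server):
    """An eavesdropper records a valid server proof and replays it in a later run."""
    nc_old, ns_old = secrets.token_bytes(16), secrets.token_bytes(16)
    recorded = server.mac(b"server", nc_old, ns_old)
    nc_new = secrets.token_bytes(16)  # the client picks a fresh challenge every time
    return not hmac.compare_digest(recorded, client.mac(b"server", nc_new, ns_old))


def demo():
    """Genuine peer succeeds; a look-alike site without K fails; a replayed proof fails."""
    k = secrets.token_bytes(32)  # provisioned out of band (assumption), e.g. at enrolment
    alice, bank = Party("alice", k), Party("bank", k)
    phisher = Party("bank-lookalike", secrets.token_bytes(32))  # never learned K
    return {
        "genuine": run_handshake(alice, bank),
        "phishing_site": run_handshake(alice, phisher),
        "replay": replay_is_rejected(alice, bank),
    }


if __name__ == "__main__":
    print(demo())
```

The contrast with the password model is the "phishing_site" case: a look-alike site that talks to the client learns only MACs over random nonces, which are useless to it, whereas a look-alike site that asks for a password gets the password. That is the "vulnerability inherent in the process of typing a password into someone else's Web site" the article refers to, and it is why the key should live in the device (or a hardware token), not in the user's head.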



“Come join me on this slippery slope.”

http://www.pogowasright.org/article.php?story=20080811060019886

UK: Watchdog encourages more snooping

Monday, August 11 2008 @ 06:00 AM EDT Contributed by: PrivacyNews

Spying watchdog Sir Paul Kennedy has called on councils to step up their use of powers to snoop on the public, despite concerns that local officials struggle to comply with the law.

The Interception of Communications Commissioner said authorities could "make much more use" of phone and computer records to catch criminals.

But critics are already concerned about the use of other surveillance powers by Westcountry councils to investigate minor offences like littering and dog fouling.

Source - thisiswesternmorningnews.co.uk


Related?

http://www.pogowasright.org/article.php?story=20080811060411249

UK: Only the public interest can justify invasions of privacy (commentary)

Monday, August 11 2008 @ 06:04 AM EDT Contributed by: PrivacyNews

... Following the [Max Mosley] judgment, elements of the media became extremely vocal. The central theme of most arguments was that Britain now has a privacy law “by stealth” and that this judgment heralds the end of freedom of speech. For the record, I am not against free speech.

So, what are we to make of this judgment? Is it really game over for the press? And is democracy really at risk? Of course not. The judgment is unremarkable in all but the amount of damages awarded. Even the judge points out that there is nothing “landmark” about it, and that it cannot reasonably be suggested that it will inhibit serious investigative journalism.

Source - TheLawyer.com



The next 'reality' TV show?

http://science.slashdot.org/article.pl?sid=08/08/10/1849255&from=rss

Medical Consultations With Webcams Extremely Successful

Posted by Soulskill on Sunday August 10, @03:43PM from the video-killed-the-radio-doc dept.

AgaveNectar writes

"Doctors are far from being early adopters, so they have just gotten around to publishing a report that webcams help immensely with making the right decision when someone shows up to a rural emergency room suffering from a stroke. Using clot-destroying medications like alteplase is really risky, and it should only be given in acute cases. In a study of 222 patients, rural ER doctors consulted with faraway stroke specialists. They made the right decision 98 percent of the time when the expert examined the patient with a webcam, and only 82 percent of the time when they just talked to each other on the phone. Perhaps this report will finally convince the medical community that telemedicine is important."



I haven't read this one yet.

http://news.slashdot.org/article.pl?sid=08/08/10/1458231&from=rss

Economic Gridlock – the Invisible Cost of IP Law

Posted by timothy on Sunday August 10, @11:22AM from the let's-all-say-it-together dept.

smellsofbikes writes

"This week's New Yorker magazine has a financial article, 'The Permission Problem,' discussing the hidden cost of patent, trademark and copyright laws. It's a subject anyone here already knows well, but he brings up two interesting points: 1) He uses the term 'tragedy of the anticommons.' Instead of depletion of a shared resource, this describes under-use of hoarded resources: areas that can't be explored because they're encumbered by patent/copyright issues. As he points out, the result of this is an invisible loss: drugs not made, software not written. The loss is impossible to quantify and difficult to see. I like the term 'tragedy of the anticommons' because it encapsulates a long-winded explanation into a pithy, memorable phrase that will stick with people unfamiliar with the topic. 2) He also cites a study by Ben Depoorter and Sven Vanneste that discusses why anticommons effects are seen, beyond mere competition. Individual right holders value their contribution to the overall project as a significant fraction of the project value, so if there are more than three or four right holders, their perceived value can far exceed the total value of the project, making it uneconomical."



Tools & Techniques Cute, but hardly covert. (Although I bet owners of those unsecured networks wouldn't suspect they were being scanned...)

http://tech.slashdot.org/article.pl?sid=08/08/10/179253&from=rss

Defcon "Warballoon" Finds 1/3 of Wireless Networks Unsecured

Posted by Soulskill on Sunday August 10, @01:35PM from the floating-point-operation dept.

avatar4d writes

"Networkworld is reporting about a warballooning operation (similar to wardriving) that was disallowed by the management at the Riviera Hotel in Las Vegas, but was covertly launched anyway. The team found approximately 370 networks, and about a third of those were unsecured. In addition to that, the project managed to show how trusting the local law enforcement agencies really were: 'Near the end of the operation, a Las Vegas Metropolitan Police cruiser drove by the parking lot to see what was going on. Hill and his team waved. The police officers waved back and drove off.'"
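The "one third unsecured" figure comes from reading the privacy field of the beacons a scanner logs. As an added example (mine, not the warballoon team's code), here is the tally done over a constructed scan export laid out like the access-point section of an airodump-ng CSV; the column layout is assumed from that tool, and every BSSID and ESSID below is made up. Open networks are counted separately from WEP, since a beacon that advertises WEP is "secured" only on paper.

```python
import csv
import io
from collections import Counter

# Constructed scan export (assumed airodump-ng-style AP columns; all values are made up).
SCAN_CSV = """\
BSSID, First time seen, Last time seen, channel, Speed, Privacy, Cipher, Authentication, Power, # beacons, # IV, LAN IP, ID-length, ESSID, Key
00:11:22:33:44:01, 2008-08-09 14:00:01, 2008-08-09 14:03:11, 6, 54, OPN, , , -41, 120, 0, 0.0.0.0, 13, Riviera-Guest,
00:11:22:33:44:02, 2008-08-09 14:00:05, 2008-08-09 14:03:09, 1, 54, OPN, , , -62, 80, 0, 0.0.0.0, 8, FreeWiFi,
00:11:22:33:44:03, 2008-08-09 14:00:07, 2008-08-09 14:03:10, 6, 54, OPN, , , -70, 44, 0, 0.0.0.0, 7, linksys,
00:11:22:33:44:04, 2008-08-09 14:00:09, 2008-08-09 14:03:12, 11, 54, WEP, WEP, , -55, 96, 12, 0.0.0.0, 7, Lobby-A,
00:11:22:33:44:05, 2008-08-09 14:00:12, 2008-08-09 14:03:08, 11, 11, WEP, WEP, , -66, 70, 3, 0.0.0.0, 8, POS-Term,
00:11:22:33:44:06, 2008-08-09 14:00:14, 2008-08-09 14:03:13, 1, 54, WPA2, CCMP, PSK, -48, 110, 0, 0.0.0.0, 10, Suite-1204,
00:11:22:33:44:07, 2008-08-09 14:00:16, 2008-08-09 14:03:14, 6, 54, WPA2 WPA, CCMP TKIP, PSK, -59, 101, 0, 0.0.0.0, 9, Conf-Room,
00:11:22:33:44:08, 2008-08-09 14:00:18, 2008-08-09 14:03:15, 11, 54, WPA, TKIP, PSK, -73, 60, 0, 0.0.0.0, 6, Vendor,
00:11:22:33:44:09, 2008-08-09 14:00:20, 2008-08-09 14:03:16, 1, 54, WPA2, CCMP, MGT, -51, 115, 0, 0.0.0.0, 4, Corp,
"""


def classify(privacy):
    """Map a beacon's advertised privacy setting to open / wep / wpa / unknown."""
    p = privacy.strip().upper()
    if "WPA" in p:        # WPA, WPA2, or a mixed "WPA2 WPA" beacon
        return "wpa"
    if "WEP" in p:
        return "wep"
    if p in ("OPN", ""):  # no privacy bit at all
        return "open"
    return "unknown"


def parse_aps(text):
    """Parse the AP rows. Note: an ESSID containing a comma would break this simple CSV split."""
    reader = csv.DictReader(io.StringIO(text), skipinitialspace=True)
    aps = []
    for row in reader:
        if not row.get("BSSID"):
            continue
        aps.append({
            "bssid": row["BSSID"].strip(),
            "essid": row["ESSID"].strip(),
            "privacy": row["Privacy"].strip(),
            "class": classify(row["Privacy"]),
        })
    return aps


def summarize(aps):
    """Counts per class plus the two fractions people actually quote."""
    counts = Counter(ap["class"] for ap in aps)
    total = len(aps)
    frac = lambda n: n / total if total else 0.0
    return {
        "total": total,
        "open": counts["open"],
        "wep": counts["wep"],
        "wpa": counts["wpa"],
        "unknown": counts["unknown"],
        "open_fraction": frac(counts["open"]),
        "open_or_wep_fraction": frac(counts["open"] + counts["wep"]),
    }


def open_essids(aps):
    """Names of the networks that advertise no encryption at all."""
    return sorted(ap["essid"] for ap in aps if ap["class"] == "open")


if __name__ == "__main__":
    found = parse_aps(SCAN_CSV)
    print(summarize(found))
    print("open:", open_essids(found))
```

Two caveats a practitioner would add to any such headline number. First, "unsecured" here means only that the beacon advertises no encryption; a captive-portal hotel network and a forgotten default-config router look identical from the balloon. Second, the WEP count is worth reporting alongside the open count, because WEP keys were recoverable in minutes with tools of the day, so the "secured" two thirds is an upper bound.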
