Tuesday, December 16, 2008

Familiar questions. Why is this computer attached to the Internet? No anti-virus detection for 8 months?

http://www.pogowasright.org/article.php?story=20081215095341629

NC: UNCG Discovers Security Breach; Employees Being Notified

Monday, December 15 2008 @ 09:53 AM EST Contributed by: PrivacyNews

Employees at The University of North Carolina at Greensboro have been notified about a security breach, with potential data loss from a computer which contained personal information used to process the institution’s payroll.

Notification was sent on Monday to UNCG’s faculty, staff and student employees, including former UNCG employees, who have received payment from UNCG since April of this year. All regular UNCG employees have direct deposit for their paychecks.

[...]

The situation was detected on Thursday afternoon (Dec. 11), when a payroll employee received a notification of a virus alert while attempting to access data. The computer was located in the Accounting Services office. It was discovered that the computer had been infected with a virus which may have allowed an unauthorized person to gain access to personal information.

Staff from UNCG’s accounting/payroll and information technology services areas are working to determine the level of access that unauthorized persons would have to employees’ personal information. Material on the affected computer included names, Social Security numbers, direct deposit routing and banking account information.

After checking, there is evidence that the virus has been on the workstation since April of this year. IT staff members have not been able to determine whether or not any personal data has actually been accessed.

Source - University of North Carolina at Greensboro Related - UNCG Incident FAQ

[From the related article:

When the security breach was discovered, UNCG technicians made a copy of the data on the affected workstation. They took the workstation offline, so the virus which had been detected could not access the network. [Normal procedure would be to take the computer offline, THEN work on cleaning the virus. Bob]



Even the AG can't keep up?

http://breachblog.com/2008/12/15/27breaches.aspx?ref=rss

27 Breaches reported on Maryland Attorney General’s Web site

The following breaches were added (in batch) to the Maryland Attorney General’s web site on or about December 5th, 2008. The breaches were all reported to the Maryland Attorney General, in accordance with the Maryland Personal Information Protection Act (PIPA), between the dates of October 6th, 2008 and December 4th, 2008.



Consequences? Should be interesting to follow...

http://www.pogowasright.org/article.php?story=2008121516331883

UAE: Police seize gang tied to US$62m credit fraud (follow-up)

Monday, December 15 2008 @ 04:33 PM EST Contributed by: PrivacyNews

Three members of a gang that allegedly stole US$62 million (Dh227.73m) in a month after obtaining credit information from thousands of UAE bank customers have been arrested, Dubai Police said last night.

An extradition warrant has been sought for a fourth gang member, they said.

The men allegedly obtained sensitive information from 16,975 bank cards by using a false website they created. They then illegally bought millions of dollars worth of goods on the internet.

Source - The National

[From the article:

Col al Mansouri said the gang, whose activities were uncovered on July 1, had been operating for a month before police were alerted. [Pretty quick work. Bob]


Related? Card skimming out of control?

http://www.pogowasright.org/article.php?story=20081216063917801

UK: Stores deny blame for bank card scam

Tuesday, December 16 2008 @ 06:39 AM EST Contributed by: PrivacyNews

Supermarkets and petrol stations have responded to people’s claims they are the source of a string of scam transactions being made with shoppers’ bank cards.

The Evening Post has been inundated with stories from Reading’s victims – customers of a range of banks including NatWest, Lloyds and Halifax – and several point the finger at big-name stores and garages.

Source - Get Reading



Self-Regulation – the good, the bad, the impossible?

http://www.pogowasright.org/article.php?story=20081216063005521

NAI Overhauls Privacy Principles For Online BT Ads

Tuesday, December 16 2008 @ 06:30 AM EST Contributed by: PrivacyNews

NAI is releasing updated BT principles tomorrow.

In the first major overhaul of its guidelines in eight years, the self-regulatory group Network Advertising Initiative today will issue new privacy principles for online behavioral advertising, or serving ads to people based on their Web history.

... the new guidelines differ in some respects from the older ones. For instance, Network Advertising Initiative members that serve ads based on so-called "sensitive" information--including social security numbers, financial account numbers, real-time geographic location and some types of medical data--must now first obtain users' explicit consent, even when the targeting is anonymous. Previously, there was a restriction on using sensitive information to target people when the data was considered "personally identifiable."

In addition, member companies that use behavioral targeting techniques on children under age 13 must first obtain the verifiable consent of a parent.

Source - MediaPost

[From the article:

The new code requires companies to give "clear and conspicuous" notice of behavioral targeting. The Network Advertising Initiative said via written comments that it believes that privacy policies are "the most effective and scalable approach," and that a clear and conspicuous link to a privacy policy on a Web site's home page will meet the group's standards. [We know how well that works! Bob]


Related

http://www.pogowasright.org/article.php?story=20081216062554495

BlueKai raises $10.5M to help sell consumer data

Tuesday, December 16 2008 @ 06:25 AM EST Contributed by: PrivacyNews

BlueKai, which runs a marketplace where advertisers can buy data about online shoppers, has raised $10.5 million in a second round of funding.

The Bellevue, Wash. startup allows shopping sites that have collected data about your interests and activities to sell that information to advertisers.

Source - Venture Beat



Arguing the fine points...

http://blog.wired.com/27bstroke6/2008/12/lori-drew-attor.html

Lori Drew Files New Bid for Dismissal on Grounds that MySpace Authorized Access

By Kim Zetter December 15, 2008 4:40:30 PM

Lori Drew, the woman convicted of three misdemeanors in the MySpace suicide case, can't be guilty of computer fraud, because gaining access to a computer under false pretenses is still "authorized access" as a matter of law, Drew's attorneys argued Monday in a new bid at clearing their client's name.

In a written motion, defense attorneys H. Dean Steward and Orin Kerr cite cases in which courts have concluded that if someone gains permission or access to something through trickery or misrepresentation, it is still considered authorization and does not constitute nonconsent. If, for example, someone tricks another party into willingly handing over the keys to a car, the trickster could not be considered guilty of stealing the car.



Is the certificate a good idea? Might be fun to see if they can be counterfeited...

http://www.pogowasright.org/article.php?story=20081215155948393

AU: The Victorian Government wants public feedback on a proposed new law, designed to tackle identity theft.

Monday, December 15 2008 @ 03:59 PM EST Contributed by: PrivacyNews

The law would allow victims of identity theft to obtain a court-issued certificate declaring that crimes have been committed in their name.

The Attorney-General, Rob Hulls says this would allow victims of identity theft to rebuild their lives.

Source - ABC (AU)

[From the article:

He says the law would also make it an offence to prepare to steal somebody's identity.

"Dealing in and possessing identity information, as well as possessing equipment for making identity documents with the intent to commit an indictable offence will now be crimes, very serious crimes," he said.

Assuming another person's identity is currently only a crime if a further offence is then committed.



“Ve vas just following procedure!”

http://www.pogowasright.org/article.php?story=20081215155352856

Web who's who botches secure sockets layer

Monday, December 15 2008 @ 03:53 PM EST Contributed by: PrivacyNews

New research has uncovered flaws in the encryption certificates used to protect the websites of hospitals, banks, and even top-secret government spy agencies, raising questions about whether they are complying with regulations requiring them to adequately safeguard their online visitors.

Rodney Thayer, a security researcher with Canola & Jones, spent a day and a half scoping out weak websites using nothing more than a handful of search queries typed into Google. What he found were 31 sites maintained by the US Central Intelligence Agency, NASA, the World Bank, and Fortune 500 companies that used flawed secure sockets layer certificates for authentication.

Among the scofflaws was a page for partner accounts offered by technology website CNET and this application page offered by Gartner, a company that dispenses advice on a host of security issues. Other organizations using defective certificates included the US Computer Emergency Readiness Team, Advanced Micro Devices, and Microsoft.

Source - The Register

[From the article:

SSL was developed in the mid 1990s as a measure to prevent websites that transact commerce or other sensitive business from being spoofed by attackers intent on defrauding visitors. It uses cryptographic certificates that mathematically validate that the site is operated by a particular company or organization. Few webmasters give proper time to implementing and maintaining SSL certificates, however, an oversight that reduces their effectiveness.

SSL "suffers from the fact that it's one of the exotic technologies that we all had to get working for the whole internet .com thing to happen," Thayer says. "Everybody basically for the last five years at least who's done this was just following a check list that got handed, so nobody's really been thinking of this as a security issue."

... The Federal Information Processing Standards (pdf), for example, require federal agencies to use valid SSL certificates for webpages that accept employee logins. The Health Insurance Portability and Accountability Act (pdf) and Payment Card Industry rules place similar requirements on health care providers and online merchants respectively.
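The excerpt does not say which defects Thayer found, but the ones that most often make a browser call a certificate "flawed" are the checks every client runs before any encryption matters: the certificate is outside its validity dates, it was signed by the site itself rather than by a CA, or the names in it do not cover the host being visited. The following is an added example, not code from the article or from Thayer's survey, that runs those three checks over a certificate in the dictionary layout Python's ssl.SSLSocket.getpeercert() returns. The two certificates, the example.com names, the "Example Issuing CA" issuer and the audit date are all constructed for the demonstration.

```python
import ssl
import time
from typing import List, Optional

# Constructed sample certificates in the layout ssl.SSLSocket.getpeercert()
# returns (illustrations only, not certificates from any site the article
# names). Dates use the "Mon DD HH:MM:SS YYYY GMT" form that
# ssl.cert_time_to_seconds() parses.
SELF_SIGNED_CERT = {
    "subject": ((("commonName", "www.example.com"),),),
    "issuer": ((("commonName", "www.example.com"),),),  # issuer == subject
    "notBefore": "Jan 15 00:00:00 2006 GMT",
    "notAfter": "Jan 15 00:00:00 2008 GMT",
    "subjectAltName": (("DNS", "www.example.com"), ("DNS", "*.example.com")),
}

CA_SIGNED_CERT = {
    "subject": ((("commonName", "www.example.com"),),),
    "issuer": ((("commonName", "Example Issuing CA"),),),  # hypothetical CA
    "notBefore": "Jan 15 00:00:00 2008 GMT",
    "notAfter": "Jan 15 00:00:00 2010 GMT",
    "subjectAltName": (("DNS", "www.example.com"),),
}

# The date of this blog post, used as "now" so the results are stable.
AUDIT_TIME = ssl.cert_time_to_seconds("Dec 16 00:00:00 2008 GMT")


def name_matches(pattern: str, hostname: str) -> bool:
    """Match one certificate name against a hostname, RFC 6125 style:
    case-insensitive, wildcard honoured only as the entire leftmost label,
    matching exactly one label, and never for names as short as '*.com'."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if p_labels[0] != "*" or "*" in pattern[1:] or len(p_labels) < 3:
        return False
    return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]


def dns_names(cert: dict) -> List[str]:
    """Names the certificate claims: SAN dNSName entries when present,
    otherwise the subject commonName (the legacy fallback clients used)."""
    san = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if san:
        return san
    return [value for rdn in cert.get("subject", ())
            for key, value in rdn if key == "commonName"]


def audit_cert(cert: dict, hostname: str, now: Optional[float] = None) -> List[str]:
    """Return the problems a client would hit with this certificate for
    `hostname`: validity window, self-signature, and name coverage.
    An empty list means these checks passed; it does not mean the chain
    is trusted, which needs the issuer certificates and a trust store."""
    now = time.time() if now is None else now
    findings = []
    if now < ssl.cert_time_to_seconds(cert["notBefore"]):
        findings.append("not yet valid")
    if now > ssl.cert_time_to_seconds(cert["notAfter"]):
        findings.append("expired")
    if cert.get("subject") == cert.get("issuer"):
        findings.append("self-signed")
    names = dns_names(cert)
    if not any(name_matches(n, hostname) for n in names):
        findings.append("hostname mismatch: %r not covered by %r" % (hostname, names))
    return findings


if __name__ == "__main__":
    for label, cert in (("self-signed", SELF_SIGNED_CERT), ("CA-signed", CA_SIGNED_CERT)):
        print(label, audit_cert(cert, "www.example.com", now=AUDIT_TIME) or ["ok"])
```

Two caveats for anyone turning this into a survey tool of the kind the article describes. The audit only looks at the leaf certificate; whether the issuer chains to a trusted root is a separate check. And Python's getpeercert() returns an empty dict when the handshake ran with verify_mode set to ssl.CERT_NONE, which is exactly the mode needed to connect to a site with a broken certificate, so pulling such a certificate off the wire means calling getpeercert(binary_form=True) and parsing the DER yourself.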



All First Amendment?

http://www.pogowasright.org/article.php?story=20081215155810761

Court Narrows National Security Secrecy, Limits Oversight

Monday, December 15 2008 @ 03:58 PM EST Contributed by: PrivacyNews

A unanimous federal appeals court on Monday narrowed the scope of when telecommunications companies must keep secret so-called self-issued search warrants requested of them by the Federal Bureau of Investigation.

But the court limited when it was necessary for judges to review a secrecy order.

Source - Threat Level

[From the article:

"The nondisclosure requirement," Judge Jon O. Newman wrote (.pdf) for the appeals court, "is not a typical prior restraint or a typical content-based restriction warranting the most rigorous First Amendment scrutiny."

... But on Monday, the New York-based appellate court agreed with the government that it should not be required to "initiate litigation" or to obtain judicial approval of every secrecy order (these number in the tens of thousands). Instead, the court noted that judges must review the validity of a secrecy order, in private if necessary, only when a telecommunications company challenges the gag order under what the court termed a "reciprocal notice procedure."

Yet the "reciprocal notice procedure" may have little value in the real world: Tens of thousands of customers may never know that personal information, including banking records, was disclosed to the FBI. As the appeals court noted, telecommunication companies have only challenged secrecy orders three times.



Why Computer Forensics is hot!

http://ralphlosey.wordpress.com/2008/12/15/krolls-report-and-analysis-of-the-most-significant-e-discovery-cases-in-2008/

Kroll’s Report and Analysis of the Most Significant e-Discovery Cases in 2008

Kroll Ontrack has just released a report analyzing 138 judicial opinions pertaining to electronic discovery issued from Jan. 1, 2008 to Oct. 31, 2008. The title of the report pretty much says it all: Year In Review: Courts Unsympathetic to Electronic Discovery Ignorance or Misconduct.

Kroll’s Statistical Analysis of 138 Cases in 2008

Going back to Kroll’s report, it claims that over half of the e-discovery cases this year have addressed court-ordered sanctions, data production, preservation, and spoliation issues. That sounds about right to me. According to Kroll’s analysis, the major issues in these cases can be broken down as follows:

25% of cases addressed sanctions

20% of cases addressed various production considerations

13% of cases addressed preservation and spoliation issues

12% of cases addressed computer forensics protocols and experts

11% of cases addressed discoverability and admissibility issues

7% of cases addressed privilege considerations and waivers

7% of cases addressed various procedural issues

6% of cases addressed cost considerations


Related? Or is this just a case of lawyers being paid a percentage of money extorted?

http://news.slashdot.org/article.pl?sid=08%2F12%2F16%2F0015248&from=rss

RIAA May Be Violating a Court Order In California

Posted by kdawson on Monday December 15, @07:48PM from the play-nice-now dept. The Courts

NewYorkCountryLawyer writes

"In one of its 'ex parte' cases seeking the names and addresses of 'John Does,' this one targeting students at the University of Southern California, the RIAA obtained an order granting discovery — but with a wrinkle. The judge's order (PDF) specified that the information obtained could not be used for any purpose other than obtaining injunctions against the students. Apparently the RIAA lawyers have ignored, or failed to understand, that limitation, as an LA lawyer has reported that the RIAA is busy calling up the USC students and their families and demanding monetary settlements."



“Let's pat ourselves on the back for doing in 5 years what any business should be able to do in 2 months!” That truly is an accomplishment in such a bloated government bureaucracy.

http://www.bespacific.com/mt/archives/020075.html

December 15, 2008

DHS OIG: Major Management Challenges Facing the Department of Homeland Security

OIG-09-08 - Major Management Challenges Facing the Department of Homeland Security (PDF, 39 pages), November 2008

  • "After just 5 short years, we are beginning to witness the positive effects of the department’s efforts and initiatives: tighter security at the borders; increased immigration enforcement; greater cooperation with our international partners; expanded partnerships with the private sector; better and more efficient passenger screening at our airports; and regenerated disaster response and recovery management. Despite these considerable accomplishments, DHS still has much to do to establish a cohesive, efficient, and effective organization."
