Why does anyone have 5000 employee names on their laptop? Why no encryption? (I am also startled to hear that MTV employs 5000 people. What do they do beyond putting DVDs into the player?)
5,000 MTV Networks' employees potentially affected by breach
Someone apparently hacked into a computer belonging to an employee of MTV Networks and possibly gained access to names, birth dates, social security numbers and compensation data of 5,000 employees.
MTV Networks, a unit of media conglomerate Viacom, notified employees of the security compromise on Friday and said that while the computer files pertaining to employees' private information were password protected, the company can't be sure they haven't been opened. [Much better than “Don't worry, they were password protected.” Bob]
Source - C|net
Why 40,000 people on a laptop?
NY: Missing Laptop Prompts ID Theft Concern at Blue Cross-Blue Shield of WNY
Thousands of Blue Cross-Blue Shield customers are being notified by mail that their identity could potentially be compromised.
A viewer called 2 On Your Side to tell us her son received a letter from the company telling him his information is on a company laptop computer that's missing.
Blue Cross-Blue Shield Spokesperson Karen Merkel-Liberatore tells 2 On Your Side 40 thousand current and former customers in the Buffalo and Albany areas are affected. The company is giving them one year of free Equifax credit protection.
Source - WGRZ
Should we call Guinness? (This could screw up their WHOLE life.)
MS: Head Start Burglary Leads To BIG ID Theft Operation
Police in Memphis and Mississippi may have cracked a major identity theft ring.
The files of 79 students were taken last month from the ICS Head Start Center in Mount Pleasant, in Marshall County, just south of the Tennessee state line.
We showed you the arrests but at the time, nobody was talking about what exactly they had..... Thieves got away with 79 files, many with multiple social security numbers on them.
... They're some of the youngest victims ever of identity theft. Criminals used school files on these children in what investigators call a huge scam.
... Officers from Memphis and Marshall County raided this house, and arrested an unidentified woman and her boyfriend. They also found many of the missing files, which detectives believe were used in a big scam apparently run by the two.
... Here's our understanding of how this scam worked. Want to save some money on your taxes? No problem. Just buy a kid, or rather, rent their social security number and take the deduction. [Do people think they'll get away with this? Bob] The going rate? About 500 bucks.
Source - WREG
Interesting problem. Assume that an organized crime group has hundreds of thousands of “stolen identity” records – would it make sense for them to sort/sell them by location to create just this kind of confusion?
WI: Credit Card Information Stolen In Dunn County
Investigators are trying to figure out how thieves are getting credit card information from people in Dunn County.
Investigators say, since November, about 60 to 70 people have reported unauthorized charges and a total of about $75,000 has been stolen. Detectives say they have no leads at this point, and so far only people living in Dunn County have been affected.
Source - WEAU
Note: back in December, PogoWasRight.org covered another story out of Dunn County involving debit cards where police couldn't figure out what was going on. Whether this breach is related to the prior story or not is unknown to us, but is certainly curious -- Dissent.
We may never know what is going on here. How do you distinguish between a search for “Jane Doe” that is related to an ongoing investigation and one that is related to stalking? Would the same rules have applied when all records were paper and someone was scanning the mug shots?
UK: Officer admits taking personal data from police computer
A POLICE officer has admitted stealing personal data from a Northumbria Police computer. Simon Hindmarsh, 28, pleaded guilty to 13 charges of obtaining personal data without consent when he appeared at Newcastle Crown Court.
He also admitted two further offences of disclosing personal information without the consent of the data controller.
The offences relate to information regarding both individuals and addresses.
Michael Graham, prosecuting, said Hindmarsh was a police officer based in Wallsend.
"The penalty for these offences is restricted to a fine," [Pay 3 shillings, return to work, access more records? Bob] said Mr Graham.
Source - Guardian
If we start linking all these cameras (the Brits want to link to private cameras in stores and pubs) who is going to monitor them? This reads like they will be looked at ONLY when some other source (a 911 call) suggests they might provide information. But there is nothing to prevent browsing, is there?
Chicago Links School Cameras To Police
Posted by Soulskill on Friday March 07, @05:25PM from the i'll-be-watching-you dept.
Farakin brings us a story about how cameras in roughly 200 Chicago schools are being connected to police headquarters and the city's 911 emergency center. The goal of the effort is to "consolidate video surveillance," and it will involve both routine monitoring and real-time updates to officers on their way to a crisis. According to the Chicago Tribune, "The mayor acknowledged the cameras provide only limited security, citing a spate of shootings in recent days that have claimed young victims during after-school hours." The story also contains a video in which Mayor Daley indicated that he expects the cameras to serve as a deterrent now that people know they're under the eye of the police.
Related (and because Bruce actually seems to think about this stuff...)
Transparency Isn't A Substitute For Privacy
from the power-imbalances dept
Slashdot points to a great Bruce Schneier article debunking the idea that "transparency" is better than privacy. People like David Brin argue that technological change is rapidly making the concept of privacy obsolete, and that instead of lamenting this fact, we should make sure that everyone, including the government, is subject to increased "transparency." But Schneier does a great job of explaining what's wrong with this theory: the less power you have, the more important your privacy is to you. If the government knows everything about you, and you know everything about the government, that's not a fair trade. The government can use its increased knowledge to coerce you in a variety of ways that you're not going to like. But even if you know about everything the government is doing, you're not going to have the power to stop it from doing things you don't like. Reduced privacy for everyone increases the power of those who already have power, and increases the vulnerability of those without power.
The other problem is that in the real world, accepting less privacy for ordinary citizens isn't going to lead to increased transparency in government. Government officials who might want to put more cameras up on public streets are not going to want cameras installed in police headquarters. The Bush administration wants our electronic communications to be more "transparent" to NSA eavesdropping, but they haven't reciprocated by giving us information about how those eavesdropping programs work. It's a mistake to equate government transparency with reduced privacy for private citizens because transparency of government activities and privacy for ordinary citizens are both ways of limiting the ability of the government to violate our rights.
Interesting new resource?
Chronology of Breaches for 2008 uploaded
Posted by Dissent on Mar 7, 2008
The chronology of medical- or health-related breaches that were published in 2008 is now available on this site for the first part of this year. It will be updated several times during the year.
So far, there are 26 incidents in the chronology.
Oh what a wicked web we weave...
March 7, 2008
Air Force DMCA-Bombs YouTube
Over at Wired’s Threat Level blog, Kevin Poulsen reports on a new DMCA overreach: the U.S. Air Force complained (via outside counsel) about his posting of their recruiting video. The post, Kevin says, was initially made at the Air Force’s invitation.
If the government created this work, then the DMCA claim is improper. Works of the U.S. government are not copyrightable. But the statute allows the government to receive copyright assignments, so if an independent contractor created the video, still available at the Air Force’s (non .mil) site, the government could meet that technical requisite of the DMCA.
The DMCA also requires that the notifier assert the posting was unauthorized. Poulsen’s article, however, says the Air Force sent Wired the ad and “thanked THREAT LEVEL for agreeing to run it.” That doesn’t quite square with the DMCA-required statement that the notice-sender “ha[s] a good faith belief that none of the materials or activities listed above has been authorized by the U.S. Air Force, its agents, or the law.”
Even if the Air Force’s DMCA claim is truthful, however, it’s still a policy overreach. Wired posted the video in order to report on government recruiting efforts; the video’s dissemination is part of that First-Amendment protected discussion, whether it happens on or off government websites.
As an auditor, I keep insisting that you must keep and review your logs. Here's a free tool to help you do that. (Now what's your excuse?)
What Are All Those Logs Trying to Tell You?
By Dana Gardner TechNewsWorld 03/06/08 5:00 AM PT
... Splunk's approach to this problem has been to index and make searchable the flood of constantly generated log files being emitted from IT systems, and then aligning the time stamps to draw out business intelligence inferences about actual IT performance.
The San Francisco company took the IT information assembly and digestion process a step further two years ago by creating SplunkBase, an open reservoir of knowledge about IT searched systems for administrators to share and benefit from.
... To kick-start the effort, the first Splunk-built application on the platform was announced this week. Splunk for PCI Compliance is available for download from SplunkBase.
The application provides 125 searches, reports and alerts to help satisfy PCI (payment card industry data security) requirements, including secure remote access, file integrity monitoring, secure log collection, daily log review, audit trail retention, and PCI control reporting, says Splunk.
Data-leak security proves to be too hard to use
Data-loss-prevention tools are a great idea to keep secrets from leaking out, users say, but they're too difficult to actually use
By Matt Hines March 06, 2008
Data-loss-prevention technologies promise organizations the chance to stop sensitive information from falling into the wrong hands. But the process of creating the rules necessary to use the systems' enforcement capabilities is proving extremely complex for customers.
... The fundamental barrier to getting DLP systems to enforce data-handling policies comes down to this: It takes a lot of time and effort to understand the dynamics of how an organization uses information. [Or you could look at what is going on based on the logs – if you keep the logs... (see previous article) Bob] And then it takes a lot more effort to write governance policies that adequately address all the areas of data risk — while not writing rules that get in the way of daily business operations, several companies using DLP told InfoWorld.
Sometimes useful insights come from pointing out the obvious... (or, as the great philosopher said, "You can observe a lot by watching" Y. Berra)
Almost Every Company Is A Software Company
from the customization dept
I noted last summer that the New York Times launched a new blog called Open about the use of open source technologies at the paper. On Tuesday the blog had a post about a new Perl profiler that they developed in-house and are releasing to the world. I'm not in the market for a Perl profiler, but I thought it was striking that the New York Times, a firm that a decade ago was totally clueless about the web, is now producing non-trivial free software projects. What I think this illustrates is that the common conception that software is something that comes in a box you buy at Best Buy is rather misguided. An enormous number of programmers are employed in organizations we don't think of as software firms, developing custom applications for the internal use of their employers. In a sense, every company of non-trivial size is a software company.
In fact, I'm composing this post in a custom CMS developed specifically for the Techdirt Insight Community. And this, I think, is one of the things that makes software patents so dangerous. A firm doesn't have to worry that its fleet of company cars infringe patents; that's generally the responsibility of the car manufacturers. In a healthy patent system, companies should only have to worry about patents in their own line of business. But when a company "manufactures" a software product for internal use, they suddenly have to worry about whether their internal software might be violating some patents. Indeed, the End Software Patents project has pointed out that companies as diverse as the Green Bay Packers, Kraft Foods, and Ford Motors have been hit by software patent lawsuits in recent years. The reality is that software isn't just an industry, it's becoming a fundamental tool for manipulating information about the world. Policies that implicitly assume that only a few companies in Silicon Valley and Seattle are "software companies" are going to cause major problems.
Another effort to segregate the second-class citizens from the important people...
New lanes may speed up airport security
By Thomas Frank, USA TODAY
WASHINGTON — The government said Wednesday that it's going to expand an airport security program that creates special checkpoint lanes for families and "expert" travelers.
Beginning in April, the Transportation Security Administration plans to launch the program in at least six new airports. "There's no real cap on the number of airports," TSA spokesman Christopher White said. "If this is well-received by the six airports, we'll continue to expand."
A test that began last month in the Denver and Salt Lake City airports found that segregating passengers speeds up security lines and eases traveler stress, [Unless you are in the segregated “against” line Bob] White said.
... In Denver and Salt Lake City, both the expert and family lanes are moving faster, [How could entire families be processed faster than individuals? Simple, skip a few steps! Bob] White said.
Buying the wine should be easy. Selling wine is more complicated than selling guns!
Amazon to enter US wine market
By Jonathan Birchall in New York Published: March 5 2008 02:00 | Last updated: March 5 2008 02:00
Amazon, the world's largest online retailer, is to start selling wine in the US, entering a business fraught with regulatory complexities and littered with the wreckage of previous failures.
Amazon is looking to recruit a senior wine buyer, whom it says will be responsible for "the acquisition of a massive new product selection" for its site. The wine sales will augment a rapidly expanding non-perishable groceries business that Amazon launched two years ago.
Something to go with your wine?
Food Blog Search
"Food Blog Search is a custom built search engine specifically for searching food blogs. It uses Google technology, through the Google Custom Search Engine program. Started in October 2006, Food Blog Search now searches over a thousand hand-selected, high quality food blogs. More and more food blogs are added to the list of sites searched every day."
Is there a “map war” going on?
Yahoo! Maps update includes more neighborhoods and worldwide coverage
Posted Mar 6th 2008 4:00PM by Simon Kerbel
Yahoo! has rolled out a major update to Yahoo! Maps, with expanded worldwide coverage, new and more focused neighborhood data, and many stylistic improvements.
The new neighborhood data allows you to get more specific information for any given location, with lower zoom levels and more localized data, including schools, rest areas, resorts, restaurants, and so on.
Tools & Techniques
March 7, 2008 12:01 AM PST
Convert any Office file to PDF for free
Recently an associate whose PC lacked Adobe Acrobat sent me a Word file via e-mail, asking if I could convert it to PDF and e-mail it back to her. Since the process took all of about 30 seconds, I was delighted to help. Then the next day she sent two more files in need of conversion to PDF, and a couple of days after that another. After her fourth request of the week I felt compelled to tell her about two ways she could have converted the files herself for free: Adobe's own Create Adobe PDF Online free trial, and Arco Software's great CutePDF Writer freebie.
If you use Office 2007 you can download Microsoft's free Save as PDF or XPS utility, which adds the ability to convert files to PDF or Microsoft's competing XML Paper Specification to all eight applications in the suite. The great thing about CutePDF Writer is that it works with programs other than Office 2007. See below for more.
NOW they tell us!
Vista And XP Users May Need Daylight-Saving Time Patch
To ensure Windows users aren't hit with a daylight time bug, Microsoft has launched an automated diagnostic and update service that installs patches on systems that need them.
By Paul McDougall InformationWeek March 7, 2008 11:12 AM