Saturday, April 19, 2008

Looks like the SunGard breach jumped from 3 colleges to 15...

NY: 12 SUNY colleges affected by stolen Sungard laptop

Friday, April 18 2008 @ 03:50 PM EDT Contributed by: PrivacyNews News Section: Breaches

It appears Buffalo State College isn't the only school affected by the theft of a laptop computer.

Officials at Fredonia State College say nearly one-thousand current and former students may be affected by the security breach. Fredonia uses the same computerized records system as Buffalo State College, which announced yesterday that the names and Social Security numbers of up to 16,000 students may be at risk after a laptop belonging to a company called SunGard was stolen.

Fredonia and Buffalo State are apparently among 12 SUNY colleges affected by the theft.

Source - WNED

[Details(?) on the SunGard site: ]

... The nature of that employee’s job included analysis of customer data as part of software implementation and upgrade projects.

... More than 1,600 institutions worldwide rely on us to help them measurably improve performance. [So this could be much bigger... Bob]


Security breach hits more area colleges (Sungard update)

Saturday, April 19 2008 @ 06:30 AM EDT Contributed by: PrivacyNews News Section: Breaches

The stolen laptop that contained Social Security numbers for 16,000 former and current students at Buffalo State College is causing problems for four other area colleges, as well.

Fredonia State, Niagara County Community, Genesee Community and Jamestown Community colleges are among 13 state schools that had private student information on that laptop.

... The theft may have affected as many as 1,202 at NCCC, 930 at JCC and 18 at GCC, although those schools are either still trying to figure out what data was on the laptop, or found the actual number of students affected to be much lower, officials from the State University of New York said Friday.

... Other SUNY schools involved are: Adirondack Community College, Brockport State College, Binghamton University, Downstate Medical Center, Dutchess Community College, Herkimer County Community College, Monroe Community College and Orange County Community College.

Source - The Buffalo News

[From the article:

Hefner, who is unhappy with how SunGard has handled the situation, wondered why Fredonia files had been left on the laptop.

“I’m also concerned I didn’t know that our campus might have been involved until this Monday,” Hefner said. “I understand why they might not be able to notify us the first day, but to find out four weeks later is very, very disappointing.”

Locked doors and passwords give the appearance of security.

IN: 700,000 people could be affected by security breach

Friday, April 18 2008 @ 07:44 PM EDT Contributed by: PrivacyNews News Section: Breaches

A collection agency announced a security breach Friday that potentially compromises the personal information of 700,000 people.

The Central Collection Bureau said the breach happened on March 21, 2008. The company said thieves broke into its offices and stole eight computers, as well as one of its servers. The server, which was password protected and protected by three locked doors, contained the personal information. The eight computers did not contain personal information.

The company said the personal information potentially exposed includes names, contact information, Social Security numbers, dates of birth, dates of service, and medical procedure codes. The people whose data may have been exposed were referred to CCB for debt collection purposes by around 100 Indiana businesses on or before March 20, 2008.

Source - WTHR

[From the article:

The collection company was hired by hundreds of doctors and even utility companies to collect on delinquent bills. [Long list included Bob]

...Klene says all the computers need passwords to break in to the info. [or one of my hacking students Bob]

Attacks by methods other than war? At what point do hackers cross into cyberwar?

CNN Website Targeted by DoS

Posted by CmdrTaco on Saturday April 19, @08:37AM from the different-kind-of-d-o-s dept.

antifoidulus writes

"CNN is reporting that they were the target of a Denial of Service attack yesterday. According to the article, there have been reports on Asian tech sites that Chinese hackers were targeting CNN for their coverage of the unrest in Tibet. One has to wonder if this hacking attempt was government sponsored or not. The Chinese government hasn't been very happy with CNN, in fact Beijing Bureau Chief has been summoned about a day before this happened."


Cyberprotest of CNN called off (for now)

Posted by Robert Vamosi April 19, 2008 5:45 AM PDT

Late Friday, leaders of the Revenge of the Flame called off a planned denial-of-service attack on CNN, according to The Dark Visitor, a Web site that follows Chinese computer hacker activity.

"Our original plan for 19 April has been canceled because too many people are aware of it, [Huh? Isn't that the point? (and if not, what is?) Bob] and the situation is chaotic," cyberprotest organizers said in a statement. "At an unspecified date in the near future, we will launch the attack. We ask that everyone remain ready."

However, early Saturday morning, a post on The Dark Visitor contained detailed plans for various Revenge of the Flame participants, as though the attack were continuing.

Tools & Techniques: Perhaps a more carefully thought out method is in order?

Tough cookies for Web surfers seeking privacy

Saturday, April 19 2008 @ 06:47 AM EDT Contributed by: PrivacyNews News Section: Internet & Computers

For consumers trying to protect their privacy on the Internet, it's a Catch-22.0.

Advertisers often track Web surfers' activities so they can deliver targeted ads. One of the best ways to avoid this is to install a tiny piece of software that lets computer users opt out of the practice.

But the trouble is that the digital stop sign is often wiped out by other programs designed to protect people's privacy and security.

This little-known flaw in the system highlights the increasing complexity of safeguarding personal data as companies collect more and more information about people's digital footprints: Even the solutions have problems.

Source - Los Angeles Times
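The "digital stop sign" is an opt-out cookie that the advertiser sets on its own domain, so a cleaner that wipes every cookie from ad domains wipes the opt-out along with the tracking identifier. As an added example, not from the LA Times piece or from any of the tools it refers to, here is a Python sketch of a cleaner that parses a constructed Netscape-format cookies.txt, deletes tracking cookies from ad domains, and keeps cookies on an allowlist of opt-out markers. The domains and cookie names are assumptions made for the example; a real tool would carry a maintained list of advertiser opt-out cookie names.

```python
# Constructed cookie jar in the Netscape cookies.txt layout (tab separated):
# domain  include_subdomains  path  secure  expiry  name  value
COOKIES_TXT = "\n".join([
    "# Netscape HTTP Cookie File",
    ".adnetwork.example\tTRUE\t/\tFALSE\t2145916800\tOPTOUT\t1",
    ".adnetwork.example\tTRUE\t/\tFALSE\t2145916800\tuid\ta8f3e9c1",
    ".tracker.example\tTRUE\t/\tFALSE\t2145916800\toptout\ttrue",
    ".tracker.example\tTRUE\t/\tFALSE\t2145916800\tid\t7781",
    "shop.example\tFALSE\t/\tTRUE\t2145916800\tsession\tzzz",
])

# Opt-out markers keyed by domain. These names are assumptions for the example.
OPT_OUT_COOKIES = {
    ".adnetwork.example": {"OPTOUT"},
    ".tracker.example": {"optout"},
}

def parse_cookies(text):
    """Parse cookies.txt lines into dicts; comment lines and blanks are skipped."""
    jar = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split("\t")
        if len(fields) != 7:
            raise ValueError("bad cookie line: %r" % line)
        domain, _subdomains, _path, _secure, _expiry, name, value = fields
        jar.append({"domain": domain, "name": name, "value": value})
    return jar

def is_opt_out(cookie):
    return cookie["name"] in OPT_OUT_COOKIES.get(cookie["domain"], set())

def plan_cleanup(jar, tracker_domains):
    """Split cookies from tracker domains into (delete, keep): tracking
    identifiers are deleted, opt-out markers are kept. Other domains are untouched."""
    delete, keep = [], []
    for cookie in jar:
        if cookie["domain"] not in tracker_domains:
            continue
        (keep if is_opt_out(cookie) else delete).append(cookie)
    return delete, keep

def naive_cleanup(jar, tracker_domains):
    """What a blanket 'delete everything from ad domains' cleaner does:
    the opt-out cookie goes too, and tracking resumes on the next visit."""
    return [c for c in jar if c["domain"] in tracker_domains], []

def demo():
    """Run both cleaners over the constructed jar; returns ((delete, keep), (delete, keep))."""
    jar = parse_cookies(COOKIES_TXT)
    trackers = set(OPT_OUT_COOKIES)
    return plan_cleanup(jar, trackers), naive_cleanup(jar, trackers)

if __name__ == "__main__":
    (careful_delete, careful_keep), (naive_delete, _) = demo()
    print("careful: delete", [c["name"] for c in careful_delete], "keep", [c["name"] for c in careful_keep])
    print("naive:   delete", [c["name"] for c in naive_delete])
```

The allowlist is the whole trick: the opt-out cookie is indistinguishable from a tracking cookie to anything that keys only on domain, so a cleaner has to know the marker names, and that list rots as advertisers rename them.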

For your Security Manager...

Security Bites Podcast: What's on your network?

By CNET Staff Published: April 18, 2008 3:47 PM PDT

It may be that what you don't know won't hurt you, but in the case of enterprise networks, that simply isn't true. In a report (registration required), based on traffic from 350,000 users in 20 organizations, Palo Alto Networks found that 90 percent of the sites they looked at had peer-to-peer applications such as eMule and BitTorrent on individual desktops, while Web video and streaming content was present on 95 to 100 percent of the desktops, potentially draining network bandwidth.

... Palo Alto Networks also has an Applipedia where you can look up more than 500 desktop applications and learn what ports are used, if any malware's been associated with it, and how else it might otherwise affect your company.

[Listen to the podcast at Download mp3 Bob]
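As an added example, not from the Palo Alto report or from Applipedia, here is a Python classifier that runs over a few constructed connection-log lines and flags likely P2P traffic using the two kinds of evidence an application lookup gives you: default ports (BitTorrent 6881-6889, eMule 4662/tcp and 4672/udp) and a payload signature, here the BitTorrent handshake, which begins with the byte 0x13 followed by the string "BitTorrent protocol". The log format, with a hex dump of the first payload bytes as its last field, is an assumption for the example.

```python
import re

# Constructed log lines: "src dst proto dport first_payload_bytes_hex".
# The format is an assumption; the hosts and payloads are made up.
SAMPLE_LOG = """\
10.0.1.15 203.0.113.7 tcp 6881 13426974546f7272656e742070726f746f636f6c
10.0.1.22 198.51.100.9 tcp 443 160301
10.0.1.15 192.0.2.40 tcp 51413 13426974546f7272656e742070726f746f636f6c
10.0.1.31 198.51.100.77 tcp 4662 e3
10.0.1.31 198.51.100.78 udp 4672 e4
10.0.1.40 203.0.113.88 tcp 80 474554202f
"""

# BitTorrent peer-wire handshake: length byte 19 then the protocol name.
BT_HANDSHAKE = b"\x13BitTorrent protocol"

# Default port ranges; weak evidence on their own, since clients change them freely.
PORT_SIGNATURES = {
    ("tcp", range(6881, 6890)): "bittorrent-port",
    ("tcp", range(4662, 4663)): "emule-port",
    ("udp", range(4672, 4673)): "emule-port",
}

LINE_RE = re.compile(r"^(\S+) (\S+) (tcp|udp) (\d+) ([0-9a-f]*)$")

def classify(line):
    """Return the list of P2P indicators for one log line (empty if none)."""
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError("unparseable line: %r" % line)
    _src, _dst, proto, dport, payload_hex = m.groups()
    dport = int(dport)
    payload = bytes.fromhex(payload_hex)
    reasons = []
    for (sig_proto, ports), label in PORT_SIGNATURES.items():
        if proto == sig_proto and dport in ports:
            reasons.append(label)
    # The payload signature is the stronger signal: it catches the client on
    # port 51413 that a port-only rule misses.
    if payload.startswith(BT_HANDSHAKE):
        reasons.append("bittorrent-handshake")
    return reasons

def summarize(log_text):
    """Map each source host to the set of P2P indicators seen from it."""
    hosts = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        reasons = classify(line)
        if reasons:
            hosts.setdefault(line.split()[0], set()).update(reasons)
    return hosts

if __name__ == "__main__":
    for host, reasons in sorted(summarize(SAMPLE_LOG).items()):
        print(host, sorted(reasons))
```

Port lists are the cheap first pass; the handshake match is what you want an alert on, because it survives the user moving the client to a random port.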

Debate starter or non-starter? How does one obtain 'freedom of the seas' on the Internet?

Cybersecurity and Piracy on the High Seas

Posted by ScuttleMonkey on Friday April 18, @02:37PM from the not-one-cent-in-tribute dept.

Schneier points out an interesting article comparing modern cybersecurity to piracy on the high seas in the early 1800s. The article extends the comparison into projected action based on historical context.

"Similarly, in many ways, current U.S. policy on the security of electronic commerce is similar to Adams' appeasement approach to the Barbary pirates. The U.S. government's inability to dictate a consistent cyber commerce protection policy is creating a financial burden on the U.S. private sector to maintain a status quo, when those resources could be used to mount a more-effective Internet-focused defense. In the case of financial fraud on the Internet, the costs associated with fraudulent transactions are currently borne by private companies, which then have to pass those costs on to their customers. This basically creates a system in which the financial institutions are paying a type of "tribute" to the cyber criminals, just as Adams did to the Barbary pirates."

Oh surprise, surprise! That never happens in the US... (Except by my hacking students.)

Reports: Wi-Fi users to be monitored in Russia

Business travellers to Russia beware: A recently formed regulatory super-agency is requiring registration for every Wi-Fi device and hotspot

By Matthew Broersma, Techworld April 18, 2008

Business travellers to Russia might want to keep their laptops and iPhones well-concealed - not from muggers, necessarily, but from the country's recently formed regulatory super-agency, Rossvyazokhrankultura (short for the Russian Mass Media, Communications and Cultural Protection Service).

... Aside from public hotspots, the registration requirement also applies to home networks, laptops, smart phones and Wi-Fi-enabled PDAs, Karpov reportedly said. Registration only permits use by the owner.

Would they feel better if the League of Women Voters did the background check?

Fresno chamber seeks data for candidate checks

Friday, April 18 2008 @ 11:34 AM EDT Contributed by: PrivacyNews News Section: Other Privacy News

The Fresno Chamber of Commerce is causing a stir -- and apparently plowing new political ground -- by asking candidates who want its support to reveal their Social Security and driver's license numbers.

Chamber officials asked for the information so they could conduct background checks on candidates.

[...] Fresno County Supervisor Susan B. Anderson, who is seeking re-election, provided the information sought by the chamber, "but it does make me feel a little bit uncomfortable. I don't think that people who are running for office should have to give their personal information for endorsements, [Cash should be sufficient Bob] and no other group has asked for that."

The chamber's request is not new. It has asked candidates for this information for at least the past four years, Smith said. But this is the first time anyone has objected, likely because of the increased attention being given to identity theft, he said.

Source - Fresno Bee hat-tip, The California Majority Report

Customer Service, DotCom style?

Microsoft to halt Hotmail access via Outlook Express

Microsoft is ending Outlook Express access to Hotmail on June 30 and is urging [not the word I'd use Bob] Express users to switch to Windows Live Mail

By Eric Lai, Computerworld April 18, 2008

In the latest death knell for Outlook Express, Microsoft announced Thursday that it will turn off access to its Web-based Hotmail service from the desktop e-mail software at the end of June.

Now here is an action that may have potential – beyond the potential to cost them customers.

PayPal to block users with old browsers to stem phishing attacks

eBay's electronic payment service will lock out people using versions of Web browsers with no phishing filters, which could mean trouble for users of Apple's Safari

By Jeremy Kirk, IDG News Service April 18, 2008

... PayPal said a "significant" group of people still use Microsoft's Internet Explorer 3, released in 1996, and IE 4, which debuted in 1997. Those browsers lack a phishing filter, which can block users from accessing a reported phishing Web site.

“Strategy is as strategy does” F. Gump

MPAA Decides Doesn't Have Enough Publicity

from the definition-of-insanity dept

The MPAA really is somewhat dense sometimes, isn't it? Despite the fact that every time it sues some website for linking to unauthorized content, that site ends up with a ton more traffic, the MPAA keeps on suing. These lawsuits don't slow the pace of unauthorized sharing one bit, but they do generate a ton of publicity for the activity the MPAA thinks it's "cracking down" on. The latest is Pullmylink. It's a site I've never heard of, but thanks to a brand new lawsuit from the MPAA, plenty of people are learning all about the site. Even worse, like some of its ilk, Pullmylink appears not to actually host any infringing content. It merely links to it -- which makes the claims of copyright infringement even more questionable. Surprisingly, even the Reuters report notes how questionable this is, quoting people pointing out that making linking illegal has all sorts of unintended consequences. In the meantime, the folks at Pullmylink should be happy. They're about to get a ton more traffic.

Open Source pharmaceuticals?

Whiten Your Teeth the Natural Way

by Karina Timmel

White teeth and strawberries may not sound like they go hand in hand, but it turns out the berries can actually lighten your smile.

A niche for everything. (Didn't they used to call that California?)

Cultspace - Create and Explore Fictional Cults

At Cultspace, you can create your own parody religion, become a cult leader, and even blog “holy texts.” The site offers itself up as a forum to “share serious thoughts on religion, make a complete mockery of an existing religion, or do anything in between.” Most users seem to be going the parody route, with registered cult names like “First Church of Giving Me a Dollar,” “The Grand Circle of Eternal Bacon,” and “The Cool Pope’s Church of Some Ancient Dude.” Cult leaders can add photos or an anthem to their group, and Cultspace users can leave comments on these items or on the holy text blogs. There is a forum where Cultspace members can connect and converse. While you can subscribe to someone else’s cult if its content interests you, you cannot actually join other cults. However, each cult has a fictional population number based on its overall popularity and other factors. For instance, forming a political alliance with another cult will help your population grow, while waging a holy war will decrease the population on both sides of the conflict.

Friday, April 18, 2008

This was on the blog yesterday. I wonder how many schools are impacted? This is #2

Buffalo State College will notify students about security breach

Thursday, April 17 2008 @ 03:04 PM EDT Contributed by: PrivacyNews News Section: Breaches

Buffalo State College will be sending out notices to students about what could be a major security breach.

The school was notified on April 11, 2008, that a laptop containing about 16,000 Buffalo State current and former students' private information had been stolen.

The laptop was owned by a consultant from SunGard, the company that provides Banner®, the records system used at Buffalo State.

Source - WIVB

This is probably related to the breach reported here

Related #3

MO: Laptop theft may have compromised student info

Thursday, April 17 2008 @ 08:06 PM EDT Contributed by: PrivacyNews News Section: Breaches

The theft of a laptop computer in New York could potentially put personal information about Northwest Missouri State University students and alumni in the wrong hands.

SunGard Higher Education has notified Northwest of the theft of a laptop computer owned by one of SunGard’s employees that may have put the personal information of students and former students at risk.

While it is not believed identity theft was the motive behind the incident, which occurred in March on a college campus in New York, Northwest moved immediately to inform those who might be affected.

Source - Maryville Daily Forum

Related - Laptop stolen with student data, contained personal information of 3,400 CSU System pupils
Related - Buffalo State College will notify students about security breach

Tools & Techniques A Halloween tale? “As soon as you die, cancel all your credit cards.”

Feds Charge California Woman With Stealing IDs From the Dead

Thursday, April 17 2008 @ 05:04 PM EDT Contributed by: PrivacyNews News Section: Breaches

Federal prosecutors this week charged a Southern California woman with aggravated identity theft and other crimes for allegedly using a popular genealogy research website to locate people who had recently died, and then taking over their credit cards.

Tracy June Kirkland, 42, allegedly used to find the names, Social Security numbers and birth dates of people who, shall we say, had no further need for their consumer credit lines. She then "would randomly call various credit card companies to determine if the deceased individual had an … account," according to the 15-count indictment (.pdf) filed in federal court in Los Angeles Tuesday.

Source - Threat Level blog

How to convince your CEO that security education is worth while?

Identity Theft Smash & Grab, CEO Style

Thursday, April 17 2008 @ 02:43 PM EDT Contributed by: PrivacyNews News Section: Breaches

Tens of thousands of corporate executives were the target of a series of identity-theft scams this week, e-mail-borne schemes that appear to have netted close to 2,000 victims so far. [10% is higher than the average phishing success rate. Interesting. Bob]

Early Monday morning, according to two security experts with firsthand knowledge of the attacks, nearly 20,000 executives received an e-mail purporting to be a subpoena ordering each recipient to appear in court for legal violations leveled against their company. The messages addressed each executive by name, and included their phone number and the name of their company.

Source - Security Fix blog

[From the article:

(the malicious add-on only installed for users visiting the site with Microsoft's Internet Explorer Web browser). Approximately half of the recipients of the e-mail messages were executives at major financial institutions.

... Richard said the group responsible for this attack is based in Romania and is thought to have masterminded nearly two dozen similar attacks over the past year that netted the group millions of dollars.

“We have the technical ability – all other considerations are unimportant.” This is going to be controversial at best, and the opportunity for offense is staggering: “Welcome to (insert name of religious site here), but first a word from our sponsor, Hustler Magazine...” We already have cable systems doing it, but I suspect they have contracts specifying how it can be done.

Study Confirms ISPs Meddle With Web Traffic

Posted by Soulskill on Friday April 18, @12:15AM from the you-wouldn't-like-me-when-i'm-angry dept

Last July, a research team from the University of Washington released an online tool to analyze whether web pages were being altered during the transit from web server to user. On Wednesday, the team released a paper at the Usenix conference analyzing the data collected from the tool. They found, unsurprisingly, that ISPs were indeed injecting ads into web pages viewed by a small number of users. The paper is available at the Usenix site. From PCWorld:

"To get their data, the team wrote software that would test whether or not someone visiting a test page on the University of Washington's Web site was viewing HTML that had been altered in transit. In 16 instances ads were injected into the Web page by the visitor's Internet Service provider. The service providers named by the researchers are generally small ISPs such as RedMoon, Mesa Networks and MetroFi, but the paper also named one of the largest ISPs in the U.S., XO Communications, as an ad injector."
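The detection idea, in outline, is that the server ships a known-good fingerprint of the page and the client compares it against what actually arrived. As an added example, not the UW team's tool or code, here is a Python simulation of that check: the "server" publishes the SHA-256 of the page it sent, the "client" hashes what it received, and on mismatch the script uses difflib to show exactly which lines were injected. The page contents, the ad snippet and the injector's URL are all constructed for the example.

```python
import difflib
import hashlib

# Constructed page as served by the origin.
ORIGINAL_HTML = """<html>
<head><title>Test page</title></head>
<body>
<p>Hello, this is the reference page.</p>
</body>
</html>
"""

# Constructed copy of the same page as it might arrive after an in-path
# ad injector rewrote it: one extra script tag before </body>.
TAMPERED_HTML = ORIGINAL_HTML.replace(
    "</body>",
    '<script src="http://ads.example/inject.js"></script>\n</body>',
)

def fingerprint(html):
    """Server side: publish this value alongside the page (the client fetches it
    separately and compares)."""
    return hashlib.sha256(html.encode("utf-8")).hexdigest()

def check_in_transit_modification(received_html, expected_fingerprint, reference_html):
    """Client side. Returns (modified, injected_lines, removed_lines).

    The reference copy is only needed to explain *what* changed; the yes/no
    answer comes from the fingerprint alone, which is all a browser-side check
    would have at the moment of detection."""
    if fingerprint(received_html) == expected_fingerprint:
        return False, [], []
    diff = difflib.unified_diff(
        reference_html.splitlines(), received_html.splitlines(), lineterm="", n=0
    )
    injected, removed = [], []
    for line in diff:
        if line.startswith("+") and not line.startswith("+++"):
            injected.append(line[1:])
        elif line.startswith("-") and not line.startswith("---"):
            removed.append(line[1:])
    return True, injected, removed

if __name__ == "__main__":
    fp = fingerprint(ORIGINAL_HTML)
    print("untouched:", check_in_transit_modification(ORIGINAL_HTML, fp, ORIGINAL_HTML)[0])
    modified, injected, removed = check_in_transit_modification(TAMPERED_HTML, fp, ORIGINAL_HTML)
    print("tampered:", modified, "injected:", injected, "removed:", removed)
```

The caveat is that the same in-path party can rewrite the published fingerprint as easily as the page, so this detects casual injection rather than preventing it; TLS is what actually stops the rewrite.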

No evidence, no crime.

Congress Won't Fund Paper Backups For E-Voting Machines

from the we-broke-it...-but-don't-expect-us-to-pay-you-to-fix-it dept

It was Congress that first mandated that polling places needed to start using e-voting machines a few years back, which has led to the ridiculously long trail of stories concerning buggy machines with questionable results and no way to go back and check to see how accurate the results are. It appears that politicians have finally been realizing that the lack of a paper trail (even if just to confirm the results) is problematic. So they're pushing states to make sure they use e-voting machines that also include a paper trail. But, when it comes to paying to make those changes, the states are apparently on their own. Congress has rejected a plan to fund the states in making sure a paper backup was available. Why? Well, as Rep. Vernon Ehlers says: "I think there are other methods of achieving redundancy" though he conveniently leaves those out. He then notes: "hand counting is not as accurate as almost any machine counting that I have seen." It's true that hand counting has its problems too. No one denies that. But the point isn't that hand counting is perfect, but that there's a way to go back and compare the results to make sure they're correct and accurate. Without that in place, we're simply relying on the machines to work perfectly, and we know that doesn't work.

Sometimes you can figure out what concerns governments by their (not so) subtle actions.

GSM Security Researcher Targeted in Airport Shakedown

By Kim Zetter April 17, 2008 | 2:45:00 PM

A security researcher on his way this week to speak at a conference about mobile phone security was stopped by British authorities at Heathrow Airport and questioned before being relieved of his Nokia phone, SIM card and USRP (Universal Software Radio Peripheral).

The researcher was on his way to Dubai to deliver a talk at the Hack-in-the-Box security conference about cracking GSM encryption to intercept mobile phone calls and text messages and track the location of users using less than $1,000 in equipment.

As a rule, if you make an “unbreakable system” someone will break it.

NULL Pointer Exploit Excites Researchers

Posted by Soulskill on Friday April 18, @05:18AM from the ruh-roh-shaggy dept.

Da Massive writes

"Mark Dowd's paper "Application-Specific Attacks: Leveraging the ActionScript Virtual Machine" has alarmed researchers. It points out techniques that promise to open up a class of exploits and vulnerability research previously thought to be prohibitively difficult. Already, the small but growing group of Information Security experts who have had the chance to read and digest the contents of the paper are expressing an excited concern depending on how they are interpreting it. While the Flash vulnerability described in the paper[PDF] has been patched by Adobe, the presentation of a reliable exploit for NULL pointer dereferencing has the researchers who have read the paper fascinated. Thomas Ptacek has an explanation of Dowd's work, and Nathan McFeters at ZDNet is 'stunned by the technical details.'"

This might be fun to watch. It should give some advanced notice of the tools DHS plans to use.

April 17, 2008

House Homeland Security Committee Newsletter Focuses on Opportunities for Small Business Contractors

Chairman, Rep. Bennie G. Thompson: "I began this newsletter to alleviate the gap that exists between the need for information about opportunities available at the Department and the ability to locate and disseminate that information in a timely and user-friendly manner. Similarly, my experience has taught me that the gap between need and ability also affects businesses in their quest to interact with the Department. A small business owner may have a concept for a product that will address an important homeland security need, but lack the resources necessary to bring the product on-line. A large company may not have developed the original concept, but may possess the resources necessary to transform a prototype into an available product. The gap between concept and production can be bridged by providing each party with the type of information they need to create a product that fills a critical need. This newsletter is intended to bridge the gaps that keep information unavailable, sidelines worthwhile businesses, discourages full participation, and permits vulnerabilities to continue."

This could be useful, I'll have to play around with it some more... - Interactive Test Prep and Assessment is a web-based test preparation and assessment platform. Based in Boston, Socrato’s Beta version includes practice tests for Massachusetts state exams, as well as the U.S. citizenship exam. There are also vocabulary tests for the SAT and GRE, and users can upload their own practice tests or study materials to share publicly or amongst a private group. These ‘study groups’ can be set up by classmates or teachers, or even by school administrators for use across a district. Socrato also features tools for assessing a student’s learning styles, strengths and weaknesses, progress, etc., which can be used by the student or by their parents, teachers, and tutors. Currently, all tests on this site are multiple-choice, true or false, or fill in the blank – essays are not supported.

I need this. I just found out that the big red “S” on my chest has already been copyrighted.

Logo Ease - Design A Unique Logo

Whether you are a company making a logo for your business or you are an individual who wants to make a symbol for your work, your brand image is your logo and that is important. You want a unique logo that represents your mark and your vision, something that stands out from the rest. There are many free logo design services available on the web and if you are very creative you can try to make a logo with those tools that is unique. Making a unique logo from the tools provided is a challenge because everyone is provided with the same shapes to choose and the same editing tools. Logo Ease provides users with two options. The first option is the free option where you can choose from an array of shapes which include categories such as: mountains, transport, eye, sports, religious, space, music, celebration, and more . You can then edit by adding up to five lines of text, choosing fonts, adjusting the scale, rotating, and changing the color. You then save your finished logo and you are done. Anyone can use the free logo editor and therefore you run the risk of creating a logo that is similar to someone else’s. Logo Ease gives users the opportunity to use professional logo design software so that you can make a unique logo. The software costs $149 and you can revise your logo as many times as you want. Logo Ease offers logo options for all the different needs users may have.

Thursday, April 17, 2008

“They're only backup tape, no need for security.”

FL: Information on thousands of UM patients stolen

Thursday, April 17 2008 @ 10:26 AM EDT Contributed by: PrivacyNews News Section: Breaches

The confidential information of tens of thousands of University of Miami patients was stolen last month when thieves took a case out of a vehicle used by a private off-site storage company, UM said Thursday morning.

"Anyone who has been a patient of a University of Miami physician or visited a UM facility since Jan. 1, 1999, is likely included on the tapes," the university said in a news release. "The data included names, addresses, Social Security numbers or health information. The university will be notifying by mail the 47,000 patients whose data may have included credit card or other financial information regarding bill payment."

The information was in a container holding computer back-up tapes. The container was removed from a vehicle in downtown Coral Gables on March 17, the storage company told UM.

Source - Miami Herald

[From the article:

''Shortly after learning of the incident, the university determined it would be unlikely that a thief would be able to access the backup tapes because of the complex and proprietary format in which they were written,'' UM said in the statement. [Very unlikely to be true. Bob]

Outside contractor who kept the data too long...

Laptop stolen with student data, contained personal information of 3,400 CSU System pupils

Thursday, April 17 2008 @ 06:31 AM EDT Contributed by: PrivacyNews News Section: Breaches

The Connecticut State University System announced Wednesday a laptop computer that was stolen from a vendor contained the data of about 3,400 current and former students from the four state universities, including Western Connecticut State University.

The computer was password-protected but contained unencrypted files with personally identifiable data, including names and Social Security numbers for certain students who attended Central, Eastern, Southern and Western Connecticut State universities between September 2001 and December 2004.

Source - The News-Times

Related - Personal data of Connecticut students on stolen laptop

[From the first article:

SunGard Higher Education, provider of the state system's student data management software, informed officials April 9 that a laptop computer owned by SunGard and in the possession of one of its employees had been stolen.

The data was originally provided for SunGard to perform various services for the university system, but it was apparently retained longer than necessary to perform those services, Kavaler said.

[From the second article:

State officials say a company has waited nearly a month before telling Connecticut State University System officials that personal information on students is on a stolen laptop computer.


Students’ personal data lost in laptop theft

By Mark Zaretsky, Register Staff Posted on Thu, Apr 17, 2008

... The stolen laptop contained data from projects with a number of customers. SunGard suggested on its Web site that the security breach goes beyond four universities in Connecticut.

... The attorney general said he has seen “no evidence yet that any of the information has been used,” although “commonly, confidential, private information is used for identity theft only after a number of months because the identity thieves often wait for the victims to be complacent” [Now there's a quote I can use! Bob] and “for there to be a false sense of security.”
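Two of the failures in the CSU and SunGard reports are checkable before a laptop ever leaves the building: files kept past the end of the project they were pulled for, and data sitting in plain files on a machine whose only protection is the login password (which an attacker with the disk simply bypasses). As an added example, not SunGard's or the university system's tooling, here is a Python scanner over a constructed file inventory that finds formatted Social Security numbers, applies the structural checks for numbers that are never issued, and flags files last modified before a retention cutoff. The paths, dates and numbers are all made up for the example.

```python
import re
from datetime import date, timedelta

# Formatted US SSN, AAA-GG-SSSS. The structural filter drops numbers that are
# never issued: area 000, 666 or 900-999, group 00, serial 0000.
SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")

def plausible_ssn(area, group, serial):
    a = int(area)
    return a not in (0, 666) and a < 900 and group != "00" and serial != "0000"

def find_ssns(text):
    """Return every plausibly-issued SSN found in text, in order of appearance."""
    return [m.group(0) for m in SSN_RE.finditer(text) if plausible_ssn(*m.groups())]

# Constructed inventory of files on a consultant's laptop: (path, last_modified, content).
CONSTRUCTED_FILES = [
    ("projects/buffalo/export_2008-01.csv", date(2008, 1, 20),
     "id,name,ssn\n1,Jane Doe,123-45-6789\n2,John Roe,387-65-4320\n"),
    ("projects/fredonia/students.txt", date(2008, 3, 1),
     "Roe, Richard 234-56-7890\n"),
    ("notes/readme.txt", date(2008, 4, 1),
     "Build 000-00-0000 is not an SSN and neither is the phone number 555-123-4567\n"),
    ("projects/csu/invoice.txt", date(2008, 3, 30),
     "Invoice 900-12-3456\n"),
]

def retention_report(files, today, max_age_days):
    """Flag files that hold plausible SSNs and say whether each is past the
    retention window (last modified before today minus max_age_days)."""
    cutoff = today - timedelta(days=max_age_days)
    report = []
    for path, modified, content in files:
        ssns = find_ssns(content)
        if ssns:
            report.append({"path": path, "count": len(ssns), "overdue": modified < cutoff})
    return sorted(report, key=lambda r: r["path"])

def demo_report():
    """Run the report as of 17 April 2008 with a 60-day retention window."""
    return retention_report(CONSTRUCTED_FILES, date(2008, 4, 17), 60)

if __name__ == "__main__":
    for row in demo_report():
        print(row)
```

Pattern matching like this over-reports on some inputs and misses unformatted nine-digit numbers, so it is a triage tool, not a control; the control is not exporting the data to the laptop in the first place, encrypting it if you must, and deleting it when the project closes.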

Almost no detail...

Company warns of security breach

Wednesday, April 16 2008 @ 12:53 PM EDT Contributed by: PrivacyNews News Section: Breaches

Customers of Brookings-based Fishback Financial Corporation are getting letters advising them to watch their accounts for identity theft.

The company says a third party recently had unauthorized access to a computer database that includes people's names, addresses and Social Security numbers.

Source - KXMB

[Link that works:

We just love to know what everyone else is doing...

Senator Proposes To Monitor All P2P Traffic for Illegal Files

Posted by Zonk on Thursday April 17, @09:19AM from the kind-of-strains-the-mind-to-think-about-huh dept.

mytrip writes

"Senator Joe Biden (D-Del) has proposed an ambitious plan, costing on the order of $1 billion, aimed at curtailing illegal activities via P2P networks. His plan involves utilizing new software to monitor peer-to-peer traffic on an ongoing basis. 'At an afternoon Senate Judiciary subcommittee hearing about child exploitation on the Internet, Sen. Joe Biden (D-Del.) said he was under the impression it's "pretty easy to pick out the person engaged in either transmitting or downloading violent scenes of rape, molestation" simply by looking at file names. He urged use of those techniques by investigators to help nab the most egregious offenders.'"

Put your money where the crime is, join my “Cameras in Congress” campaign.

Lawmakers Proposing Millions for Elementary School Surveillance Cams - UPDATE

By Ryan Singel April 15, 2008 | 7:06:07 PM Categories: Surveillance

Call it the No Child Left Unsurveilled Act.

... In what seems a plain attempt to arouse the ire of Bruce Schneier, the bill would bar schools from using the money for actually assessing what the threats and weaknesses to the school are.

“Stupidity is a right!”

Some 12% of Consumers 'Borrow' Unsecured Wi-Fi

Posted by Zonk on Thursday April 17, @10:27AM from the other-88-percent-are-lying dept.

alphadogg writes

"Despite the fact that it's often considered an illegal act, a sizeable percentage of the UK/US internet-using population 'borrows' unsecured Wi-Fi access. This is according to a study conducted by the group Accenture. 'The Accenture study found that computer users are still engaging in some unsafe computing practices. Nearly half of all respondents said that they used the same password for all of their online accounts, and only a quarter of them have ever encrypted files on their computers.'"

My guess is the actual figure is higher than that.

Interesting. I wonder if they have real lawyers?

Oregon Using Copyright Law To Prevent Other Sites From Publicizing Oregon Law

from the just-as-the-law-intended dept

Well here's a story about copyright that's so bizarre it makes you think that there must be a mistake somewhere -- but it seems to be completely true. Apparently, Oregon is complaining to sites like Justia (which publish public domain legal documents) that they are violating copyright by republishing some of Oregon's laws. The state admits that the text of the laws is not covered by copyright, but that everything else about the way the law is presented is covered by copyright (such as the numbering, the notes and annotations). This is an accurate portrayal of copyright law, which does allow such things to be covered by copyright (though, the "numbering" part seems questionable), but it's difficult to see how the state could possibly get upset that someone is trying to better publicize Oregon's laws. The state does make one good point: Justia adds its own copyright notice to the text, which is bad form, but was probably just a template issue. Either way, it's difficult to see what Oregon could possibly gain in trying to force copies of its laws off of public resource legal sites.

Interesting test of 'fair use'?

Publishers Sue Georgia State on Digital Reading Matter

By KATIE HAFNER April 16, 2008

Three prominent academic publishers are suing Georgia State University, contending that the school is violating copyright laws by providing course reading material to students in digital format without seeking permission from the publishers or paying licensing fees.

... The lawsuit, which may be the first of its kind, raises questions about digital rights, which are confronting many media companies, but also about core issues like the future of the business model for academic publishers.

... The case centers on so-called course packs, compilations of reading materials from various books and journals. The lawsuit contends that in many cases, professors are providing students with multiple chapters of a given work, in violation of the "fair use" provision of copyright law.

May reveal some interesting details...

Computer tech pleads guilty to stealing ID's

Wednesday, April 16 2008 @ 03:05 PM EDT Contributed by: PrivacyNews News Section: Breaches

A Los Angeles computer security consultant pleaded guilty today to using spyware that turned thousands of computers into "zombies" so he could steal their owners' identities.

John Schiefer, 26, admitted using "botnets" -- armies of infected computers -- to steal the identities of victims nationwide by extracting information from their personal computers and wiretapping their communications, according to the U.S. Attorney's Office.

... This is the first time someone in the United States has been charged under the federal wiretap statute for conduct related to botnets, prosecutors said.

Source -


More quotable (but debatable) quotes.

One-third of breach victims walk away from company, survey

Wednesday, April 16 2008 @ 05:14 PM EDT Contributed by: PrivacyNews News Section: Older News Stories

Nearly one-third of consumers notified of a security breach terminate their relationship with the company, according to a recently released survey by the Ponemon Institute.

The Consumer's Report Card on Data Breach Notification, sponsored by ID Experts, also revealed that 63 percent of survey respondents said notification letters they received offered no direction on the steps the consumer should take to protect their personal information.

The survey interviewed 1,795 people across the United States to find out if consumers notified about a data breach involving their personal information were satisfied with the company's response, according to Larry Ponemon, founder of the Ponemon Institute.

Source - SC Magazine. The report is available as a free download with registration.

Quotable quotes (Remember, 86.2% of statistics are made up as needed.)

New Spam Site Found Every Three Seconds

Posted by samzenpus on Wednesday April 16, @10:24PM from the spam-sausage-spam-spam-spam-mail-and-spam dept.

Stony Stevenson writes

"New figures suggest that 92.3 percent of all email sent globally during the first three months of 2008 was spam. The data from Sophos also indicated that 23,300 new spam-related web pages were created every day during the period, or one about every three seconds. For the first time Turkey's contribution to the global spam problem puts it in the top three offending countries. Compromised computers in Turkey are now responsible for relaying 5.9 percent of the world's junk email, compared to 3.8 percent in the final quarter of 2007."

Seems these are always mind expanding...

Open-source economics from watch! — Law professor Yochai Benkler explains how collaborative projects like Wikipedia and Linux represent the next stage of human organization. By disrupting traditional economic production, copyright law and established competition, they're paving the way for a new set of economic laws, where empowered individuals are put on a level playing field...

Blogs may be good for something after all (even if they do ramble a bit). This one raises an interesting question and there is a (probable) answer in the comments. Note to Comcast: I have no special animosity toward you – I'll happily blog about any incompetent organization.

A new reason to hate Comcast

Wednesday, April 16, 2008 by Dave Winer.

... Then this morning around 9AM the service went down. I called the service number, and was quickly directed to call a special number. I couldn't record the call because I didn't have Skype working, but I wish I had found a way. The recording said I was talking to their legal services department, Press 1 if you are stealing content, 2 if you are using too much bandwidth, 3 if Comcast hates your guts, 4 if you're a criminal. (I don't remember the exact wording, this wasn't it, but the implication was that I was guilty of abuse, me, a paying customer, in good standing. By pressing a button I was admitting to doing something wrong.)

... Then he threatened me. He told me I was in the top 1/10th of 1 percent of all their Internet users and that if I didn't immediately stop using so much bandwidth they would suspend my service for 12 months. I asked if I could get this in writing, he said no. I asked how much bandwidth would be acceptable, he wouldn't say. I told him this wasn't much of a threat if they weren't willing to put it in writing, and I wasn't intimidated. I also told him I was a blogger and would be writing it up. He didn't care.

[From the comments...

Kevin Hart 16 hours ago

... What I've dug around and seems to be the reason is this. Some people on your node in your neighborhood called and complained things were slow. If they get a few of these calls they go into the node and check the logs. Then they blanket call everyone in the top '10%' there and threaten them. It's not an automated system, they wait for some complaints, more than one, and then they call. Or that seems to be the common consensus around the net.

Another phone company, another self-serving “policy”

Verizon cell customers last to know when their data pinched

Thursday, April 17 2008 @ 06:46 AM EDT Contributed by: PrivacyNews News Section: Breaches

In case you Verizon customers ever wonder what will happen if the company discovers that your cell phone data has been pinched, the wireless giant recently filed a summary of its procedures with the Federal Communications Commission. Here is the rundown:

First, Verizon will contact not you, but the United States Secret Service (USSS) and the Federal Bureau of Investigation (FBI). These two agencies will be notified "as soon as practicable," but no more than seven days after Verizon figures out that the theft took place. [“and if we never figure it out...” Bob]

Source - Ars Technica

[From the article:

"If an unauthorized individual has gained access to personal telephone records involving victims of stalking or spousal violence," Copps warned, "it won’t be the carrier or the law enforcement agency—but the victims—who are in the best position to know when and how harm may be heading toward them."


April 16, 2008 9:09 PM PDT

Darwin's private papers go digital

Posted by Desiree Everts

The works of one of the most towering figures of modern science are now available to anyone on the Web.

The Darwin Online Project is releasing on Thursday more than 90,000 online pages of Charles Darwin's photographs, sketches, and manuscripts, including the first draft of his theory of evolution.

Wednesday, April 16, 2008

Always worth attending (and a bargain to boot!)


Morning/Lunch Seminar FRIDAY, MAY 2, 2008

Reservations required, contact:

Diane Bales, Law Coordinator 303.871.6580; Email:

Little detail (so far)

UVa laptop stolen, had sensitive data

Wednesday, April 16 2008 @ 07:49 AM EDT Contributed by: PrivacyNews News Section: Breaches

A laptop stolen from a University of Virginia employee contained sensitive information about more than 7,000 students, staff and faculty members. Stolen from an unidentified employee from an undisclosed location in Albemarle County, the laptop contained a confidential file filled with names and Social Security numbers.

Source -


Corrections Web glitch shows state IDs to bloggers

Wednesday, April 16 2008 @ 08:07 AM EDT Contributed by: PrivacyNews News Section: Breaches

A recent glitch in the state Corrections Department's Web site allowed bloggers to access the Social Security numbers of violent offenders in Oklahoma.

Bloggers from a computer programming Web site found the information and alerted the department, said agency spokesman Jerry Massie. The list contained the names, addresses and Social Security numbers of some 6,000 people.

So far, there is no evidence that identities have been stolen from the convicted felons and sex offenders on the list. Sex offenders are required to register their addresses with local authorities.

Source -

hat-tip, The Corrections Connection blog

[From the article:

Massie said the discovery was the result of "weaknesses in the application” on the state's Web site. [The computer decided to put DoC data on someone else's server... Right... Bob]

A lot of effort for a dumpster...

UK: Student files are lost

Tuesday, April 15 2008 @ 11:10 AM EDT Contributed by: PrivacyNews News Section: Breaches

HUNDREDS of files containing information about students applying for loans were stolen from a secured skip destined for the shredder... It was the first time Havering Council used a skip to store information awaiting destruction - and it proved to be the last time this method was adopted, confirmed the Town Hall.

...It is thought a large specialist truck broke into the locked yard of the Broxhill Centre in Havering-atte-Bower and lifted the 30-foot steel skip onto its base.

A council spokesman said the thieves were "most likely" interested in the expensive container, as opposed to the files, since they arrived in a truck designed to lift it. [On the other hand, this was clearly the container with the most valuable information... Bob]

Source - Romford Recorder

VPNs are no protection? Interesting that they included a long list of changes they made – looks like they had practically no security in place prior to the incident.

Stryker Instruments reports network intrusion, possible access of employee info

Tuesday, April 15 2008 @ 01:25 PM EDT Contributed by: PrivacyNews News Section: Breaches

On Feb. 18, Stryker Instruments discovered that there had been unauthorized access to its virtual private network multiple times over a period of months. One of the medical technology firm's servers involved contained a database of Social Security numbers of certain employees in 48 states plus Puerto Rico.

Stryker's investigation led them to conclude that the intruder was a former employee but they were unable to determine if any personal data were actually accessed. They were also unable to confirm that it was the particular former employee they suspect.

In its April 10th letter to the New Hampshire DOJ, Curt Hartman, President of Global Instruments, and Jud Hoff, Vice-President, describe how on March 4, they requested that the Minneapolis office of the FBI investigate the matter, but the FBI declined to go forward with a criminal investigation on March 20.

In response to the breach, Stryker took a number of steps to harden its access, authentication measures, and internal audit procedures, as described in their letter. They also sent notification letters to those affected and arranged for credit monitoring and credit restoration services, if needed.

[From the article:

Stryker immediately disabled the domain administrator service account through which the unauthorized user had accessed the VPN. [Anyone want to bet this was the default ID and password? Bob]

Not enough facts! Probably stolen by a gang of wholesale computer thieves, but I'd like to know if the business associate's headquarters was in New Hampshire. If so, were most of their patients non-residents and therefore they didn't need to report them?

Stolen computers contained patient data from EHS patients

Tuesday, April 15 2008 @ 11:20 AM EDT Contributed by: PrivacyNews News Section: Breaches

Elliott Health Systems, Inc. (EHS) in New Hampshire has notified the New Hampshire Department of Justice that on February 22, 2008, 10 computers were stolen from the headquarters of a business associate, Advanced Medical Partners, Inc. (AMPI).

By letter dated March 3, 2007 (sic), EHS reported that the computers may have contained ePHI on 6 NH residents such as names, dates of service at EHS, the name of their insurance company and the patients' date of birth. EHS reports that they were told by AMPI that the computers have safeguards in place, including passwords, against access to this information.

Source -

Good news: CEOs (or their secretaries) are too smart to click on these links. Bad news: They forward the e-mails to their lawyers...

Fake Subpoenas Sent To CEOs For Social Engineering

Posted by kdawson on Tuesday April 15, @06:38PM from the whale-fishing dept.

An anonymous reader writes

"The Internet Storm Center notes that emails that look like subpoenas are being sent out to the CEOs of major US corporations. The email tries to entice the victim to click on a link for 'more information.' According to the ISC's John Bambenek: 'We've gotten a few reports that some CEOs have received what purports to be a federal subpoena via email ordering their testimony in a case. It then asks them to click a link and download the case history and associated information. One problem, it's [totally] bogus. It's a "click-the-link-for-malware" typical spammer stunt. So, first and foremost, don't click on such links. An interesting component of this scam was that it did properly identify the CEO and send it to his email directly. It's very highly targeted that way.'"

They are not amused...

Look Ma, I'm on

By Ryan Singel April 14, 2008 | 2:26:05 PM

In an age where JavaScript is so ubiquitous that some websites won't even load if you don't enable it in your browser, cross-site scripting hacks are everywhere - letting malicious or merely mischievous hackers create links that have some very unintended consequences on websites that are not careful to keep from executing other people's code.

Most are run-of-the-mill and hardly worth writing about, but reader Harry Sintonen writes in with a vulnerability on the CIA's site that THREAT LEVEL can't resist.

Free speech? Giving Darwin a hand?

France to crack down on "pro-anorexia" Web sites

Tue Apr 15, 2008 5:00pm EDT

PARIS (Reuters) - French politicians called on Tuesday for stiff penalties of up to three years jail and heavy fines against "pro-anorexia" Web sites and publications that encourage girls and young women to starve themselves.

This is interesting. Expect at least a full Division of lobbyists...

Consumer groups urge "do not track" registry

Wednesday, April 16 2008 @ 08:12 AM EDT Contributed by: PrivacyNews News Section: Internet & Computers

Two consumer groups asked the Federal Trade Commission on Tuesday to create a "do not track list" that would allow computer users to bar advertisers from collecting information about them.

The Consumer Federation of America and the Consumers Union also urged the FTC to bar collection of health information and other sensitive data by companies that do business on the Internet unless a consumer consents.

Source - Reuters

When all you have is a hammer, every problem looks like a nail...

UK: More RIPA Creep

Tuesday, April 15 2008 @ 01:23 PM EDT Contributed by: PrivacyNews News Section: Non-U.S. News

I previously blogged about the UK's Regulation of Investigatory Powers Act (RIPA), which was sold as a means to tackle terrorism and other serious crimes, being used against animal rights protestors. The latest news from the UK is that a local council has used provisions of the act to put a couple and their children under surveillance, for "suspected fraudulent school place applications".

Source - Schneier on Security blog

I'll be looking for details...

Germany moves ahead with computer surveillance guidelines

Tuesday, April 15 2008 @ 01:12 PM EDT Contributed by: PrivacyNews News Section: Non-U.S. News

Germany's top security and law officials agreed Tuesday to new guidelines regarding the surveillance of personal computers in cases of terrorism or other serious crimes, the Interior Ministry said.

Interior Minister Wolfgang Schaeuble and Justice Minister Brigitte Zypries agreed upon the new framework to conform with a legal ruling from the country's highest court. It was the last stumbling block in putting together new guidelines for Germany's national intelligence services, which will now be sent to the country's states for further discussion.

Source - International Herald Tribune

[From the article:

In February, Germany's Constitutional Court in Karlsruhe established the privacy of data stored or exchanged on personal computers as a basic right protected by the nation's constitution, allowing surveillance only in exceptional cases.

The court ruled online surveillance could only be used when it could be established that there was a concrete danger, such as the planning of terrorist acts or other attacks on life or freedom.

What they want is a “Bill of Wrongs”

Comcast wants 'Bill of Rights' for file-sharers, ISPs

By Peter Svensson, Associated Press

NEW YORK — Comcast, under federal investigation for interfering with the traffic of its Internet subscribers, said Tuesday it wants to develop a "Bill of Rights and Responsibilities" for file sharing.

Less than it appears at first sight?

Did DirecTV Hire Satellite Hackers To Leak Dish TV Smart Cards?

from the seems-a-bit-extreme dept

I had missed this story when it came out last week, but thanks to a reader (who prefers to remain anonymous) for sending it in. Apparently, Dish Network is suing DirecTV, claiming that DirecTV (and its parent News Corp) hired notorious satellite TV hackers to break Dish's encryption and "flood the market" with hacked smart cards. That's quite a claim, and it will be interesting to see what evidence the company has to back it up. After all, reverse engineering a product is perfectly legal -- and, indeed, DirecTV claims that's all it did. Furthermore, it seems doubly strange that DirecTV would go down this route after so thoroughly pissing off smart card hackers of all kinds a few years ago by accusing them all of stealing DirecTV signals with almost no evidence, and then pushing many to pay up to avoid a lawsuit. It's also hard to see what the real benefit to DirecTV is of such a plan. Making it easier to get Dish for free shouldn't increase DirecTV's market at all. One would hope that Dish actually has some serious evidence to go along with these claims.

Advertising on the cheap?

Pirate Bay Wants IFPI To Pay Up For Danish ISP Block

from the poking-ifpi-with-a-stick dept

The folks behind the Pirate Bay certainly aren't ones to shy away from a fight. In fact, they seem to enjoy it. The latest is that they're demanding compensation from the IFPI for downtime associated with the IFPI's successful efforts to force Danish ISPs to block access to The Pirate Bay. The Pirate Bay says it will ask for a "reasonable" sum, rather than an extraordinary amount as is typical of the entertainment industry. It also says it will use any money it gets from the IFPI to fund Danish artists who want to give away their works online. While the guys at the Pirate Bay reasonably complain that the entire lawsuit between the IFPI and Danish ISPs never involved The Pirate Bay or gave the site a chance to make its own argument (despite being entirely about the site), this request for compensation may be pushing the boundaries a bit -- especially considering that even The Pirate Bay folks have admitted that the ban eventually resulted in more traffic. Perhaps they should send some money to the IFPI to thank them for all that "free" advertising.

For my Computer Security class...

Malware Analysis Course Coming to a Close

Posted by Antti @ 11:56 GMT

We've been running a course at the Helsinki University of Technology covering malware analysis and antivirus technologies.

As soon as we announced that we were running such a unique course, we received lots of questions about the material. So now we're happy to announce that all the course material from the lectures is publicly available from the course webpage.

... You can try your own skills on the homework assignments here. Do note that all the test samples available for download are harmless.

To what end? Ringtones?

April 15, 2008

NORAD/USNORTHCOM Tapes from 9/11 Posted Online

"The North American Aerospace Defense Command and the United States Northern Command have released a copy of their audio files, telephone conversations and situation room discussions, from the terrorist attacks on September 11, 2001. The files are posted on via this link.

  • "NORAD-USNORTHCOM 9-11 audio recordings – Over 100 hours of audio recordings of various military communications channels on September 11, 2001. Made available in multiple mp3 files."