Saturday, June 07, 2008

Even those who know better can be breached. I hope they had a “What to do when (not if) we get breached” guideline written...

Stanford alerts employees that stolen laptop had personal data

Saturday, June 07 2008 @ 06:07 AM EDT Contributed by: PrivacyNews News Section: Breaches

Stanford University determined yesterday that a university laptop, which was recently stolen, contained confidential personnel data. The university is not disclosing details about the theft as an investigation is under way.

The university is sending e-mails and letters to current and former employees whose personal information may be at risk, as well as posting information on the Stanford homepage at:, and notifying the media. Officials estimate that the problem could extend to as many as 72,000 people currently or previously employed by Stanford.

Source - Stanford News Service Related - Mercury News

[From the article:

Livingston said: “The university has guidelines that prohibit keeping sensitive information on unsecured computers. [At once an admission that the policy had been violated and that there was no security on the laptop. Bob] This effort will be redoubled after this incident.” [“We're gonna write even more guidelines!” Bob]

It is embarrassing to discover that you have been breached. It is worse to have an outsider (police, credit card issuers, etc.) tell you about the breach. It must be really bad when the data turns up on eBay and your investors start screaming...

Personal data of thousands compromised

Friday, June 06 2008 @ 09:02 AM EDT Contributed by: PrivacyNews News Section: Breaches

Damac Properties has launched an investigation into how thousands of its customers' personal details ended up for sale on eBay for 750 pounds ($1,466), a senior company official told on Thursday.

Ten copies of a database with personal information on over 8,000 of the Dubai-based developer's customers were put on the website on May 28.

According to the posting, the database includes information such as email addresses and phone numbers of “investors, VIPs, agents and high net worth individuals based in Dubai and across the world”.

Source -

Long post (for this blog) pointing out some of the unanswered questions about this breach. Perhaps WellPoint has learned too much from TJX?


Unanswered questions for WellPoint and Congress (commentary)

On April 7, exposed two previously unreported incidents involving WellPoint, Inc. The story was not the end of that site’s investigation, however, and subsequent statements by their spokespeople and a notification by UniCare’s lawyers to the New Hampshire Department of Justice only raised additional questions about what happened and why.

... These were WellPoint’s third and fourth incidents involving unencrypted files since October 2006. While WellPoint is not the only HIPAA-covered entity to experience breaches involving unencrypted data or breaches involving contractors, the four incidents of theirs that we know about comprise millions of records and affected approximately 400,000 people (or more). If the largest commercial health insurance company can keep experiencing problems in securing the privacy and security of our data, how is the public to have trust in the system?

This isn't the first state to run into this problem. Makes you wonder how the licenses were issued in the first place. If this problem is common in all 50 states, there could be thousands of illegal aliens in this country with driver's licenses!

BMV suspends license revocation letters

Saturday, June 07 2008 @ 06:06 AM EDT Contributed by: PrivacyNews News Section: REAL ID

Thousands of Indiana residents who lost their driving privileges appeared to win a reprieve Friday when judges temporarily blocked the state from revoking licenses that don’t match Social Security records.

The Indiana Court of Appeals granted a preliminary injunction staying the Indiana Bureau of Motor Vehicles’ invalidation of driver’s licenses or identification cards on the sole basis of mismatched records while a lawsuit challenging the policy works itself through appeals.

Source -

[From the article:

Falk said the state policy affects not only the plaintiffs’ legal right to drive but also their family lives, ability to support themselves, access to federal buildings and even their right to vote, given the U.S. Supreme Court’s April decision upholding an Indiana law requiring government-issued photo IDs at the ballot box.

“The impact is fairly broad,” Falk said.

We knew this was coming, but wasn't there a promise that it would be done openly and only to replace frisking travelers?

Full Body Scanners Installed In 10 US Airports

Posted by Soulskill on Saturday June 07, @12:00AM from the too-cheap-to-hire-superman dept.

Lapzilla brings word that airports around the US are beginning to use a new type of body-scanning machine which records pictures of travelers underneath their clothing. The process takes roughly 30 seconds, and the person viewing the pictures is located in a separate room. We've discussed similar scanners in the past. From USAToday:

"[Barry Steinhardt, head of the ACLU technology project] said passengers would be alarmed if they saw the image of their body. 'It all seems very clinical and non-threatening -- you go through this portal and don't have any idea what's at the other end,' he said. Passengers scanned in Baltimore said they did not know what the scanner did and were not told why they were directed into the booth. Magazine-sized signs are posted around the checkpoint explaining the scanners, but passengers said they did not notice them."

I guess we know who wrote this...

Leaked ACTA Treaty to Outlaw P2P?

Posted by ScuttleMonkey on Friday June 06, @05:37PM from the coming-at-you-from-every-side dept.

miowpurr writes to tell us that a draft of the ACTA (Anti-Counterfeiting Trade Agreement) has been posted on Wikileaks. Among others, Boing Boing's Cory Doctorow has weighed in on the possible ramifications of this treaty.

"Among other things, ACTA will outlaw P2P (even when used to share works that are legally available, like my books), and crack down on things like region-free DVD players. All of this is taking place out of the public eye, presumably with the intention of presenting it as a fait accompli just as the ink is drying on the treaty."

Related I'll repeat my forecast that cable monopolies need to be eliminated in favor of an independent (city/state owned?) “connection service” that reaches every house and is open to anyone for a nominal fee.

Is Streaming Video the Real Throttling Target?

Posted by Soulskill on Friday June 06, @07:08PM from the don't-give-them-too-much-credit dept. Networking Communications Media The Internet

snydeq writes

"Responding to legal pressure over its throttling of P2P traffic and other dubious practices, Comcast says it will now punish the most abusive users rather than particular applications. Yet its pilot tests in Pennsylvania and Virginia, which would 'delay traffic for the heaviest users of Internet data without targeting specific software applications,' raise greater concerns over net neutrality, ones that belie a potential preemptive strike against the cable company's chief future competition: streaming video. 'Despite the industry's constant invocation of the P2P bogeyman, at present, the largest bandwidth hog is actually streaming video,' writes Mehan Jayasuriya at Public Knowledge. 'Clearly, the emergence of online video is something that cable video providers find very threatening and by capping off bandwidth usage, they're effectively killing two birds with one stone; discouraging users from using their Internet connections for video while increasing the efficiency of the network. Is this anti-competitive? It sure seems like it.'"

For my Business Continuation class

US Website Down For Over 1 Hour

Posted by ScuttleMonkey on Friday June 06, @03:10PM from the there-goes-the-bottom-line dept. The Internet Businesses

CorporalKlinger writes

"CNET News is reporting that Amazon's US website,, has been unreachable since 10:30 AM PDT today. As of posting, visiting produces an 'Http/1.1 Service Unavailable' message. According to CNET, "Based on last quarter's revenue of $4.13 billion, a full-scale global outage would cost Amazon more than $31,000 per minute on average." Some of Amazon's international websites still appear to be working, and some pages on the US site load if accessed using HTTPS instead of HTTP."

What could possibly be better than an iPhone Software Developer's Kit?

IPhone Hacking 101: Xeni Takes One for the Team

Posted on Jun 6, 2008 03:07:44 PM

[The video is a pitch for O’Reilly’s new book, iPhone Hacks, but still interesting to see how easily the iPhone can be hacked. Bob]

When we start using Kindles for textbooks, we'll still need the ability to provide “handouts”

How to hack your Amazon Kindle to read all your ebooks and documents including .pdf, .doc, .xls, chm, .lit, etc..

By Mike on May 4, 2008

Want to hack further?

Amazon Kindle Review, Kindle Tips and Hacks (1 of 11)

Friday, June 06, 2008

This is the retail end of Identity Theft. Another car loaded with all the tools for identity theft. (Must be a shop somewhere where you can drive in and get loaded up...)

Question: Is anyone taking the victim data and tracing it back to the security breach where it was obtained? Would there be a demand for such a service?

Sheriff: Biggest identity theft bust I've ever seen; Lindale man charged

Thursday, June 05 2008 @ 05:00 PM EDT Contributed by: PrivacyNews News Section: Breaches

Smith County Sheriff J.B. Smith says it's the biggest identity theft bust he's seen in his 32 years as sheriff.

Smith County Sheriff's Deputies checked on a man sleeping in his car at Lindsey Park in Tyler Tuesday morning. When the man woke up, Sheriff Smith said he tried to drive off, but his car stalled. Smith says the man was arrested after he started a fight with deputies.

Deputies arrested 27-year-old Lucas George Cates of Lindale. Inside his car, they found nearly 500 stolen credit card numbers, fake checks and supplies to make more. They also found stolen identification, including driver's licenses, birth certificates and student ID's, from 200 people in Texas.

... Sheriff Smith said among the 500 stolen credit card numbers, 150 were from people that stayed at the Wingate Hotel in Las Colinas, a suburb of Irving.

Source - KETK

Consider this in light of the proposal to put this data online. Does the “we've been doing it for years” argument hold any weight?

Your private health details may already be online

Elizabeth Cohen writes for CNN: Jun-5-2008

Imagine my surprise when, in the course of doing research for this story, I stumbled upon my own personal health information online.

There it was in black, white, and hypertext blue. My annual mammograms; the visits to the podiatrist for the splinter in my foot; the kind of birth control I use — it was all on my health insurance company’s Web site. And that’s not all: The prescriptions drugs I use were listed on the Web site where I get my prescription drug insurance.

I had no idea this was all on the World Wide Web.

Full story – CNN

Tools & Techniques “What could possibly go wrong?” Skipper of the Titanic

NYPD Helicopter Views Faces from Miles Away

By Kim Zetter June 05, 2008 12:03:07 PM

An ubertech "verti-bird," as Fox News is calling it, is flying over the skies of Manhattan allowing police to see and recognize a face from two miles away, peer inside a building from three to four miles away, and track a suspect car from 12 miles away.

... Police insist they're only using the helicopter for legitimate law enforcement purposes in public places and would never peer inside someone's home, but privacy activists have concerns.

Tools & Techniques (Unfortunately, the site seems to have been overloaded before they were able to capture a mirror.) Interesting arguments though... If I create a pornographic image of a child from bits, am I a pornographer? If I create a similar image of a murder, am I a murderer? Would this logic make everything Hollywood does a crime?

Graphics Advances Make Identifying Real Images Difficult

Posted by timothy on Friday June 06, @09:06AM from the click-here-to-convict-your-enemy dept. The Courts Government Graphics

destinyland writes

"The FBI's geeks admitted they were nervous over computer-generated images at a recent forensics conference. In court they're now arguing that a jury 'can tell' if an image is real or computer-generated — which marks the current boundary between legal and illegal. But reporter Debbie Nathan argues that that distinction is getting fuzzy, and that geeks will inevitably make it obsolete."

Note: some of the linked (computer-generated) images may be disturbing.

[Related article from the comments:

June, 2008

Digital Forensics: How Experts Uncover Doctored Images

So what if the first trials didn't go so well – we'll just tweak it a bit and keep on trying.

Leaked Report: ISP Secretly Added Spy Code To Web Sessions, Crashing Browsers

Thursday, June 05 2008 @ 04:53 PM EDT Contributed by: PrivacyNews News Section: Internet & Computers

An internal British Telecom report on a secret trial of an ISP eavesdropping and advertising technology found that the system crashed some unsuspecting users' browsers, and a small percentage of the 18,000 broadband customers under surveillance believed they'd been infected with adware.

The January 2007 report (.pdf) -- published Thursday by the whistle blowing site Wikileaks -- demonstrates the hazards broadband customers face when an ISP tampers with raw internet traffic for its own profit. The leak comes just weeks after U.S. broadband provider Charter Communications told users it would be testing a technology similar to what's described in the BT document.

Source - Threat Level blog

As you would expect, this didn't take long...

UK: Call to prosecute BT for ad trial

Thursday, June 05 2008 @ 04:41 PM EDT Contributed by: PrivacyNews News Section: Non-U.S. News

BT should face prosecution for its "illegal" trials of a controversial ad-serving technology, a leading computer security researcher has said.

Dr Richard Clayton at the University of Cambridge made his comments after reviewing a leaked BT internal report.

The document reveals details of a 2006 BT trial with the Phorm system, which matches adverts to users' web habits.

"It's against the law of the land, we must now expect to see a prosecution," he told BBC News.

Source - BBC

Is this a “Get out of jury duty free” card?

Do geeks make good jurors in tech cases? Not always

Federal judge says too much knowledge can be a dangerous thing for a jury

By Robert McMillan, IDG News Service June 06, 2008

I'm going to predict that electronic voting will make Florida's “hanging chad” debacle seem trivial. (Later I'll predict the opposite – one way or the other I'll look brilliant!) What happens to the people who buy these machines? Are they political appointees who keep their job until they are five years dead or can we fire (and prosecute) them?

ES&S E-Voting Machines Gave Votes To A Totally Different Election

from the i'd-say-that's-a-whoops dept

You may recall last year that when we had a series of posts about the fact that e-voting companies refused to let independent security experts review their machines, we had a representative from e-voting firm ES&S show up in the comments and repeatedly berate us for not knowing what we were talking about. That individual insisted that the machines were perfectly well tested. He also insisted that elections using e-voting machines were "extremely scrutinized and very reliable." Of course, we haven't heard from that individual lately -- not since an independent review of ES&S's machines found that security was seriously lacking leading various states to quickly decertify many ES&S machines. Oops.

Reader Jose Luis Campanello writes in to point out a story we missed from last week, about how some ES&S machines used in a state primary in Arkansas didn't just screw up counting the votes, it assigned votes to a totally different election -- and those "lost" votes changed the result of the election. No one seems to have any idea how this is even possible, let alone how it happened. Somehow, I get the feeling that no representatives from ES&S will show up this time to tell us how their machines are perfectly reliable and don't need any kind of independent review. Luckily, in this case there was a voter-verified paper trail (which some insist are a bad thing), which allowed election officials to backtrack and figure out what had happened and correct the mistake. Without the paper trail, there would have been no way to have even realized this mistake happened.

Related? At least another example where testing seems to be inadequate. Will the software vendor reimburse the power company for the additional cost incurred? (Might be an interesting contract clause to ensure more care in testing.) This reads like control is so bad the plant should be shut down until competent management can be found!

Cyber Incident Blamed for Nuclear Power Plant Shutdown

By Brian Krebs Staff Writer Thursday, June 5, 2008; 1:46 PM

A nuclear power plant in Georgia was recently forced into an emergency shutdown for 48 hours after a software update was installed on a single computer. [Interesting that there were no redundant checks. Bob]

... But she said the engineer who installed the update was not aware [Translation: 1) had no clue, 2) wasn't doing his job properly Bob] that the software was designed to synchronize data between machines on both networks, or that a reboot in the business system computer would force a similar reset in the control system machine.

"We were investigating cyber vulnerabilities and discovered that the systems were communicating, [What other minor items did they “discover?” Bob] we just had not implemented corrective action prior to the automatic [shutdown]," Phillips said. She said plant engineers have since physically removed all network connections between the affected servers. [Suggesting they were installed in error? Bob]

Another reason why frequent backups are a good idea. (Comments are worth reading too)

Sneaky Blackmailing Virus That Encrypts Data

Posted by timothy on Thursday June 05, @05:57PM from the ouch-and-double-ouch dept. Security Encryption Windows Worms

BaCa writes

"Kaspersky Lab found a new variant of Gpcode which encrypts files with various extensions using an RSA encryption algorithm with a 1024-bit key. After Gpcode.ak encrypts files on the victim machine, it changes the extension of these files to ._CRYPT and places a text file named !_READ_ME_!.txt in the same folder. In the text file the criminal tells the victims that the file has been encrypted and offers to sell them a decryptor. Is this a look into the future where the majority of malware will function based on extortion?"
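The Gpcode.ak behaviour described above gives a responder two filesystem indicators to look for: files renamed with a ._CRYPT extension and a ransom note named !_READ_ME_!.txt dropped in the same folder. The script below is an added example, not code from the original post or from Kaspersky Lab; it assumes the new extension is appended to the original filename (budget.xls becomes budget.xls._CRYPT), and the function names, the constructed sample listing and the per-directory grouping are choices made for this example. It reports not only how many files were hit but also which directories have encrypted files with no note (a partially run or interrupted infection) and which have a note with nothing encrypted beside it, and it recovers the original filenames so they can be matched against the backups the commentary recommends.

```python
"""Detect Gpcode-style ransomware artifacts from a file listing.

Added example (not from the original post or from Kaspersky Lab). The two
indicators come from the Slashdot summary: a ._CRYPT extension and a ransom
note named !_READ_ME_!.txt in the same folder. The appended-extension
layout, the function names and the sample listing are assumptions.
"""
import os
from collections import defaultdict
from typing import Iterable

ENCRYPTED_SUFFIX = "._CRYPT"       # extension Gpcode.ak appends to encrypted files
RANSOM_NOTE = "!_READ_ME_!.txt"    # note dropped beside the encrypted files


def scan_listing(paths: Iterable[str]) -> dict:
    """Group indicators by directory so the blast radius is visible.

    Returns the total number of encrypted files, the directories that
    contain a ransom note, directories with encrypted files but no note
    (a partially run or interrupted infection), and notes with nothing
    encrypted beside them.
    """
    encrypted_by_dir = defaultdict(list)
    note_dirs = set()
    for path in paths:
        directory, name = os.path.split(path)
        if name == RANSOM_NOTE:
            note_dirs.add(directory)
        elif name.endswith(ENCRYPTED_SUFFIX):
            encrypted_by_dir[directory].append(name)
    encrypted_dirs = set(encrypted_by_dir)
    return {
        "encrypted_files": sum(len(v) for v in encrypted_by_dir.values()),
        "directories_with_note": sorted(note_dirs),
        "encrypted_dirs_without_note": sorted(encrypted_dirs - note_dirs),
        "notes_without_encrypted_files": sorted(note_dirs - encrypted_dirs),
    }


def original_name(encrypted_name: str) -> str:
    """Recover the pre-encryption filename from a ._CRYPT name.

    The content stays RSA-encrypted; the name is what a responder matches
    against backups to decide what can be restored.
    """
    if not encrypted_name.endswith(ENCRYPTED_SUFFIX):
        raise ValueError("not an encrypted filename")
    return encrypted_name[: -len(ENCRYPTED_SUFFIX)]


def scan_tree(root: str) -> dict:
    """Walk a real directory tree and feed every path into scan_listing."""
    def walk():
        for dirpath, _, filenames in os.walk(root):
            for fn in filenames:
                yield os.path.join(dirpath, fn)
    return scan_listing(walk())


# Constructed sample listing standing in for a victim's home directory.
SAMPLE_LISTING = [
    "/home/alice/Documents/budget.xls._CRYPT",
    "/home/alice/Documents/letter.doc._CRYPT",
    "/home/alice/Documents/!_READ_ME_!.txt",
    "/home/alice/Pictures/holiday.jpg._CRYPT",  # no note dropped here
    "/home/alice/Pictures/README.txt",          # benign file, not the ransom note
    "/home/alice/Desktop/todo.txt",
]

if __name__ == "__main__":
    report = scan_listing(SAMPLE_LISTING)
    for key, value in report.items():
        print(f"{key}: {value}")
    for path in SAMPLE_LISTING:
        name = os.path.basename(path)
        if name.endswith(ENCRYPTED_SUFFIX):
            print(f"restore from backup: {original_name(name)}")
```

Run it against a real mount with scan_tree("/path/to/volume") once the machine has been isolated; the per-directory breakdown is what tells you whether the encryptor finished or was interrupted, which in turn decides which backups need to be pulled.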

Legal Hacking? Could this study be a defense against the RIAA? Certainly it should make a judge question the accuracy of their complaints.

How To Frame a Printer For Copyright Infringement

Posted by timothy on Thursday June 05, @02:34PM from the point-the-finger-point-it-well dept. The Internet The Courts

An anonymous reader writes

"Have you ever wondered what it takes to get 'caught' for copyright infringement on the Internet? Surprisingly, actual infringement is not required. The New York Times reports that researchers from the computer science department at the University of Washington have just released a study that examines how enforcement agencies monitor P2P networks and what it takes to receive a complaint today. Without downloading or sharing a single file, their study attracted more than 400 copyright infringement complaints. Even more disturbing is their discovery that illegal P2P participation can be easily spoofed; the researchers managed to frame innocent desktop machines and even several university printers, all of which received bogus complaints."

Hacking the cube

Rubik's Cube Algorithm Cut Again, Down to 23 Moves

Posted by timothy on Thursday June 05, @07:08PM from the at-this-rate-one-will-soon-be-enough dept. Math Puzzle Games (Games) Games

Bryan writes

"The number of moves necessary to solve an arbitrary Rubik's cube configuration has been cut down to 23 moves, according to an update on Tomas Rokicki's homepage (and here). As reported in March, Rokicki developed a very efficient strategy for studying cube solvability, which he used to show that 25 moves are sufficient to solve any (solvable) Rubik's cube. Since then, he's upgraded from 8GB of memory and a Q6600 CPU, to the supercomputers at Sony Pictures Imageworks (his latest result was produced during idle-time between productions). Combined with some of Rokicki's earlier work, this new result implies that for any arbitrary cube configuration, a solution exists in either 21, 22, or 23 moves. This is in agreement with informal group-theoretic arguments (see Hofstadter 1996, ch. 14) suggesting that the necessary and sufficient number of moves should be in the low 20s. From the producers of Spiderman 3 and Surf's Up, we bring you: 2 steps closer to God's Algorithm!"

Hacking toys..

How to Turn a PlayStation 3 Into a Linux PC

Posted by timothy on Thursday June 05, @11:58PM from the sleek-box-of-ubuntu dept. Operating Systems PlayStation (Games) Upgrades Games Hardware Linux

MahariBalzitch writes

"Popular Mechanics shows step by step guide on how to install Ubuntu Linux on a PlayStation 3 and still keep the PS3 gaming functionality. Now I just need to get my hands on a PS3."

Not bad specs for the price, either, since Blu-Ray players still aren't cheap. And though the article calls the procedure "somewhat complicated," it's a lot simpler than installing Linux from floppies was not so many years ago.

Hacking the magazine stand. (There were several variations of this article, this seems to be the easiest to follow...)

Read popular magazines on your PC for free

Published May 30th, 2008 in Money Saving Tips.

Amit Agarwal at Digital Inspiration shares a very simple hack that allows you to read a few popular magazines for free in digital format. The titles include Popular Mechanics, US News, Car and Driver, Macworld, Readers Digest, Penthouse, Playboy and a few more names.

The hack is based on the fact that Zinio Labs allows iPhone owners to browse these magazines for free from their phones. Ordinary folks without an iPhone can enjoy the same privilege if they convince Zinio they are using the phone. How is that possible? In fact pretty simple. Switch the browser user agent settings and make the Zinio web server think you are running a different browser brand/version than you really are, a trick very similar to referrer spoofing used for free access to the WSJ.

Thursday, June 05, 2008

Is “how big” really an important issue in breach disclosure?

Exclusive: AT&T notifies employees of laptop theft

Wednesday, June 04 2008 @ 08:12 AM EDT Contributed by: PrivacyNews News Section: Breaches has learned that a laptop containing an unencrypted file with names, Social Security numbers and salary and bonus payments for AT&T management employees was stolen from an employee's vehicle on May 15. No customer or client data were on the stolen laptop. The extent of the breach is currently unknown as AT&T repeatedly declined to disclose the number of employees affected "as a matter of policy."

AT&T also declined to divulge the location of the theft because law enforcement is still investigating and the company does not want to alert the thief that the laptop contains personal information. As of today, the laptop has not been recovered, but AT&T believes that the theft was a random theft for the hardware and not for the data.

Employees were first alerted to the theft on the evening of May 22nd by email from Bill Blase, Senior Executive Vice President - Human Resources. In a letter (page 1 of 2) and companion Q&A (.doc) provided the following day, AT&T indicated that the laptop was password-protected but that security protocols had not been followed. [Interesting that they give employees an option... Bob] AT&T spokesperson Walt Sharp confirmed to that the data should have been encrypted but had not been. The employee in question was disciplined by the company, but no further details were provided.

When asked whether the employees were all from one geographic area or location, Sharp replied that the employees were spread out across AT&T's locations.

AT&T is offering free credit monitoring to those affected, and states that it is reminding employees of their responsibilities to protect personal data. The telecom also says that it is "in the process of encrypting devices," but that may be small comfort to those whose data were on the stolen laptop.

"I'm very disappointed in my company," said one affected employee. "Eight days passed before we were notified. And, it took up to another ten days to be informed about requesting a fraud alert and to be given instructions for signing up for credit watch. It is pathetic that the largest telecom company (based on revenue) in the world doesn't encrypt basic personal information. I receive company internal emails reminding me to contact our legislators about relieving the company of the burdens of regulation. What happened here shows the company isn't ready to have those burdens lifted."

“Dude, we gotta work at our own pace!”

Ca: 32,000 farmers' data on stolen laptop

Thursday, June 05 2008 @ 06:22 AM EDT Contributed by: PrivacyNews News Section: Breaches

It took more than two months for a federal government agency to alert 32,000 farmers, including 7,000 Manitobans, that their private information was in unknown hands after a laptop was stolen.

... Although the theft happened March 30, Canadians weren't sent letters until last week informing them their social insurance numbers, bank account numbers and other data had been stored on a laptop stolen from the Canadian Canola Growers Association (CCGA).

Source - Winnipeg Free Press

[From the article:

The laptop was password-protected and secured with biometric fingerprinting, said CCGA general manager Rick White, but the data was not encrypted. He said the organization is now encrypting computer data in light of the theft. [They had months (years) to get this practice in place before the theft – now they've implemented it in mere weeks? Bob]

Is this the first “hardware virus?” Could China eventually use this technology to print robot spies anywhere they want? (Think miniature Mars rovers)

Machine Prints 3D Copies Of Itself

Posted by samzenpus on Thursday June 05, @07:57AM from the breed-like-robots dept. Robotics Technology

TaeKwonDood writes

"Automated machines have been around for decades. They have basically been dumb devices that do simple assembly tasks. But RepRap takes that a step further because, instead of assembling pre-fabricated parts, it creates 3-D objects by printing them — squirting molten plastic in layers — and then building them up as the plastic solidifies. It works on coat hooks, door handles and now it can even make working copies ... of itself. The miracle of additive fabrication, coming soon to a robotic overlord near you."

Because we can, we must. (Also known as the “Stand back! I've got my hands on technology and I know how to mis-use it!” syndrome.)

Study secretly tracks cell phone users outside US

Wednesday, June 04 2008 @ 01:27 PM EDT Contributed by: PrivacyNews News Section: Surveillance

Researchers secretly tracked the locations of 100,000 people outside the United States through their cell phone use and concluded that most people rarely stray more than a few miles from home.

The first-of-its-kind study by Northeastern University raises privacy and ethical questions for its monitoring methods, which would be illegal in the United States.

Source -

[From the article:

The study, published Thursday in the journal Nature, opens up the field of human-tracking for science and calls attention to what experts said is an emerging issue of locational privacy.

... They started with 6 million phone numbers and chose the 100,000 at random to provide "an extra layer" of anonymity for the research subjects, he said. [So... They could have studied all 6 million? Bob]

Barabasi said he did not check with any ethics panel. Hidalgo said they were not required to do so because the experiment involved physics, not biology.

Looks like we are applying what we learned in Baghdad domestically...

June 4, 2008

Police to Seal Off D.C. Neighborhoods

Can you say Police State? The Examiner has the scoop on a controversial new program announced today that would create so-called "Neighborhood Safety Zones" which would serve to partially seal off certain parts of the city. D.C. Police would set up checkpoints in targeted areas, demand to see ID and refuse admittance to people who don't live there, work there or have a “legitimate reason” to be there.

Several questions occur: Is this a bump that will fade with time? Is there a correlation between 'abstainers' and IQ? Will abstentions become probable cause?

Data Retention Proven to Change Citizen Behavior

Posted by samzenpus on Wednesday June 04, @10:04PM from the I-always-feel-like-somebody's-watching-me dept. Government Privacy

G'Quann writes

"A new survey shows that data retention laws indeed do influence the behavior of citizens (at least in Germany). 11% had already abstained from using phone, cell phone or e-mail on certain occasions and 52% would not use phone or e-mail for confidential contacts. This is the perfect argument against the standard 'I have nothing to hide' argumentation. Surveillance is not only bad because someone might discover some embarrassment. It changes people. 11% at least."

Questions: Is the “Factual Declaration of Innocence” an indication that the presumption of innocence is no longer in force and now we need proof of innocence?

Alaska's Personal Information Protection Act

Wednesday, June 04 2008 @ 04:22 PM EDT Contributed by: PrivacyNews News Section: State/Local Govt.

For the past four years we have worked together with other legislators in a true bipartisan effort to pass legislation to protect the identity of individual Alaskans. In the modern world of electronic commerce and massive databases, it is now commonplace to read headlines detailing the latest data breach and steps that can be taken by people to protect themselves. However, as the concern by Alaskan consumers grew, it became increasingly apparent that Alaska laws lagged behind most states when it came to personal information protection. With that in mind we set out to develop a solution to help you better protect yourself. These efforts resulted in the passage of House Bill 65 this year, and Alaska is now poised to become a leader in protecting individuals' personal information while allowing modern commerce to continue.

Source - Sen. Gene Therriault & Rep. John Coghill

Was that ever the primary intent? I thought it was to allow the victims some notice before their credit went south?

Researchers say notification laws not lowering ID theft

Thursday, June 05 2008 @ 06:14 AM EDT Contributed by: PrivacyNews News Section: Breaches

Over the past five years, 43 U.S. states have adopted data breach notification laws, but has all of this legislation actually cut down on identity theft? Not according to researchers at Carnegie Mellon University who have published a state-by-state analysis of data supplied by the U.S. Federal Trade Commission (FTC).

"There doesn't seem to be any evidence that the laws actually reduce identity theft," said Sasha Romanosky, a Ph.D student at Carnegie Mellon who is one of the paper's authors.

Source - Computerworld Related - Do Data Breach Disclosure Laws Reduce Identity Theft? [pdf]

Related? (Or am I just trying to look smart by quoting a Harvard working paper?)

Coming Clean and Cleaning Up: Is Voluntary Disclosure a Signal of Effective Self-Policing?

Published: June 4, 2008 Paper Released: May 2008 Authors: Michael W. Toffel and Jodi L. Short

Is this “caving in?”

Amazon collecting sales tax from New York customers

09:59 PM CDT on Monday, June 2, 2008 By MARIA HALKIAS / The Dallas Morning News is giving up its sales tax advantage in New York temporarily, while its edge in Texas continues to be investigated.

Is this an indication that activity in the identity spoofing (what would you call it?) area is heating up?

EFF Asks Judge to Block Unmasking of MySpace User

Thursday, June 05 2008 @ 06:19 AM EDT Contributed by: PrivacyNews News Section: In the Courts

The Electronic Frontier Foundation (EFF) asked a judge in Illinois Wednesday to reject an attempt to identify an anonymous MySpace user who allegedly posted fake profiles of an Illinois official because the request would violate both the First Amendment and federal statute.

In May, Cicero Town President Larry Dominick asked a Cook County Circuit Court judge to order the disclosure of the identities of the author of two MySpace profiles that allegedly included defamatory comments and unnamed privacy violations. In its amicus brief, however, EFF argues that the petition violates the First Amendment right to remain anonymous until a litigant can demonstrate a viable legal claim.

Source - EFF

Also good for creating logos that look like coats of arms? (White hat over crossed computers?) - Make Your Own Coat Of Arms

Make Your Coat of Arms is a site that allows you to do just that.

If you are interested in learning more about family crests and coats of arms, Make Your Coat of Arms offers an E-course you can take on the site to help give you more information.

You can have your coat of arms printed on a wide selection of merchandise from pet apparel to stationery.

A cute little hack...

How to Sneakily Read Books at Work [Awesome Website!] — The folks at the New Zealand Book Council have created a truly ingenious way to read more at work. Read At Work turns your desktop into a full screen, realistic PC looking desktop with folders, start button, recycle bin, the works. All the folders contain writings of famous authors and New Zealand locals. Your boss won't know you're reading a book!

Very cool! Something for my web site class, but you should at least give it a look. So easy even I can do it!

BeFunky helps people turn their offline personalities into powerful online visual expressions.

• Cartoonizer - an online application that allows users to turn images and videos into digital paintings, cartoons and comics.

• Uvatar – a digital visual identity tool that takes the avatar concept to an extraordinary new level by letting users create a more accurate digital representation of themselves.

At last, my blog has found a home! A tool for multi-taskers?

RSStroom Reader shows where you think blogs belong

Wednesday, June 04, 2008

I've found all of their publications to be interesting and worth reading.

Lack of basic privacy and security measures causing major data breaches, Privacy Commissioner says

Tuesday, June 03 2008 @ 11:08 AM EDT Contributed by: PrivacyNews News Section: Non-U.S. News

Too many data breaches are occurring because companies have ignored some of the most basic steps to protect personal information, says the Privacy Commissioner of Canada, Jennifer Stoddart.

The Commissioner's 2007 Annual Report on the Personal Information Protection and Electronic Documents Act (PIPEDA) was tabled today in Parliament.

Source - CNW Group

Related - Annual Report to Parliament 2007 — Report on the Personal Information Protection and Electronic Documents Act [pdf]

[From the article:

"Too often, we see personal information compromised because a company has failed to implement elementary security measures such as using encryption on laptops."

[and a passage from the PDF I just couldn't resist:

Not so long ago, a group of executives was debating the merits of delaying an upgrade of their company’s out-of-date computer security system.

One of them cautioned his colleagues in an e-mail:

It must be a risk we are willing to take for the sake of saving money and hoping we do not get


Those words were prescient.

They were written by a vice-president at TJX – a name which has become synonymous with data breach. The e-mail was released during legal proceedings against TJX.

Just a thought, but if you are the victim of identity theft, what are the odds that you have received a notice from someone – perhaps several someones, recently?

UnitedHealthcare data breach leads to ID theft at UC Irvine

Tuesday, June 03 2008 @ 05:54 PM EDT Contributed by: PrivacyNews News Section: Breaches

A data breach at United Healthcare Services Inc. has led to a rash of identity-theft crimes at the University of California, Irvine.

To date, 155 graduate and medical students at the school have been hit by the scam, in which criminals file false tax returns in the victim’s name and then collect their tax refunds. The breach affects 1,132 graduate students who were enrolled with the university’s graduate student health insurance program in the 2006-07 school year, said Cathy Lawhon, the university’s media relations director.

UC Irvine police and IT staff have been investigating the crime for several months, she said.

Source - ComputerWorld

You don't have to be a TJX to get hit this way – just bad at security.

Police investigate online thefts at Oregon State bookstore

Tuesday, June 03 2008 @ 06:22 PM EDT Contributed by: PrivacyNews News Section: Breaches

Oregon State officials say credit card scammers may have defrauded 4,700 online customers of the school's bookstore.

... State Police Lieutenant Jeff Lanz says the security breach appears to have originated outside the university, but where is unknown.

Source - kgw

[From the article:

Phone calls and e-mails started flooding into the bookstore from customers who noticed suspicious charges on their credit cards immediately after they'd placed online orders.


Oops! Verizon Sells 12,500 Unlisted Phone Numbers And Addresses

Tuesday, June 03 2008 @ 06:26 PM EDT Contributed by: PrivacyNews News Section: Breaches

Verizon announced last week that they accidentally sold over 12,500 private addresses and phone numbers to a phone book company in West Virginia. "We certainly apologize to those customers whose numbers were published. ... We're taking accountability for that," said a Verizon spokesman. Translation: they're calling customers to let them know what happened, offering to change their phone numbers for free, and offering to pay the fee to have an unlisted number ($1.98 a month) for a year. Since this is the second time Verizon has made this mistake in the past four years, we wonder if "accountability" can also include taking steps to find out how the numbers keep getting offered up for sale.

Source - The Consumerist

Remember. This is the bank that didn't know how many accounts were compromised. That's another way of saying you don't know how many are safe. Expensive, isn't it?

Indiana Bank’s Debit Card Breach Underscores Issuer Vulnerability (1st Source update)

Tuesday, June 03 2008 @ 03:04 PM EDT Contributed by: PrivacyNews News Section: Breaches

South Bend, Ind.-based 1st Source Bank is reissuing its entire portfolio of debit cards after a hacker or hackers broke into a bank server containing debit card data. No fraud has been discovered as a result of the intrusion, a bank executive tells Digital Transactions News.

The $4.5-billion-asset bank with 79 branches in northern Indiana and southern Michigan began alerting customers last month after an outside monitoring service it uses noticed on May 12 an unusual flow of data from a bank server containing debit card data, says James Seitz, senior vice president of consumer and electronic banking. “We immediately saw that and shut it down,” says Seitz.

... In addition to monitoring debit card transactions as they come through, the bank has “shut some things down, and we’re working with all of our vendors to strengthen our systems,” says Seitz. He adds that he couldn’t comment [Something else they don't know? Bob] about the state of the bank’s compliance with the Payment Card Industry data-security standard, or PCI.

Source - Digital Transactions

[From the article:

They did, however, get Track 2 data contained on magnetic stripes, including account numbers, according to Seitz, as well as PINs in at least some cases.

Networking for fun and profit. Not every “contact” is your friend...

Nigerian 419 Advance Fee Scammers Move To... LinkedIn?

from the suckers,-suckers-everywhere dept

It still seems difficult to believe that anyone falls for those "Nigerian" advance fee 419 scams, but time and time again we read about smart people who should know better who fall for them. And reports come in about just how much money these scams make. And, the really amazing thing, is that many of the victims are so convinced by the scam that even after it's all revealed, and they've lost all their money, they still believe the scammer's story. However, times are getting harder to convince people about these scams over unsolicited email, so apparently they're starting to move onto social networks, including business social networks like LinkedIn. Perhaps I just use LinkedIn in a very different manner than most people, but I find it hard to believe that if some random unknown person suddenly "connected" to you on LinkedIn and offered you a cut of a multi-million dollar stash, you wouldn't be suspicious.

Sort of a “What's hot and what's not” for lawyers?

June 03, 2008

New Resource Displays All U.S. Statutes Cited by Federal Prosecutors as Primary Charge in Prosecutions and Convictions

"TRAC [Transactional Records Access Clearinghouse, Syracuse University] has just added a unique new feature for displaying all the U.S. statutes cited by federal prosecutors as the primary charge in their prosecutions and convictions. For every law, there are case counts and the full text of the relevant statute, according to Congress. In addition, for those laws with a sufficient number of matters, there are links to exclusive TRAC reports on the prosecutions and convictions under the selected statute, as well as a link to a U.S. map showing the geographic distribution of convictions across the country. For free direct access to this new service, go to"

When fans become stalkers...

Paris Hilton & Lindsay Lohan Private MySpace Photos Exposed Through Yahoo Hack

Tuesday, June 03 2008 @ 11:06 AM EDT Contributed by: PrivacyNews News Section: Breaches

Everyone has a MySpace profile, and that includes celebrities, but due to privacy settings not everyone's profile is viewable to the general public. That, however, is apparently not the case as Canadian computer technician Byron Ng has discovered a security hole in Yahoo's integration with MySpace that makes it easy to view the photos for any profile.

To prove this was able to be done, Ng snagged some photos from both Lindsay Lohan and Paris Hilton's MySpace profiles.

Source - Cleveland Leader

[From the article:

Check out the full batch of photos snagged here at Valleywag.

And if you're looking to sneak a peek at your favorite celebrity's private photos, or your secret crush or enemies, Ng has posted instructions on how to take advantage of the security hole. But act fast because MySpace and Yahoo are sure to patch it up soon.

Related: How “public” a figure must you be to be “fair game” for parody?

Fake Online Profiles Trigger Suits

Tresa Baldas The National Law Journal June 2, 2008

Phony profiles on social networking sites like MySpace and Facebook are triggering lawsuits by school officials and public figures who claim that their reputations are being damaged online.

Specifically, plaintiffs are suing individuals who are creating fake profiles of them, replete with derogatory comments, obscenities, unflattering photographs and, in some cases, sexually offensive information.

Related? Being the best (or at least well known) brings this kind of attention.

Hacker Hijacks Website of Hacking Tool Maker

By Ryan Singel June 02, 2008 6:24:53 PM

Being one of the baddest security researchers on the net can't be an easy job.

Take H D Moore, the creator of Metasploit Framework -- a widely-used open-source tool which hackers and developers alike use to find vulnerabilities in remote servers.

Good to see that someone understands that the IT world is changing.

IT Certifications Declining in Value

By Deb Perelman 2008-06-03

... David Foote, whose management consultancy Foote Partners has been tracking the value of IT certifications for years, argues that a shift away from certifications has to do with a shift away from purely technical roles in the IT department.

"Certifications were created by vendors to sell products. Once people were trained, these companies ended up with all of these specialists out there that didn’t work for them but advocated for them," said Foote.

Do you suppose this is related to the new iPhone (Getting ready for all those new features?)

.Mac mail down, speculations abound

Posted Jun 2nd 2008 9:00PM by Cory Bohon

Filed under: Internet, Internet Tools, .Mac

If you're a .Mac mail user, then you probably know that .Mac's mail system has been down for almost 6 hours. According to the .Mac system status, 100% of users are experiencing the problems.

Tuesday, June 03, 2008

How can you tell when you have an easier target than TJX? The lawyers start duking it out before they get to court.

Lawyers Vie To Lead Suit Over Hannaford Breach

Monday, June 02 2008 @ 12:53 PM EDT Contributed by: PrivacyNews News Section: Breaches

Nearly two dozen lawsuits arising from a computer security breach at Hannaford Bros. Co. are likely to be consolidated into a single class-action, with two competing groups of law firms vying to lead the case.

Source - WCSH

Too small to be interesting, except for the following article.

UK: Children find secret bank files in street

Monday, June 02 2008 @ 04:51 PM EDT Contributed by: PrivacyNews News Section: Breaches

An investigation is under way after bank details of Wigan customers were found dumped in Cheshire. The confidential 60-page sheaf of A4 documents, featured lists of customers of high street bank HSBC.

Among the information contained in the papers were credit card applications and overdraft review dates, photocopies of a passport, driving licences, a marriage certificate, bank account sort codes and account numbers.

Source - Wigan Today

This breach was from last week. Props to The Breach Blog for catching what we missed.

Simultaneous “discoveries” in both the UK and Canada? Perhaps this is a new bank policy?

Ca: Bag of HSBC client info found on side of the road

Monday, June 02 2008 @ 02:01 PM EDT Contributed by: PrivacyNews News Section: Breaches

A Richmond Hill man was driving in his neighbourhood Saturday night when he spotted a bank bag full of cancelled cheques on the side of the road.

He took the bag to a police station after a quick peek inside revealed the personal information of hundreds of bank customers.

Source -

...and this is even before employees start trading their laptops for iPhones in huge numbers!

Smart Phones "Bigger Security Risk" Than Laptops

Posted by kdawson on Monday June 02, @08:46PM from the low-hanging-fruit dept. Security IT

CWmike writes

"A recent survey of 300 senior IT staff found that 94% fear PDAs present a security risk, surpassing the 88% who highlighted mobile storage devices as a worry. Nearly eight in 10 said laptops were an issue. Only four in 10 had encrypted data on their laptops, and the remainder said the information was 'not worth' protecting. A key danger with PDAs was that over half of IT executives surveyed were 'not bothering' to enter a password when they used their phone. A VP at the company that performed the survey said: 'Companies need to regain control of these devices and the data that they are carrying, or risk finding their investment in securing the enterprise misplaced and woefully inadequate.' Is this just iPhone fear-mongering? Do you think the passwords execs could remember would help with securing PDAs and smart phones?"

We have the technology so we must use it in the most annoying way possible.

UK: 'We need your fingerprints if you want to pick up your children,' nursery tells parents

Tuesday, June 03 2008 @ 06:38 AM EDT Contributed by: PrivacyNews News Section: Non-U.S. News

A nursery has told parents and staff they will need to use a fingerprint scanner to gain access to the building.

They must press their finger on to an electronic pad every time they arrive at one of two private nurseries in Kent.

The door will only open if they are on the biometric database.

Critics have condemned the use of such technology in a nursery. They warned that children will grow up thinking it is normal to provide a fingerprint to get into a building - without appreciating the dangers of a surveillance society.

Source - Daily Mail

Does this mean I can't wear my Yosemite Sam T-shirt?

Page last updated at 14:19 GMT, Monday, 2 June 2008 15:19 UK

Gun T-shirt 'was a security risk'

A man wearing a T-shirt depicting a cartoon character holding a gun was stopped from boarding a flight by the security at Heathrow's Terminal 5.

Brad Jayakody, from Bayswater, central London, said he was "stumped" at the objection to his Transformers T-shirt.

Mr Jayakody said he had to change before boarding as security officers objected to the gun, held by the cartoon character.

... A BAA spokesman said there was no record of the incident and no "formal complaint" had been made.

"If a T-shirt had a rude word or a bomb on it, for example, a passenger may be asked to remove it," he said.

"We are investigating what happened to see if it came under this category.

"If it's offensive, we don't want other passengers upset."

Killing Gutenberg: Will this technology doom publishers or only printers?

Electronic Device Stirs Unease at Book Fair

By EDWARD WYATT Published: June 2, 2008

LOS ANGELES — Is the electronic book approaching the tipping point?

That topic both energized and unnerved people attending BookExpo America, the publishing and bookselling industry’s annual trade show, which ended at the convention center here on Sunday.

Much of the talk was focused on the Kindle, Amazon’s electronic reader, which has gained widespread acclaim for its ease of use. Jeffrey P. Bezos, the founder and chief executive of Amazon, spent much of a packed session on Friday evangelizing about the Kindle, which he said already accounts for 6 percent of his company’s unit sales of books that are available in both paper and electronic formats.

Another industry is doomed...

Google to Offer Real-Time Stock Quotes

Posted by kdawson on Monday June 02, @10:38PM Google The Almighty Buck

Apro+im writes

"Today, Google announced that Google Finance will report real-time prices on NASDAQ-listed securities. While real-time stock quotes are not new, they have long been encumbered with subscriptions, legal agreements, or pay software. This may be the first free source for real-time quotes."

Speaking of Google, something for the geeks! Very Cool!

goosh, the Unofficial Google Shell

Posted by kdawson on Monday June 02, @07:26PM from the land-a-gooshen dept. Software Google The Internet

ohxten writes

"Stefan Grothkopp has come up with a pretty neat tool called goosh. It's essentially a browser-oriented, shell-like interface that allows you to quickly search Google (and images and news) and Wikipedia and get information in a text-only format. This is quite possibly the coolest thing I've seen in a good while."

The whole world is moving into the cloud.

Adobe Launches Online Office Suite and New Flash-Enabled Acrobat 9

Written by Sarah Perez / June 1, 2008 9:01 PM / 11 Comments

Back in March, we said Adobe was slowly building an online empire. Today, that news turns out to be true. Adobe has just launched their version of an online office suite available at, complete with word processor (Buzzword), web conferencing/whiteboard app (ConnectNow), online file sharing (Share), file storage, (My Files), and PDF converter. To complement this launch, Adobe has also announced a brand-new version of Adobe Acrobat, Acrobat 9, the biggest release since the initial one that introduced Acrobat to the world. The remarkable change in this new version is that Adobe is now incorporating Flash into the PDF experience.

Of course it works, it's digital after all...

Hiding Packets in VoIP Chat

Posted by CmdrTaco on Monday June 02, @12:40PM from the because-you-can dept. Security Encryption

holy_calamity writes

"Two Polish researchers say they have developed a system to hide secret steganographic messages in the packets of a VOIP connection. It exploits the fact VOIP uses UDP, not TCP; it is designed to tolerate some packets going missing so hijacking a few to transmit a hidden message is not a problem."

You may also be interested in reading the original paper.

For my hackers... Interesting stuff!

Creating malicious PDF files

Posted by Mikko @ 19:46 GMT

Yesterday's post discussed a mystery PDF file that was boobytrapped to drop a backdoor.

Today we'll look at how these documents are created.

The apparent purpose of this tool is to create trojanized PDF files. You select which EXE you want to embed, which PDF file you want to trojanize and which platform you expect the victim to be using.

Cool. Now, the real question is this: How on earth did we get our hands on such a tool?

You'd never guess it.

We received it inside a trojanized PDF file.

Here's what we believe happened:
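
A defender-side counterpart to the trojanizing tool described above, added here as an example and not F-Secure's code or the tool itself: it walks a PDF's objects, inflates FlateDecode streams and flags any that begin with a Windows, ELF or Mach-O executable header, alongside launch-related name tokens. The PDF bytes, the fake PE image and the dropped.exe name are constructed inline for the demonstration.

```python
import re
import struct
import zlib

# Name tokens that dropper PDFs tend to use; a triage signal, not proof of malice.
RISKY_NAMES = (b"/EmbeddedFile", b"/Launch", b"/JavaScript", b"/JS",
               b"/OpenAction", b"/AA", b"/RichMedia")
OBJ_RE = re.compile(rb"(\d+)\s+(\d+)\s+obj(.*?)endobj", re.S)
STREAM_RE = re.compile(rb"stream\r?\n(.*?)\r?\nendstream", re.S)


def iter_objects(data):
    """Yield (object number, dictionary bytes, stream body or None) per object."""
    for m in OBJ_RE.finditer(data):
        num, body = int(m.group(1)), m.group(3)
        s = STREAM_RE.search(body)
        if s is None:
            yield num, body, None
        else:
            yield num, body[:s.start()], s.group(1)


def decode_stream(dictionary, body):
    """Apply FlateDecode when declared; a truncated stream yields its decodable prefix."""
    if b"/FlateDecode" not in dictionary:
        return body
    try:
        return zlib.decompressobj().decompress(body)
    except zlib.error:
        return b""


def classify_payload(payload):
    """Return 'pe', 'elf' or 'macho' when the bytes begin with that executable header."""
    if payload.startswith(b"MZ") and len(payload) >= 0x40:
        pe_off = struct.unpack_from("<I", payload, 0x3C)[0]   # e_lfanew
        if payload[pe_off:pe_off + 4] == b"PE\x00\x00":
            return "pe"
    if payload.startswith(b"\x7fELF"):
        return "elf"
    if payload[:4] in (b"\xfe\xed\xfa\xce", b"\xfe\xed\xfa\xcf", b"\xce\xfa\xed\xfe", b"\xcf\xfa\xed\xfe"):
        return "macho"
    return None


def scan_pdf(data):
    """Report risky name tokens and (object number, format) of embedded executables."""
    found = [n.decode() for n in RISKY_NAMES if n in data]
    executables = []
    for num, dictionary, body in iter_objects(data):
        if body is None:
            continue
        kind = classify_payload(decode_stream(dictionary, body))
        if kind:
            executables.append((num, kind))
    return {"risky_names": found, "embedded_executables": executables}


def fake_pe_image():
    """Constructed stand-in for a Windows executable: an MZ stub whose e_lfanew
    points at a PE signature. Not a runnable binary."""
    img = bytearray(b"MZ" + b"\x00" * 0x3E)
    struct.pack_into("<I", img, 0x3C, 0x40)
    return bytes(img) + b"PE\x00\x00" + b"\x00" * 60


def build_pdf(payload=None):
    """Constructed sample PDF; with a payload it gains an /EmbeddedFile and a /Launch action."""
    text = zlib.compress(b"BT /F1 12 Tf 72 720 Td (hello) Tj ET")
    objects = [
        b"1 0 obj << /Type /Catalog /Pages 2 0 R %s>> endobj"
        % (b"/OpenAction 5 0 R " if payload else b""),
        b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj",
        b"3 0 obj << /Type /Page /Parent 2 0 R /Contents 4 0 R >> endobj",
        b"4 0 obj << /Filter /FlateDecode /Length %d >>\nstream\n" % len(text)
        + text + b"\nendstream\nendobj",
    ]
    if payload:
        data = zlib.compress(payload)
        objects += [
            b"5 0 obj << /S /Launch /F (dropped.exe) >> endobj",   # hypothetical file name
            b"6 0 obj << /Type /EmbeddedFile /Filter /FlateDecode /Length %d >>\n"
            % len(data) + b"stream\n" + data + b"\nendstream\nendobj",
        ]
    return b"%PDF-1.4\n" + b"\n".join(objects) + b"\n%%EOF\n"
```

Run `scan_pdf(build_pdf(fake_pe_image()))` to see the embedded-file object flagged as a PE image, and `scan_pdf(build_pdf())` for a clean document.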

A niche for the “shopping addicted?” - Post, Find Yard Sales

Summer is ideal for yard sales. There’s no school, the kids can set up lemonade stands, people actually come out of hiding and want to find a good bargain, the weather’s nice, etc. The question is, ‘How do I sell my yard sale?’ Certainly, there’s the old school cardboard sign along the side of the road, and a clever ad in the Sunday classifieds. But those don’t really guarantee anything. Now you can try another method: YardSaleAd. It’s a website that lets you post your yard sale and all the important details. For those looking for a good sale, YardSaleAd makes it easy. Just enter your search criteria (location, categories, date, etc) and YardSaleAd will help you find it. Simply register to get all access for free.

This would be more fun if each entry generated a letter from your lawyer... - Stop, Complain About Telemarketers

You hate telemarketers (even the charity calls). No-call lists seemingly haven’t done damage to the legions of robot machine services that have sprung up in place of the real thing. The calls keep coming. So what is a fellow citizen to do? One method is to turn to the internets and to sites like EveryCall, which specialize in getting your message heard. EveryCall in particular, is a site that lets you find out exactly who it is that’s calling you. Type in the number to find out and leave a comment. Expose the companies that are harassing you and help others to put a stop to those pesky telemarketers. Plus, you may win an iPod while you’re at it.