Thursday, December 31, 2009

Small, but increasing in frequency. We even know why. At some point, it will become so expensive they will need to fix their security. (Perhaps a discount for good security and a penalty for bad?)

http://www.databreaches.net/?p=9222

Ca: Debit-card fraud hits Guelph bank customers

December 30, 2009 by admin Filed under Breach Incidents, ID Theft, Non-U.S., Skimmers

Vik Kirsch reports:

TD Canada Trust customers stood in long lineups in at least one Guelph branch Tuesday to replace debit cards after cash was stolen from their accounts or as a precaution against this high-tech theft.

“The lineup was just incredible,” customer Irene Hayes said after replacing her debit card to guard against further theft. She said she had $400 missing from her account, but was assured by bank staff it would be replaced within a few days.

“At least we’re getting it back, but I’m sure there are people who are going to be in dire straits about this,” Hayes said, noting she talked to one person in line, a student who said he had several thousand dollars missing from a school tuition account.

Bank branch staff run off their feet Tuesday were too busy to comment. And while TD Canada Trust corporate spokesperson Tashlin Hirani couldn’t readily provide details, she noted in an email response that “debit fraud is a growing problem that impacts all banks and their customers.”

It’s often due to “a compromised merchant terminal or PIN (personal information number) pad” at a retailer such as a gas station, restaurant or grocery store, Hirani said.

Read more on GuelphMercury.com.



At first, they didn't want to name the restaurant. Now they won't name the (assumption follows) credit card processor. Clearly this is bigger than some local teenage hacker.

http://www.databreaches.net/?p=9235

Update AK: Source of stolen credit information was a restaurant

December 30, 2009 by admin Filed under Business Sector, Hack, ID Theft, U.S.

James Halpin reports:

The source of the debit and credit card data stolen from hundreds of Anchorage residents in a sophisticated hacking attack [If history is any indication, probably not. Either a default password was still being used or the data was transmitted unencrypted. Bob] was Little Italy, a family-owned restaurant in South Anchorage, its owner said Tuesday.

Police say anywhere from 150 to 1,000 card numbers were stolen and used in the attack, which started generating reports of fraudulent purchases about a month ago. The scammers, in what appears to be a nationwide, [Suggests more than one? Bob] organized effort, have spent thousands of dollars on the East Coast with the stolen data, according to police.

[...]

According to the owners, the hack was actually perpetrated against a third-party network run by a nationwide corporation they wouldn’t name.

Read more in the Anchorage Daily News.

[From the article:

Mike Messick, chief technology officer for Digital Securus, a local firm that has been helping examine the network at Little Italy, said his group found hacker programs on the point-of-sale terminals at the restaurant.

"So what the bad guys did was, instead of trying to intercept that encrypted transmission, which they knew was futile, they came in and they installed a hacker program on the point-of-sale machines that actually intercepted that card number as it was being swiped," Messick said.
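What Messick describes is a memory/input scraper on the POS terminal: the card data is encrypted before it leaves the register, so the malware reads it at the point where it is still plaintext, right after the swipe. The practical check is to look for magnetic-stripe track data sitting in process memory or on disk where it should never persist. The following scanner is an added example for this post, not code from the article, Digital Securus, or any POS vendor; the "memory dump" it scans is a constructed byte string, and the card numbers in it are the well-known test PANs, not real accounts. It matches the ISO 7813 Track 1 and Track 2 layouts and then applies the Luhn check so that random digit runs that merely look like a track are not reported.

```python
import re

# Track 2 (ISO/IEC 7813): ;<PAN 13-19 digits>=<YYMM expiry><3-digit service code><discretionary>?
TRACK2_RE = re.compile(rb";(\d{13,19})=(\d{4})(\d{3})(\d*)\?")
# Track 1, format B: %B<PAN>^<NAME>^<YYMM expiry><service code><discretionary>?
TRACK1_RE = re.compile(rb"%B(\d{13,19})\^([A-Z /.'-]{2,26})\^(\d{4})(\d{3})([^?]*)\?")


def luhn_ok(pan: str) -> bool:
    """Luhn (mod 10) check digit test; filters out digit runs that only look like PANs."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right, excluding the check digit
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep BIN and last four so a report can be handled without re-exposing the card."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def find_track_data(buf: bytes) -> list:
    """Return Luhn-valid track records found in a byte buffer (memory image, log, binary)."""
    hits = []
    for m in TRACK2_RE.finditer(buf):
        pan = m.group(1).decode()
        if luhn_ok(pan):
            hits.append({"track": 2, "offset": m.start(), "pan": mask_pan(pan),
                         "expiry": m.group(2).decode(), "service": m.group(3).decode()})
    for m in TRACK1_RE.finditer(buf):
        pan = m.group(1).decode()
        if luhn_ok(pan):
            hits.append({"track": 1, "offset": m.start(), "pan": mask_pan(pan),
                         "expiry": m.group(3).decode(), "service": m.group(4).decode()})
    return sorted(hits, key=lambda h: h["offset"])


def scan_file(path: str) -> list:
    """Convenience wrapper: scan a saved process dump or a suspicious file on the terminal."""
    with open(path, "rb") as f:
        return find_track_data(f.read())


# Constructed sample "dump": two genuine-looking tracks with the 4111... test PAN,
# plus a decoy whose PAN fails Luhn and must not be reported.
SAMPLE_DUMP = (
    b"\x00\x00POS app heap\x00" + b"\x90" * 8
    + b";4111111111111111=25121010000000000000?"                 # valid Track 2
    + b"\x00\x00garbage\xff\xfe"
    + b"%B4111111111111111^DOE/JOHN^2512101000000000000000?"     # valid Track 1
    + b";4111111111111112=251210100000?"                          # fails Luhn: decoy
    + b"\x00 end"
)

if __name__ == "__main__":
    for hit in find_track_data(SAMPLE_DUMP):
        print(hit)
```

Run it against a memory image of the POS process (or the files the "hacker program" drops) rather than the sample: any hit outside the card-reader driver's transient buffers is evidence that card data is being captured or stored in the clear. The masking is deliberate; a forensic report that prints full PANs becomes a second disclosure.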



Not the greatest article of all time, but an increasingly common perspective. I would even postulate that TSA believes they can keep things private by fiat.

http://www.techcrunch.com/2009/12/30/we-all-live-in-public/?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+Techcrunch+%28TechCrunch%29

We All Live In Public Now. Get Used To It.

by Erick Schonfeld on December 30, 2009

… It used to be that we lived in private and chose to make parts of our lives public. Now that is being turned on its head. We live in public, like the movie says (except via micro-signals not 24-7 video self-surveillance), and choose what parts of our lives to keep private. Public is the new default.

Stowe Boyd, along with others before him, calls this new state of exposure “publicy” (as opposed to privacy or secrecy).



A chain is only as strong as its weakest link. (See the TSA article, below) At least, that's how the TJX hacker operated.

http://it.slashdot.org/story/09/12/30/2118250/Quantum-Encryption-Implementation-Broken?from=rss&utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+Slashdot%2Fslashdot+%28Slashdot%29

Quantum Encryption Implementation Broken

Posted by timothy on Wednesday December 30, @04:37PM from the but-this-was-a-quantum-drawing-board dept.

I Don't Believe in Imaginary Property writes

"Professor Johannes Skaar's Quantum Hacking group at NTNU have found a new way to break quantum encryption. Even though quantum encryption is theoretically perfect, real hardware isn't, and they exploit these flaws. Their technique relies on a particular way of blinding the single photon detectors so that they're able to perform an intercept-resend attack and get a copy of the secret key without giving away the fact that someone is listening. This attack is not merely theoretical, either. They have built an eavesdropping device and successfully attacked their own quantum encryption hardware. More details can be found in their conference presentation."



This is increasingly typical. How can you distribute non-classified data and expect it to remain confidential? Are the procedures used by the DHS “agents” also typical? I fear they are.

http://www.wired.com/threatlevel/2009/12/dhs-threatens-blogger/

TSA Threatens Blogger Who Posted New Screening Directive

By Kim Zetter December 30, 2009 3:53 pm

Two bloggers received home visits from Transportation Security Administration agents Tuesday after they published a new TSA directive that revises screening procedures and puts new restrictions on passengers in the wake of a recent bombing attempt by the so-called underwear bomber.

… The document, which the two bloggers published within minutes of each other Dec. 27, was sent by TSA to airlines and airports around the world and described temporary new requirements for screening passengers through Dec. 30, including conducting “pat-downs” of legs and torsos. The document, which was not classified, was posted by numerous bloggers. Information from it was also published on some airline websites.


(Related) “We don't need no stinking journalists!” (or Bloggers!) Would this software have found and re-published the TSA security procedures? If so, who would you subpoena?

http://news.slashdot.org/story/09/12/30/1559214/The-Rise-of-Machine-Written-Journalism?from=rss&utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+Slashdot%2Fslashdot+%28Slashdot%29

The Rise of Machine-Written Journalism

Posted by CmdrTaco on Wednesday December 30, @02:08PM from the hey-that's-my-job dept.

Hugh Pickens writes

"Peter Kirwan has an interesting article in Wired UK on the emergence of software that automates the collection, evaluation, and even reporting of news events. Thomson Reuters, the world's largest news agency, has started moving down this path, courtesy of an intriguing product with the nondescript name NewsScope, a machine-readable news service designed for financial institutions that make their money from automated, event-driven trading. The latest iteration of NewsScope 'scans and automatically extracts critical pieces of information' from US corporate press releases, eliminating the 'manual processes' that have traditionally kept so many financial journalists in gainful employment. At Northwestern University, a group of computer science and journalism students have developed a program called Stats Monkey that uses statistical data to generate news reports on baseball games. Stats Monkey identifies the players who change the course of games, alongside specific turning points in the action. The rest of the process involves on-the-fly assembly of templated 'narrative arcs' to describe the action in a format recognizable as a news story. 'No doubt Kurt Cagle, editor of XMLToday.org, was engaging in a bit of provocation when he recently suggested that an intelligent agent might win a Pulitzer Prize by 2030,' writes Kirwan. 'Of course, it won't be the software that takes home the prize: it'll be the programmers who wrote the code in the first place, something that Joseph Pulitzer could never have anticipated.'"

[From the article:

Journalists remain artisans in an era of industrialisation. Inside newsrooms, the old craft methods remain dominant. Outside, across the vast expanse of the web, algorithms are automating the information industry.



Lots of money waiting behind these rules, and only a few hundred pages to digest!

http://www.phiprivacy.net/?p=1734

‘Meaningful use’ criteria released

By Dissent, December 31, 2009 7:58 am

David Burda writes on ModernHealthcare.com:

HHS issued two sets of much-anticipated federal regulations that significantly further the government’s healthcare information technology adoption agenda. The first set of regulations lists the “meaningful use” criteria that healthcare providers must meet to qualify for federal IT subsidies based on how they use their electronic health records. The second set of regulations lays out the standards and certification criteria that those EHRs must meet for their users to collect the money.

Read more here.



Because it's a list and it's free!

http://www.pcmag.com/article2/0,2817,2356301,00.asp

Top 20 Free Blackberry Apps



For all my students who expect instant understanding.

http://science.slashdot.org/story/09/12/30/2321238/The-Neuroscience-of-Screwing-Up?from=rss&utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+Slashdot%2Fslashdot+%28Slashdot%29

The Neuroscience of Screwing Up

Posted by samzenpus on Wednesday December 30, @07:45PM from the nobody-is-right-all-the-time dept.

resistant writes

"As the evocative title from Wired magazine implies, Kevin Dunbar of the University of Toronto has taken an in-depth and fascinating look at scientific error, the scientists who cope with it, and sometimes transcend it to find new lines of inquiry. From the article: 'Dunbar came away from his in vivo studies with an unsettling insight: Science is a deeply frustrating pursuit. Although the researchers were mostly using established techniques, more than 50 percent of their data was unexpected. (In some labs, the figure exceeded 75 percent.) "The scientists had these elaborate theories about what was supposed to happen," Dunbar says. "But the results kept contradicting their theories. It wasn't uncommon for someone to spend a month on a project and then just discard all their data because the data didn't make sense."'"

Wednesday, December 30, 2009

Apparently, there are ways around the notification laws. (Amazing what a smart lawyer and a dumb manager can do) More news leaks out. How many retailers were hacked? Will we ever know?

http://www.databreaches.net/?p=9211

Target Co was victim of hacker Albert Gonzalez

December 29, 2009 by admin Filed under Breach Incidents, Business Sector, Hack, Malware, Of Note, U.S.

Target Co said it was among the victims of computer hacker Albert Gonzalez, mastermind [...if someone who noticed that there is no WiFi security can be called a mastermind. Bob] of the biggest identity theft in U.S. history.

[...]

Target spokeswoman Amy Reilly said her company was among the victims, having had an “extremely limited” number of payment card numbers stolen by Gonzalez about two years ago.

She declined to say how many card numbers had been stolen, and described the term of the exposure as brief.

“A previously planned security enhancement was already under way at the time the criminal activity against Target occurred,” Reilly said. “We believe that, at most, only a tiny fraction [...of the millions and millions... Bob] of guest credit and debit card data used at our stores may have been involved.”

She said that Target had notified the card issuers, leaving them to tell their customers. [Is that legal? Bob]

Read more on Reuters.


(Related) There may be two other “double secret victims”

http://www.wired.com/threatlevel/2009/12/heartland-guilty-plea/

Albert Gonzalez Pleads Guilty in Heartland, 7-11 Breaches — Updated

By Kim Zetter December 29, 2009 3:39 pm

… Gonzalez, known by the online nicks “segvec” and “Cumbajohnny,” was charged in August in New Jersey, along with two unnamed Russian conspirators, with hacking into Heartland Payment Systems, a New Jersey-based card processing company, as well as Hannaford Brothers, 7-Eleven and two unnamed “major” national retailers identified only as Company A and Company B.

… On Monday, Company A filed a sealed motion in Boston and a request for oral argument in the case.

The court docket doesn’t indicate the nature of the filings, but in November, Company A filed a letter with the court indicating that it might intervene in the case to obtain a protective order to ensure the company’s “dignity, privacy and anonymity.”

Prosecutors told Threat Level in August that they were not identifying the two anonymous retailers because the companies have never acknowledged publicly that they were breached.



“You got mud on yo' face

You big disgrace

Kickin' your can all over the place

Singing

We will, we will, SUE YOU!”

http://www.databreaches.net/?p=9196

RockYou Sued for Failing to Protect the Personal Data of its 32 Million Customers

December 29, 2009 by admin Filed under Breach Incidents, Business Sector

From the press release:

An Indiana man filed a class action lawsuit Monday against RockYou, the developer of popular online applications and services for use with social networking sites such as Facebook and MySpace, after RockYou failed to safeguard the highly sensitive personal information of him and 32 million others.

The lawsuit alleges that RockYou maintained its customers’ email account and password information, as well as the login credentials for social networking sites, in an unencrypted and unsecured database. As a result, according to the lawsuit, hackers were able to harvest all of this information by utilizing a well-known and easy-to-prevent exploit.

The lawsuit is brought by Alan Claridge, Jr., of the Evansville, Ind., area. According to the suit, only after the media began reporting about the data breach did RockYou notify Mr. Claridge and others of the data breach.

“This alleged data breach was by no means unforeseeable. The means of attack has been well-documented for some time, as has been the means to prevent it,” explained Michael Aschenbrener, the lead attorney for the class action. “RockYou allegedly did nothing to prevent the attack or safeguard its customers’ sensitive personal information. How any company in possession of this much data could do nothing to secure it not only violates the law, but also basic common sense.”

The class action seeks injunctive relief and monetary damages for failing to protect RockYou user data.

On its site, RockYou had posted the following about the breach:

As we previously explained, one or more individuals illegally breached one of our databases that contained the usernames and passwords for about 32 million users in an unencrypted format. It also included these users’ email addresses. This database had been kept on a legacy platform dedicated exclusively to RockYou.com widgets. After learning of the breach, we immediately shut the platform down to prevent further breaches.

… However, because the platform breached contained user email addresses and passwords, we recommend that our RockYou.com users change their passwords for their email and other online accounts if they use the same email accounts and passwords for multiple online services.

… We are separately communicating with our users so that they take this step and are informed of the facts.

It’s hard to imagine the lawsuit prevailing. If anything, some regulatory agency might want to look at whether RockYou misled customers over its security and privacy protections, but I really don’t see how RockYou users are likely to get anywhere with this lawsuit in light of the bulk of court opinions about the need to demonstrate actual harm. Does any reader think this lawsuit has a snowball’s chance?
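The technical fact under the lawsuit is the one RockYou's own notice states: 32 million usernames and passwords "in an unencrypted format", so a single database read handed the attacker every credential, including the ones reused on email and social-network accounts. The block below is an added example for this post, not RockYou's code; it puts the plaintext storage pattern beside the form it should have taken (a per-user random salt and a slow key derivation, here PBKDF2-HMAC-SHA256, with the iteration count as this example's own assumption) and shows the concrete difference a dump reveals: in the plaintext table, two users sharing "password123" are visible at a glance, while the salted records for the same password are unrelated. The sample table is constructed.

```python
import hashlib
import hmac
import secrets

# Assumptions made by this example: PBKDF2-HMAC-SHA256, 16-byte random salt per user,
# and an iteration count you tune so one derivation costs on the order of 100 ms.
PBKDF2_ITERATIONS = 200_000
SALT_BYTES = 16

# Constructed sample of the storage the breach notice describes: credentials kept
# "in an unencrypted format". Two users happen to share a password.
PLAINTEXT_TABLE = [
    {"user": "alice", "email": "alice@example.com", "password": "password123"},
    {"user": "bob", "email": "bob@example.com", "password": "password123"},
]


def hash_password(password: str, iterations: int = PBKDF2_ITERATIONS) -> str:
    """Derive a salted record; salt and parameters travel with the hash so they can be rotated."""
    salt = secrets.token_bytes(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute with the stored salt and iterations; compare in constant time."""
    try:
        algo, iterations, salt_hex, digest_hex = record.split("$")
    except ValueError:
        return False            # malformed or legacy plaintext record: never accept it
    if algo != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def needs_rehash(record: str, iterations: int = PBKDF2_ITERATIONS) -> bool:
    """True when a record is below current policy; rehash it on the next successful login."""
    parts = record.split("$")
    return len(parts) != 4 or parts[0] != "pbkdf2_sha256" or int(parts[1]) < iterations


def migrate_table(rows: list) -> list:
    """Replace each plaintext password with a hash record; the plaintext column is dropped."""
    return [
        {"user": r["user"], "email": r["email"], "password_hash": hash_password(r["password"])}
        for r in rows
    ]


def identical_value_counts(rows: list, column: str) -> dict:
    """Attacker's view of a dumped column: how many rows share each stored value."""
    counts = {}
    for r in rows:
        counts[r[column]] = counts.get(r[column], 0) + 1
    return counts


if __name__ == "__main__":
    print("plaintext dump:", identical_value_counts(PLAINTEXT_TABLE, "password"))
    hashed = migrate_table(PLAINTEXT_TABLE)
    print("hashed dump:   ", identical_value_counts(hashed, "password_hash"))
    print("login ok:", verify_password("password123", hashed[0]["password_hash"]))
```

Hashing does not make the email addresses any less valuable to a phisher, and it does not stop offline guessing of weak passwords; it raises the cost per guess and removes the free win of reading credentials straight out of the table. The reuse advice in RockYou's notice still applies to anyone in a breach like this.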



This could be another breach, or an organized crime group. It is becoming so common, I expect to see a late night info-mercial: “Make big bucks skimming credit card information in your spare time!”

http://www.databreaches.net/?p=9209

Skimmers hitting debit card customers across N.C.

December 29, 2009 by admin Filed under Breach Incidents, Financial Sector

Dan Bowens reports:

Cases in which debit card information has been stolen are cropping up across North Carolina, and officials said Tuesday that thousands of customers could be affected.

The State Employees Credit Union informed about 300 customers in recent days that their account information had been obtained by skimmers and used to make withdrawals and purchases.

[...]

Account information has been stolen from customers in Raleigh to Winston-Salem to Charlotte, according to SECU security officer Cory Mathes. He said the widespread nature of the thefts leads him to believe either a large skimming network is involved or someone has hacked into the computer system of a company that processes debit card transactions.

Read more on WRAL.



Satire is fine, parody too, but embarrass a politician and you guarantee an over-reaction in response. (And lots of media coverage – just what the activists wanted.)

http://yro.slashdot.org/story/09/12/29/1921257/Canadian-Censorship-Takes-Down-4500-Sites?from=rss&utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+Slashdot%2Fslashdot+%28Slashdot%29

Canadian Censorship Takes Down 4500 Sites

Posted by timothy on Tuesday December 29, @03:00PM from the now-that's-what-I-call-political-science dept.

uncadonna writes

"According to activist group The Yes Men, the government of Canada has shut down two parody websites criticizing Canada's poor environmental policy. The article goes on to claim that 'In response to Environment Canada's request, Serverloft immediately turned off a whole block of IP addresses, knocking out more than 4500 websites that had nothing to do with the parody sites or the activists who created them. Serverloft was shown no warrant, and never called the web hosting company about the shutdown.'"


(Related) Censorship is not always based on what politicians want. Or even common sense. Could this be the basis for a stockholder's suit?

http://yro.slashdot.org/story/09/12/30/0027217/Following-In-Bings-Footsteps-Yahoo-and-Flickr-Censor-Porn-In-India?from=rss&utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+Slashdot%2Fslashdot+%28Slashdot%29

Following In Bing's Footsteps, Yahoo! and Flickr Censor Porn In India

Posted by Soulskill on Tuesday December 29, @11:06PM from the searching-for-morality dept.

bhagwad writes

"Following recent news on how Bing decided sex was too sensitive for India, Yahoo! and its associated site Flickr have decided to do the same. While it's true that this is because of India passing laws that prohibit the publication of porn, no complaint was ever launched (and never will be), and glorious Google still continues to return accurate and unbiased results. So why is Yahoo! doing this? Is it because of its tie-up with Bing? I assume this is the case. Indian ISPs have already told the government and the courts that it's not their job to restrict porn and it's technologically infeasible too. In the absence of a complaint, I can only assume that Yahoo! has decided to do this of their own volition. Given that the 'sex' search term is searched more in India than in any other country, isn't it the duty of Yahoo! to provide accurate results to its customers? It can always plausibly deny control of its results and claim that filtering porn is infeasible. Since Yahoo! already has a low search market share in India, this will drive it even lower."


(Related) On the other hand, if you can mislead a politician or a court, censorship can be made to serve your purposes.

http://yro.slashdot.org/story/09/12/30/0240254/Italy-May-Censor-Torrent-Sites?from=rss&utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+Slashdot%2Fslashdot+%28Slashdot%29

Italy May Censor Torrent Sites

Posted by Soulskill on Wednesday December 30, @05:11AM from the giving-them-the-boot dept.

An anonymous reader writes

"Following a Pirate Bay block more than a year ago, Italy continues its attempts to censor torrent sites. The Italian Supreme Court has ruled that copyright holders can now force ISPs to block BitTorrent sites, even if they are hosted outside Italy. The torrent sites which 'hold' copyrighted materials are accused of taking part in criminal activity. It seems someone should enlighten Italian jurists about technology." [That's my point. “Someone” already has... Bob]



Bruce thinks rationally. Would that any politician had the guts to listen.

http://www.cnn.com/2009/OPINION/12/29/schneier.air.travel.security.theater/index.html

Is aviation security mostly for show?

By Bruce Schneier, Special to CNN December 29, 2009 7:38 a.m. EST

... Our current response to terrorism is a form of "magical thinking." It relies on the idea that we can somehow make ourselves safer by protecting against what the terrorists happened to do last time.



Why was this allowed to fester in the first place? A simple code review should have disclosed that the code was (or looked like it had been) copied, and a patch could have been generated pre-release. But then, Microsoft is not known for avoiding legal battles.

http://yro.slashdot.org/story/09/12/30/0011258/MS-Issues-Word-Patch-To-Comply-With-Court-Order?from=rss&utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+Slashdot%2Fslashdot+%28Slashdot%29

MS Issues Word Patch To Comply With Court Order

Posted by Soulskill on Tuesday December 29, @08:02PM from the wrist-slap-complete dept.

bennyboy64 writes

"iTnews reports that Microsoft has begun offering what appears to be a patch for its popular Word software, allowing it to comply with a recent court ruling which has banned the software giant from selling copyright-infringing versions of the word processing product. The workaround should put an end to a long-running dispute between Canadian i4i and Redmond, although it has hinted that the legal battle might yet take another turn."



Towards the “universal translator” of Science Fiction fame. Note that this requires storage of three complete dictionaries and the related programming. Something we couldn't do 5 years ago.

http://mobile.slashdot.org/story/09/12/29/2338202/Toshiba-Intros-Trilingual-Translation-App-For-Cellphones?from=rss&utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+Slashdot%2Fslashdot+%28Slashdot%29

Toshiba Intros Trilingual Translation App For Cellphones

Posted by Soulskill on Tuesday December 29, @07:04PM from the like-a-liberal-arts-major-only-better dept.

MojoKid writes

"Shortly after hearing of a simple, two-way Spanish-to-English translator for the iPhone, Toshiba has announced that it has developed a new language translation system that requires no server-side interaction. The app is designed to be operated independently on a smartphone, which will eliminate costly data roaming fees that are generally incurred using systems that require an internet connection to retrieve translations. The system is trilingual in nature and enables users to translate freely between Japanese, Chinese and English."



Too late for another stocking stuffer? In my next Security Engineering class, I'll have my students design a detector to detect DECAF, which detects COFEE. Think I'll call it Re-caff.

http://www.thetechherald.com/article.php/200953/5015/DECAF-no-stunt-developer-says-%C2%96-DECAF-2-launched

DECAF no stunt developer says – DECAF 2 launched

by Steve Ragan - Dec 29 2009, 20:30

DECAF has returned, and COFEE is not the only forensic set that it will monitor. After the first version of DECAF was pulled on December 18 with a notice that it was all a “stunt”, anyone who downloaded the software discovered it wasn’t working. Now it’s back, with new features and an explanation as to why it was really pulled: legal fears.

First, DECAF was not fake, the tool worked.


(Related) Another stocking stuffer. Available during the Consumer Electronics Show January 7-10

http://www.wired.com/gadgetlab/2009/12/blio-ray-kurzweil-book/?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+wired%2Findex+%28Wired%3A+Index+3+%28Top+Stories+2%29%29

Singularity Proponent Ray Kurzweil Reinvents the Book, Again

By Priya Ganapati and Charlie Sorrel December 29, 2009 7:03 am

… Blio is not a device. Rather, it is a “platform” that could run on any device, but would be most obviously at home on a tablet. The software is free and available currently for PCs, iPod Touch and iPhone.

[Support site: http://www.blioreader.com/]

Tuesday, December 29, 2009

If it's just a bunch of local crooks, this will end here. But, if it's a roving national gang, this could become more than an irritation.

http://www.databreaches.net/?p=9189

La. restaurants suffering credit card ‘nightmare’

December 28, 2009 by admin Filed under Business Sector, ID Theft, U.S.

Jason Brown of The Advocate has a story today about restaurateurs’ lawsuits against Radiant Systems and Computer World, a lawsuit covered previously on the blog. Of note, Brown cites a Secret Service agent involved in the case:

Luiz Velez, resident agent in charge of the Secret Service’s Baton Rouge office, said each hack involved restaurants using Internet-based computer systems. [Any restaurant attached to the Internet could be vulnerable. Bob]

Velez said more than 100,000 cards were exposed and conservatively placed the fraud loss for area banks at about $1.2 million.

Although 100,000 cards and $1.2 million might not sound huge when contrasted to mega-breaches like Heartland Payment Systems’ breach, this particular breach reportedly caused at least one restaurant to close its doors and another to give up taking credit cards. And of course, we only know about less than a dozen or so restaurants. Could there be other restaurants using this POS software that also had breaches that we haven’t learned about yet? It seems likely.

Charles Y. Hoff, general counsel for the Georgia Restaurant Association and one of the attorneys assisting in the Lafayette lawsuit, said he has received a multitude of calls from restaurant owners all over the country regarding similar claims.

“It is not isolated and it is something that is a real concern on a national level,” Hoff said.



“Intent” is not the same as “capability.” I may intend to carve the turkey, but when my crazy cousin Eddie pushes me over the edge, I suddenly find out what my new electric carving knife is capable of.

http://www.pogowasright.org/?p=6667

Einstein and Citizens’ Privacy

December 28, 2009 by Dissent Filed under Govt, Surveillance

Einstein is an intrusion detection – and soon an intrusion prevention – system the government is deploying to safeguard government IT systems. Some cybersecurity experts contend Einstein has the potential to intrude on the privacy of individual Americans, a concern Philip Reitinger dismisses.

Reitinger, deputy undersecretary of the Department of Homeland Security’s National Protection and Programs Directorate and director of the National Cybersecurity Center, says the only purpose of Einstein is to protect government networks.

“To that end, it is not our intention to go out and seek things like personally identifiable information,” Reitinger said in the second of a two-part interview with GovInfoSecurity.com. “Our intent is instead, say, what constitutes an attack? What is malicious traffic? And when we see something that is malicious traffic, that is an attempt to compromise a government system, and quite conceivably impair the privacy of Americans whose data is held or the people who are working on those government systems, that we can detect that and stop it, and do a better job of actually protecting privacy.”

Source: GovInfoSecurity. You can listen to Part 1 of Eric Chabrow’s interview with Reitinger here.



I haven't pointed to Bruce recently. But he still writes a good logical blog.

http://www.schneier.com/blog/archives/2009/12/separating_expl.html

Schneier on Security

A blog covering security and security technology.

December 26, 2009

Separating Explosives from the Detonator

… For years I've been saying this:

Only two things have made flying safer [since 9/11]: the reinforcement of cockpit doors, and the fact that passengers know now to resist hijackers.

This week, the second one worked over Detroit. Security succeeded.

I wish that, just once, some terrorist would try something that you can only foil by upgrading the passengers to first class and giving them free drinks. [Amen Bob]


(Related) Follow-up on the over reaction to an inept terrorist. (I'll also use this in my Statistics class.)

http://www.fivethirtyeight.com/2009/12/odds-of-airborne-terror.html

The Odds of Airborne Terror

by Nate Silver @ 1:58 PM 12.27.2009

… Over the past decade, according to BTS, there have been 99,320,309 commercial airline departures that either originated or landed within the United States. Dividing by six, we get one terrorist incident per 16,553,385 departures.

There were a total of 674 passengers, not counting crew or the terrorists themselves, on the flights on which these incidents occurred. By contrast, there have been 7,015,630,000 passenger enplanements over the past decade. Therefore, the odds of being on a given departure which is the subject of a terrorist incident have been 1 in 10,408,947 over the past decade. By contrast, the odds of being struck by lightning in a given year are about 1 in 500,000. This means that you could board 20 flights per year and still be less likely to be the subject of an attempted terrorist attack than to be struck by lightning.


(Related) More fun facts! Make you want to buy more life insurance?

http://johnbakersblog.co.uk/odds-of-dying-in-a-terrorist-attack/

Odds of Dying in a Terrorist Attack

john baker, March 28th, 2009.

You are 12,571 times more likely to die from cancer than from a terrorist attack

You are 11,000 times more likely to die in an airplane accident than from a terrorist plot involving an airplane

You are 17,600 times more likely to die from heart disease than from a terrorist attack

You are 1048 times more likely to die from a car accident than from a terrorist attack

You are eight times more likely to be killed by a police officer than by a terrorist



Could this happen here?

http://entertainment.slashdot.org/story/09/12/29/0110253/UK-Consumers-To-Pay-For-Online-Piracy?from=rss&utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+Slashdot%2Fslashdot+%28Slashdot%29

UK Consumers To Pay For Online Piracy

Posted by samzenpus on Tuesday December 29, @01:51AM from the music-rolls-down-hill dept.

Wowsers writes

"An article in The Times states that UK consumers will be hit with an estimated £500m ($800m US) bill to tackle online piracy. The record and film industries have managed to convince the government to get consumers to pay for their perceived losses. Meanwhile they have refused to move with the times, and change their business models. Other businesses have adapted and been successful, but the film and record industries refuse to do so. Surely they should not add another stealth tax to all consumers."

[From the article:

The Digital Economy Bill would force internet service providers (ISPs) to send warning letters to anyone caught swapping copyright material illegally, and to suspend or slow the connections of those who refused to stop. ISPs say that such interference with their customers’ connections would add £25 a year to a broadband subscription.

Ministers have not estimated the cost of the measures but say that the cost of the initial letter-writing campaign, estimated at an extra £1.40 per subscription, will lead to 40,000 households giving up their internet connections. Impact assessments published alongside the Bill predict that the measures will generate £1.7 billion in extra sales for the film and music industries over the next ten years, as well as £350 million for the Government in extra VAT.

[I'm not sure any of those numbers have a basis in reality. Bob]



This kind of article makes for great projects in my Computer Security class.

http://www.pogowasright.org/?p=6664

Code That Protects Most Cellphone Calls Is Divulged

December 28, 2009 by Dissent Filed under Featured Headlines, Other

Kevin J. O’Brien reports:

A German computer engineer said Monday that he had deciphered and published the secret code used to encrypt most of the world’s digital mobile phone calls, in what he called an attempt to expose weaknesses in the security of the world’s wireless systems.

The action by the encryption expert Karsten Nohl aimed to question the effectiveness of the 21-year-old GSM algorithm, a code developed in 1988 and still used to protect the privacy of 80 percent of the world’s mobile calls.

“This shows that existing GSM security is inadequate,” Mr. Nohl, 28, told about 600 people attending the Chaos Communication Congress, a four-day computer hacker’s conference that runs through Wednesday here. “We are trying to push operators to adopt better security measures for mobile phone calls.”

Read more in The New York Times.



Not the first to recognize this. Will the Anti-trust lawyers beat the Class Action lawyers to the punch? Or is the Copyright lobby too powerful for both of them?

http://www.eff.org/deeplinks/2009/12/doctorow-how-destroy-book

Doctorow, How to Destroy the Book

Commentary by Fred von Lohmann December 28th, 2009

… When I buy an audiobook on CD, it’s mine. The license agreement, such as it is, is “don’t violate copyright law,” and I can rip that CD to mp3, I can load it to my iPod or any number of devices—it’s mine; I can give it away, I can sell it; it’s mine. But when you buy an audiobook through Audible, which now controls 90 per cent of the [downloadable] audiobook market, you get a license agreement, not a property interest. The things that you can do with it are limited by DRM; the players you can play it on are limited by the license agreements with Audible. Audible doesn’t do this because the publishers ask them to. Audible and iTunes, because Audible is the sole supplier to iTunes, do this because it’s in their own interest....



I haven't played with this one yet, but I plan to.

http://www.makeuseof.com/tag/fix-common-windows-problems-in-a-snap-with-fixwin/?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+Makeuseof+%28MakeUseOf.com%29

How To Fix Common Windows Problems In A Snap With FixWin

By Varun Kashyap on Dec. 28th, 2009

Monday, December 28, 2009

“All your blood are belong to us!” It's not unethical if you never ask yourself if it's unethical.

http://www.pogowasright.org/?p=6631

Ie: Hospital keeps secret DNA file

December 27, 2009 by Dissent Filed under Breaches, Featured Headlines, Other

Mark Tighe reports:

A Dublin hospital has built a database containing the DNA of almost every person born in the country since 1984 without their knowledge in an apparent breach of data protection laws.

The in Temple Street is under investigation by the Data Protection Commissioner (DPC) since The Sunday Times discovered it has a policy of indefinitely keeping blood samples taken to screen newborn babies for diseases.

Unknown to the DPC, the hospital has amassed 1,548,300 blood samples from “heel prick tests” on newborns which are sent to it for screening, creating, in effect, a secret national DNA database. The majority of hospitals act on implied or verbal consent and do not inform parents what happens to their child’s sample.

Read more in The Times Online.

T.J. McIntyre comments on the story on IT Law in Ireland:

… In light of these controversies elsewhere, the lack of informed consent and the fact that there is no legal basis for the heel prick tests (a point confirmed in North Western Health Board v. HW and CW) it’s hard to see how Temple Street could have believed that it was entitled to hold onto these samples indefinitely – and it is remarkable that this point appears to have been missed by the ethics committee on four separate occasions.



Worth reading! Makes you wonder if any social network user can read.

http://www.techcrunch.com/2009/12/27/privacy-theater/

Privacy Theater: Why Social Networks Only Pretend To Protect You

by Guest Author on December 27, 2009

… With apologies to Bruce Schneier’s brilliant coinage, “security theater” (e.g. the magical thinking behind forcing passengers to sit down and shut up for the last hour of international flights), social networks have been dogged by one disaster after another in 2009 because they pursue policies that provide the “feeling of improved privacy while doing little or nothing to actually improve privacy.”

… It’s not like lawsuits are being filed, as Marissa Mayer announced by going after work-from-home scam artists in an interview with Mike Arrington at LeWeb. It’s not like this is Scamville 2.0, since this isn’t stealing users’ cash, only their dignity. It’s not like there’s a legal spotlight on the issue, since there’s only $9M set aside for a hazy new privacy foundation in the latest Facebook class-action settlement. It’s not like it’s a political issue in the headlines, since a Facebook Chief Privacy Officer is running for Attorney General, the top law-enforcement office in California. It’s not like it’s as complicated as “don’t be evil,” since I can give you one simple tip to eliminate privacy theater: enforce your ToS and obey others’ ToS — or else stop setting unrealistic expectations and just let users have their data back!


(Related) The (double-secret) TSA regulation requires everyone to be searched and all carry-ons to be inspected. Looks like another major victory for Al Qaeda, and I doubt this guy had any contact with Al Qaeda except in his dreams.

http://www.pogowasright.org/?p=6638

TSA Security Directive SD-1544–09-06

December 28, 2009 by Dissent Filed under Surveillance

Over on The Volokh Conspiracy, Randy Barnett has posted a TSA security directive that was implemented on December 25, following the failed terrorist attack over Detroit. The directive seems to be circulating on the web, but I have not yet been able to confirm that this is, indeed, an official TSA directive because it is not on any government site that I have found as yet.

Of note, the directive does include the types of precautions described in Air Canada’s original travel advisory. From the directive:

2. IN FLIGHT

1. During flight, the aircraft operator must ensure that the following procedures are followed:

1. Passengers must remain in seats beginning 1 hour prior to [scheduled or actual? Bob] arrival at destination.

2. Passenger access to carry-on baggage is prohibited beginning 1 hour prior to arrival at destination.

3. Disable aircraft-integrated passenger communications systems and services (phone, internet access services, live television programming, global positioning systems) prior to boarding and during all phases of flight. [Cell phone blockers? Bob]

4. While over U.S. airspace, flight crew may not make any announcement to passengers concerning flight path or position over cities or landmarks.

5. Passengers may not have any blankets, pillows, or personal belongings on the lap beginning 1 hour prior to arrival at destination. [Air crew must remove them? Bob]

The directive expires on December 30. You can read the whole thing here.

[From “the whole thing”:

1. Perform thorough pat-down of all passengers at boarding gate prior to boarding, concentrating on upper legs and torso.

2. Physically inspect 100 percent of all passenger accessible property at the boarding gate



(Related) Better than nothing, but not by much.

http://www.techcrunch.com/2009/12/27/twitter-banned-passwords/?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+Techcrunch+%28TechCrunch%29

370 Passwords You Shouldn’t (And Can’t) Use On Twitter

by Robin Wauters on December 27, 2009

… It just so happens that Twitter has hard-coded all banned passwords on the sign-up page. All you need to do to retrieve the full list of unwelcome passwords is take a look at the source code of that page.

Do a simple search for ‘twttr.BANNED_PASSWORDS’ and voilà, there they are, all 370 of them.

This isn’t a security issue, of course, and in fact it’s helpful to distribute the list so you can check if your favorite password that you use for other services might not be as fail-proof as you’d like to think. For the full list, simply download this TXT file, but here are a couple:

password testing naked stupid twitter 123456 secret

please beavis butthead internet hooters
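As an added example (not Twitter's own code), here is a sign-up denylist check in the style of the hard-coded twttr.BANNED_PASSWORDS list, beside a variant that normalizes the candidate before the lookup; it shows why "not by much" is fair, since trivial variants of a banned word sail through an exact-match list. The list is limited to the entries quoted above, and the normalization rules and sample candidates are my own assumptions.

```javascript
// Added example, not Twitter's code: a sign-up denylist in the style of the
// hard-coded twttr.BANNED_PASSWORDS list, beside a stricter variant that
// normalizes the candidate first. Only the entries quoted in the article are
// used here; the real list had 370.
const BANNED_PASSWORDS = [
  "password", "testing", "naked", "stupid", "twitter", "123456", "secret",
  "please", "beavis", "butthead", "internet", "hooters",
];
const BANNED_SET = new Set(BANNED_PASSWORDS);

// Exact-match check, the way a client-side sign-up page would do it.
// Only a literal hit is rejected, so "Password1" and "p@ssw0rd" pass.
function isBannedExact(password) {
  return BANNED_SET.has(password);
}

// Substitutions commonly used to dodge a literal denylist (assumed set).
const LEET = { "0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "7": "t",
               "@": "a", "$": "s", "!": "i" };

// Forms a candidate is reduced to before the lookup:
//   lower-cased            "Twitter"      -> "twitter"
//   letters-only core      "Secret123!"   -> "secret"
//   leet decoded           "p@ssw0rd"     -> "password"
// All-digit candidates such as "123456" keep only their lower-cased form,
// so they still match the list literally.
function candidateForms(password) {
  const forms = new Set();
  const lower = password.toLowerCase();
  forms.add(lower);
  const core = lower.replace(/^[^a-z]+|[^a-z]+$/g, "");
  if (core) {
    forms.add(core);
    forms.add(core.replace(/[013457@$!]/g, (c) => LEET[c] || c));
  }
  return forms;
}

// Stricter check: reject if any reduced form is on the list. Whatever check
// runs in the browser must be repeated on the server, since the page's
// JavaScript is under the user's control, not the site's.
function isWeak(password) {
  for (const form of candidateForms(password)) {
    if (BANNED_SET.has(form)) return true;
  }
  return false;
}

// Constructed candidates: the first column is what an exact-match list
// decides, the second what the normalized check decides.
const SAMPLES = ["password", "Password1", "p@ssw0rd", "123456", "S3cret!",
                 "correct horse battery staple"];
for (const p of SAMPLES) {
  console.log(`${p.padEnd(30)} exact=${isBannedExact(p)}  normalized=${isWeak(p)}`);
}
```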



My students discovered this over a year ago.

http://tech.slashdot.org/story/09/12/27/1526256/Security-In-the-Ether?from=rss&utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+Slashdot%2Fslashdot+%28Slashdot%29

Security In the Ether

Posted by Soulskill on Sunday December 27, @12:15PM from the less-likely-than-ether-in-the-security dept.

theodp writes

"Technology Review's David Talbot says IT's next grand challenge will be to secure the cloud — and prove we can trust it. 'The focus of IT innovation has shifted from hardware to software applications,' says Harvard economist Dale Jorgenson. 'Many of these applications are going on at a blistering pace, and cloud computing is going to be a great facilitative technology for a lot of these people.' But there's one little catch. 'None of this can happen unless cloud services are kept secure,' notes Talbot. 'And they are not.' Fully ensuring the security of cloud computing, says Talbot, will inevitably fall to emerging encryption technologies."



Well, there's Reality and eReality, see. And sometimes technology that works in Reality doesn't work in eReality, see.

http://www.techcrunch.com/2009/12/27/att-iphone-new-york-city/?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+Techcrunch+%28TechCrunch%29

Relax, You Can Still Buy An iPhone In New York City. Just Not Online.

by Erick Schonfeld on December 27, 2009

If you live in the New York City metropolitan area, as I do, and try to buy an iPhone from AT&T’s website, you will probably get the same message I did after I entered my zipcode: “Sorry this package is not available in your area.” Apparently, this is a big story. (Hey, it’s the tail end of a long holiday weekend, and there is nothing else going on). For instance, the Consumerist called some hapless AT&T customer service rep who confirmed that “the phone is not offered to you because New York is not ready for the iPhone.”



A very useful resource for my Business Continuity class

http://www.makeuseof.com/dir/ground-zeroii-nuclear-strike-map/

Ground Zero II: Analyze nuclear explosions on a nuclear strike map

By Israel Nicolas on Dec. 20th, 2009

www.carloslabs.com/node/20

Similar tool: NukeoMeter and Impact Calculator.

Sunday, December 27, 2009

Strange that only two cases made the top 10 this year.

http://www.databreaches.net/?p=7691

Top 10 Worst Data Losses or Breaches, updated

December 26, 2009 by admin Filed under Breach Incidents, Of Note

It’s been a while since I last revised my list of the largest breaches or data loss incidents worldwide, and the end of the year seems like a good time to look back at what may have been the worst incidents ever in terms of numbers.

Remember when the stolen V.A. laptop made headlines in May 2006 as the biggest breach ever? Now they’re down at #7 on my list.


Rank | # of Records or People | Entity | Date of Incident or Report | Type of Incident
1 | 130,000,000 | Heartland Payment Systems | 2009-01-20 | Hack, Malware
2 | 94,000,000 | TJX, Inc. | 2007-01-17 | Hack, Malware
3 | 90,000,000 [1] | TRW/Sears Roebuck | 1984-06-22 | Hack
4 | 70,000,000 [2] | National Archives and Records Administration | 2009-10-01 | Disposal
5 | 40,000,000 | CardSystems Solutions | 2005-06-17 | Hack
6 | 30,000,000 [3] | Deutsche Telekom | 2008-11-01 | Exposure
7 | 26,500,000 | U.S. Department of Veterans Affairs | 2006-05-22 | Stolen Laptop
8 | 25,000,000 | HM Revenue and Customs / TNT | 2007-10-18 | Lost Tapes
9 | 18,000,000 [4] | Auction.co.kr | 2008-02-17 | Hack
9 | 18,000,000 [5] | National Personnel Records Center | 1973-07-12 | Fire
10 | 17,000,000 | Countrywide Financial | 2008-08-01 | Insider
10 | 17,000,000 | T-Mobile | 2008-10-06 | Lost or Stolen Disk

Notes:

[1] TRW’s database held credit information on 90,000,000 and was being accessed for over a year before the company became aware of the problem. The number of records actually accessed is unknown.

[2] NARA does not consider this a breach (.doc)

[3] The number of records actually accessed is unknown.

[4] Auction.co.kr said their number is 10.8 million and not 18 million as reported by other sources.

[5] This incident, involving the loss of paper records in a fire, affected many veterans who were unable to establish their right to receive benefits. Fifteen years later, duplicates of some of the records were located elsewhere and some veterans were first able to get benefits. I’m including it on my list because NPRC was warned about fire concerns during the building’s design and planning stages, but did not implement sufficient precautions to protect the data.

Notice what incidents the list doesn’t include. It doesn’t include:

  • A Taiwanese hacking ring that affected over 50,000,000 people by hacks involving a number of organizations or databases,

  • The recent RockYou.com hack where a hacker gained access to login details including 32,603,388 passwords in plain text, and

  • An AOL incident where names and email addresses of 30,000,000 customers were stolen and sold for spamming purposes.

Have I missed any really large data loss incidents or breaches involving personal information that should have made the Top 10 list, or did I include something that you think shouldn’t be included? If so, let me know.


(Related)

http://www.pogowasright.org/?p=6614

Ca: Information and Privacy Cases of the Year

December 26, 2009 by Dissent Filed under Court, Non-U.S.

Dan Michaluk writes:

I’ve always loved year-end lists. Here’s a Canada-centric top ten “information management and privacy cases” list for 2009. Endorsement and criticism invited!

#1 Grant v. Torstar. The Supreme Court of Canada recognizes a new defamation defence – the “responsible communication on matters of public interest” defence. Truly novel and highly relevant. Is the dialog on the kind of information that must flow in the name of the public interest also a building block for the privacy tort? From just days ago.

#2 R. v. McNeil. This unanimous Supreme Court of Canada judgement broadens the scope of the Crown’s duty of disclosure to an accused person and facilitates an accused person’s right to third-party production. Significant changes to critical criminal procedure doctrine. From January.

Read more on Slaw.


(Related) Another list to keep close.

http://www.pogowasright.org/?p=6605

Resolve to Be A Privacy Advocate in 2010

December 26, 2009 by Dissent Filed under Other

From the good folks over at the Privacy Rights Clearinghouse:

We at the Privacy Rights Clearinghouse wish you a happy, prosperous and private new year. For 2010, resolve to be a privacy advocate. Use our 10 tips below to minimize your risk of identity theft, protect your personal information and assert your rights to privacy.

1. Be assertive in guarding your privacy when you are asked to provide sensitive information that you do not feel is necessary. If someone (including healthcare providers, government agencies and employers) asks for your personal information, ask these 5 questions:

A) Is providing my information required or voluntary? (Provide only the minimum information necessary.)

B) Why do you need this information and how will it be used?

C) Do you have a written policy regarding the request for information?

D) Who will have access to my information and how will it be protected from unauthorized access? (Remember to ask about third parties!)

E) If, when and how will the records be discarded when they are no longer needed?

If you are not satisfied with how your information is handled or the answers that you receive, take your business elsewhere. If you are concerned about a government agency’s use of your personal information, contact your city council-member, state legislator or Congressperson to voice your concern.

2. Guard your mail. Your mailbox often may contain letters which if lost or stolen can result in identity theft. Try to pick up your mail as soon as possible after delivery. If this is not possible, purchase a locking mailbox. Open all your mail including envelopes that include only a P.O. Box as a return address. Credit card companies that send you replacement cards or convenience checks may try to disguise the mailing by including only a limited return address. For additional tips on how to avoid identity theft, read our guide “Coping with Identity Theft: Reducing the Risk of Fraud” at www.privacyrights.org/fs/fs17-it.htm.

3. Check your credit reports. You are entitled to a free report from each of the three national credit bureaus once every 12 months. For more information, see the Federal Trade Commission’s Facts for Consumers at www.ftc.gov/freereports. PRC's guide to credit reporting is another source of useful information at www.privacyrights.org/fs/fs6-crdt.htm.

4. Find out what’s in your consumer specialty reports. You have the right to free copies of numerous so-called specialty consumer reports which report on such matters as your medical conditions, insurance claims, check writing history, rental history, and employment history. You can find out more by reading our guide to specialty reports at www.privacyrights.org/fs/fs6b-SpecReports.htm.

5. Check your Social Security Earnings Statement for any signs of fraud. You should receive one from the Social Security Administration every year about 3 months before your birthday. Look for earnings that exceed the amount you earned. It could be a sign that someone is using your SSN for employment. Also make sure that your employer has correctly reported your earnings. If you did not receive an earnings statement in 2009, contact the Social Security Administration to request one. You may do this online at www.ssa.gov/online/ssa-7004.html.

6. Avoid using debit or check cards. Credit cards provide better consumer protections, and help protect your bank account from fraudulent activity. Ask your bank to replace your debit card with an ATM card. Our guide “Paper or Plastic: What’s the Best Way to Pay?” explains the advantages and disadvantages of paying by debit card (check card) and credit card. Read it at www.privacyrights.org/fs/fs32-paperplastic.htm.

7. Shred any unnecessary documents that contain personal information. Always use a cross-cut, diamond or confetti shredder. Never use a strip shredder. It’s too easy for a crook to piece the strips together. Before you shred anything that you might need, double check with your accountant, attorney, or tax preparer. For a guide to tax recordkeeping, see IRS Publication 552, Recordkeeping for Individuals at www.irs.gov/pub/irs-pdf/p552.pdf or call 1-800-TAX-FORM (800-829-3676) to obtain a free paper copy.

8. Sign up for the National Do-Not-Call List to limit unwanted telephone solicitations. (888) 382-1222 or www.donotcall.gov. Read our guide at www.privacyrights.org/fs/fs5-tmkt.htm#part1.

9. Stop pre-approved credit and insurance offers in the mail. Call (888) 5-OPT-OUT / (888) 567-8688, or opt out online at www.optoutprescreen.com. You can choose to opt out of credit offers for 5 years by phone through the website. Or you can opt out permanently by mailing the Permanent Opt-Out form, available on the website.

10. Understand the benefits and risks of social networking. When you post information or pictures on a social networking site, understand who might see it without your permission. Ask yourself “Would I give this information to a stranger over the phone?” If the answer is “no,” think twice about posting it online. Read website privacy policies to find out how your information may be shared. For security tips on social networking read http://us.trendmicro.com/imperia/md/content/us/trendwatch/researchandanalysis/security_guide_to_social_networks.pdf

For more tips on preserving your privacy and protecting your identity in 2010 please read our guides:

– PRC Fact Sheet 1, Privacy Survival Guide, www.privacyrights.org/fs/fs1-surv.htm

– PRC Fact Sheet 1(a), Privacy Basics and Opt-Out Strategies, www.privacyrights.org/fs/fs1a-basics.htm



Knee-jerk regulation? Sure sounds like the commenters don't like it (and I suspect it won't last.)

http://tech.slashdot.org/story/09/12/27/0635254/TSA-Wants-You-To-Keep-Your-Seat-and-Your-Hands-In-Sight?from=rss&utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+Slashdot%2Fslashdot+%28Slashdot%29

TSA Wants You To Keep Your Seat, and Your Hands In Sight

Posted by timothy on Sunday December 27, @02:30AM from the ex-post-facto dept.

An anonymous reader excerpts from an AP story as carried by Yahoo News about changes stemming from yesterday's foiled bombing attempt of a Northwest Airlines flight:

"Some airlines were telling passengers on Saturday that new government security regulations prohibit them from leaving their seats beginning an hour before landing. The regulations are a response to a suspected terrorism incident on Christmas Day. Air Canada said in a statement that new rules imposed by the Transportation Security Administration limit on-board activities by passengers and crew in US airspace. ... Flight attendants on some domestic flights are informing passengers of similar rules. Passengers on a flight from New York to Tampa Saturday morning were also told they must remain in their seats and couldn't have items in their laps, including laptops and pillows."

The TSA's list of prohibited items doesn't seem to have changed in the last day, though.


(Related) Or perhaps Rupert Murdoch has been lobbying again.

http://www.techcrunch.com/2009/12/26/airplane-electronics-ban/?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+Techcrunch+%28TechCrunch%29

TSA To Save Print Media? No Electronics On International Flights? What A Joke.

by MG Siegler on December 26, 2009

Saturday, December 26, 2009

Laws, as they are bought and paid for...

http://www.bespacific.com/mt/archives/023107.html

December 25, 2009

MAPLight.org - Money and Politics: Illuminating the Connections

"MAPLight.org, a groundbreaking public database, illuminates the connection between campaign donations and legislative votes in unprecedented ways. Elected officials collect large sums of money to run their campaigns, and they often pay back campaign contributors with special access and favorable laws."



Where to backup that PhD dissertation and all the research supporting it. (Perhaps the Climate Change guys could have used this?)

http://www.killerstartups.com/Web-App-Tools/load2all-com-taking-care-of-multiple-uploads-easily?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+killerstartups%2FBkQV+%28KillerStartups.com%29

Load2All.com - Taking Care Of Multiple Uploads Easily

http://www.load2all.com/

If you were to back up vital information, uploading it to more than one file hosting service would be a sound thing to do. The one deterrent you will have for sure is that doing it manually would take far too long, not to mention that you would have to be very careful as regards the maximum size of the file or files you are uploading.

Both shortcomings are dealt with by this application. Named Load 2 All, it is a tool for uploading a file (any file) to as many service providers as you might feel like. For example, you can upload to sites such as Rapidshare, Megaupload and DepositFiles at the same time. You can actually upload files to 8 simultaneous mirrors, and you are clearly informed about the maximum capacity of each and every service. In the event that any of your files exceed these limits, the file will be automatically split into smaller .RAR files.

Files can be uploaded both locally and remotely, too, so that you will be able to take care of any backup process both from your home and from anywhere an Internet connection is available. [Great for the wholesale stealing of identities! Bob]



Because I love lists...

http://www.time.com/time/specials/packages/completelist/0,29569,1918031,00.html

50 Best Websites 2009

http://www.time.com/time/specials/packages/completelist/0,29569,1879276,00.html

25 Best Blogs 2009