Friday, February 13, 2009

This continues to look like a real Titanic level event, and yet I don't see much in the mainstream news. Perhaps because we haven't reached 800 Billion, yet.

http://www.databreaches.net/?p=1465

Heartland Data Breach: Maine Credit Union Says Reported Fraud has Tripled

Posted February 12th, 2009 by admin

Some interesting insights into the impact of the Heartland breach on a small credit union are provided in a BankInfoSecurity story:

Last week [HealthFirst Credit Union of Waterville] in Maine thought it had seen the last of the Heartland Payment Systems data breach that had affected 261 of its members’ credit cards. Officials now report they weren’t as lucky as they thought. The number of compromised cards now has tripled, and the fraud reported may top $70,000.

[...]

Quirion expresses frustration at what the credit union’s members and employees are being subjected to because of this breach. “The cost of replacing the cards is around $2,500, and we are a tiny credit union, and our employees ‘wear many hats.’ We’ve all been involved in blocking compromised cards, ordering new cards, and calling members regarding the breach since January 12,” she says.

Quirion estimated that the employees at the credit union have spent about 300 hours to date working on containing the breach’s fallout among its members.


Related

http://www.bankinfosecurity.com/articles.php?art_id=1200

Heartland Data Breach Update: Now More Than 160 Institutions Impacted

Bermuda, Canada and Guam Now Report Effects from Breach

February 12, 2009 - Linda McGlasson, Managing Editor



When you try to make things effective/efficient without thinking about the impact on your customers?

http://www.pogowasright.org/article.php?story=20090213061145281

DVD Planet's Automatic Account Creation Raises Security, Privacy Issues

Friday, February 13 2009 @ 06:11 AM EST Contributed by: PrivacyNews

Joel says when he ordered a disc from DVD Planet via Amazon, the company automatically created an account for him on their website. The problem is that the default password they used was so easy to guess that he figured it out on the second try, and he suspects it's the same password they use on every account. Once you guess it, you can see the customer's past orders and credit card billing address. When Joel contacted them to have the account removed, he was told that wasn't possible. [“We'll get to the Delete key as soon as we find the 'Any Key.'” Bob]

Source - The Consumerist blog



I haven't seen any hospital sanctions before this one. But it does reinforce my opinion that “the states are waking up!”

http://www.databreaches.net/?p=1452

Maine cites hospital for data breach

Posted February 12th, 2009 by admin

It’s not often that we learn of any really serious consequences to hospitals that have suffered a data breach, but a previously reported breach has contributed to problems for Down East Community Hospital in Maine. Eric Russell of the Bangor Daily News reports:

In the latest of a series of incidents, Down East Community Hospital has been disciplined by state and federal agencies for a number of serious violations within the last year.

The Maine Department of Health and Human Services recently ordered the hospital to operate on a conditional state license, an action deemed “necessary to protect the interests of the general public,” said Catherine Cobb in DHHS’s Licensing and Regulatory Services division.

Additionally, the Center for Medicare and Medicaid Services, a federal agency that oversees health care coverage at U.S. hospitals and ensures compliance with certain federal regulations, has threatened to sever ties between Down East Community Hospital and Medicare. The hospital can avoid that action if it corrects certain deficiencies within a set period of time.

One of the issues in the state’s report was data protection:

Clinical records — In November 2008, the hospital discovered that numerous confidential patient files had washed up in a nearby waterway. The documents had been stolen from the hospital, which the state determined was a breach in confidentiality. All hospital documents now must be kept in a more secure location. Dodwell said an investigation is still continuing to determine who stole the files and why.

I seriously doubt that the data breach alone would have resulted in such severe measures, but it’s nice to see states stepping up and saying that such breaches are unacceptable and that hospitals need better security or they may not maintain their license.



Another result of the HPS breach – overreaction by card issuers.

http://www.wjla.com/news/stories/0209/593699.html

On Your Side: American Express Squeeze

posted 02/10/09 5:57 pm

... Pamela Herndon came to 7 On Your Side frustrated. She wanted to show us this: her American Express card has been denied.

Card Machine:"We are unable to complete this transaction."

"I was furious," Herndon said.

Not just because her card had been canceled but because of what they were asking of her to keep it open.

"They asked for a copy of my drivers license, a copy of my Social Security card, a copy of a utility bill -- not a phone bill -- and a notarized signature from any bank," Herndon said.

What? A cold call asking for that kind of information sounds like a scam. But it wasn't.

"Credit card companies are freaking out and they're doing things that years ago they were warning people not to do," said Evan Hendricks of Privacy Times.



Interesting. They still need a search warrant.

http://www.pogowasright.org/article.php?story=20090212151432506

Ca: New law to give police access to online exchanges

Thursday, February 12 2009 @ 03:14 PM EST Contributed by: PrivacyNews

The Conservative government is preparing sweeping new eavesdropping legislation that will force Internet service providers to let police tap exchanges on their systems - but will likely reignite fear that Big Brother will be monitoring the private conversations of Canadians.

The goal of the move, which would require police to obtain court approval, is to close what has been described as digital "safe havens" for criminals, pedophiles and terrorists because current eavesdropping laws were written in a time before text messages, Facebook and voice-over-Internet phone lines.

Source - Globe and Mail Thanks to Brian Honan for sending this link.



“Now that the law is in effect, let us tell you what we think it means...” They require encryption where “technically feasible.” I assume that means “no matter what it costs” unless bankruptcy is a technicality?

http://www.pogowasright.org/article.php?story=20090212152940404

MA: Tough Massachusetts data-privacy regulation facing revision

Thursday, February 12 2009 @ 03:29 PM EST Contributed by: PrivacyNews

The Massachusetts data-privacy regulation that went into effect Jan. 1st is now undergoing revisions that are expected to go into effect May 1st, according to the state agency in charge of issuing the rules.

Source - Network World



Either you believe that NSA et al. can capture and read everything or you don't. I lean towards the “Don't” camp simply because of the volume issue. That's not to say they can't capture and read everything from a specified address.

http://www.pogowasright.org/article.php?story=20090213055703654

NSA offering 'billions' for Skype eavesdrop solution

Friday, February 13 2009 @ 05:57 AM EST Contributed by: PrivacyNews

News of a possible viable business model for P2P VoIP network Skype emerged today, at the Counter Terror Expo in London. An industry source disclosed that America's supersecret National Security Agency (NSA) is offering "billions" to any firm which can offer reliable eavesdropping on Skype IM and voice traffic.

The spybiz exec, who preferred to remain anonymous, confirmed that Skype continues to be a major problem for government listening agencies, spooks and police. This was already thought to be the case, following requests from German authorities for special intercept/bugging powers to help them deal with Skype-loving malefactors. Britain's GCHQ has also stated that it has severe problems intercepting VoIP and internet communication in general.

Source - The Register



If you “own” the security software, you can “own” their clients.

http://www.databreaches.net/?p=1474

Physician, heal thyself? Hackers continue exposing vulnerabilities in security firms’ databases

Posted February 12th, 2009 by admin

First it was Kaspersky. Then it was BitDefender Portugal. Today it’s F-Secure, but no personal data was accessible.

F-Secure posted a response on their site:

[...]

During the last few days a Romanian group has been doing SQL injection attacks on several security vendors’ websites and early this morning they hit us. One of our servers used in gathering malware statistics had a page that didn’t properly sanitize input and was therefore vulnerable to attack. Fortunately we utilize defense-in-depth strategies so the attack was only partly successful.

Although the attackers were able to read information from the database they couldn’t write or manipulate it. And they couldn’t access any other data on that server because the SQL user only had access to its own database, which only contains public information that is shown on our statistics pages. So while the attack is something we must learn from and points at things we need to improve, it’s not the end of the world.

The malware statistics are something we publish anyway at worldmap.f-secure.com and because of our IT security strategy, the impact was minimal.
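As an added illustration (not F-Secure's code; the table, rows and column names are constructed, since the real schema is not known), the Python below puts the unsanitized query pattern the post describes beside its parameterized form, and emulates the read-only SQL account with an SQLite authorizer so that a write attempted through the same connection is refused.

```python
import sqlite3

# Constructed sample rows standing in for a public malware-statistics table.
SAMPLE_ROWS = [
    ("Trojan.Generic", "FI", 120),
    ("Worm.Conficker", "DE", 340),
    ("Trojan.Generic", "DE", 55),
]


def make_db():
    """In-memory database holding only public statistics, as in the post."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE stats (family TEXT, country TEXT, detections INTEGER)")
    conn.executemany("INSERT INTO stats VALUES (?, ?, ?)", SAMPLE_ROWS)
    conn.commit()
    return conn


def stats_by_country_vulnerable(conn, country):
    """The unsanitized pattern: user input is spliced into the SQL text, so a
    quote character in `country` changes the meaning of the WHERE clause."""
    sql = "SELECT family, detections FROM stats WHERE country = '%s'" % country
    return conn.execute(sql).fetchall()


def stats_by_country_safe(conn, country):
    """Hardened form: parameter binding keeps `country` a value, never SQL."""
    sql = "SELECT family, detections FROM stats WHERE country = ?"
    return conn.execute(sql, (country,)).fetchall()


def make_read_only(conn):
    """Emulates the least-privilege SQL account the post credits: reads are
    allowed, every other action (INSERT, UPDATE, DELETE, DROP, ...) is denied,
    which bounds what a successful injection on this page can do."""
    def authorizer(action, arg1, arg2, db_name, trigger_or_view):
        if action in (sqlite3.SQLITE_SELECT, sqlite3.SQLITE_READ):
            return sqlite3.SQLITE_OK
        return sqlite3.SQLITE_DENY
    conn.set_authorizer(authorizer)
    return conn


def attempt_write(conn):
    """True if a write through this connection succeeded, False if refused."""
    try:
        conn.execute("UPDATE stats SET detections = 0")
        return True
    except sqlite3.Error:  # SQLite reports "not authorized"
        return False
```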



Nothing signals the death of the Gutenberg Age more than liquidating its assets.

http://www.washingtonpost.com/wp-dyn/content/article/2009/02/12/AR2009021200587.html

Google Buys A Paper Mill?

Robin Wauters TechCrunch.com Thursday, February 12, 2009; 12:22 AM

Consider it a sign of the times when internet company Google acquires the buildings and premises of a mill site from a paper, packaging and forest products company that caters to the print industry.



Well, there goes the neighborhood!

http://themonarchist.blogspot.com/

Thursday, 12 February 2009

Buckingham Palace Website Is Relaunched

Her Majesty The Queen updated Her website today. You can see what Her Majesty has done, with the assistance of one Sir Tim Berners-Lee, by clicking on here. Her Majesty has even created a special section dedicated entirely to Her British Commonwealth.



Another consideration for my Computer Security class

http://news.cnet.com/8301-13505_3-10162439-16.html?part=rss&subj=news&tag=2547-1_3-0-5

Open data is the antidote to closed clouds

by Matt Asay February 12, 2009 7:20 PM PST

Open source is particularly well-suited to create cloud computing systems, but such open-source ingredients won't necessarily result in open clouds. Indeed, cloud computing has the potential to lock users in as much or more than desktop computing.

… But it's not really the hardware or software at issue here. It's the data. Free software doesn't necessarily translate into free data, which is arguably the technology industry's next big battleground. "Data is the new Intel-inside," proclaims Tim O'Reilly, the source of lock-in and hence profit for technology companies like Google, Yahoo, Digg, and more.



For truly obsessive multi-taskers?

http://news.cnet.com/8301-17939_109-10163152-2.html?part=rss&subj=news&tag=2547-1_3-0-5

Double Vision lets you watch Hulu in Excel

by Josh Lowensohn February 12, 2009 3:32 PM PST

Double Vision (download) is the latest tool for people who don't like doing work while at work. This small piece of software lets you casually surf the Web inside of other programs, then hide the window with a simple keyboard shortcut.
