Tuesday, December 08, 2009

Does this increase their liability if true?

http://www.databreaches.net/?p=8758

Blumenthal suspects HealthNet disk was stolen

December 7, 2009 by admin Filed under Healthcare Sector, U.S.

Attorney General Richard Blumenthal says a missing disk containing confidential data on almost 450,000 Health Net patients in Connecticut may have been stolen, rather than lost.

Blumenthal said today he is notifying federal criminal investigators, asking that they take a closer look into the matter.

Health Net got into hot water with AG’s office in mid-November when it belatedly disclosed the data breach six months after it first discovered the disk was missing. The missing disk contained health, personal and financial information.

Read more on HartfordBusiness.com

[Nothing in the article to suggest why he thinks they were stolen, but it should shake them up a bit. Bob]



Would it be so hard to say, “We'll keep the details to ourselves and the victims,” or “It could take a few days to organize all the data”? Wouldn't that be better than guessing with a high probability of being wrong? NOTE: It couldn't hurt to provide some basic computer training too: “This is a Delete key...”

http://www.databreaches.net/?p=8768

Update: St Albans laptop saga ‘gets worse and worse’

December 8, 2009 by admin Filed under Government Sector, Non-U.S., Theft

Alexandra Barham reports:

Sensitive data for a further 1,000 people was stored on a laptop thought to have been stolen from St Albans District Council, it has been revealed.

A review of data stored on the council’s missing electoral services computer revealed a file containing the confidential details of an additional 1,000 people, kept to verify postal votes in 2007 and 2008.

The district council’s chief executive Daniel Goodwin revealed the problem to a meeting of the audit committee last night, insisting the loss of further data had only come to light in the last three days.

[...]

An investigation continues into the loss of four laptops, one containing 14,673 names, addresses and signatures of postal voters, thought to have been stolen from the council offices last month.

The committee, which met at the district council offices last night to debate the alleged theft, identified serious flaws in the council’s data management procedures and its control of confidential information.

Asked why the names, addresses and signatures of postal voters had not been wiped from the database immediately after an election, Mr Goodwin said staff had no knowledge the details remained on the machine and admitted that removing them would be beyond them.

“There’s no clear instruction to manage that data,” he told the committee. “It’s a big issue for us.”

Read more on St. Albans Review.



Has he been reading my blog? Probably just a reasonably smart guy who thought about this for more than 30 seconds.

http://www.databreaches.net/?p=8760

The Merchants Strike Back?

December 7, 2009 by admin Filed under Commentaries and Analyses

David Navetta has a thought-provoking article over on InformationLawGroup that begins:

With the recent news of several restaurants teaming up to sue point-of-sale system provider Radiant Systems (a copy of the complaint can be found here) for failing to comply with the PCI Standard, it appears that some merchants may be in a mood to strike back in the aftermath of a payment card security breach. This lawsuit comes in the wake of a couple lawsuits against payment card security assessor Savvis for allegedly failing to properly validate a processor’s Visa CISP compliance (admittedly in this case it is the merchant bank suing the assessor, but a similar cause of action could exist for a merchant if its assessor makes a mistake in verifying PCI compliance). While two instances certainly don’t indicate a trend, they do indicate a potential route that merchants may consider to deflect liability arising out of a payment card security breach.

It is possible that we will see more lawsuits by merchants against service providers, payment processors, and application/point-of-sale system providers in the coming months and years. Part of the reason is that the PCI regulatory system imposes a form of “strict liability” on merchants that suffer a security breach. Fines, penalties and the availability of recovery processes are contingent (in part) on whether or not a merchant was PCI-compliant at the time of the breach (see e.g. Visa’s ADCR). Thus, when a Qualified Incident Response Assessor (“QIRA”) comes in after a credit card breach to do an audit, one of its main tasks (if not its primary goal) is to ascertain whether the merchant was PCI-compliant.

Lost in the shuffle sometimes, however, is the issue of “causation.” The question that is not being asked is whether or not PCI compliance would have prevented the breach, or whether the lack of PCI-compliance was the cause of the breach. In other words, would PCI-compliance have made a difference? In some cases the answer is obvious. For example, if a merchant is holding onto sensitive authentication information, clearly PCI compliance (which requires the deletion of such data after a transaction) would have precluded a payment card breach. In other situations, however, the answer might not be as clear cut.

Read more here.



This is not amusing. How can statements like this not come back to bite you later? How can you have viable Privacy policies if you believe only criminals worry about privacy?

http://yro.slashdot.org/story/09/12/08/0127219/Google-CEO-Says-Privacy-Worries-Are-For-Wrongdoers?from=rss&utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+Slashdot%2Fslashdot+%28Slashdot%29

Google CEO Says Privacy Worries Are For Wrongdoers

Posted by kdawson on Tuesday December 08, @08:17AM from the get-over-it dept.

bonch writes

"In a surprising statement to CNBC, Google CEO Eric Schmidt told reporter Maria Bartiromo, 'If you have something that you don't want anyone to know, maybe you shouldn't be doing it in the first place.' This will only fuel concerns about Google's behavior as it becomes an ever more powerful gatekeeper of information; though Google says it is aware of these concerns and has taken steps to be transparent to users about the information that is stored."



Oh look, another identity theft tool?

http://news.cnet.com/8301-13860_3-10410340-56.html?part=rss&subj=news&tag=2547-1_3-0-20

Microsoft labs tests a Wikipedia of average Joes

by Ina Fried December 7, 2009 11:09 AM PST

Think of Microsoft's latest labs effort as the software maker's attempt to give everyone their own Wikipedia entry.

Dubbed EntityCube and now live to try out, the research project pulls together biographical information on anyone found on the Web.



You know, it pays to read those policies. And lawyers gotta get educated!

http://www.pogowasright.org/?p=6032

Attorney-Client Privilege Waived by Imputed Knowledge of Employer E-Mail Monitoring

December 7, 2009 by Dissent Filed under Court, Internet, U.S., Workplace

Jeff Neuburger writes:

In August, we wrote about the ruling of a New Jersey appellate court in Stengart v. Loving Care Agency, Inc., in which the court took a very narrow view of the ability of employers to monitor the e-mail communications of employees over its computer networks. In that case, which is now on appeal to the New Jersey Supreme Court, the appellate court held that an employee did not waive her attorney-client privilege with respect to e-mails that she sent to her attorney while using the employer’s computer network, but via her personal Web mail account, despite the existence of a broadly worded communications policy giving the employer the right to access all communications occurring over its network. The appellate court ruled that even if the employer’s policy applied to the employee (she disputed its applicability), the employer’s right to access to such communications pursuant to that policy was limited by the employer’s “legitimate business interests.” Such interests did not extend, the court concluded, to the employee’s communications with her attorney.

In contrast to the New Jersey court’s narrow view of the applicability of such policies, the district court judge in Alamar Ranch, LLC v. County of Boise, 2009 U.S. Dist. LEXIS 101866 (D. Idaho Nov. 2, 2009), held that knowledge of employer monitoring of employee communications over its network could be imputed, not only to the employee but to the employee’s attorney as well. As a result, the court held, the attorney-client privilege had been waived with respect to messages sent by the employee to the attorney using her employer-assigned e-mail account, and to messages sent to the employee at her employer e-mail address by the attorney.

Read more on Proskauer Rose Privacy Law Blog



Interesting. If it's a big project (or you hire lots of off-duty cops to direct traffic?) you can view police records.

http://www.pogowasright.org/?p=6090

AU: Contractors should not have access to police files

December 7, 2009 by Dissent Filed under Breaches, Non-U.S.

…. On Saturday The Age revealed that Victoria Police had agreed to hand over to Aquasure, the international consortium building a desalination plant near Wonthaggi, information about people involved in protests against the plant. In a 20-page memorandum of understanding, signed in August by Assistant Commissioner Paul Evans and the secretary of the Department of Sustainability and Environment, Peter Harris, the police agreed to release to Aquasure “law-enforcement data” in the form of “any text, images, audio and video … and includes (but is not limited to) data related to individuals, aggregated data, written reports and correspondence, memoranda, police diaries, official notebooks, running sheets and other data repositories”. In other words, anything at all.

Astonishingly, when asked about this memorandum, a spokeswoman for the department said that such agreements were common for major projects, and that “the sharing of information will be done without breaching privacy laws”. This was evidently news to Victoria’s Privacy Commissioner, Helen Versey, who yesterday issued a terse statement announcing that she was “not aware that Victoria Police had entered into this memorandum of understanding or other MoUs in relationship to major infrastructure projects”. Ms Versey said she was seeking an urgent briefing from the police and the department, as well she might.

Read more in the Brisbane Times.



With this wealth of information, we should be able to determine who has the best/worst policies and what data is kept for how long.

http://www.pogowasright.org/?p=6034

Cryptome posts more LEA guides, Wikileaks joins the fray

December 7, 2009 by Dissent Filed under Surveillance, U.S.

Cryptome.org has added more materials to its site on the policies and manuals for law enforcement agents seeking customer or subscriber data. Last week, it posted guides for Cox, SBC-Ameritech, Cingular, Cricket, Nextel, GTE, and PacTel. Newly added to the collection of compliance guides are:

  • Sprint’s Corporate Security Electronic Surveillance Manual (.zip), dated November 2002, and marked “For LEA use only;”

  • Sprint CALEA Delivery System (pdf), dated June 2002;

  • Verizon Law Enforcement Legal Compliance Guide, dated October 2002;

  • VoiceStream Law Enforcement Guide (.zip), dated December 2000 and marked “NOTICE: The information contained in this reference guide is of a sensitive nature. Distribution is restricted to bona-fide law enforcement personnel strictly in support of their official duties.”

  • AT&T’s Subpoena Response Cover Sheet; and

  • AT&T: a subpoena involving the records production of a named individual

As of the time of this publication, the Yahoo! compliance guide, which led to a DMCA takedown demand (pdf) from Yahoo!, remains on the site, with a separate page now devoted to the correspondence between Yahoo! and Cryptome over the guide’s publication on the site. It seems that Yahoo! is the only organization taking a copyright infringement approach, at least so far, to getting the material removed. Of course, anyone that knows anything about Cryptome’s history would have predicted that their threat would be both posted and useless in the short-term. Whether they created a Streisand Effect by the DMCA notice is unclear, but their litigious approach may help explain why Wikileaks has now mirrored the compliance guide in a number of countries. As of the time of this posting, Wikileaks does not seem to have uploaded the other carriers’ guides that are on Cryptome (at least, not yet), but they have posted MySpace.com’s Law Enforcement Investigators Guide dated 23 Jun 2006.

I suspect that this has not been a good week for the legal and security departments of all of the companies who may have no clue as to how their sensitive documents leaked to the public. Not only have their price lists and detailed explanations of what data they store become publicly available, but their restricted non-public phone numbers have also been exposed. I contacted Sprint to request a statement or comment, but as of the time of this posting, have not yet heard back from them.



Looks like I have an answer to the “Why are they doing this now” question I asked yesterday.

http://news.cnet.com/8301-1023_3-10410266-93.html?part=rss&subj=news&tag=2547-1_3-0-20

Yahoo adds privacy tool, in time for FTC meetings

by Kara Swisher, AllThingsD December 7, 2009 6:30 AM PST

… What fortuitous timing, since the first of three of the Federal Trade Commission's "Exploring Privacy: A Roundtable Series" begins Monday in Washington, D.C.



This should be amusing...

http://yro.slashdot.org/story/09/12/07/1917245/CRIA-Faces-60-Billion-Lawsuit?from=rss&utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+Slashdot%2Fslashdot+%28Slashdot%29

CRIA Faces $60 Billion Lawsuit

Posted by ScuttleMonkey on Monday December 07, @06:00PM from the turn-about-is-fair-play dept.

jvillain writes

"The Canadian Recording Industry Association faces a lawsuit for 60 billion dollars over willful infringement. These numbers may sound outrageous, yet they are based on the same rules that led the recording industry to claim a single file sharer is liable for millions in damages. Since these exact same companies are currently in the middle of trying to force the Canadian government to bring in a DMCA for Canada, it will be interesting to see how they try to spin this."

[From the article:

The claims arise from a longstanding practice of the recording industry in Canada, described in the lawsuit as "exploit now, pay later if at all." It involves the use of works that are often included in compilation CDs (ie. the top dance tracks of 2009) or live recordings. The record labels create, press, distribute and sell the CDs, but do not obtain the necessary copyright licences.



Lazy is the father of invention.

http://it.slashdot.org/story/09/12/07/1318225/Hackers-vs-Phishers?from=rss&utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+Slashdot%2Fslashdot+%28Slashdot%29

Hackers vs. Phishers

Posted by CmdrTaco on Monday December 07, @08:57AM from the better-than-predator-vs-alien dept.

An anonymous reader writes

"Some hackers out there don’t like to do all the hard work of running a successful phishing campaign. Instead, they developed a simple online service to ‘steal’ account details from the hard-working phishers. Named AutoWhaler, the service allows anyone to scan a phishing server for log files that contain juicy information such as usernames and passwords."



Why didn't I think of this! Hacking in the cloud. (Hacking as a service)

http://it.slashdot.org/story/09/12/07/2322235/WPA-PSK-Cracking-As-a-Service?from=rss&utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+Slashdot%2Fslashdot+%28Slashdot%29

WPA-PSK Cracking As a Service

Posted by kdawson on Monday December 07, @07:31PM from the get-out-of-the-cafe-quicker dept.

An anonymous reader writes

"Moxie Marlinspike, a security researcher well known for his SSL/TLS attacks, today launched a cloud-based WPA cracking service, where for $34 you can test the security of your WPA password. The WPA Cracker Web site states: 'WPA-PSK networks are vulnerable to dictionary attacks, but running a respectable-sized dictionary over a WPA network handshake can take days or weeks. WPA Cracker gives you access to a 400CPU cluster that will run your network capture against a 135 million word dictionary created specifically for WPA passwords. While this job would take over 5 days on a contemporary dual-core PC, on our cluster it takes an average of 20 minutes.'"
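To make the submission's arithmetic concrete from the defender's side, here is an added example (mine, not code from the WPA Cracker service or the original post) that derives a WPA-PSK the way 802.11i specifies and estimates how long a dictionary of a given size takes at a given per-CPU rate. The SSID/passphrase pair is a constructed sample, and the 312.5 guesses-per-second figure is an assumption derived from the post's own numbers (135 million words in 5 days on one dual-core PC).

```python
import hashlib
import math
import time

# Constructed sample values; the derivation itself is the standard 802.11i one.
SSID = "IEEE"
PASSPHRASE = "password"

# Assumed per-PC rate implied by the post: 135 million guesses in 5 days.
DICTIONARY_WORDS = 135_000_000
DUAL_CORE_RATE = DICTIONARY_WORDS / (5 * 86_400)   # 312.5 guesses/s


def wpa_psk(passphrase: str, ssid: str) -> bytes:
    """Derive the 256-bit PSK (the PMK) exactly as 802.11i specifies:
    PBKDF2-HMAC-SHA1 over the passphrase, salted with the SSID, 4096 rounds."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def guesses_per_second(ssid: str, samples: int = 200) -> float:
    """Measure how many candidate passphrases this machine can derive per second.
    Every guess costs 4096 HMAC-SHA1 rounds, which is what makes each guess slow."""
    start = time.perf_counter()
    for i in range(samples):
        wpa_psk(f"candidate{i}", ssid)          # constructed throwaway candidates
    return samples / (time.perf_counter() - start)


def exhaust_seconds(dictionary_size: int, rate: float, cpus: int = 1) -> float:
    """Worst-case time to run a whole dictionary at `rate` guesses/s per CPU."""
    return dictionary_size / (rate * cpus)


def dictionary_bits(dictionary_size: int) -> float:
    """Effective entropy of a passphrase that is somewhere in the dictionary."""
    return math.log2(dictionary_size)


def random_passphrase_bits(length: int, alphabet_size: int) -> float:
    """Entropy of a uniformly random passphrase; no dictionary run reaches it."""
    return length * math.log2(alphabet_size)


if __name__ == "__main__":
    print("PSK:", wpa_psk(PASSPHRASE, SSID).hex())
    print(f"this machine: {guesses_per_second(SSID):.0f} guesses/s")
    days = exhaust_seconds(DICTIONARY_WORDS, DUAL_CORE_RATE) / 86_400
    print(f"135M words on one dual-core PC: {days:.1f} days")
    # The post's 400-CPU cluster finishes in ~20 minutes; 360x the PC rate matches that.
    mins = exhaust_seconds(DICTIONARY_WORDS, DUAL_CORE_RATE, cpus=360) / 60
    print(f"same dictionary at 360x the rate: {mins:.0f} minutes")
    print(f"dictionary passphrase: ~{dictionary_bits(DICTIONARY_WORDS):.0f} bits")
    print(f"random 20-char alphanumeric: ~{random_passphrase_bits(20, 62):.0f} bits")
```

The takeaway for a network owner is the last two lines: the cluster only helps against passphrases that live in a 27-bit dictionary space, so a long random PSK (or 802.1X/WPA-Enterprise) is the mitigation, not a longer dictionary word.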



It's not bad enough that I can spend days browsing in the museums, now I can burn my spare time searching their database.

http://www.bespacific.com/mt/archives/022958.html

December 07, 2009

New Smithsonian Collection Search

The Collections Search Center provides easy "one-stop searching" of more than 2 million of the Smithsonian's museum, archives, library and research holdings and collections. The access to more Smithsonian collections via this Search Center is increasing over time. Collections currently available include: 265,900 images, video and sound files, electronic journals and other resources from the Smithsonian's museums, archives & libraries.



The countdown continues...

http://www.thetechherald.com/article.php/200950/4908/Microsoft-urges-XP-users-to-migrate-to-Windows-7

Microsoft urges XP users to migrate to Windows 7

… Microsoft is ending support for XP on July 13 of 2010.



Yeah, I should do this.

http://howto.wired.com/wiki/Transfer_VHS_Tapes_to_DVD?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+wired%2Findex+%28Wired%3A+Index+3+%28Top+Stories+2%29%29

Transfer VHS Tapes to DVD
