Friday, December 04, 2009

They probably scanned the documents to make storage easier. It is also easy to find and read a single record, but reviewing all of them is like looking at paper documents.

http://www.databreaches.net/?p=8715

Health Net notifies New Hampshire that 504 residents affected

December 3, 2009 by admin Filed under Breach Incidents, Healthcare Sector, Lost or Missing, U.S.

Health Net’s notification to the New Hampshire Attorney General’s Office is now available online (pdf). Dated November 23, the letter states that although the files on the lost portable hard drive were not encrypted as they should have been, because they were image-only format files of scanned documents, they would be difficult to view. [If memory serves, these were scanned documents. Like those prepared for electronic discovery, they were most likely TIFF files. I just did a Google search on “TIFF viewer” and got 2.9 million hits, the first of which was a plugin for browsers. Bob] The files contained names, addresses, phone numbers, Social Security numbers, and possibly protected health information and financial information of 504 New Hampshire residents.

Health Net noted that because of the image format, it had taken them a long time to identify whose records were involved and that as of November 23, the process was still not complete.
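Added example, not part of the original post or of Health Net's process: a check that separates "stored in a viewer-readable image format" from "actually encrypted". It looks for the magic bytes of common containers (a scanned TIFF announces itself in its first four bytes) and measures byte entropy, which sits near 8 bits/byte for ciphertext. The file names and contents are constructed for the demo; the "TIFF" is a bare header plus filler, and the "encrypted" file is deterministic pseudo-random bytes, not output of any real cipher.

```python
"""Tell viewer-readable image files from encrypted ones on a drive.

Added example for this post, not Health Net's procedure. build_samples()
writes constructed files into a temp directory; on a real drive you would
call classify_tree(mount_point) instead."""
import hashlib
import math
import os
import tempfile
from collections import Counter

# Magic numbers of common document/image containers. A file that starts with
# one of these is self-describing plaintext that any off-the-shelf viewer opens.
MAGICS = {
    b"II*\x00": "TIFF (little-endian)",
    b"MM\x00*": "TIFF (big-endian)",
    b"%PDF-": "PDF",
    b"\x89PNG\r\n\x1a\n": "PNG",
    b"\xff\xd8\xff": "JPEG",
}


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: close to 8.0 for ciphertext or compressed data, much lower for scans."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def classify(path: str, sample_size: int = 4096) -> dict:
    """Classify one file from its leading bytes."""
    with open(path, "rb") as f:
        head = f.read(sample_size)
    fmt = next((name for magic, name in MAGICS.items() if head.startswith(magic)), None)
    ent = shannon_entropy(head)
    if fmt is not None:
        verdict = "plaintext"  # recognizable container: "image-only" is no obstacle
    elif ent > 7.5:
        verdict = "likely encrypted or compressed"  # no magic, near-uniform byte distribution
    else:
        verdict = "unrecognized plaintext"  # no magic, but clearly structured data
    return {"path": path, "format": fmt, "entropy": round(ent, 2), "verdict": verdict}


def classify_tree(root: str) -> list:
    """Classify every file under root, in a stable order."""
    return [classify(os.path.join(d, f)) for d, _, files in os.walk(root) for f in sorted(files)]


def build_samples(root: str) -> None:
    """Constructed sample files (not breach data)."""
    # Minimal little-endian TIFF header (byte order, magic 42, offset of first IFD)
    # followed by filler that mimics a mostly-white scanned page.
    tiff = b"II*\x00" + (8).to_bytes(4, "little") + b"\xff" * 4000 + b"\x00\xff" * 40
    with open(os.path.join(root, "record_0001.tif"), "wb") as f:
        f.write(tiff)
    # Deterministic pseudo-random bytes standing in for a properly encrypted copy.
    blob, seed = b"", b"example-seed"
    while len(blob) < 4096:
        seed = hashlib.sha256(seed).digest()
        blob += seed
    with open(os.path.join(root, "record_0001.tif.enc"), "wb") as f:
        f.write(blob[:4096])


def demo() -> list:
    with tempfile.TemporaryDirectory() as root:
        build_samples(root)
        return classify_tree(root)


if __name__ == "__main__":
    for result in demo():
        print(result["verdict"], result["format"], result["entropy"], result["path"])
```

The point of the check is the first branch: a file whose header says "TIFF" is readable by anyone who finds the drive, regardless of how long it takes the owner to work out whose records it holds. Entropy alone is a weaker signal (compressed images also score high), so the magic-number test takes precedence.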



Less quantity, more quality?

http://www.databreaches.net/?p=8691

Many More Government Records Compromised in 2009 than Year Ago, Report Claims

December 3, 2009 by admin Filed under Commentaries and Analyses, Government Sector

Hilton Collins reports:

If you’re bummed about the data in your department that just got breached, you have some cold comfort. Although the combined number of reported data breaches in the government and the military has dropped in 2009 compared to last year, many more records were compromised in those breaches, according to recent figures compiled by a California nonprofit.

As of Tuesday, Dec. 1, the Identity Theft Resource Center (ITRC) reported 82 breaches in U.S. government and military organizations. Although the year isn’t over, that’s fewer than the 110 that occurred in 2008.

But here’s the catch: The breaches so far in 2009 have compromised more than 79 million records, whereas fewer than 3 million were hacked in 2008. A sobering upswing, to say the least.

Read more on Government Technology.


(Related) Letting the computer do the work...

http://www.databreaches.net/?p=8717

Malware rebounds as cause of data loss

December 4, 2009 by admin Filed under Commentaries and Analyses, Malware

The 2009 CSI Computer Crime and Security survey identified a number of shifts in significant cybersecurity threats this year. Malware infections jumped to 64% from 50%, reversing a dip in the number of companies experiencing malware infections that started in 2005. That year, the figure was 74%.

Other significant changes were an almost doubling in the percentage of companies that experienced password sniffing attacks, from 9% last year to 17% this year. And the percentage of respondents reporting financial fraud increased from 12% last year to one in five companies in 2009.

Read more on InfoSecurity.com


(Related)

http://www.databreaches.net/?p=8698

Top Experts Examine Causes Of Breaches In Spy Museum Forensics Panel

December 3, 2009 by admin Filed under Commentaries and Analyses

Tim Wilson writes:

Here at the U.S. Spy Museum, breaches are taken seriously. And in a panel held here last night, four top security experts had some serious advice for enterprises and security professionals.

[...]

If companies are going to defend themselves against the onslaught of attacks, panelists said, they need to change the way they approach the security problem. Carr observed that the Heartland breach — which turned out to be one of some 300 compromises orchestrated by a single group of attackers — might have been detected and stopped much earlier if companies and law enforcement agencies had shared the information they had about the SQL injection malware that was responsible for the leaks.

“After it happened, I contacted the other payment systems companies and offered to share the malware with them so that they would know what to look out for,” Carr said. “That was the beginning of something. We’re now sharing data between us, even though many of us are bitter competitors in the market. Some of them ran scans for the malware and found it on their systems. We’ve had the FBI come to us and share malware with us, as well. These are things that might never have happened a year ago.”

[...]

Companies also should be prepared for the possibility that even their best defenses will be compromised, the experts said. “At Heartland, we built a transaction network that was completely separate from our corporate network,” Carr said. “But we were breached from the corporate network. It took the hackers about six months to find a way to get into our payment network from our corporate network, but they found it.” [Interesting. Isn't this a change of tune? I thought they had been had through the aggregators (where the card swipe machines were routed to their headquarters.) Bob]

Read the full story on Dark Reading.
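Added example of the scan Carr describes (peers running a check for a shared sample), not code from Heartland, the panel, or the original post. It takes two kinds of shared indicator, SHA-256 hashes of known-bad files and byte sequences found inside them, and walks a file tree. The sample files, the hash and the marker string are all constructed for the demo and have nothing to do with the real malware; the byte-pattern match is there because a repacked variant changes the hash but often keeps its embedded strings.

```python
"""Scan a file tree for indicators shared by a peer company or law enforcement.

Added example for this post. The indicator values and sample files are
constructed for the demo; they are not the Heartland malware or any real
sample. Assumes indicators arrive as SHA-256 hashes of known-bad files plus
byte sequences found inside them."""
import hashlib
import os
import tempfile

# Constructed indicators (hypothetical; a real feed would be loaded from the shared file).
KNOWN_BAD_CONTENT = b"constructed stand-in for a shared malware sample\n"
CONSTRUCTED_MARKER = b"EXAMPLE-MARKER-DO-NOT-USE"


def sha256_file(path, chunk=1 << 20):
    """Hash a file in chunks so large files need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def find_patterns(path, patterns, chunk=1 << 20):
    """Return labels of the byte patterns present in the file.

    Keeps the last (longest pattern - 1) bytes of the previous chunk so a
    pattern straddling a chunk boundary is still found."""
    longest = max((len(p) for p in patterns), default=0)
    hits, tail = set(), b""
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            window = tail + block
            for pattern, label in patterns.items():
                if pattern in window:
                    hits.add(label)
            tail = window[-(longest - 1):] if longest > 1 else b""
    return hits


def scan_tree(root, indicators, chunk=1 << 20):
    """Walk root and report (relative path, reasons) for every file that matches."""
    findings = []
    for d, _, files in os.walk(root):
        for name in sorted(files):
            path = os.path.join(d, name)
            reasons = []
            if sha256_file(path, chunk) in indicators["sha256"]:
                reasons.append("hash match")
            reasons.extend(sorted(find_patterns(path, indicators["byte_patterns"], chunk)))
            if reasons:
                findings.append((os.path.relpath(path, root), reasons))
    return findings


def build_samples(root):
    """Constructed files for the demo (none of this is real malware)."""
    with open(os.path.join(root, "svchost_helper.exe"), "wb") as f:
        f.write(KNOWN_BAD_CONTENT)  # byte-for-byte copy: caught by hash
    with open(os.path.join(root, "updater.dll"), "wb") as f:
        f.write(b"\x00" * 100 + CONSTRUCTED_MARKER + b"\x00" * 100)  # repacked: pattern only
    with open(os.path.join(root, "readme.txt"), "wb") as f:
        f.write(b"nothing to see here\n")


def demo(chunk=1 << 20):
    indicators = {
        "sha256": {hashlib.sha256(KNOWN_BAD_CONTENT).hexdigest()},
        "byte_patterns": {CONSTRUCTED_MARKER: "example dropper marker"},
    }
    with tempfile.TemporaryDirectory() as root:
        build_samples(root)
        return scan_tree(root, indicators, chunk)


if __name__ == "__main__":
    for path, reasons in demo():
        print(path, "->", ", ".join(reasons))
```

A hash list only catches byte-identical copies; the second sample file shows why the shared data should include strings or code fragments as well. The chunk size is a parameter so the boundary handling can be exercised with a tiny chunk, which is also how to test it before trusting a scan of a large volume.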



Probably too boring to watch, but we could record the webcast and cut to the good parts (if any)

http://www.pogowasright.org/?p=5953

FTC To Host Privacy Roundtable

December 4, 2009 by Dissent Filed under Govt, Other

WHAT: The Federal Trade Commission will host the first of three public Roundtables to explore the privacy challenges posed by technology and business practices that collect and use consumer data. This first roundtable will focus on the benefits and risks of information-sharing practices, consumer expectations regarding such practices, behavioral advertising, information brokers, and the adequacy of existing legal and self-regulatory frameworks. The updated agenda and other information about the Roundtable is at http://www.ftc.gov/bcp/workshops/privacyroundtables/index.shtml

WHEN: Monday, December 7, 2009 8:30 AM – 6:00 PM

WHERE: FTC Conference Center 601 New Jersey Avenue N.W. Washington, DC 20580

The Roundtable is free and open to the public. Pre-registration is not required. Members of the public and press who wish to participate but cannot attend can view a live Webcast.



Automating the complaint process should ensure that more Privacy complaints are filed but will that have an impact?

http://www.pogowasright.org/?p=5935

CDT makes it easier to file privacy complaints

December 3, 2009 by Dissent Filed under Businesses, Featured Headlines, Internet

As part of its new “Take Back Your Privacy” privacy initiative, CDT has launched a Privacy Complaint Tool to facilitate consumers filing complaints with the Federal Trade Commission about web sites or products or services that they believe are violating privacy.

[From the CDT website:

When you join the privacy campaign, we’ll keep you informed about the major developments in Internet user privacy – whether they occur in Capitol Hill meeting rooms or Silicon Valley boardrooms. We’ll also tip you off to opportunities to make your voice heard, both by lawmakers and by the companies that collect our personal information.



For some reason, we've been seeing lots of detail about the type and amount of information telecoms and Internet providers keep and are sharing with law enforcement.

http://www.pogowasright.org/?p=5926

Yahoo!’s guide for LEAs revealed

December 3, 2009 by Dissent Filed under Featured Headlines, Internet, Surveillance

Cryptome has posted a number of compliance guides for law enforcement agents seeking customer or subscriber information from Cox, Cricket, GTE, and Yahoo!, and other providers. While some of the files may be outdated by now, the Yahoo! guide is from December 2008, and Yahoo is trying to get it removed from Cryptome’s site.

Yesterday, Yahoo!’s lawyers sent a DMCA take down notice to Cryptome setting noon today as the time by which the file must be removed. As of the time of this posting, which is after their “high noon” deadline, the file is still available on the site.

Although I don’t spot any “smoking guns” in Yahoo!’s guide, it does reveal exactly what kinds of information Yahoo! retains and can make available to law enforcement and what they charge for particular services. As noted yesterday, Chris Soghoian had attempted to obtain some of the pricing information under freedom of information requests and Yahoo! had strongly objected, citing not only trade secrets arguments but the notion that Chris would use the information to “shame” them or attempt to shame them.

In any event, it seems that this particular kitty’s out of the bag now, as Cryptome is not the only site hosting the compliance guide and it’s probably been downloaded by numerous people by now as links to the sites have been posted around the web and on mail lists.

While it may be small consolation to Yahoo!, compared to other guides from other providers, theirs is pretty clearly written and designed to be actually helpful to law enforcement in terms of describing exactly what kinds of data they have available and for how long, etc. As to their prices, well, if you need information from a provider because that provider has information on an individual, does a competitor’s pricing really even come into play?



Not a typical article for this blog, but I asked myself if technology (in this case the Internet) changes the impact of certain crimes or violations of law or regulation? Is this young man's harm greater because this disclosure is “global?”

http://www.pogowasright.org/?p=5949

Teen sues over ID in online arrest log

December 4, 2009 by Dissent Filed under Court, Internet, Youth

Amanda Pinto reports:

In what may be the first lawsuit of its kind in the state, a Rhode Island man is suing the town because he was listed in an online arrest log when he was 17 years old, which is not permitted by law.

The plaintiff, now 18, is identified in the suit as John Doe to protect his privacy. State law mandates that arrest records for people under the age of 18 “shall be confidential and shall not be open to public inspection,” his attorney, Diane Polan of New Haven, wrote in the suit.

Polan and other law scholars said the case is unique.

“In my experience, (police) are scrupulous about this, following the state law,” Polan said. “I’ve never heard of this happening.”

Once it did happen, in this “age of Internet privacy invasion” police could not put the genie back in the bottle, Polan said.

According to the lawsuit filed in Superior Court in New Haven, the information remained on the Web site for nearly one year, and is now available on other Web sites.

Read more in the New Haven Register.



Unlikely, but a possibility. Won't that drive the telecoms crazy!

http://www.livescience.com/technology/091202-google-phone-free-service-voip.html

Google Phone Could Mean Free Mobile Phone Service

By Leslie Meredith, TopTenREVIEWS posted: 02 December 2009 05:06 pm ET



We had the same thing when I was growing up, but we called it mooning.

http://www.wired.com/threatlevel/2009/12/sexting-survey?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+wired%2Findex+%28Wired%3A+Index+3+%28Top+Stories+2%29%29

Survey: One-Third of Youths Engage in Sexting

By Kim Zetter December 3, 2009 7:00 am



For the Swiss Army folder, my statistics students and perhaps a few climate change politicians?

http://www.wired.com/wiredscience/2009/12/download-robot-scientist/

Download Your Own Robot Scientist

By Brandon Keim December 3, 2009 1:35 pm

… Eureqa, a program that distills scientific laws from raw data, is freely available to researchers.

… Lipson made Eureqa available for download early in November, after being overwhelmed by requests from scientists who wanted him to analyze their data.



For the Hacking folder.

http://it.slashdot.org/story/09/12/04/0413235/Malware-Could-Grab-Data-From-Stock-iPhones?from=rss&utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+Slashdot%2Fslashdot+%28Slashdot%29

Malware Could Grab Data From Stock iPhones

Posted by timothy on Friday December 04, @01:20AM from the swamp-of-bog-standard dept.

Ardisson writes

"Swiss iPhone developer Nicolas Seriot presented last night a talk on iPhone Privacy in Geneva. He showed how a malicious application could harvest personal data on a non-jailbroken iPhone (PDF) and without using private APIs. It turns out that the email accounts, the keyboard cache content and the WiFi connection logs are fully accessible. The talk puts up several recommendations. There is also a demo project on github."



Also for the Hacking folder.

http://www.thetechherald.com/article.php/200949/4879/New-software-will-break-BitLocker-encryption

New software will break BitLocker encryption

by Steve Ragan - Dec 3 2009, 17:00

The protection offered by Microsoft’s BitLocker technology might be for naught, if a password recovery and decryption vendor has their say. Passware, who counts Microsoft, Apple, Intel, and the IRS among their clients, has released a new version of Passware Kit Forensic, and one of the new features is the ability to take down BitLocker in minutes.

… “Full-disk encryption was a major problem for investigators,” said Dmitry Sumin, Passware President. “We have been able to provide police, law enforcement, and private investigators [And hackers! Don't forget us hackers! Bob] with a tool that allows bypassing BitLocker encryption for seized computers.”

… Moreover, the software is available for anyone who wants it, if they spend almost $800.00 USD for it.
