Saturday, February 07, 2009

More in the continuing story of a massive security failure...

More Heartland Details Leak Out (And Some May Be Trying To Leak Back In)

Posted February 6th, 2009 by admin

Evan Schuman reports:

Details surrounding the Heartland data breach continue to dribble out, with one respected payment systems newsletter reporting that the forensic investigators Heartland brought in were Cybertrust and Neohapsis.

Heartland had tried keeping those names confidential, an effort that was succeeding prior to the Wednesday, Feb. 4 issue of The Nilson Report. That newsletter also quoted from a MasterCard alert, which provided new details about what was taken and when.

“According to a MasterCard alert, this sniffer program stole card numbers and expiration dates from credit and debit cards processed by Heartland from May 14, 2008, through Aug. 19, 2008, as the information entered Heartland’s payment switch,” the Nilson story said. “Only an estimated 5 percent of the stolen card numbers also included names. [100 million per month times 3 months times .05 = 15 million. That makes me feel so much better! Bob] The malware was likely deactivated when Heartland conducted regular system upgrades as part of its PCI Data Security Standards (PCI DSS) compliance program, although it’s possible that the hackers shut it down to try and avoid being traced.”

Read more on StorefrontBacktalk

Related There is a risk in being too quick to respond when you are not positive the source of the breach has been identified and closed! NOTE: At the time of the first letter, HPS had no idea its data was being stolen in wholesale quantities.

Add Dime Savings Bank of Williamsburgh to list….

Posted February 7th, 2009 by admin

Kid #1 came in last night and threw the letter down on my desk in disgust. For the second time since June, Dime Savings Bank of Williamsburgh had notified him that his debit card was being replaced due to a breach and that he would have to personally come in to the bank to activate the new card.

The bank’s notification letter was even less helpful than the uninformative one he had received in June. At least that one had a phone number on the letterhead if anyone actually wanted to call. This letter was the June letter verbatim with only the dates replaced, and had no phone number on it at all.

Looking back at that June letter, I see that I had wondered at the time what breach it might be connected to, but never heard anything more. Now that we know that the Heartland breach seems to have occurred as early as May, is it possible that the June letter was actually a result of Heartland, too? Do we actually know how early misuse of debit cards or credit cards started in the Heartland breach?

Somebody probably knows, but we’re not being told much.


Huge bank card scam hits Bermuda

Posted February 7th, 2009 by admin

How curious…. Canadian Tire had told me that 2% of their customers’ cards had been misused as a result of the Heartland Payment Systems breach. Now another non-US entity mentions 2%. Have we gotten reports from any UK banks yet?

Hundreds of debit and credit card customers in Bermuda have been dragged into one of the world’s biggest security breaches.

Bank of Bermuda and Butterfield Bank are warning customers to be on guard after cyber-crooks hacked into the computer system of an overseas payment company.

Individuals and businesses with Visa and MasterCard cards are said to be at risk from the data breach at Heartland Payment Services.


The widespread security breach has affected fewer than two per cent of Bank of Bermuda’s card users and “a small number” of Butterfield Bank customers.

Read more on BDA Sun


Quick Poll: Many Smaller Banks Hit By Heartland Breach

Posted February 6th, 2009 by admin

Brian Krebs reports:

In another sign that the recently disclosed data breach at credit card processing giant Heartland Payment Systems may indeed be one for the record books, a quick survey of community banks indicates that a majority of institutions have been notified that at least some of their debit or credit cards were compromised in the breach.

Read more in The Washington Post

[From the article:

The Independent Community Bankers of America, a trade group that includes some 5,000 banks representing 18,000 locations nationwide, took an informal poll of its members recently to find out how many were contacted by Heartland. According to the ICBA, 83 percent of the 512 member banks that responded said they had credit and/or debit cards affected by the Heartland breach. Thirteen percent said they didn't know yet.

… So far, most of the information we have about the size of the breach has come from the Open Security Foundation. OSF maintains, which has collected a list of news stories about specific banks that have acknowledged receiving notice from Heartland about compromised accounts. According to OSF, as of this writing, 79 banks have reported being affected by the Heartland breach, with a known total of 276,066 cards affected.

Small, but another amazed group of managers...

CA: Personal Info On 1,000s Of Kaiser Employees Stolen

Posted February 6th, 2009 by admin

CBS reports:

Thousands of northern California Kaiser employees are being notified that their personal information including social security numbers was stolen from the company.

Kaiser has set up an Employee Security Support Line for the 29,500 employees whose information was stolen to handle the situation. A recorded message on the line says that the stolen information was found in the possession of a criminal [So, 1) their security didn't detect it and 2) they have no idea how he got the data Bob] who has since been arrested. The information included employee names, social security numbers and birthdates. And that so far, only a ‘few employees had been impacted’.

Kaiser says it is working with law enforcement to discover how their computer system was breached. But it does not say when the information was actually stolen or recovered.


This is Kaiser’s second known breach in the past six months. In August, Kaiser Foundation Health Plan of Mid-Atlantic States notified (pdf) the Virginia Attorney General’s Office that an employee had stolen and misused patient information from patients at the Kaiser Permanente Falls Church Medical Center. Kaiser notified 5,200 members in that breach, which was never reported in the media. [like this Blog, 5200 is too trivial to bother reporting... Bob] In the most recent incident, no patient data was reportedly involved.

Related An editorial sparked by the HPS breach. If even the media is noticing the “breach situation” is it possible we'll start seeing stronger laws?

Once the information is exposed on the Internet, are all future efforts at confidentiality now worthless? It will certainly be difficult to say, “I don't have that information,” when everyone in the audience does.

Confidential LAPD misconduct files mistakenly posted on Internet

Posted February 7th, 2009 by admin

Joel Rubin reports:

The Los Angeles Police Commission violated its own strict privacy policy — and perhaps state law — on Friday, releasing a confidential report on the Internet that contained the names of hundreds of officers accused of racial profiling and other misconduct.

The blunder, which police officials attributed to a clerical error, marks an embarrassing misstep for a police department that has staunchly rebuffed efforts by the public to learn the identities of accused officers and gain greater access to the discipline process.

Read more in The Los Angeles Times

[From the article:

The commission and department staff had reviewed a paper copy of the report that did not contain the confidential information and assumed the electronic version would be the same, Tefank said. [“We reviewed a picture of the Titanic and thought it was only six inches long.” “The map is not the territory,” Alfred Korzybski Bob]

ATTABOY! A school that did not automatically assume their students were terrorists! Bravo. (However, they seem to assume that parents are somehow not worthy...)

WA: Student finds ‘back door’ in YCS program

Posted February 6th, 2009 by admin

Megan Hansen reports:

Yelm Community Schools shut down its computer account system Skyward after a student discovered a potential security breach.

“A student showed us a back door,” said Director of Technology Dennis Wallace. “We immediately shut down access to Skyward.”

Skyward is a computer account system that the school, students and parents can access which contains the students’ personal information, schedule, grades and lunch balance.

Wallace said the student found a way to gain access into the account system and immediately informed his teacher.

The district’s technology department called the student in to question the breach. [How are you feeling today, Mr Breach? Bob]

They then fixed it and had the student try and gain access again. He did and the school had to go back in and fix it again. [Perhaps they don't understand the definition of “fixed it” Bob]

Read more in Nisqually Valley News

[From the article:

He also said he did not feel the situation required notification to parents.

“We went in and fixed the problem,” Wallace said. “We weren’t even sure there had been a breach.”

[There's a lot they don't seem to know. Bob]

Sometimes I ponder what the world would be like if Darwin's observations applied to the Internet. Survival of the fittest can also be stated as “Death to dummies!” If this was a “real” danger, it would quickly kill off all of its customers and be abandoned as an evolutionary dead end. (Perhaps I should write an e-Darwin manifesto!)

Privacy Group Calls Google Latitude a Real 'Danger'

Posted by Soulskill on Friday February 06, @07:58PM from the no-latitude-for-latitude dept. Google Privacy

CWmike writes

"Privacy International is calling Google's new mapping application an 'unnecessary danger' to users' security and privacy. The criticism follows the unveiling this week of Google Latitude, an upgrade to Google Maps that allows people to track the exact location of friends or family through their mobile devices. Google Latitude not only shows the location of friends, but it can also be used to contact them via SMS, Google Talk or Gmail. 'Many people will see Latitude as a cool product, but the reality is that Google has yet again failed to deliver strong privacy and security,' said Simon Davies, director of London-based Privacy International, in a statement. The group's chief concern is that Google Latitude lacks sufficient safeguards to keep someone from surreptitiously opting into the tracking feature on someone else's device."

Political advantage (this includes appearing cool) outweighs security every time. (On the other hand, it might be a clever play on the part of the Secret Service to see if anyone has developed a Blackberry targeting missile – before they let the President use his.)

Congressman Twitters secret trip to Iraq

Posted by Rafe Needleman February 6, 2009 8:11 PM PST

For security reasons, the congressional delegation led by House Minority Leader John Boehner to Iraq today was supposed to be secret. Everything had been going fine in that regard. Even media outlets which knew of the trip, like the Congressional Quarterly, kept a lid on the news.

That was, until Representative Peter Hoekstra Twittered his arrival into Baghdad. "Just landed in Baghdad. I believe it may be first time I've had bb service in Iraq. 11 th trip here," he sent from his Blackberry.

Strategy: Isn't this crazy? I already have a problem with cable “monopolies” and this suggests the same thought(less) process is coming to the Internet.

ESPN to ISPs: Pay for Your Customers to Play Video

By Eliot Van Buskirk February 05, 2009 8:18:06 PM

Not much detail here, but I suspect some of my website students might like to add a chat room to their sites. Behind a “sign in” wall, this could be useful.

99Chats.Com - Create Your Own Chat Room

Are chat rooms still relevant? Well, apparently, yes, according to With the site, you’ll be able to create your own chat room, to which you’ll be able to invite your friends

… You can add chat rooms to your MySpace, Orkut, Friendster, Hi5, Tagged, WordPress, and Blogger profiles.

What’s that good for? Well, that’s up to you. You can use it to have your blog readers interact, to have your friends write on your profile (like they do through Facebook’s wall), or any other thing you can think of.

Tools & Techniques: This is interesting and a little spooky. Note that if you click on their link, the URL changes to indicate they are ready to track you! - Measuring Digital Word Of Mouth

Born out of the merging of Reach Machines and Fyreball, Meteor Solutions is a company that provides a concise service, specially suited to the digital times we live in. In essence, it enables any publisher, marketer or agency to track digital content as it traverses the web. Think of it as a solution for tracking word of mouth in the online channels we all are familiar with.

This system is implemented through tracking scripts that are added to the site itself, like identifying tags for monitoring the path it trails through the web. Some of the events that are monitored include links on web pages, e-mails, bookmarks and instant messaging

Furthermore, a graph is generated for identifying each unique visitor and visualizing each single source and the role it plays in the process as a whole. Meteor Tracker is also capable of tracking individual actions, and this is very useful for webmasters that aim to drive visitors to click on specific portions of their sites.

By way of conclusion, the provided service stands as a thorough option when it comes to gauging the impact that digital content is having on the Net at large. If you want to ensure that you are reaching the right public, this solution might be just what you need.

Friday, February 06, 2009

Update, with some interesting comments from the analysts. Heartland closed at $9.17, down from a 52 week high of $33 – obviously not all of the drop was due to the breach as it was trading in the high teens at the start of the year.

Susquehanna Upgrades Heartland Payment Systems (HPY) to Neutral

Posted February 5th, 2009 by admin

Susquehanna analyst says, “We are upgrading HPY to Neutral from Negative, as it has achieved our price objective. Although considerable risk persists related to the credit/debit card data breach disclosed last month, we believe such penalties are contemplated in the current valuation. We consulted a range of experts, including reformed hackers, data security auditors (PCI DSS), and competing ISOs. Although we think we understand the mechanics of a prospective penalty, these sources suggest a range of outcomes that is frankly too broad to reasonably base (from tens of millions to billions of dollars). It seems no one (outside the FBI and organized crime, perhaps) knows the extent of the breach (Did they get the coveted magnetic stripes? Was the data encrypted?) These details will likely dictate the penalties, the difference between going concern and back to business. We are reducing our estimates sharply on a “best guess” assumption regarding merchant flight, increased capex, and association penalties toward $25 mln.”

Source -

Trivial in comparison, but so were the changes that would have prevented it.

phpBB hacked, 400,000+ account details intercepted

Posted February 5th, 2009 by admin

The online bulletin board phpBB (php Bulletin Board) was taken offline on Sunday, following a security breach that allowed access to user account details. phpBB is an open-source software package used to run discussion forums on web sites. The breach was caused when the attacker gained access through an unpatched security bug in PHPlist, a third-party open source email application, used for managing newsletters. The attacker had access for more than two weeks before the breach was discovered.

Read more on Heise Online. The Register also has coverage.

Thanks to Brian Honan for the links.

[From the Heise article:

The writer also claims to have created a script that was able to break more than 28,000 passwords which were hashed using an unsalted MD5 algorithm. According to The Register, the blogger then posted the password details to the internet. [Many users use the same password on several accounts... Bob]

[From the Register article:

Sadly, the attack could have been prevented by adding a single line to an administrator's index file.
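Worth seeing in code is why one script could recover 28,000 of those passwords. The block below is an added example, not code from phpBB or from either article: it hashes a toy wordlist once and looks every leaked row up against that table, which is why the cracker's cost does not grow with the number of users, and then shows what a per-user random salt plus an iterated hash changes. PBKDF2-HMAC-SHA256 is used as the hardened scheme here because it is in the Python standard library; that choice is this example's, not a statement about what phpBB adopted. The "leaked" user table and the wordlist are constructed.

```python
"""Added example (not phpBB code and not from the quoted articles): why
unsalted MD5 lets one script crack tens of thousands of passwords, and
what a salted, iterated hash changes.

Everything here is constructed: the leaked user table and the wordlist
are made up; no real phpBB data is used.
"""
import hashlib
import hmac
import os

# Constructed leak: (username, unsalted MD5 hex), the storage the articles describe.
LEAKED_ROWS = [
    ("alice", hashlib.md5(b"password").hexdigest()),
    ("bob",   hashlib.md5(b"letmein").hexdigest()),
    ("carol", hashlib.md5(b"password").hexdigest()),   # same digest as alice
    ("dave",  hashlib.md5(b"Tr0ub4dor&3").hexdigest()),
]

# Toy wordlist standing in for the dictionary a cracker would use.
WORDLIST = ["123456", "password", "qwerty", "letmein", "phpbb"]


def crack_unsalted_md5(rows, wordlist):
    """Hash each candidate ONCE, then look every row up in that table.

    Cost is O(len(wordlist) + len(rows)): cracking 28,000 hashes is about
    as cheap as cracking one, and users who share a password fall together.
    Returns {username: recovered_password}.
    """
    table = {hashlib.md5(w.encode()).hexdigest(): w for w in wordlist}
    return {user: table[h] for user, h in rows if h in table}


# --- hardened storage: per-user random salt + iterated hash -------------
ITERATIONS = 100_000  # assumption for this example; tune to your hardware


def hash_password(password, salt=None):
    """Return (salt, digest) using PBKDF2-HMAC-SHA256 with a random salt."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest


def verify_password(password, salt, digest):
    """Constant-time comparison so the verifier does not leak via timing."""
    return hmac.compare_digest(hash_password(password, salt)[1], digest)


def crack_salted(rows, wordlist):
    """Same dictionary against salted rows: the precomputed table is useless.

    rows: [(username, salt, digest)]. Every user now costs a full pass over
    the wordlist at ITERATIONS hash calls per guess, and two users with the
    same password no longer share a digest.
    """
    found = {}
    for user, salt, digest in rows:
        for w in wordlist:
            if verify_password(w, salt, digest):
                found[user] = w
                break
    return found


if __name__ == "__main__":
    print("unsalted:", crack_unsalted_md5(LEAKED_ROWS, WORDLIST))
    s1, d1 = hash_password("password")
    s2, d2 = hash_password("password")
    print("same password, different salted digests:", d1 != d2)
```

The unsalted run recovers alice, bob and carol with five hash calls; dave survives only because his password is not in the list. With salts, the only thing that still works is guessing per user, which is exactly the work factor the iteration count is there to inflate.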

There are several interesting points, including what the CISO isn't responsible for...

Financial institutions brace for rise in security breaches

Thursday, February 05 2009 @ 08:25 AM EST Contributed by: PrivacyNews

Financial institutions are facing an increased risk of security breaches this year owing to budgetary constraints and an increased threat of insider misconduct, according to the latest annual Global Security Survey from Deloitte.

The research found that internal and external security breaches at financial institutions worldwide actually fell over the past year, but that employee misconduct is a growing concern.

Source - IT News

[The survey is here:

The Information Systems Audit and Control Association has a new exposure draft out. Might be useful for your Security Manager... If nothing else, can we agree on their definition of IT Risk? (page 11)

Enterprise Risk: Identify, Govern and Manage Risk The Risk IT Framework Exposure Draft

This IT enterprise risk management framework was designed to allow business managers to identify and assess IT-related business risks and manage them effectively.

Download (1.2M PDF)

Once again the evil troll in Marketing out-technos the Security elf. Perhaps I could charge rent for using my screen real-estate – double if you don't have a contract?

Why Your Pop-Up Blocker Doesn't Work Anymore

Posted by CmdrTaco on Thursday February 05, @09:59AM from the hate-them-so-much dept. Spam

An anonymous reader writes

"If you've noticed that pop-up ad windows seem to have made an unwelcome return into your life, it's because they're not using the same easily blockable technology as before. The Adimpact system uses DHTML to annoy you, and there's no immediate prospect of a solution."

The new trend. Force anyone who still thinks 15Mbps is “good enough” to move to a faster (more expensive) service. NOTE: It has nothing to do with volume. By the time a 15Mbps subscriber has downloaded their 100 gigabytes, the faster user will have downloaded 4 times as much.

Charter Cable Capping Usage Nationwide This Month

Posted by timothy on Thursday February 05, @02:23PM from the coming-soon-to-you-from-them dept.

An anonymous reader writes with this snippet from DSL Reports, with possible bad news for Charter customers who live outside the test areas for the bandwidth caps the company's been playing with:

"Yesterday we cited an anonymous insider at Charter who informed us that the company would very soon be implementing new caps. Today, Charter's Eric Ketzer confirmed the plans, and informed us that Charter's new, $140 60Mbps tier will not have any limitations. Speeds of 15Mbps or slower will have a 100GB monthly cap, while 15-25Mbps speeds will have a 250GB monthly cap. 'In order to continue providing the best possible experience for our Internet customers, later this month we will be updating our Acceptable Use Policy (AUP) to establish monthly residential bandwidth consumption thresholds,' Ketzer confirms. 'More than 99% of our customers will not be affected by our updated policy, as they consume far less bandwidth than the threshold allows,' he says."

But if they're lucky, customers will be able to hit that cap quickly.

Related An alternative, but the site has already been overwhelmed (slashdotted), but of course Google had already archived it at:

WISPS Mean Cable and DSL Aren't the Only Choices

Posted by timothy on Friday February 06, @07:33AM from the ephemeral-connection dept. Wireless Networking The Internet Technology

Brett Glass writes

"Feel like you're stuck with a no-win choice between expensive cable modem service and slow DSL for Internet? Currently using satellite, with long latencies that make it impossible to do VoIP or interactive gaming? One of America's best kept secrets, so it seems, is the wide coverage of WISPs — terrestrial (not satellite or cellular) wireless broadband Internet providers. The linked article gives an overview of WISPs and provides a handy map showing their nationwide coverage (more than 750,000 square miles of the continental US — and only about one third of the WISPs in the US are on the map so far). Most WISPs are small, independent, consumer-friendly, and tech savvy, making them a better choice than big, corporate ISPs who can't even tell a penny from a dollar."

“Now you can use technology to increase revenue!” Red Light Camera salesmen...

Italian Red Lights Rigged With Short Yellow Light

Posted by timothy on Thursday February 05, @09:42PM from the decent-pellet-gun-might-help dept.

suraj.sun writes with an excerpt from Ars Technica which brings to mind the importance of auditable code for hardware used in law enforcement:

"It's no secret that red light cameras are often used to generate more ticket revenue for the cities that implement them, but a scam has been uncovered in Italy that has led to one arrest and 108 investigations over traffic systems being rigged to stop sooner for the sole purpose of ticketing more motorists."

[from the article:

… some speculating that up to a million Italian drivers have been unfairly slapped with fines.

No bias here! Try getting a grade lower than “A” without cutting taxes...

February 05, 2009

Rescuing the American Economy A Guide to How the Stimulus Works

Center for American Progress. Rescuing the American Economy - A Guide to How the Stimulus Works, by Michael Ettlinger | February 5, 2009.

  • "The economy was already performing badly by many measures before the recession started in December 2007, but the poor economic performance was partially camouflaged by rising asset values—especially home values. Those rising asset values made many people and businesses feel well off and comfortable going into debt. Rising asset values, consumer overconfidence, and borrowing fueled economic activity and gave the economy a veneer of well-being, even though real family income remained lower than it had been before the recession of 2001."

Related Pick your cause(s) from the list!

February 05, 2009

Recent CRS Reports: Causes of the Financial Crisis, Alternative Fuels and Advanced Technology Vehicles

I don't know... Perhaps rewarding students for taking/posting notes will work, but are the students who don't take notes likely to want these? - College Class Notes

Keeping college life balanced is not really easy. In actuality, that is the fun of it – provided you don’t go too far in any direction. Relaxation is a vital part of hard work, so that if you missed a class because you couldn’t make it since you were too knackered to get there in time, or if you made it there only to sleep through it then this site will come to the rescue.

In a nutshell, it stands as a portal where notes can be both downloaded and uploaded. The ones who use the site – the ones who do the hard work, IE the uploaders of contents – earn points for their contributions, and these can later be redeemed for prizes at stores such as Victoria’s Secret and Nike. A rewards catalog is likewise featured, so you can see what’s in store before signing up.

Thursday, February 05, 2009

Sounds startling, until you remember that sending a copy of my medical records to you is counted as one breach and TJX is counted as one breach.

Most Data Breaches Involve Paper

Wednesday, February 04 2009 @ 09:07 AM EST Contributed by: PrivacyNews

If current headlines are to be believed, data breaches involving electronic devices occur with mind-numbing frequency. Stories about missing laptops and stolen passwords appear daily, yet a recent study debunks the conventional wisdom that the majority of data breaches occur electronically.

"The Security of Paper Documents in the Workplace" study, commissioned by the Alliance for Secure Business Information (ASBI), reveals that most breaches involve paper. In fact, 49 percent of respondents whose companies have been affected by a data breach said that one or more of the breaches involved the loss or theft of paper, not electronic, documents. Even more surprising, 80 percent of respondents polled indicated their company had experienced one or more data breaches in the past 12 months alone.

Source - Top Tech News

[The study:

Related? This one “involves paper” in a way I haven't seen before...

Malware Spreading Via ... Windshield Fliers?

Posted by timothy on Wednesday February 04, @01:12PM from the right-at-home-with-the-bug-guts dept. Security IT

wiedzmin writes

"Another interesting article published by the SANS ISC Handler's Diary is describing a very unusual vector for malware distribution — windshield fliers and fake parking tickets. A website URL provided for "disputing a ticket" actually leads to a malicious website, and a "toolbar" required to find the photo of your violation is, you guessed it, a trojan posing as a fake antivirus. The best part is — according to the VirusTotal report, it doesn't look like most antiviruses have signatures for this one yet."

I haven't seen many of these cases...

Woman Sentenced For Unlawful Access To Stored Communications.

Posted February 4th, 2009 by admin

This was a January 12th press release that never got picked up in my usual searches…

United States Attorney Karen P. Hewitt announced that today Tina Kafka pled guilty and was sentenced in federal court in San Diego by United States District Judge M. James Lorenz to serve two years of probation, and a special assessment of $25. Judge Lorenz accepted Ms. Kafka’s plea of guilty to a charge of unlawful access to stored communications, in violation of Title 18, United States Code, Section 2701.

According to Assistant U.S. Attorney Nicole Acton Jones, who prosecuted the case, in connection with her guilty plea Ms. Kafka admitted that between December 2006 and November 7, 2007, she intentionally accessed Explorer Elementary Charter School’s email server without authorization. Specifically, Ms. Kafka admitted that she accessed the email server by logging into email accounts assigned to at least 16 other employees, without their permission. Ms. Kafka further admitted that after she gained unauthorized access to the email server, she obtained access to both opened and unopened email messages that were stored on the server.

Source - U.S. Attorney’s Office, Southern District of California

For my Security students: Who needs this access? When do they use it? Do you match use of the Admin logon to specific problems being worked? (or do they always use that logon?) Simple concept.

Users' Admin Logins Make Most Windows Malware Worse

Posted by samzenpus on Thursday February 05, @01:09AM from the protect-yourself-at-all-times dept. Microsoft Security Windows

nandemoari writes

"A new analysis claims that over 90% of the Windows security vulnerabilities reported last year were made worse by users logged in with administrative privileges — an issue Microsoft has been hotly debating recently. According to BeyondTrust Corp., the result of the analysis of the 154 critical Microsoft vulnerabilities indicated that a full 92% could have been prevented if users were not logged into their systems with administrator status. BTC believes that restricting the number of users who can log in with these privileges will 'close the window of opportunity' for attackers. This is particularly true for users of Internet Explorer and Microsoft Office."

[A cute comment:

"Polite", a virus for Microsoft Word, already did this back in the mid 90's! When you try to save a file the virus macro asks "Shall I infect the file?", and kindly refrains from doing so if you say no.
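One way to act on the question in the lead-in (is each use of the Admin logon tied to a specific problem being worked?) is to reconcile privileged-logon events against the ticket queue. The block below is an added example, not code from BeyondTrust or from the article: it reads a constructed, simplified export of Windows Security events and lists every administrator logon that no ticket explains. Event ID 4672 ("Special privileges assigned to new logon") is the real event Windows writes when a logon is granted administrator-level privileges; the export's column layout, the accounts, hosts, ticket numbers and windows are all made up for the example.

```python
"""Added example (not from the BeyondTrust analysis or the article): match
admin logons to approved work, and surface the ones nobody can explain.

Event ID 4672 is the real Windows Security event for a logon that receives
administrator-level privileges. The export format below (timestamp, event
id, account, workstation) and every account, host and ticket are constructed.
"""
from datetime import datetime, timedelta

# Constructed export of Security-log events.
SAMPLE_EVENTS = """\
2009-02-04T09:02:11,4672,DOMAIN\\svc-backup,FS01
2009-02-04T10:15:42,4672,DOMAIN\\jsmith-adm,WS114
2009-02-04T13:47:03,4672,DOMAIN\\jsmith-adm,WS231
2009-02-04T22:30:55,4672,DOMAIN\\jsmith-adm,DC01
2009-02-05T08:01:19,4624,DOMAIN\\jsmith,WS114
"""

# Constructed ticket queue: which admin account may be used, where, and when.
APPROVED_WORK = [
    {"ticket": "INC-1042", "account": "DOMAIN\\jsmith-adm", "host": "WS114",
     "start": "2009-02-04T10:00:00", "end": "2009-02-04T11:00:00"},
    {"ticket": "CHG-0077", "account": "DOMAIN\\svc-backup", "host": "FS01",
     "start": "2009-02-04T09:00:00", "end": "2009-02-04T09:30:00"},
]

ADMIN_LOGON_EVENT = "4672"


def parse_events(text):
    """Turn the export into dicts with a real datetime; keep only 4672 rows."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, event_id, account, host = line.split(",")
        if event_id != ADMIN_LOGON_EVENT:
            continue
        events.append({"time": datetime.fromisoformat(ts),
                       "account": account, "host": host})
    return events


def matching_ticket(event, approved, slack=timedelta(minutes=15)):
    """Return the ticket that covers this logon, or None.

    A logon is covered when the same admin account is used on the same host
    inside the ticket's window, widened by a little slack for clock drift.
    """
    for work in approved:
        if work["account"] != event["account"] or work["host"] != event["host"]:
            continue
        start = datetime.fromisoformat(work["start"]) - slack
        end = datetime.fromisoformat(work["end"]) + slack
        if start <= event["time"] <= end:
            return work["ticket"]
    return None


def unexplained_admin_logons(text, approved):
    """Admin logons with no covering ticket: the ones a reviewer should ask about."""
    return [e for e in parse_events(text) if matching_ticket(e, approved) is None]


if __name__ == "__main__":
    for e in unexplained_admin_logons(SAMPLE_EVENTS, APPROVED_WORK):
        print(f"{e['time'].isoformat()} {e['account']} on {e['host']}: no ticket")
```

On the constructed data the backup service account and the 10:15 logon are explained by tickets; the afternoon logon on WS231 and the 22:30 logon on a domain controller are not, which is the short list a manager can actually ask about. The same logic applies to any privileged role, not only Windows administrators, as long as you log the privileged logon and keep the approvals machine-readable.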

Obviously, the larger the database you match against the better your odds of finding a match. This is related to the face recognition software used (with little or no success) at the SuperBowl.

CA: DMV proposal for face-detection technology irks privacy groups

Thursday, February 05 2009 @ 07:46 AM EST Contributed by: PrivacyNews

Even as cost-conscious Gov. Arnold Schwarzenegger looks to trim state spending every way he can, officials at the Department of Motor Vehicles are planning to spend tens of millions of dollars on new driver's license technology.

And privacy advocates say finances are the least of the plan's problems.

Source - Mercury News

Related - EFF: California Action Alert - Say No to Biometrics in CA Driver's Licenses Related - Consumer Federation of California: Dmv End Run Threatens Our Privacy

[From the article:

Similar software is used in Oregon, New Mexico, Texas, Colorado and Georgia. California DMV officials say that by flagging applicants who already have a license under a different name, the software has led to a reduction in fraudulent licenses and identification cards by as much as 10 percent in those states. [Is that the same as saying: It doesn't work 90% of the time? Bob]

ATTABOY! It's rare that I have anything good to say about Microsoft, but this looks like a great idea! (Rather than the phrase “We can, therefore we must!” that I use to deride managers who don't think of implications, here I would suggest the phrase “We can, so why don't we?” as an innovation model.)

Microsoft offers to just 'Fix it'

Posted by Ina Fried February 5, 2009 4:00 AM PST

When people encounter a problem with their PC, they often go to the Web and do a search to see if others have had the problem. If they are lucky, someone has found a fix and listed the steps on either a support document or within a user forum.

Now, they may have an even better option.

Over the past six weeks, Microsoft has quietly added a "Fix it" button to a few of the thousands of help documents on its Web site. When clicked, the computer then takes all the recommended steps automatically.

… The "Fix it" option is still fairly rare, showing up in around 100 different help documents. The effort is growing rapidly, though, up from just four such fixes when the program quietly began in December.

Why do I get the distinct impression that failure to be on the White List (and assuming I'm not on the Black List) leaves me in a gray area? Must the government always work at the extreme ends of the bell curve?

House Approves Whitelist of People Who Aren't Terrorists

By David Kravets February 04, 2009 4:02:24 PM

… Under the new plan, approved late Tuesday 413-3, innocent victims of the terrorist watchlist must prove to the Department of Homeland Security, through an undetermined appeals process, that they are not terrorists. They would then get their names put on what the legislation calls the "Comprehensive Cleared List."

Perhaps they could ask for help from the public?

UK Can't Read Its Own ID Cards

Posted by samzenpus on Thursday February 05, @04:11AM from the forest-for-the-trees dept. Security IT

An anonymous reader writes

"Despite the introduction of ID cards last November, it has emerged that Britain has no readers that are able to read the cards' microchips, which contain the person's fingerprints and other biometric information. With cops and border guards unable to use the cards to check a person's identity, critics are calling the £4.7bn scheme 'farcical' and a 'waste of time.'"

Related. For terrorists who want to find the weak link in the EU's border security? (Will this lead to standards? Probably not.)

Disparate privacy features devalue ID cards, warns EU security agency

Thursday, February 05 2009 @ 07:25 AM EST Contributed by: PrivacyNews

The failure of European Union nations to co-ordinate the privacy features of identity cards will be a major barrier to their usefulness, an EU agency has said. The EU's network security agency hopes countries will co-ordinate cards' privacy features.

The European Network and Information Security Agency (ENISA), which is funded by the EU, has studied all 10 ID card systems in the EU and the 13 in development and has found that they each adopt different standards of privacy and methods of protecting it.

Source -

Do we risk losing a whole generation of gamers who believe they can defy the laws of physics because their game avatars can?

First-Person Shooter Modified For Fire Drill Simulation

Posted by Soulskill on Thursday February 05, @06:52AM from the crap-where's-a-medkit dept. First Person Shooters (Games) The Military United States Games

Hugh Pickens writes

"Researchers at Durham University have modified a video game and turned it into a fire drill simulator using the Source engine (the 3D game engine used to drive Half-Life 2), and created a virtual model of one of the university's departments. Dr. Shamus Smith said that although 3D modeling software was available, modifying a video game was faster, more cost effective, and had better special effects. 'We were interested in using game technology over a customized application and the Source Engine, from Half-Life, is very versatile,' said Smith. 'We used the simulation to see how people behaved in an actual fire situation and to train people in "good practice" in a fire.' The team says the virtual environment helped familiarize people with evacuation routines and could also help identify problems with a building's layout. One problem, however, was that while the simulation worked for most people, those who played a lot of video games did some unusual things when using the simulation. 'If a door was on fire, [the gamers] would try and run through it, rather than look for a different exit,' said Smith."

This makes me wonder to what extent entertainment software will fill the role of non-entertainment software as the tools and engines become more and more powerful. Ars mentions related news that the US Dept. of Naval Research is dumping millions of dollars into "virtual reality-like simulations of small-scale urban conflicts." It's unclear whether this is related to the US Army's similar program.

Keeping up with technology

Inside the Rise of the Warbots

By Noah Shachtman February 04, 2009 2:16:58 PM

Peter Singer's Wired for War has been praised by everyone from former National Security Advisor Anthony Lake to Jon Stewart as a definitive look at the growing use of robots on the battlefield. Just before his talk at TED 2009, we chatted with Singer, a Brookings Institution senior fellow and Danger Room contributor, about the rise of the machines. [Why does that phrase ring a bell? Bob]

Gates demonstrates new way to spread computer virus!

Gates spreads malaria message with mosquitoes

Posted by Steven Musil February 4, 2009 10:20 PM PST

Bill Gates opened a jar of mosquitoes on stage at an elite tech conference Wednesday to draw attention to the plight of malaria victims.

For my website students. Very interesting. - Fillable Documents Made Easy

This is a new service enabling any person who has a website to add forms that can be filled out online by his visitors by providing embeddable PDF documents. Whenever anyone completes any of these forms, they will receive a PDF download that can be printed easily, whereas the information is stored securely on the webmaster’s account.

In addition to that, whenever a form is completed a notification is sent to the webmaster, so that he can be ready to process it straightaway. This makes for easily tracking, managing and processing form entries, and the implementation of such a system doesn’t entail any significant structural change to the way a business is run.

Moreover, these forms are entirely customizable, so that the webmaster can make them match the style and design of his site in a more or less immediate way, and reflect his brand as much as possible.

Lastly, it must be mentioned that a quote for a custom built template can be requested through the site in order to have the team handle the process. Check the site out if you wish to see some template examples for yourself, and how they could complement your website.

Cute, but not as useful - Turn Your Handwriting Into Fonts

Is your handwriting something to be proud of? Well done, I wish I could tell a similar story – if only because I am a writer myself, and it is a bit embarrassing to create manuscripts that only I can understand. In a certain sense, it makes me feel like someone who can speak without talking. It is a bit hard to explain – I am afraid only those who are in a similar position will understand it.

Coming back to this site, the ones who have been bestowed with a fine calligraphy can turn it into a TrueType font using the provided service. The one use of such a solution is giving any blog or website a more affable (or at least personalized) touch, and establishing a different connection with visitors.

Other than that, the service is somehow limited in its appeal, yet the ones who can put it to good use are going to be truly satisfied. If you wish to see where it stands for you, you can start by directing your web browser to and start drawing away.

Wednesday, February 04, 2009

Sounds to me like they agreed to follow the law and pay for the Connecticut AG's cell phone. i.e., this is not a huge settlement, but after all the fuss Connecticut has to make it look big.

State Reaches Settlement With BNY Mellon

Posted February 3rd, 2009 by admin


BNY Mellon was directed to immediately notify each affected bank customer by mail and provide 24 months of credit protection for the financial accounts that might be affected by the data breach.

In addition, BNY Mellon was presented and complied with numerous subpoenas from the Department of Consumer Protection concerning its actions before and after the data loss occurred.

Officials said BNY Mellon will also reimburse customers for any funds stolen from their accounts as a direct result of the data breach.

Finally, the bank will pay $150,000 to the State of Connecticut General Fund.

Read more on WFSB

Interesting! Perhaps a new field for Psychiatrists? Identity Theft anxiety?

Watch out! Privacy litigation damages becoming more viable

Tuesday, February 03 2009 @ 08:47 AM EST Contributed by: PrivacyNews

Until now, lawsuits seeking to recover significant damages based on the loss of, or unauthorized access to, sensitive personal information have not been especially successful for plaintiffs. Most companies suffering data breaches have escaped by offering affected consumers inexpensive credit monitoring services.

But two recent cases show plaintiffs a way to expose many previously safe companies to substantial claims for damages.

Source - WTN News

[From the article:

Two recent cases may make such circumstances much more dangerous. In Pinero v. Jackson Hewitt Tax Service, Inc., No. 08-3535 (E.D. La. Jan. 7, 2009), a U.S. federal court refused to dismiss a claim for damages by a consumer whose tax returns were found by a third party in an unsecured dumpster outside a tax preparer's office.

… But the Court left standing Pinero's allegations that using false promises of data protection to lure customers to enter into a consumer services contract was an unfair trade practice under the Louisiana “Little Federal Trade Commission” law. The court also recognized that a claim based on a common law “fraudulent inducement” theory could stand, if properly pled.

The second case, In Department of Veterans Affairs Data Theft Litigation, No. 06-0506, (D. D.C. Jan. 27, 2009), involves the settlement of multiple consolidated class action lawsuits against the U.S. Department of Veterans Affairs.

The suit settled in late January with an agreement that the Veterans Administration would create a $20 million fund to pay the expenses of anyone directly affected by the breach, including credit-monitoring expenses and mental health costs for those who found themselves in extreme emotional distress as a result of the breach.

There's gold in them there tills... (I blogged on this back on Dec 24th so I'm glad the FBI “discovered” it.)

FBI Investigates $9 Million ATM Scam

Last Edited: Tuesday, 03 Feb 2009, 12:08 PM EST Created On: Monday, 02 Feb 2009, 9:15 PM EST

Reported by John Deutzman

According to the FBI, ATMs from 49 cities were hit -- including Atlanta, Chicago, New York, Montreal, Moscow and Hong Kong.

… The computer system for a company called RBS WorldPay was hacked. One service of the company is the ability for employers to pay employees with the money going directly to a card, called payroll cards, a lot like a debit card that can be used in any ATM. The hacker was able to infiltrate the supposedly secure system and steal the information necessary to duplicate or clone people's ATM cards.

… "Over 130 different ATM machines in 49 cities worldwide were accessed in a 30-minute period on November 8," Agent Rice said. "So you can get an idea of the number of people involved in this and the scope of the operation."

Here is the amazing part: With these cashers ready to do their dirty work around the world, the hacker somehow had the ability to lift those limits we all have on our ATM cards. For example, I'm only allowed to take out $500 a day, but the cashers were able to cash once, twice, three times over and over again. When it was all over, they only used 100 cards but they ripped off $9 million.

The RBS Web site says that card holders will not be responsible for any unauthorized transactions. But there is fear that the hackers might have had access to sensitive information used in identity theft for a potential 1.5 million customers -- including their Social Security numbers.

RBS WorldPay told Fox 5 the company has hired a security firm to try to figure out what happened and to prevent it from happening again.
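The story above describes two things a processor's own monitoring could have caught: per-card daily limits that no longer held, and one card hitting many ATMs in a short burst. The check below is an added example, not code from RBS WorldPay or the FBI; it runs over constructed withdrawal records, uses the $500 daily limit the reporter quotes for his own card, and assumes a 30-minute window and a three-ATM threshold.

```python
"""Cash-out detection over ATM withdrawal records (added example).

Two signals from the article: (1) a card's withdrawals in one day exceed
its daily limit, which should be impossible if limits are enforced;
(2) one card is used at many distinct ATMs inside a short window.
Sample records, the 30-minute window and the ATM threshold are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, Tuple

# Constructed sample withdrawals: (card id, timestamp, city, ATM id, amount in USD)
WITHDRAWALS = [
    ("card-A", "2008-11-08 02:01:00", "Atlanta", "atm-101", 500),
    ("card-A", "2008-11-08 02:03:00", "Atlanta", "atm-102", 500),
    ("card-A", "2008-11-08 02:05:00", "Chicago", "atm-203", 500),
    ("card-A", "2008-11-08 02:09:00", "New York", "atm-305", 500),
    ("card-B", "2008-11-08 09:30:00", "Montreal", "atm-410", 200),
    ("card-B", "2008-11-08 18:45:00", "Montreal", "atm-410", 100),
]
DAILY_LIMIT = 500                 # the reporter's stated per-card daily limit
WINDOW = timedelta(minutes=30)    # assumed: the article's 30-minute burst
MIN_ATMS_IN_WINDOW = 3            # assumed threshold for "many ATMs"


def parse(records):
    """Turn raw tuples into (card, datetime, city, atm, amount), sorted by card and time."""
    out = []
    for card, ts, city, atm, amount in records:
        out.append((card, datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), city, atm, amount))
    return sorted(out, key=lambda r: (r[0], r[1]))


def over_daily_limit(records, limit=DAILY_LIMIT) -> Dict[str, int]:
    """Cards whose withdrawals on a single calendar date sum past the limit."""
    totals = defaultdict(int)
    for card, when, _city, _atm, amount in parse(records):
        totals[(card, when.date())] += amount
    return {card: total for (card, _d), total in totals.items() if total > limit}


def burst_across_atms(records, window=WINDOW, min_atms=MIN_ATMS_IN_WINDOW) -> Dict[str, Tuple[int, int]]:
    """Cards used at >= min_atms distinct ATMs inside any sliding window.

    Returns card -> (distinct ATMs, distinct cities) for the widest burst found.
    """
    by_card = defaultdict(list)
    for rec in parse(records):
        by_card[rec[0]].append(rec)
    flagged = {}
    for card, recs in by_card.items():
        for i, (_c, start, _ci, _a, _amt) in enumerate(recs):
            in_win = [r for r in recs[i:] if r[1] - start <= window]
            atms = {r[3] for r in in_win}
            cities = {r[2] for r in in_win}
            if len(atms) >= min_atms and len(atms) > flagged.get(card, (0, 0))[0]:
                flagged[card] = (len(atms), len(cities))
    return flagged


if __name__ == "__main__":
    print("over daily limit:", over_daily_limit(WITHDRAWALS))
    print("multi-ATM bursts:", burst_across_atms(WITHDRAWALS))
```

In practice the daily-limit check belongs in the authorization path, not only in after-the-fact review; the burst check is a reasonable offline alert over the processor's own transaction log.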

Yet another demonstration that passwords alone do not provide adequate security.

Hackers break into AT&T e-mail accounts

Posted February 4th, 2009 by admin

Hackers broke into AT&T Inc.’s Worldnet e-mail accounts that “use easy-to-guess user passwords,” a spokesman confirmed Tuesday.

The hackers took over a few hundred accounts [Not an isolated incident Bob] and began sending out large amounts of spam during the past three weeks, said Mike Barger, AT&T spokesman. AT&T disabled those accounts.

AT&T also sent notices to all of its 600,000 e-mail customers notifying them to strengthen their passwords to a “complex password” by Feb. 15 to better protect their account. A complex password is a combination of letters and numbers that does not contain a person’s first or last name or any sequential numbers like 1-2-3.

Source - San Antonio Express
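The AT&T notice above defines a "complex password" by three rules: letters and numbers, no first or last name, and no sequential digits like 1-2-3. The checker below is an added example of enforcing exactly those rules, not AT&T's code; the minimum length of 8, case-insensitive name matching and treating any run of three consecutive digits as "sequential" are assumptions the page does not state.

```python
"""Password-complexity check modelled on the policy quoted above (added example).

Rules taken from the notice: letters and numbers; no first or last name;
no sequential digits such as 1-2-3. The minimum length, case-insensitive
name matching and the three-digit run length are assumptions.
"""
import re
from typing import List

MIN_LENGTH = 8   # assumed; the page states no length
SEQ_RUN = 3      # "1-2-3": three consecutive digits counts as sequential


def has_sequential_digits(password: str, run: int = SEQ_RUN) -> bool:
    """True if any run of `run` digits is consecutive ascending or descending."""
    for m in re.finditer(r"\d{%d,}" % run, password):
        digits = [int(c) for c in m.group()]
        for i in range(len(digits) - run + 1):
            window = digits[i:i + run]
            steps = {b - a for a, b in zip(window, window[1:])}
            if steps == {1} or steps == {-1}:
                return True
    return False


def check_complex_password(password: str, first_name: str = "", last_name: str = "") -> List[str]:
    """Return the list of policy violations; an empty list means the password passes."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not re.search(r"[A-Za-z]", password):
        problems.append("no letters")
    if not re.search(r"\d", password):
        problems.append("no digits")
    lowered = password.lower()
    for label, name in (("first name", first_name), ("last name", last_name)):
        if name and name.lower() in lowered:
            problems.append(f"contains {label}")
    if has_sequential_digits(password):
        problems.append("contains sequential digits")
    return problems


if __name__ == "__main__":
    # Constructed sample inputs; "Jane Doe" is a placeholder, not a real customer.
    for pw in ("janedoe123", "summertime", "Tr7vel9q2"):
        print(pw, "->", check_complex_password(pw, "Jane", "Doe") or "ok")
```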

Most parents probably purchased the pictures without thinking of privacy.

European court expands image privacy rights

Wednesday, February 04 2009 @ 05:43 AM EST Contributed by: PrivacyNews

The European Court of Human Rights has expanded the reach of privacy rights by ruling that a photographer breached someone's privacy just by taking a photograph, even though that photograph was never published.

Privacy law expert Rosemary Jay of Pinsent Masons, the law firm behind OUT-LAW.COM, said that the ruling increased the reach of privacy law, but would not create a US-style image right, which is a commercial right rather than a privacy-related one.

Source -

[From the article:

The case concerned a newborn baby, Anastasios Reklos, who was put into a sterile unit when born. As a commercial service operated by the hospital his photograph was taken.

His parents objected and asked for the negatives to be given to them. The hospital refused, and the Greek courts would not hear the case.

The European Court of Human Rights (ECHR) has now ruled that the taking of the photograph without the baby's parents' permission was a violation of his rights to privacy. The ruling is available only in French.

For my Security students. When I discuss Controls, this document explains the absolute minimum. After all, who is less innovative and further behind the times than the government?

February 03, 2009

New from GAO: Federal Information System Controls Audit Manual

Federal Information System Controls Audit Manual (FISCAM), GAO-09-232G, February 02, 2009.

  • "FISCAM presents a methodology for performing information system (IS) control audits of federal and other governmental entities in accordance with professional standards. This version supersedes the prior version, Federal Information System Controls Audit Manual: Volume I Financial Statement Audits, AIMD-12.19.6, January 1, 2001. The FISCAM is designed to be used primarily on financial and performance audits and attestation engagements performed in accordance with GAGAS, as presented in Government Auditing Standards (also known as the "Yellow Book")."

Have we reached saturation? Possibly...

Future looks gloomy for cellphone market

By Matt Richtel Published: February 3, 2009

SAN FRANCISCO: Cellphone sales are falling, manufacturers have announced thousands of layoffs and wireless carriers are finding it harder to acquire and keep customers.

It sounds like another tale of "recession bites industry," but there are signs that this downturn is masking something more fundamental, that the cellphone industry's best days are behind it.

Lest we forget that the law business is a business.

February 03, 2009

Hildebrandt and Citi Private Bank 2009 Client Advisory on Trends in Legal Market

"Hildebrandt and Citi Private Bank...present this 2009 Client Advisory highlighting the trends that we perceived in the legal market in 2008, as well as the trends that we believe will impact the market in 2009."

  • "...firms have turned to fairly aggressive measures to reduce their costs, improve their cash positions, and shore up their capital base. In recent months, firms have imposed strict controls on discretionary spending, cut bonuses, frozen associate salaries, postponed new initiatives, and engaged in a number of layoffs of both professional and administrative staff. Some firms have revamped their partner compensation schedules to slow distributions and improve their cash positions. And many firms have embarked on serious efforts to winnow out underperforming lawyers and unprofitable practices."

There are differences...

February 03, 2009

Characteristics of New Firms: A Comparison by Gender

News release: "While the country's 6.5 million privately held, women-owned firms generated an estimated $940 billion in sales and employed 7.1 million people in 2002, according to the U.S. Census Bureau, a Kauffman Foundation research report released today indicates that women-owned firms have relatively underperformed men-owned firms in a number of measures. The Kauffman Foundation research tracked new businesses' performance measures from 2004 to 2006 and correlated the data to gender based on primary owner characteristics, firm characteristics, industry and outcomes."

Nobody gets my piggy bank unless they are on this list!

February 03, 2009

The 2008 Bank Performance Scorecard: America's Top 150 Banks

Bank Direct Magazine: "There is not much flash and glitz among this year’s crop of top-performing U.S. banks and thrifts. But given all that’s occurred in the last six months, maybe slow and steady really is the name of the game. In fact, over a recent 12-month period, as the credit and financial markets came unhinged and some of the country’s best-known depository financial institutions teetered on the brink of collapse, “steady at the helm” was the governing mantra for the highest-ranked banks. That is just one salient feature of this year’s class of top performers among banks and thrifts, according to our annual Bank Performance Scorecard. Based on measurement criteria and analysis compiled by Sandler O’Neill & Partners L.P., a New York-based investment banking firm that specializes in the financial services industry, the scorecard features the institutions that maintain top standing in good times and bad—often with recurring high scorers."

Once you have firmly established your brand name, you can begin to exploit it!

NASA and Google To Back New "Singularity University"

Posted by kdawson on Tuesday February 03, @06:45PM from the can-that-be-taught dept.

Slatterz and Keith Kleiner were among several readers to send in word of Singularity University, announced at TED today by Ray Kurzweil. He and X Prize founder Peter Diamandis began talking about creating the school last year, after Diamandis read Kurzweil's 2005 book The Singularity is Near. NASA and Google are both supporting the project, NASA with space and Google with cash. The school aims to foster "disruptive innovation." As envisioned, Singularity U. will sponsor 3-day and 10-day courses for executives year-round, and its main offering will be a single 9-week course of study over the summer for 120 students, each of which will pay $25,000 for the privilege. Announced faculty so far includes Nobel Prize winning physicist George Smoot, NASA Ames chief scientist Stephanie Langhoff, Vint Cerf, and Will Wright, creator of the video games Spore and The Sims.

Don't let your kids see this!

Judge rules TV essential, awards damages

Tue Feb 3, 3:04 pm ET

SAO PAULO (Reuters) – A Brazilian judge awarded $2,600 in damages to a man who sued a store for not replacing his faulty television set, ruling that it was an "essential good" needed to watch soccer and a popular reality TV show.

No disclosure for this type of breach.

Comcast Apologizes For Super Bowl Porn Glitch

Posted by kdawson on Tuesday February 03, @02:59PM from the pay-per-view-malfunction dept. Television Entertainment

DrinkDr.Pepper writes

"Just after the last touchdown by the Cardinals, with 3 minutes to go in the game, approximately 30 seconds of pornographic material was shown, seen by an unknown number of Comcast customers in Tucson, Arizona who were watching the game in standard definition. Comcast has apologized (they used the word 'mortified') and is issuing a $10 credit to any customer who claims to have been impacted. Various news accounts suggest that the incident was a malicious act, but no one knows how it was done or by whom."

Worth a mention to my Database students...

Open-source database market shows muscles

Posted by Matt Asay February 3, 2009 5:07 PM PST

While Sun Microsystems' MySQL gets the limelight, with its 55 percent quarterly billings increase, other open-source database competitors like Ingres and Enterprise are also doing well.

Ingres on Tuesday reported a significant uptick in its 2008 revenue, climbing 32 percent to $68 million over $52 million in 2007. EnterpriseDB didn't provide revenue numbers, but it also recently reported a banner year, with greater than 50 percent growth in new customer accounts and "comparable bookings growth."

Tools & Techniques We could hack this by adding sensors so that any car getting too close would be hit by the full force of the lasers... Think of it as a big bug zapper!

LightLane's Lasers Make an Instant Bike Lane

By Keith Barry February 03, 2009 5:37:18 PM

… Their bike-mounted gadget, called LightLane, beams two bright red lines and the universal symbol for cyclist on the pavement, neatly delineating a bike lane to remind motorists to yield a little space.

Our friend in Anchorage sent the link to this website. She is purchasing dust masks, eye protection, and other Volcanic Ash defensive tools. Redoubt is about 100 miles from Anchorage. (About as far as Vail) Might be useful in my Business Continuity class.

Alaska Volcano Observatory