Saturday, April 04, 2009

What is proper to disclose? There is no adequate guidance, so the University's disclosure was based more on CYA than technology.

Ohio University Closes Door on Breach Saga With $90,000 Settlement

April 3, 2009 by admin Filed under: Education Sector, U.S.

Steve Kolowich reports:

Ohio University has settled a lawsuit with two former information-technology administrators, paying them a total of $90,000 because the university improperly failed to disclose some records related to an investigation of a data breach three years ago. Thus concludes a saga fraught with litigation, finger-pointing, and the perils of technology.

Read more in The Chronicle of Higher Education, where you’ll learn that the attorneys got the bulk of the settlement.

[From the article:

It fired the plaintiffs, Todd Acheson and Thomas Reid, after an audit from an independent company placed the blame on their shoulders.

However, a university Administrative Senate panel concluded after an investigation that the university had unfairly scapegoated the two administrators, and that William F. Sams, the vice provost for information technology, and other university officials were at fault in the breach.

… According to John J. Biancamano, general counsel to the university, administrators only redacted information they thought might expose the university to further data breaches. But Mr. Biancamano now admits that the university failed to disclose everything it should have.

Another area with little or no guidance? Policy shouldn't chase technology.

Facebook discipline may be illegal: expert

Saturday, April 04 2009 @ 04:49 AM EDT Contributed by: PrivacyNews

Firms who discipline or sack staff for comments made on Facebook and Twitter could be acting illegally, says a veteran lawyer.

Stories about NSW Department of Corrective Services threatening to sack prison officers over Facebook posts and Telstra disciplining employee Leslie Nassar for Twitter comments have provoked a series of other examples.

Source - The Age

[From the article:

He said employment contracts are unlikely to cover staff use of social networking sites.

"What employers are doing is they're scrambling and trying to make out that present policies can be stretched to cover these new areas, and in many respects they can't," Penning said.

… The growth of social networking sites like Twitter, Facebook and MySpace has meant people are having private conversations they would have at the pub in an online setting.

However, Penning said this was no longer considered private comment because the discussions are published and distributed publicly.

I thought this sounded like a privacy bomb. Now terrorists don't need to shut down US infrastructure, they just need to convince the President to do it for them.

New CyberSecurity Bill Raises Privacy Questions

Posted by kdawson on Friday April 03, @01:47PM from the picture-future-presidents dept.

Nicolas Dawson points out coverage in Mother Jones of the early stages of a new cybersecurity bill that conveys sweeping powers on the President. Quoting:

"The Cybersecurity Act of 2009 (PDF) gives the president the ability to 'declare a cybersecurity emergency' and shut down or limit Internet traffic in any 'critical' information network 'in the interest of national security.' The bill does not define a critical information network or a cybersecurity emergency. That definition would be left to the president. The bill ... also grants the Secretary of Commerce 'access to all relevant data concerning [critical] networks without regard to any provision of law, regulation, rule, or policy restricting such access.' This means he or she can monitor or access any data on private or public networks without regard to privacy laws."

Related. Look at what they can do today without the “Cybersecurity” bill. Think of it as surrounding Colorado and making everyone show proof of citizenship.

FBI Seizes All Servers In Dallas Data Center

Posted by Soulskill on Friday April 03, @07:58PM from the surgical-precision dept.

1sockchuck writes

"FBI agents have raided a Dallas data center, seizing servers at a company called Core IP Networks. The company's CEO has posted a message saying the FBI confiscated all its customer servers, including gear belonging to companies that are almost certainly not under suspicion. The FBI isn't saying what it's after, but there are reports that it's related to video piracy, sparking unconfirmed speculation that the probe is tied to the leaking of Wolverine."

“Hey! We're entitled!” What if I choose to use a non-AT&T service?

Group Pushes FCC To Investigate Skype for iPhone

Posted by ScuttleMonkey on Friday April 03, @06:12PM from the making-the-network-crumble-crumble dept.

Macworld is reporting that an internet advocacy group has asked the FCC to investigate whether the WiFi-only restriction on the Skype for iPhone app is in violation of federal law.

"Since its release on Tuesday, Skype for iPhone has been downloaded more than a million times — that's a rate of six downloads a second, according to the company. All this despite the fact the software only works via the iPhone's Wi-Fi connection, and not AT&T's 3G network. [...] The letter cites the FCC's Internet Policy Statement (PDF link) which states that 'consumers are entitled to run applications and use services of their choice' in order to 'preserve and promote the open and interconnected nature of the public Internet.'"

Related. Advertise and sell ever more capable devices, then implement ever more restrictive terms to hide the fact that your network dates back to the 1870s.

AT&T Changes TOS, Limits Streaming, Tethering

Posted by Soulskill on Friday April 03, @10:01PM from the wait-this-could-cost-us-money dept.

MojoKid writes

"Just one day after announcing plans to subsidize netbooks, AT&T wised up to the fact that those netbooks and connections could be used to download movies and enjoy other bandwidth-intensive applications. Apparently trying to avoid bogging down their network, the company revised its data plan service terms to single out and prohibit 'downloading movies using P2P file-sharing services, customer initiated redirection of television or other video or audio signals via any technology from a fixed location to a mobile device, and web broadcasting...' The license agreement further prohibits tethering the device to PCs or other equipment. That's a pretty strict set of rules. After all, the new terms of service seems to limit applications such as SlingPlayer, Qik, Skype, and Jaikuspot, which many AT&T customers are currently using without issue."

Update — April 4, 02:50 GMT by SS: Reader evn points out an Engadget report that AT&T quickly retracted the changes.

Keep an eye on this. It is certain to be more politics than technology.

Cybersecurity review closely scrutinizing telecom policy

by Stephanie Condon April 3, 2009 4:20 PM PDT

The government may have to take a new approach to securing the nation's telecommunications infrastructure, two senior administration officials said Friday.

The intersection of military operations and telecommunications policy is just one of the many facets of cybersecurity currently under review by the administration as it wraps up its 60-day, government-wide review of cybersecurity programs.

Related? “Now that I work for Apple, I realize that the iPhone will stop Global Warming!”

Gore: Wireless access to info means power

by Tom Krazit April 3, 2009 11:16 AM PDT

LAS VEGAS--Former Vice President Al Gore sought to link the democratic effects of information sharing with the growth of the wireless industry as the solution to all of life's problems.

Also a way to fry every computer in the neighborhood? Another stop on my paranoid worry beads.

DIY 'e-bombs' a threat to airliners

by Mark Rutherford April 3, 2009 5:36 PM PDT

… The world's major military powers have tinkered with EMP warheads that broadcast radio-frequency shockwaves of hundreds of thousands of volts per meter. But now, any crackpot can build one of these "e-bombs" with low-cost equipment purchased online.

In analyzing electromagnetic weapons currently in development, the International Institute for Counter-Terrorism in Herzliya, Israel, discovered that there is plenty of information and affordable equipment available on the Net that could be used by terrorists to build a weapon strong enough to fry nearby electrical systems, including the ones keeping civil airliners aloft. Popular Mechanics estimated the cost of building just such a weapon at $400.

Something for the Anthropologists?

The dark secrets of Whopper Sacrifice

by Caroline McCarthy April 3, 2009 1:19 PM PDT

SAN FRANCISCO--"I don't know how many of you actually got sacrificed out there, but condolences to you," said Matt Walsh, head of the Interaction Design department at ad agency Crispin Porter & Bogusky, as he surveyed the audience at his Friday morning talk at the Web 2.0 Expo.

CP&B, after all, was the creator of the "Whopper Sacrifice" phenomenon, a Burger King ad campaign on Facebook that promised a coupon for a free hamburger if participants deleted 10 people from their friends lists on the social network. It was a wild success: the Facebook application was installed nearly 60,000 times in a matter of days, nearly 20,000 Whopper coupons were sent out, and well over 200,000 Facebook friends were deleted. Facebook members even created unofficial groups, offering to let other members add them as friends and then delete them for Whopper Sacrifice purposes.

But Facebook disabled the campaign after ten days, claiming that it was a violation of user privacy because Whopper Sacrifice notified friends if they had been deleted. "(It) challenged the very concept of Facebook," Walsh said. "Whopper Sacrifice had been sacrificed." In an ironic twist, that just led to even more buzz for the campaign.

… "Some people thought it was a little brutal because we did send notifications," Walsh admitted. "If I defriended you, you would get a message saying that you were worth less than one-tenth of a Whopper."

I'm thinking I should do this for Computer Security and Hacking 101. But since Apple is giving the tools away for free, perhaps I should stick to the iPhone?

Apple, Stanford Teaching iPhone Development for Free

By Brian X. Chen April 02, 2009 4:45:22 PM

… Video recordings of Stanford's 10-week computer science class, taught by two Apple employees, will be freely downloadable through Apple's iTunes U educational channel. The course's syllabus and slides will be freely available on iTunes as well.

… The removal of the NDA led to the launch of Apple's iPhone University program, giving instructors and students all the software needed to code for the iPhone for free.

For Cindy's “Sex & Power” class. Funny how many articles fall into this category now that I'm looking for them. Not so funny, how people treat anything to do with sex like it was a live bomb.

Judge won't dismiss lawsuit over nude pictures on phone

Saturday, April 04 2009 @ 05:21 AM EDT Contributed by: PrivacyNews

A judge on Friday denied a motion to dismiss a lawsuit filed against McDonald's after a woman's nude pictures - left on her husband's cell phone - were posted on the Internet.

Source - Northwest Arkansas Times

Previous coverage

[From the article:

Phillip Sherman on July 5 left his cell phone in the McDonald's restaurant on Martin Luther King Jr. Boulevard in Fayetteville. His wife had previously sent nude pictures of herself to his cell phone for his own use, according to the complaint.

The Shermans seek more than $3 million in damages after nude photos of Tina Sherman were posted on a Web site and she received threatening and harassing text and phone messages, according to the lawsuit.

Tina Damron, attorney for the Shermans, argued Friday against allowing attorneys in the case from releasing information about her witnesses in the case and other details to prevent further embarrassment or harassment of her clients.

She said more than 1 million people have searched Google looking for information about the case after the story about her clients' lawsuit made international news.

"You're asking these lawyers to prepare this case and never tell their clients what it's about?" 4th Judicial Circuit Judge Mary Ann Gunn asked.

Another article for Cindy's “Sex & Power” class.

'Sexting' Hysteria Falsely Brands Educator as Child Pornographer

By Kim Zetter April 03, 2009 9:41:16 AM

… Rumors had been flying at Freedom High School in South Riding, Virginia that students were distributing nude pictures of each other on their cell phones. It's a phenomenon, known as "sexting," that's become increasingly worrisome to educators across the country, and Ting-Yi Oei, a 60-year-old assistant principal at the school, was tasked with checking it out.

… Even in this environment of prosecutorial excess, Oei's case stands out as likely the first to entangle an adult who came in possession of an image that even police admit wasn't pornographic, and who did so simply in the course of doing his job.

… "If someone were to Google me, why would you want to touch someone who had [this trouble], even if I had the charge dismissed?" he says. "I don't think you'd necessarily want that baggage."

This might be a tool for the White Hat Hacker Club or the Privacy Foundation.

Print Your Magazines

Printcasting is the app you need to convert your blog or publication into a printed one. What printcasting aims to do is empower everyone who has some sort of publication to turn it into a printed publication, and enable them to begin making some money from it. The whole thing works in a very easy way which in many ways resembles podcasts. What you do is subscribe your blog or internet publication on the site and automatically the site’s engine will make a document that will look very appealing to your prospective readers.

The coolest thing about the whole interface is how they have developed the location-based ads system. This will allow small publishers to make a profit out of their hard work and also allow advertisers a valuable new means to communicate their messages at a very competitive cost. The service for advertisers will be free to begin with, so that they can get a feel of how the system works, and from there onwards the service will be a paid one. It is worth noting that at the time of this review the site is still in a beta stage and that new features are being tested to incorporate them into the site.

Friday, April 03, 2009

This is interesting. Since countries like the UK won't stop the surveillance, I suspect they will consolidate it under a single agency (perhaps the “Citizen Well Being Assurance Agency”), with other agencies getting a “license” to operate as that agency.

MEPs urge governments to produce surveillance register

Friday, April 03 2009 @ 05:42 AM EDT Contributed by: PrivacyNews

Governments should create a list of all organisations that track internet use and produce an annual report on internet surveillance, the European Parliament has said.

The Parliament also said that users' online activity should not be monitored in the fight against piracy.

Members of the European Parliament (MEPs) voted by a huge majority to adopt a policy statement on the freedoms citizens do and should have online. The statement calls on the European Commission and national governments to take action to protect free speech and halt the intrusion of criminals and industry into private communications.

Source -

Related? Comments point out several flaws in this story, including the “one day does not a trend make” and “what is Conficker gonna do” questions. We need to revisit this later.

After Sweden's New Law, a Major Drop In Internet Traffic

Posted by timothy on Friday April 03, @02:36AM from the back-to-corked-bottles dept.

iamnot writes

"The new IPRED law came into effect in a big way in Sweden on April 1st. A news report has come out showing that internet traffic dropped by 30% from March 31st to April 1st. A lawyer from the Swedish anti-piracy agency was quoted as saying that the drop in traffic 'sends a very strong signal that the legislation works.' Is the new law, which allows for copyright holders to request the identification of people sharing files, truly curing people of their evil ways? Or perhaps it is just taking some time for Swedish downloaders to figure out the new IPREDator VPN system from The Pirate Bay."

Government websites can be useful, and we should probably point them out when they make the attempt.

FTC Offers ‘Red Flags’ Web Site

Friday, April 03 2009 @ 05:48 AM EDT Contributed by: PrivacyNews

The Federal Trade Commission has launched a Web site to help entities covered by the Red Flags Rule design and implement identity theft prevention programs. The Rule requires “creditors” and “financial institutions” to develop written programs to identify the warning signs of ID theft, spot them when they occur, and take appropriate steps to respond to those warning “red flags.”

Source - Kansas City InfoZine

Similar to unique variables in paper copies. That always told us which politician leaked Top Secret documents, but clearly didn't stop the leaks.

Studio: Good chance FBI can trace 'Wolverine' leak

by Greg Sandoval April 2, 2009 5:45 PM PDT

FBI agents have started looking for whoever is responsible for uploading to the Internet an incomplete version of the unreleased movie "X-Men Origins: Wolverine" on Tuesday evening.

… However, studio representatives told news agency Reuters because of forensic marks, the authorities would be able to trace "the source of the leak."

Studios embed identification marks on prints and film copies and that's how authorities tracked down Kerry Gonzalez, the New Jersey man who leaked the superhero film "Hulk" to the Web weeks before its theatrical release. Gonzalez was caught and pleaded guilty to felony copyright infringement charges. He was sentenced to six months house arrest and ordered to pay a $7,000 fine.

Gonzalez is an example of how hard it is for studios to protect their multimillion-dollar products, according to a film industry insider. Gonzalez had nothing to do with the movie business. He told FBI agents that he obtained a videotape copy of the film print from a friend who worked at an advertising agency connected with the movie. [Note that the “forensic marks” didn't point to Gonzalez but to his friend. Perhaps the friend ratted him out when the FBI threatened to ship him to Guantanamo? Bob]

Here's an idea I'll have to build on for my Business Continuity class.

FDA tests internal cloud for disaster recovery

by Dave Rosenberg April 2, 2009 2:58 PM PDT

The U.S. Food and Drug Administration is looking at using an internal (or private) cloud to manage disaster recovery.

In early testing, Joe Klosky, a senior tech adviser at the FDA, was able to successfully restart applications and services within 45 minutes onto other, differently configured servers in their environment without issues using Cassatt Active Response, not people or outsourced services.

… Find out more about the FDA's disaster recovery results here.

Related. Something for my Computer Security class to kick around.

Telcos said testing plan to offer PCs to businesses

by Charles Cooper April 3, 2009 4:00 AM PDT

Telecommunications providers on four continents are testing a plan to provide so-called virtual desktop computing to their business customers.

People familiar with the outlines of the pilot program say the idea is to offer Internet access to companies via dumb terminals connected through the so-called cloud. The tests are said to involve companies in the United States, Europe, Australia, and China.

The testing period is slated to run through the middle of the year. If it works out to participants' satisfaction, the pitch to customers will be why it makes more sense in an economic recession to outsource their computing infrastructure to the telcos, according to the sources. The hope is that more companies now have an extra incentive to turn over the costs and complexity to outsiders.

I would have guessed this was available years ago. I wonder what other little bits haven't been digitized yet?

April 01, 2009

Institute of Advanced Legal Studies - Flare Index to Treaties

"The Flare Index to Treaties [was recently launched] by the Institute of Advanced Legal Studies (IALS). The Index is a searchable database of basic information on over 1,500 of the most significant multilateral treaties from 1856 to the present, with details of where the full text of each treaty may be obtained in paper and, if available, electronic form on the Internet. The Index includes only those treaties where there are three or more parties to the instrument. The selection has been based on entries in Multilateral Treaties: index and current status, compiled and annotated within the University of Nottingham Treaty Centre by M.J. Bowman and D.J. Harris (London: Butterworths, 1984, ninth supplement, 1992) and International Legal Materials (Washington, D.C., American Society of International Law, 1962-)."

How interesting. Now whole states hate Microsoft. Very “Central Planning”-like of Texas. Perhaps they could force Steve Ballmer out? (Or is this all an April Fool joke?)

Texas Senate Proposes a Budget With a No-Vista-Upgrades Rider

Posted by timothy on Thursday April 02, @06:22PM from the macro-vs.-micro dept.

CWmike writes

"The Texas state Senate yesterday gave preliminary approval to a state budget that includes a provision forbidding government agencies from upgrading to Windows Vista without written consent of the legislature. Sen. Juan Hinojosa, vice chairman of the Finance Committee, proposed the rider because 'of the many reports of problems with Vista … We are not in any way, shape or form trying to pick on Microsoft, but the problems with this particular [operating] system are known nationwide,' Hinojosa said during a Senate session debating the rider (starting at 4:42 of this RealMedia video stream). 'And the XP operating system is working very well.' A Microsoft spokeswoman said in response, 'We're surprised that the Texas Senate Finance Committee adopted a rider which, in effect, singles out a specific corporation and product for unequal treatment. We hope as the budget continues to go through the process, this language will be removed.'"

I doubt this translates to students surfing in the classroom, but no doubt I'll hear this quoted for years!

Australian Study Says Web Surfing Boosts Office Productivity

Posted by timothy on Thursday April 02, @03:50PM from the it-wasn't-just-the-office-doors dept.

Hugh Pickens writes

"Dr Brent Coker, professor of Department of Management and Marketing at Melbourne University, says employees who surf the internet for leisure during working hours are more productive than those who don't. A study of 300 office workers found 70 percent of people who use the internet at work engage in Workplace Internet Leisure Browsing (WILB). 'People who do surf the internet for fun at work — within a reasonable limit of less than 20 per cent of their total time in the office — are more productive by about nine per cent than those who don't,' said Coker. 'People need to zone out for a bit to get back their concentration. Think back to when you were in class listening to a lecture — after about 20 minutes your concentration probably went right down, yet after a break your concentration was restored. It's the same in the workplace.' However, Coker warns that excessive time spent surfing the internet could have the reverse effect."

I've used Opera. I like the download handling. Not sure what it buys Ford.

Ford picks Opera for in-dash Web browsing

by Antuan Goodwin April 2, 2009 4:20 PM PDT

Al Gore, Jupiter is calling! Global Warming! Global Warming! (Just not our globe)

Jupiter's Great Red Spot Is Shrinking

Posted by CmdrTaco on Thursday April 02, @11:22AM from the like-my-will-to-live dept.

cjstaples noted a CNN story proclaiming that Jupiter's signature red spot is shrinking. Over a 10 year study, the giant storm lost just over half a kilometer per day for a total loss of about 15%. Scientists know about shrinkage, right?

Thursday, April 02, 2009

Perhaps this could relate to the “no damages? Punitive damages are still possible.” case I posted Sunday? Still, it's another expense related to a data breach...

Judge to decide if Hannaford data breach should go to trial

April 2, 2009 by admin Filed under: Business Sector, Hack, ID Theft, U.S.

Trevor Maxwell of the Portland Press Herald reports:

A federal judge said he will decide in the next few days whether supermarket giant Hannaford Bros. is potentially liable for damages because of a data breach that exposed more than 4 million credit and debit card numbers to computer hackers.

Judge D. Brock Hornby heard arguments on Wednesday at U.S. District Court. Attorneys for Hannaford asked the judge to dismiss the lawsuit, which was filed against the Scarborough-based company last year. Attorneys for the plaintiffs said Hornby should certify the case as a class-action suit and let it proceed toward trial.

[From the article:

The case boils down to a couple of central questions: To what extent are merchants responsible for securing the electronic data that gets processed with every noncash purchase, and what should the consequences be when that data is stolen?

… Attorneys for the plaintiffs seek additional damages because Hannaford allegedly knew about the security breach at least three weeks before making a public announcement.

"Rather than lose sales, it allowed customers to continue making purchases by debit and credit card, knowing that its electronic payments system was not secure, and that it was exposing these customers' accounts to fraud," lawyers Peter Murray, Thomas Newman and Lewis Saul wrote in their opposition to Hannaford's motion to dismiss the case.

Interesting article about a potential breach caused when a vendor changed the functions of a program without notifying their customer. (Think Microsoft, Adobe, Java, etc.)

Diary of a Data Breach Investigation

Wednesday, April 01 2009 @ 10:07 AM EDT Contributed by: PrivacyNews

When the CISO asks to speak to you with that look on his face, you know the news isn't good. We were contacted by one of our third-party vendors, whom we had hired to do analysis on our website traffic.

It appears that we have been passing sensitive information to them over the Internet. This sensitive information included data, such as customer names, addresses and credit card information. Because we are a public company, there are many regulatory guidelines that we have to follow like Sarbanes-Oxley (SOX) and the Payment Card Industry's (PCI) data security standard.

Source - CIO
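The CIO diary above describes sensitive data reaching a web-analytics vendor inside ordinary tracking requests. The following is an added example, not code from the CIO article or from any vendor: it audits a constructed set of outbound beacon URLs (the hypothetical host `analytics.example.invalid`) for card numbers, using a Luhn check so that an ordinary 16-digit tracking id is not reported as a leak.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed sample of outbound requests to a hypothetical third-party
# analytics beacon, as an egress proxy log might record them.  Card numbers
# are the well-known public test numbers, not real accounts.
SAMPLE_REQUESTS = [
    "https://analytics.example.invalid/collect?page=/checkout&sid=8a1f"
    "&card=4111111111111111&name=Jane+Doe",
    "https://analytics.example.invalid/collect?page=/cart&sid=8a1f&qty=3",
    "https://analytics.example.invalid/collect?page=/confirm"
    "&order=5105-1051-0510-5100",
    # 16 digits but not Luhn-valid: a tracking id, not a card number
    "https://analytics.example.invalid/collect?page=/home"
    "&tracking=1234567890123456",
]

# 13-19 digits, optionally separated by spaces or hyphens, not embedded
# in a longer run of digits.
CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){13,19}(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Return True if the digit string passes the Luhn mod-10 check."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask(pan: str) -> str:
    """Keep first six and last four digits so findings can be logged safely."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def find_pans(text: str) -> list:
    """Return the Luhn-valid card-number-like digit strings found in text."""
    pans = []
    for m in CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            pans.append(digits)
    return pans


def audit_request(url: str) -> list:
    """Return (parameter, masked PAN) pairs for every card number in the query."""
    query = urlsplit(url).query
    findings = []
    for key, value in parse_qsl(query, keep_blank_values=True):
        for pan in find_pans(value):
            findings.append((key, mask(pan)))
    return findings


def audit(urls: list) -> dict:
    """Map each leaking URL to its findings; clean requests are omitted."""
    result = {}
    for url in urls:
        findings = audit_request(url)
        if findings:
            result[url] = findings
    return result


if __name__ == "__main__":
    for url, findings in audit(SAMPLE_REQUESTS).items():
        print(url)
        for param, masked in findings:
            print(f"  parameter {param!r} carries card number {masked}")
```

Running it against real proxy logs would need the same treatment for POST bodies and JSON payloads, which analytics libraries also use.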

Shouldn't a health firm report generally to an employer? If your employees are getting cancer at a rate far above the local norm, wouldn't it be prudent to find out why? How secret would that information be if the organization had only 25 employees?

NL: Occupational health firm criticised on privacy

Thursday, April 02 2009 @ 06:11 AM EDT Contributed by: PrivacyNews

Private occupational health advice firm Tredin has been strongly criticised for passing on confidential information about workers' health to employers, the Telegraaf reports on Thursday.

The privacy watchdog CBP says that despite previous warnings Tredin had not changed its procedures. The company now faces a €1,000 fine every time it breaks privacy laws, up to a maximum of €120,000. [If they can spread that among 1000 employers, the fine is a joke. Bob]

Source -

I try to stay away from future/proposed/let's-run-it-up-the-flagpole legislation. This one I expect will happen in some form – eventually. Comments are universally scornful. Looks like the Computer Security Major could get a bit more popular.

New Legislation Would Federalize Cybersecurity

Posted by samzenpus on Thursday April 02, @12:27AM from the big-brother-security dept.

Hugh Pickens writes

"Senators Jay Rockefeller and Olympia J. Snowe are pushing to dramatically escalate US defenses against cyberattacks, crafting proposals, in Senate legislation that could be introduced as early as today, that would empower the government to set and enforce security standards for private industry for the first time. The legislation would broaden the focus of the government's cybersecurity efforts to include not only military networks but also private systems that control essentials such as electricity and water distribution. "People say this is a military or intelligence concern, but it's a lot more than that," says Rockefeller, a former intelligence committee chairman. "It suddenly gets into the realm of traffic lights and rail networks and water and electricity." The bill, containing many of the recommendations of the landmark study "Securing Cyberspace for the 44th Presidency" (pdf) by the Center for Strategic and International Studies, would create the Office of the National Cybersecurity Adviser, whose leader would report directly to the president and would coordinate defense efforts across government agencies. The legislation calls for the appointment of a White House cybersecurity "czar" with unprecedented authority to shut down computer networks, including private ones, if a cyberattack is underway. It would require the National Institute of Standards and Technology to establish "measurable and auditable cybersecurity standards" that would apply to private companies as well as the government. The legislation also would require licensing and certification of cybersecurity professionals."

Related. As Aesop once related, in the race between the tortoise and the TSA, the tortoise's grandchildren get to watch TSA approach the finish line. Meanwhile, has anyone actually looked into the effectiveness of this program? I didn't think so...

Feds Begin Post-9/11 Airline Watchlist Takeover

By Ryan Singel April 01, 2009 | 5:53:18 PM

The federal government is finally beginning to take over the job of comparing U.S. airline passengers against its terrorist watchlist, more than six years after it announced its post-9/11 plans to relieve airlines of that duty.

Now four unnamed small airlines are uploading passenger lists to the Transportation Security Administration for comparison against the approximately 16,000 names on the TSA's two watchlists, the agency announced this week.

The rest of the nation's airlines will continue to compare passenger names themselves using the lists provided to them by the feds, until they too switch to the new method in the coming months and years.

How embarrassing must it be to have your security breach rated “So easy, a caveman could do it!”

April 01, 2009

Hacker Difficulty Level

In the 2008 Data Breach Investigations Report by the Verizon Business Risk Team, they rated the difficulty of the attacks that resulted in each data breach.

The chart and commentary follow a “path of least resistance” philosophy subscribed to by most security professionals. As they specify in the report, hacking is really quite easy and the chart speaks to that. More than half of attacks had no difficulty or low difficulty. Only 17% were considered High Difficulty.

Wednesday, April 01, 2009

Another one for the “Ooo! I wish I had said that” file.

NZ: Massey University Experiences Serious Breach Of Security

March 31, 2009 by admin Filed under: Education Sector, Exposure, Non-U.S.

The Massey University intranet system utilised by students from all across New Zealand, MyMassey, is under scrutiny after a severe breach of security left thousands of students able to access other people’s highly sensitive information.

Rawa Karetai, President of the Albany Students’ Association, was one of the first students to notice this critical error: “I was first made aware that the website started giving out personal information about other students at about 10.40pm. I immediately went and found a computer that was free and started to check to see if I was experiencing the same issues.”

Karetai, like many other students, now had access to a variety of highly sensitive personal information that was not his own. Information at his disposal included, but was not limited to, the following: Massey ID numbers; Full names; Date of Birth; IRD Number; Academic transcripts as well as contact addresses and phone numbers. Students who had discovered this fault were also able to sign the person whose information they could now access up for new papers or amend any of their contact details.


[From the article:

In a written statement released earlier today, Chief Information Officer Gerrit Bahlman attributed the incident to "an operating system patch release". [Patches rarely turn off the security. Bob]

If someone is shifting the responsibility (risk) to you, shouldn't you ensure that you have addressed it?

Retailers: Credit card data inadequately protected

Tuesday, March 31 2009 @ 09:59 PM EDT Contributed by: PrivacyNews

The self-regulatory system credit card companies have created to protect consumer data sacrifices some consumer protections for the sake of conveniencing the credit card companies and their financial institution partners, retail representatives told Congress Tuesday.

In light of recent data breaches that have compromised consumer information, such as the potentially massive 2008 Heartland Payment Systems breach, some congressmen are questioning whether the Payment Card Industry Data Security Standards, created and regulated by credit card companies, are sufficiently protecting information.

Source - Cnet Related - Forbes: Visa, MasterCard In Security Hot Seat

[From the Cnet article:

Yet representatives of the retail industry told a panel of the House Homeland Security Committee that when the credit card industry established the PCI standards in 2004, it did so mainly to reallocate its own fraud costs.

"In our view, if you peel off all the layers around PCI data security standards, you will see it for what it is," said Dave Hogan, senior vice president and chief information officer for the National Retail Foundation. "In significant part, (it is) a tool to shift risk off the banks' and credit card companies' balance sheets and place it on others."

Michael Jones, the CIO for Michaels Stores, backed up Hogan's comments with the fact that the credit card companies' financial institutions do not accept encrypted transactions, even though the PCI standards generally call for all credit card data to be encrypted.

Transferring this data unencrypted can lead to breaches like the Heartland breach, or the 2007 TJX breach that compromised 45.7 million customer accounts, Jones said. Michaels has been asking for the past three years for the ability to encrypt transaction information, he said.

[From the Forbes article:

Given that both Hannaford and Heartland had complied with PCI rules, the congressional panel turned the spotlight on the credit card companies, arguing that their security measures need to be redesigned or supplemented with federal laws--a potential crackdown that could require changes on the part of both retailers and financial services companies.

"I don't believe that PCI standards are worthless," said Rep. Yvette Clark, D-N.Y., who led the hearing. "But I do want to dispel the myth once and for all that PCI compliance is enough to keep a company secure. It is not."

Related If these laws are wrong, what is right?

Mass., Nev. data protection laws wrong, ineffective (opinion)

Tuesday, March 31 2009 @ 08:35 AM EDT Contributed by: PrivacyNews

Massachusetts and Nevada have joined the list of states with bills legislating steps businesses must take to protect personal information such as Social Security numbers and financial account numbers. These state regulations represent exactly the wrong kind of laws to be passing, but legislators compelled to take on identity theft seem intent on establishing legal requirements for technical solutions.

Source - Eric Ogren

[From the article:

While Nevada Revised Statutes Title 597, Section 970 (NRS 597.970) calls for personal information to be encrypted when transferred over public networks, Massachusetts 201 CMR 17.00 Standards for The Protection of Personal Information of Residents of the Commonwealth is even more encompassing. When MA 201 CMR 17.00 goes into effect in January of 2010, all non-government entities that handle personal information must document and follow a set of security procedures that appears to have been heavily inspired by the PCI DSS.

… Merchant Warehouse Inc. and ProPay Inc. are two leading vendors that offer secure credit card handling services for merchants. These two organizations present examples of the types of alternatives that become more attractive as the liabilities of handling personal information increase. Both vendors illustrate end-to-end, swipe-through payment systems:

  1. Encrypt credit card data at the swipe. The merchant is never in possession of clear text credit card information as it is encrypted before even entering the point-of-sale (POS) system.

  2. Securely pass transactions onto card processors. The business transaction remains secure from the POS application all the way through delivery to the credit card processing companies. While the merchant has transaction receipts, they are not in possession of personal information that must be secured.

  3. Provide automated credit card on file services. Merchants with subscription services, such as newspapers that bill monthly, can have the service handle the transaction and provide the merchant with business intelligence reports. Expensive investments in security products and audits are shared among all service members.

  4. Report all transaction information to merchants. Merchants need the intelligence of customer lists and profiles to run a competitive business.
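
The four steps above describe point-to-point encryption: the card number is encrypted inside the reader under a key the merchant never holds, the POS forwards an opaque blob plus a masked number for the receipt, and only the processor can decrypt. The Go program below is an added example of that split, written for this post; it is not code from Merchant Warehouse, ProPay or the article. Assumptions: a single AES-256-GCM key stands in for the per-transaction DUKPT keys real readers derive; the terminal id is bound as associated data (my choice, so a captured blob cannot be replayed from another lane); the type and function names are hypothetical; and the card number is the well-known 4111 1111 1111 1111 test number, not a real account.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/hex"
	"fmt"
	"strings"
)

// Envelope is all the reader hands to the POS: an opaque blob plus the fields a
// merchant legitimately needs. The clear-text PAN is not among them.
type Envelope struct {
	KeyID      string // which processor key sealed the blob
	Nonce      []byte
	Ciphertext []byte // AES-GCM output, authentication tag included
	MaskedPAN  string // last four digits only, for receipts and reports
}

// keyed is the key material one party holds, tagged with the processor's key id.
// Assumption: one static AES-256-GCM key stands in for per-transaction DUKPT keys.
type keyed struct {
	keyID string
	aead  cipher.AEAD
}

func newKeyed(keyID string, key []byte) (keyed, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return keyed{}, err
	}
	aead, err := cipher.NewGCM(block)
	return keyed{keyID: keyID, aead: aead}, err
}

// Reader is the tamper-resistant swipe device; Processor is the only party that
// can open blobs. Neither the POS nor the merchant's back office has a key.
type Reader struct{ keyed }
type Processor struct{ keyed }

func NewReader(keyID string, key []byte) (*Reader, error) {
	k, err := newKeyed(keyID, key)
	return &Reader{k}, err
}

func NewProcessor(keyID string, key []byte) (*Processor, error) {
	k, err := newKeyed(keyID, key)
	return &Processor{k}, err
}

// MaskPAN keeps only the last four digits.
func MaskPAN(pan string) string {
	if len(pan) <= 4 {
		return strings.Repeat("*", len(pan))
	}
	return strings.Repeat("*", len(pan)-4) + pan[len(pan)-4:]
}

// Swipe encrypts at capture. The terminal id is bound as associated data, so a
// blob lifted from one lane cannot be replayed as a transaction from another.
func (r *Reader) Swipe(pan, terminalID string) (Envelope, error) {
	nonce := make([]byte, r.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return Envelope{}, err
	}
	ct := r.aead.Seal(nil, nonce, []byte(pan), []byte(terminalID))
	return Envelope{KeyID: r.keyID, Nonce: nonce, Ciphertext: ct, MaskedPAN: MaskPAN(pan)}, nil
}

// MerchantRecord is what the POS logs or stores for the transaction.
func MerchantRecord(env Envelope) string {
	return fmt.Sprintf("key=%s nonce=%s blob=%s pan=%s", env.KeyID,
		hex.EncodeToString(env.Nonce), hex.EncodeToString(env.Ciphertext), env.MaskedPAN)
}

// Authorize recovers the PAN for the issuer request. A blob sealed under another
// key, altered in transit, or replayed from another terminal fails to open.
func (p *Processor) Authorize(env Envelope, terminalID string) (string, error) {
	if env.KeyID != p.keyID {
		return "", fmt.Errorf("unknown key id %q", env.KeyID)
	}
	pan, err := p.aead.Open(nil, env.Nonce, env.Ciphertext, []byte(terminalID))
	if err != nil {
		return "", fmt.Errorf("processor rejected blob: %w", err)
	}
	return string(pan), nil
}

func main() {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		panic(err)
	}
	reader, _ := NewReader("proc-key-01", key)
	proc, _ := NewProcessor("proc-key-01", key)
	env, _ := reader.Swipe("4111111111111111", "store17/lane3") // well-known test PAN
	fmt.Println("merchant stores:   ", MerchantRecord(env))
	pan, err := proc.Authorize(env, "store17/lane3")
	fmt.Println("processor recovers:", pan, err)
}
```

The thing to check in any such system is MerchantRecord: if the clear PAN can be found anywhere in what the POS stores, transmits or logs, the merchant is still in scope for that PAN regardless of what the vendor brochure says. Michael Jones's complaint above is the Authorize side of the same picture: somebody upstream has to hold the key, and until the processor does, the merchant cannot push decryption out of its own environment.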

Guidelines! Or at least they are taking a stab at guidelines.

AU: Surveillance questions in Victoria raise issues for us all.

Tuesday, March 31 2009 @ 11:12 AM EDT Contributed by: PrivacyNews

The Victorian Law Reform Commission has released a Discussion Paper on Surveillance in Public Places. Chairperson of the commission, Neil Rees, said “surveillance affects all Victorians whether we are shopping, catching public transport, driving on major roads, or attending a sporting event”.

Source - Open and Shut

[The paper: Surveillance in Public Places: Consultation Paper (PDF 4.7MB)

Related Valid use of surveillance? Sounds like this one will spread quickly!

FBI Nabs Robbers With Google Map, Spycam Mashup

By Noah Shachtman March 31, 2009 2:36:00 PM

… FBI agents in Arkansas are enlisting the online public's help in catching the thieves. And it appears to be working. Four bank robberies have been solved in the past six months, thanks in part to tips collected from, Little Rock special agent Steven Burroughs tells the Arkansas Democrat-Gazette. In all, 10 suspected robbers featured on the site are now behind bars.

… Law enforcement agencies have long relied on the press and the public to help catch crooks, of course. And some departments, like the NYPD, upload their "wanted" posters. But — and its sister site for Texas, — are a little different and a little more sophisticated. Descriptions of the suspect and the crime are paired with pictures from the bank's surveillance cameras, both indoor and out. The whole thing is then plotted on a Google Map.

Security at home. Security Managers might want to pass this to all employees.

Rid your computer of the Conficker virus

by Seth Rosenblatt March 31, 2009 5:53 PM PDT

… First off, make sure that you are actually infected. There aren't many warning signs, but a few will stand out if you know what to look for. One fast way to check is to try to visit any major security software publisher's Web site. If you've cleared your browser cache beforehand, and you can load the sites of Symantec, Eset, Avira, or AVG, you're clean because Conficker blocks access to them.

… Assuming you've got the virus, the next step is to download one of several free removal clients. The Conficker-specific tools are McAfee's Stinger, Eset's Win32/Conficker Worm Removal Tool, Symantec's W32.Downadup Removal Tool, and Sophos' Conficker Cleanup Tool.
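
The "can you load the vendor sites" test works because the worm interferes with name resolution on the infected host for names containing anti-virus vendor strings. The Go program below is an added example, not from the CNET article or any vendor's tool, that turns that manual test into a repeatable check and adds the caveat the article leaves out: resolve a couple of unrelated control names first, so a machine with no network is not mistaken for an infected one. Assumptions: the vendor list extends the article's four (Symantec, Eset, Avira, AVG) with a Microsoft update host that I am also assuming is blocked; the control names and thresholds are my choice; the resolver is passed in as a function so the logic can be exercised offline. Run it on the suspect machine, since that is where the hook lives.

```go
package main

import (
	"fmt"
	"net"
)

// Verdict is the outcome of the resolution test.
type Verdict string

const (
	Clean        Verdict = "clean"        // every vendor name resolved
	Suspect      Verdict = "suspect"      // network works, but vendor names do not resolve
	Inconclusive Verdict = "inconclusive" // a minority of vendor names failed; retry or look closer
	Offline      Verdict = "offline"      // even the control names fail; the test says nothing
)

// Lookup abstracts name resolution so the logic can be exercised without a network.
type Lookup func(host string) ([]string, error)

// VendorDomains are names the worm is assumed to refuse to resolve (the article's
// four vendors plus a Microsoft update host).
var VendorDomains = []string{
	"www.symantec.com", "www.eset.com", "www.avira.com", "www.avg.com", "update.microsoft.com",
}

// ControlDomains are unrelated names that should resolve on any working connection.
var ControlDomains = []string{"www.example.com", "www.wikipedia.org"}

// Classify resolves the control names first, so a dead network is not mistaken
// for a blocked one, then counts which vendor names fail. It returns the verdict
// and the vendor names that did not resolve.
func Classify(lookup Lookup, controls, vendors []string) (Verdict, []string) {
	controlOK := false
	for _, h := range controls {
		if _, err := lookup(h); err == nil {
			controlOK = true
			break
		}
	}
	if !controlOK {
		return Offline, nil
	}
	var blocked []string
	for _, h := range vendors {
		if _, err := lookup(h); err != nil {
			blocked = append(blocked, h)
		}
	}
	switch {
	case len(blocked) == 0:
		return Clean, nil
	case len(blocked)*2 >= len(vendors): // at least half failed while the network works
		return Suspect, blocked
	default:
		return Inconclusive, blocked
	}
}

func main() {
	verdict, blocked := Classify(net.LookupHost, ControlDomains, VendorDomains)
	fmt.Printf("verdict: %s\n", verdict)
	for _, h := range blocked {
		fmt.Printf("  failed to resolve: %s\n", h)
	}
}
```

A "suspect" verdict is a reason to run one of the removal tools the article lists, not proof on its own; a "clean" verdict only says the DNS symptom is absent, so a host that has been cleaned of the hook but not the worm, or a variant that behaves differently, would still pass.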

You can't keep a good (defined as: makes money) idea down.

Spam Back Up To 94% of All Email

Posted by kdawson on Tuesday March 31, @05:19PM from the rust-never-sleeps dept. Spam

Thelasko writes

"A NYTimes blog reports that the volume of spam has returned to its previous levels, as seen before McColo was shut down. Here is the report on Google's enterprise blog. Adam Swidler, of Postini Services, says: 'It's unlikely we are going to see another event like McColo where taking out an ISP has that kind of dramatic impact on global spam volumes,' because the spammers' control systems are evolving. [True throughout the criminal industry. Spam increases, cattle rustling decreases. Bob] This is sad news for us all."

Sign of the economic times or another example of techno-greed?

Cellular Repo Man

Posted by kdawson on Tuesday March 31, @06:57PM from the new-low-for-crippleware dept

LateNiteTV sends in news of a "kill pill" from LM Ericsson AB that a wireless carrier could use to remotely disable a subsidized netbook if the customer doesn't pay the monthly bill or cancels their credit card.

"...the Swedish company that makes many of the modems that go into laptops announced Tuesday that its new modem will deal with [the nonpayment] issue by including a feature that's virtually a wireless repo man. If the carrier has the stomach to do so, it can send a signal that completely disables the computer, making it impossible to turn on. ... Laptop makers that use Ericsson modules include LG Electronics Inc., Dell Inc., Toshiba Corp., and Lenovo."

The feature could also be used to lock thieves out of the data on a stolen laptop.

Another update for Cindy's “Sex and Power” class.

Federal judge blocks teen "sexting" charges

Tuesday, March 31 2009 @ 11:11 AM EDT Contributed by: PrivacyNews

A federal judge has issued a temporary restraining order that prevents an overzealous prosecutor from charging three teens as child pornographers. The girls were found scantily-clad in photos circulated by "sexting" students.

Source - Ars Technica

[From the article:

Monday, a federal judge issued a temporary restraining order, finding that the girls (and their mothers) were likely to prevail in a civil rights lawsuit against Wyoming County District Attorney George Skumanick, and enjoining Skumanick from making good on his threat to file felony charges against the girls unless they agreed to participate in a five-week "educational" program.

… First, because the photos so obviously did not qualify as child porn under state law—and because it would be perverse in any event to consider the girls culpable for photographs circulated by others without their consent—Skumanick's threat amounted to retaliation for engaging in speech protected by the First Amendment. Second, the use of that frivolous threat to attempt to bully the teens into an education program—a threat that was effective in compelling the participation of the other boys and girls Skumanick targeted—encroached upon the constitutionally protected rights of parents to direct their children's upbringing. Finally, the requirement within that program that the girls write an essay explaining “what you did” and “why it was wrong" amounted to compelled speech, again a First Amendment violation.

… Skumanick himself has voluntarily agreed to provide the photographs at issue in the case to the teens' lawyers. He had previously refused to hand them over on the grounds that he would himself be guilty of distributing child porn if he did so.

There's lots of money in politics... - For Local Candidates

If you intend to become an elected representative, it goes without saying that you must be fully abreast of the latest developments in the technological world, and apply them to your knowledge. This could hardly have been vetoed a few years back. Today, after Obama’s phenomenal campaign on the WWW and the results it yielded, this is more evident than it ever was.

As such, having a good political campaign website is the first thing that has to be dealt with if you intend on traversing that pathway.

… All you have to do is submit some information as regards your principles [There's a major stumbling block... Bob] and proposals through a content management system, and include a photograph. The company then takes care of the rest.

The finished site also includes a wealth of interactive features. For instance, contributions can be taken via PayPal, whereas mailings can be handled through the site. Visitor statistics are also very easy to access, as it is only fit.

Somehow I don't think my Blog subscribers are into Twitter, but I could be wrong. - Publish RSS Feeds On Twitter Accounts

If you want to keep your Twitter following as posted as you can, you might as well give this site a try. You see, TweetMyFeed will empower you to take your existing RSS feed and publish it on a Twitter account. This way, those who follow you on Twitter will be able to learn all about any new content that you are adding to your website.

Using this service is as simple as it gets – there is no need to download or install anything, all that has to be done is to fill in a short form and then you are ready to start tweeting your site or blog away. In addition to furnishing your Twitter username you are requested to provide your password, and that might be a problem for some people who are understandably reticent to give such information away. Other fields that have to be filled out include the name of the website and one that reads “Define what your site is about”.

[From the web site:

Most people don't subscribe to your RSS feeds anymore so this helps get your blog posts to the wider, more active twitter audience.

Tuesday, March 31, 2009

A truly un-thought-through security process. Why would all of this data be on an Internet accessible database?

NL: Bike locker codes - and bank account info - up for grabs

March 31, 2009 by admin Filed under: Business Sector, Exposure, Non-U.S.

Karin Spaink reports:

The personal details - name, home address, bank account, card number and unlock code - of the 50.000 people who have a subscription with OV-fiets, where they rent a bike locker at train stations, were available through the OV-fiets website. To retrieve personal data from the website, no password was needed, only a ‘personal’ number. By typing in subsequent numbers, other people’s data were freely available.
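
A sequential number that doubles as the only credential is the textbook insecure direct object reference, and the fix is not a harder-to-guess number but an authenticated session plus a check that the caller owns the record being asked for. The Go program below is an added example, not code from OV-fiets or the article: a vulnerable handler of the kind described, beside a hardened one, plus the enumeration loop an attacker would run against both. The subscriber records and bank strings are constructed, and the handler and function names are hypothetical.

```go
package main

import (
	"crypto/rand"
	"encoding/hex"
	"encoding/json"
	"fmt"
	"net/http"
	"net/http/httptest"
	"strconv"
)

// Record holds the kind of data the site exposed. All values below are constructed.
type Record struct {
	Number   string `json:"number"`    // sequential subscription number
	Bank     string `json:"bank"`      // bank account
	LockCode string `json:"lock_code"` // bike locker unlock code
}

type Store struct {
	byNumber map[string]Record
	sessions map[string]string // session token -> subscription number
}

func SeedStore() *Store {
	return &Store{
		byNumber: map[string]Record{
			"1001": {"1001", "NL00TEST0000000001", "4417"},
			"1002": {"1002", "NL00TEST0000000002", "9031"},
			"1003": {"1003", "NL00TEST0000000003", "2275"},
		},
		sessions: map[string]string{},
	}
}

// VulnerableHandler: the number in the URL alone selects the record; nobody is asked who they are.
func VulnerableHandler(s *Store) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		rec, ok := s.byNumber[r.URL.Query().Get("id")]
		if !ok {
			http.NotFound(w, r)
			return
		}
		json.NewEncoder(w).Encode(rec)
	})
}

// Login issues a session token once the subscriber has authenticated (the credential check is out of scope).
func (s *Store) Login(number string) string {
	b := make([]byte, 16)
	rand.Read(b) // 128 bits from crypto/rand, not a counter: the token must be unguessable
	tok := hex.EncodeToString(b)
	s.sessions[tok] = number
	return tok
}

// HardenedHandler: the session, not the URL, decides whose record is served; an id naming someone else is refused.
func HardenedHandler(s *Store) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		owner, ok := "", false
		if c, err := r.Cookie("session"); err == nil {
			owner, ok = s.sessions[c.Value]
		}
		if !ok {
			http.Error(w, "login required", http.StatusUnauthorized)
			return
		}
		if id := r.URL.Query().Get("id"); id != "" && id != owner {
			http.Error(w, "forbidden", http.StatusForbidden)
			return
		}
		json.NewEncoder(w).Encode(s.byNumber[owner])
	})
}

// FetchAs issues one request carrying a session cookie (possibly empty) and an id parameter.
func FetchAs(h http.Handler, token, id string) (int, string) {
	req := httptest.NewRequest("GET", "/account?id="+id, nil)
	req.AddCookie(&http.Cookie{Name: "session", Value: token})
	rr := httptest.NewRecorder()
	h.ServeHTTP(rr, req)
	return rr.Code, rr.Body.String()
}

// Enumerate plays the attacker: walk consecutive numbers with no session and count what comes back.
func Enumerate(h http.Handler, from, to int) int {
	hits := 0
	for n := from; n <= to; n++ {
		if code, _ := FetchAs(h, "", strconv.Itoa(n)); code == http.StatusOK {
			hits++
		}
	}
	return hits
}

func main() {
	s := SeedStore()
	fmt.Println("vulnerable site:", Enumerate(VulnerableHandler(s), 1000, 1100), "records harvested")
	fmt.Println("hardened site:  ", Enumerate(HardenedHandler(s), 1000, 1100), "records harvested")
}
```

Counting upward from any known number harvests every record from the vulnerable handler and nothing from the hardened one, because the hardened handler takes the identity from the session and answers an explicit id belonging to another subscriber with HTTP 403 instead of quietly serving it. Replacing the sequential number with a random-looking one while leaving the lookup unauthenticated would only have slowed the attack down.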

“A+” for stick-to-it-ness, “F-” for “I-know-where-my-data-is-ness”

Genica/ still identifying new victims of 2007 hack

March 31, 2009 by admin Filed under: Business Sector, Hack, U.S.

Genica/ was in the news last month when they settled charges with the FTC concerning their database security. Less than two weeks later, they were notifying at least one state attorney general that they had identified yet more victims of the breach that occurred in 2007.

By letter dated February 16, 2009 to Maryland, Genica’s Chief of Security, Jerry Harken, reported (pdf) that they would be notifying those affected.

I hope they changed their consumer notification letter before they sent out, as the Feb. 16 2009 letter begins, “The purpose of this letter is to notify you that Genica dba (”Genica”) recently discovered on December 5, 2007 that information….. ”

Because this is all part of the same incident that the FTC investigated, no new charges are likely, but this incident does raise an eyebrow about how long it has taken Genica to determine the full scope of how many people were affected. [Perhaps the fines should be based on how long it takes to identify and notify victims? Or would that cause organizations to stop looking once the easy ones are identified? Bob]

Economics of a security breach. Are customers getting spooky? This was clearly not the reaction to TJX (but then TJX was a place to shop, not a place to keep your money safe.)

More than half of British savers would switch banks if their provider suffered a data breach

Tuesday, March 31 2009 @ 07:10 AM EDT Contributed by: PrivacyNews

More than 20 million British savers would move their money if their provider lost personal customer details.

A survey by Ipsos MORI for information risk management company, ArmstrongAdams found that 55 per cent, around 23 million, of British bank account holders would change banks.

Nineteen per cent of bank account holders were ‘certain' to switch accounts, with 22 per cent saying they were ‘very likely' to switch, and 14 per cent ‘fairly likely'.

Source - SC Magazine

I was going to skip the first report, but I now suspect these are only the tip of the iceberg. Who (besides suspicious spouses) takes the time to search all friends/relatives/associates/neighbors/etc. for a wayward spouse/child/employee?

Google cheat view

Tuesday, March 31 2009 @ 05:43 AM EDT Contributed by: PrivacyNews

A furious wife has called in divorce lawyers after spotting her husband’s car parked outside another woman’s house — on Google.

She saw the Range Rover while using the internet giant’s new Street View service to snoop on a female friend’s home.

The hubby had claimed he was away on business, but his missus recognised his motor immediately because of its blinged-up hubcaps.

The love cheat is not the only husband trapped by Google’s controversial new 360-degree photo search which covers 25 cities and towns throughout the country.

Top media lawyer Mark Stephens said: “I was talking about the Range Rover case when another divorce lawyer came up to say his firm was dealing with the same sort of thing. People are getting caught out on Google.

Source - The Sun

An 'e' version of an old union tactic? Accuse the company of something impossible to disprove and remind your union members that 'everyone does it.'

De: DB boss quits over email snooping scandal

Tuesday, March 31 2009 @ 06:25 AM EDT Contributed by: PrivacyNews

Deutsche Bahn (DB) CEO Hartmut Mehdorn has quit over allegations that the rail company spied on staff emails.

Mehdorn announced he would step down at a press conference in Berlin yesterday (31 March) but denied any wrongdoing.

He said the “snooping” allegations were groundless and accused his critics of turning DB’s attempts to fight corruption into a data protection scandal.

Source - ifw

So, how can we do this?

Supreme Court Lets Virginia Anti-Spam Law Die

Posted by kdawson on Tuesday March 31, @05:20AM from the escaping-from-the-can dept. Spam The Courts United States

SpuriousLogic sends in a CNN report that begins

"The Supreme Court has passed up a chance to examine how far states can go to restrict unsolicited e-mails in efforts to block spammers from bombarding computer users. The high court without comment Monday rejected Virginia's appeal to keep its Computer Crimes Act in place. It was one of the toughest laws of its kind in the nation, the only one to ban noncommercial — as well as commercial — spam e-mail to consumers in that state. The justices' refusal to intervene also means the conviction of prolific commercial spammer Jeremy Jaynes will not be reinstated."

Jaynes remains behind bars because of a federal securities fraud conviction unrelated to the matter of spamming.

Strategically, it's a good move that doesn't cost too much.

Who’s Messing With the Google Book Settlement? Hint: They're in Redmond, Washington

By Steven Levy March 31, 2009 6:52:30 AM

Some sectors of the economy are still growing...

March 30, 2009

FBI's Internet Crime Complaint Center - 2008 Internet Crime Report

"In December 2003, the Internet Fraud Complaint Center (IFCC) was renamed the Internet Crime Complaint Center (IC3) to better reflect the broad character of such criminal matters having a cyber (Internet) nexus. The 2008 Internet Crime Report is the eighth annual compilation of information on complaints received and referred by the IC3 to law enforcement or regulatory agencies for appropriate action. From January 1, 2008 – December 31, 2008, the IC3 website received 275,284 complaint submissions. This is a (33.1%) increase when compared to 2007 when 206,884 complaints were received. These filings were composed of complaints primarily related to fraudulent and non-fraudulent issues on the Internet."

We're the government. We know how to run your business better than you do. It's all part of our central planning. Want to see our five year plan?

On the other hand, neither he nor the board apparently have a way to get GM out of the mess they're in.

On yet a third hand, now he can become Secretary of Commerce (if he's been paying his taxes)

Obama Tells GM Boss, 'You're Fired'

By Tony Borroz March 30, 2009 2:31:03 PM

The Obama administration, as part of the government's ongoing bailout of the auto industry, has ushered General Motors CEO Rick Wagoner out of the building and replaced him with board member Fritz Henderson.

… The press is going nuts with the story. The New York Times said the administration's move "amounts to a do-or-die ultimatum for the struggling automobile industry." The Detroit News is blunt in saying, "Obama tells automakers: No more excuses." In an editorial, the News slammed the ouster as a political move by a president who "needs a scalp to wave before both a Congress growing queasy about federal bailouts and the automaker's bondholders, who aren't happy about granting a huge discount on their GM debt."

I mentioned yesterday that YouTube has an education channel. Some of those videos are over an hour long. This could save my students a lot of time! (Look at the URL they generate to learn how to do this yourself.)


YouTubeTime is a cheatsheet for linking to a specific time in a YouTube video. It also strips out unnecessary bits of the supplied URL to keep it compact and clean.

So, in case you just want to show someone the part of a video that matters most and “cut to the chase”, then YouTubeTime is the tool to use.

For my web site students - Impartial Web Hosting Comparison

This website stands as a simple and effective way to compare different hosting services on the web today. This site was created by a group of professionals that are specialized in IT and that already know the many benefits a service like this entails.

In case you want to choose your own hosting service and weigh up as many aspects as you can, this site gives you a good chance to do that. You need to know all the details about the service you are getting and not just get a service because that company has bought the largest banners in order to get your attention. This is about inner quality and not the package.

This company gives you all the information you need about all the providers in the market that are specialized in hosting services. The aim is to give you the resources to make a better-informed decision.

An interesting way to build an outline? At least ensure that most meanings are addressed. (Also an interesting Javascript for my class.)


Lexipedia is a great language tool that visually displays the nouns, verbs, adverbs, adjectives, fuzzynyms, synonyms, and antonyms of any word you type in the search box, all displayed on a single page. Hovering over any spoke will bring up its definition and usage.

Lexipedia is available in English, Spanish, German, French, Dutch, and Italian. This service is powered by iSeek.

Monday, March 30, 2009

For your Security Manager

Taming Conficker, the Easy Way

Posted by kdawson on Monday March 30, @08:07AM from the scanner-lightly dept. Security

Dan Kaminsky writes

"We may not know what the Conficker authors have in store for us on April 1st, but I doubt many network administrators want to find out. Maybe they don't have to: I've been working with the Honeynet Project's Tillmann Werner and Felix Leder, who have been digging into Conficker's profile on the network. What we've found is pretty cool: Conficker actually changes what Windows looks like on the network, and this change can be detected remotely, anonymously, and very, very quickly. You can literally ask a server if it's infected with Conficker, and it will give you an honest answer. Tillmann and Felix have their own proof of concept scanner, and with the help of Securosis' Rich Mogull and the multivendor Conficker Working Group, enterprise-class scanners should already be out from Tenable (Nessus), McAfee/Foundstone, nmap, ncircle, and Qualys. We figured this out on Friday, and got code put together for Monday. It's been one heck of a weekend."

Another Obama appointee with no qualms about warrantless wiretaps?

Navy Secretary Nominee Drew Notice Over Divorce

Monday, March 30 2009 @ 04:33 AM EDT Contributed by: PrivacyNews

President Obama’s nominee for secretary of the Navy was involved in a divorce that drew national attention for his secret taping of a conversation between his wife and his family priest that he used against her in court proceedings.

Source - NY Times

The process of learning everything about a public company is virtually the same as that used to stalk someone. Think of this as a “Guide for Stalkers.” Add the links to your Research bookmark folder.

March 29, 2009

Competitive Intelligence - A Selective Resource Guide

Competitive Intelligence - A Selective Resource Guide: Sabrina I. Pacifici's completely revised and updated pathfinder focuses on leveraging selected reliable, focused, free and low cost sites and sources to effectively profile and monitor companies, markets, countries, people, and issues. This guide is a "best of list" of web, database and email alert products, services and tools, as well links to content specific sources produced by governments, academia, NGOs, the media and various publishers.

This is an interesting way to present data. Could be a useful example for my Data Analysis class.

March 29, 2009

More Interactive State Law Maps Available Online Posted by Highway Safety Organization

"The Insurance Institute for Highway Safety (IIHS) continues to enhance its online presentation of state laws with interactive US maps. The latest series of state law maps includes those for cellphones, safety belt use, child restraints, minitrucks, and low-speed vehicles. The maps help illustrate the extent to which US states are addressing these highway safety concerns."

For my students (and me)

March 29, 2009

YouTube Launches Educational Hub

YouTube Blog: "Earlier this week, we announced the launch of YouTube EDU, a hub for videos from over 100 of our leading university and college partners. Think campus tours, news about cutting-edge research, and lectures by professors and world-renowned thought leaders. There are also 200 full (and free!) courses, in a range of subjects, from some of the world's most prestigious universities, including IIT/IISc, MIT, Stanford, UC Berkeley, UCLA, and Yale. There are over 20,000 videos on YouTube EDU and growing."

This could be worth visiting every now and again to see software changes over time.


Wappalyzer is an interesting service that tracks the distribution of software on the web. So, if you are interested in knowing which apps are most used for analytics, blogging, CMS or even message boards, Wappalyzer will answer that for you.