Saturday, May 09, 2009

Do you get the impression Berkeley doesn't check the logs after they set their security?

Hackers breach UC Berkeley computer database

By JASON DEAREN, Associated Press Writer - Fri May 8, 2009 3:05PM EDT


University of California, Berkeley, officials said Friday that hackers infiltrated restricted computer databases, putting at risk health and other personal information on 160,000 students, alumni and others.

… The server breach occurred on Oct. 6, 2008, and lasted until April 9, when campus staff performing routine maintenance found messages the school said were left by the hackers.

"Evidence uncovered to date suggests that this attack was launched by highly skilled criminal operations based overseas," the school said.

Former and current students did not receive e-mail notification of the hacks until Friday morning. The university said it took forensic technology experts until April 21 to figure out which databases were hacked.

… In March 2005, a thief walked into a UC Berkeley office and swiped a computer laptop containing personal information on nearly 100,000 alumni, graduate students and past applicants.

And six months earlier, a computer hacker gained access to UC Berkeley research being done for the state Department of Social Services. Those files contained personal information of about 600,000 people.

Think the FAA will bother notifying all 'frequent flyers?'

May 08, 2009

DOT OIG: Review of Web Applications Security and Intrusion Detection in Air Traffic Control Systems

Review of Web Applications Security and Intrusion Detection in Air Traffic Control Systems, May 04, 2009

  • "On May 4, 2009, we issued our report on Federal Aviation Administration (FAA) web applications security and intrusion detection in air traffic control (ATC) systems, requested by the Ranking Minority Members of the full House Transportation and Infrastructure Committee and its Aviation Subcommittee. We found that web applications used in supporting ATC systems operations were not properly secured to prevent attacks or unauthorized access. During the audit, our staff gained unauthorized access to information stored on web application computers and an ATC system, and confirmed system vulnerability to malicious code attacks. In addition, we found that FAA had not established adequate intrusion–detection capability to monitor and detect potential cyber security incidents at ATC facilities. Intrusion–detection systems have been deployed to only 11 (out of hundreds of) ATC facilities. Also, cyber incidents detected were not remediated in a timely manner."

This is going to take some serious interpretation. Is it okay to phish (pretend I'm someone else) as long as I'm wearing my uniform, or am I always a spy? Where will the e-Guantanamo be located? Who is this message directed to – China, North Korea, Osama, my hacker class?

Law of Armed Conflict To Apply To Cyberwar

Posted by Soulskill on Friday May 08, @07:14PM from the logic-bombs-vs-smart-bombs dept.

charter6 writes

"Gen. Kevin Chilton, the head of STRATCOM, just declared that the Law of Armed Conflict will apply to cyberwar, and that the US won't rule out conventional (read: kinetic) responses to cyber-attacks. This means that we consider state-supported 'hackers' to be subject to the Geneva Conventions and Customary International Law, including the rules of proportionality and distinction (i.e. if we catch them, we can try them for war crimes). [What is a cyberwar crime? Bob] Incidentally, it also means we consider non-state cyber-attackers to be illegal enemy combatants, which means we can do all kinds of nasty stuff to them."

Think of this as the government's playbook. They've already implemented the simple stuff (school closings); wait for the harder ones like mandatory flu shots...

May 08, 2009

CRS: The 2009 Influenza A(H1N1) Outbreak: Selected Legal Issues

CRS Report - The 2009 Influenza A(H1N1) Outbreak: Selected Legal Issues - May 4, 2009: "Recent human cases of infection with a novel influenza A(H1N1) virus have been identified both internationally and in the United States. Since there has been human to human transmission and the new virus has the potential to become pandemic, it is timely to examine the legal issues surrounding this emerging public health threat. This report provides a brief overview of selected legal issues including emergency measures, civil rights, liability issues, and employment issues."

Could Microsoft have thought any other way? Call it the curse of monopolistic culture.

Mozilla, Opera blast Microsoft over IE8 upgrade practice

Opera wants the EU to make Microsoft download other browsers to PCs with Windows Update

By Gregg Keizer

May 8, 2009 (Computerworld) Browser makers Mozilla and Opera accused Microsoft yesterday of force-feeding Internet Explorer 8 (IE8) to users with Windows Update and silently changing the default browser on PCs.

Both companies, which make Firefox and Opera, respectively, are involved in the European Union's antitrust action against Microsoft, which was accused in January of "shielding" IE from competition by bundling the browser with Windows.

Close to my idea for replacing how charities are funded, but with some clear flaws...

Kachingle to 'sprinkle' dollars to online publishers

by Mats Lewan May 8, 2009 2:43 PM PDT

Newspaper and content providers on the Internet are getting increasingly antsy about how to make money. Kachingle announced its solution in February, and it has gained so much interest, the founders say, that the launch is being delayed while the team builds out the service so it can support what they think will be a popular offering.

Here's the basic idea of Kachingle: Users contribute a small amount, currently $5.00 per month, voluntarily. On registration, they indicate which content sites they like and want to support. At the end of the month, their monthly fee is distributed to their sites, based on how much time they spent on each site.

Another free DVD burner. (Can you have too many?)

How to Create a DVD from Any Video File

May. 8th, 2009 By Tim Watson

It used to be true that, to produce a DVD, one must have expensive equipment and machinery. Thanks to some nifty free software, the creation of a DVD suitable for play in your home theater is not only possible, but simple.

Today I’ll be showing you how to use the free DVD Flick to convert just about any video files to DVD format. DVD Flick supports a huge number of audio and video file formats. You may create DVDs from avi, vob, iso, wmv, mp4 and even Flash video (FLV) so that you may preserve that YouTube pirated movie cute cat video for generations.

For certain Internet workaholics (you know who you are...)

Minutes Please

Control your web time.

Friday, May 08, 2009

In case you thought it was just silly to phish the Facebook pond...

Phished Facebook accounts become spammer's tool

Friday, May 08 2009 @ 04:08 AM EDT Contributed by: PrivacyNews

Cybercriminals who went after Facebook users with a number of phishing attacks last week have now turned around and begun sending spam messages from the Facebook accounts they cracked.

Source - Computerworld

[From the article:

"Some of it points to a site where users are hit with drive-by downloads of adware," he said in an e-mail message. "We’ve started blocking all of this spam this morning, have been deleting it, and resetting the passwords of accounts that sent it." [That would be the users who were phished. Bob]

… but the company won't say how many users have been affected, because that would let the bad guys know how effective its security measures have been. [Let's calculate. If I phish 1000 accounts (a number Facebook can't know) and Facebook blocks 12 accounts, I would calculate that their security measures STINK! Bob]

The comments suggest that the judge could have been a bit more specific in his instructions (and that the commenters don't trust the RIAA at all).

Court Sets Rules For RIAA Hard Drive Inspection

Posted by Soulskill on Thursday May 07, @01:51PM from the this-far-and-no-farther dept.

NewYorkCountryLawyer writes

"In a Boston RIAA case, SONY BMG Music Entertainment v. Tenenbaum, the Court has issued a detailed protective order establishing strict protocols for the RIAA's requested inspection of the defendant's hard drive, in order to protect the defendant's privacy. The order (PDF) provides that the hard drive will be turned over to a computer forensics expert of the RIAA's choosing, for mirror imaging, but that only the forensics expert — and not the plaintiffs or their attorneys — will be able to examine the mirror image. The forensics expert will then issue a report which will describe (a) any music files found on the drive, (b) any file-sharing information associated with each file, and any other records of file-sharing activity, and (c) any evidence that the hard-drive has been 'wiped' or erased since the initiation of the litigation. The expert will be precluded from examining 'any non-relevant files or data, including ... emails, word-processing documents, PDF documents, spreadsheet documents, image files, video files, or stored web-pages.'"

What are the strategic issues here? Cost of the laptop and numbers of students certainly. Would a textbook publisher use this to “lock in” their line of e-textbooks? Would Pepsi and Coke bid for the right to design the laptop color scheme? Could I get rich running a foundation promising to “Give every Colorado school child a computer?”

South Carolina To Give 1 Laptop Per School Child

Posted by kdawson on Friday May 08, @08:57AM from the begins-at-home dept.

ruphus13 sends in an OStatic article outlining the plans of the state of South Carolina, inspired by the One Laptop Per Child project, to provide laptops to local elementary school children.

"The South Carolina Department of Education and the non-profit Palmetto Project have teamed up to get a laptop in the hands of every elementary school student in South Carolina... The OLPC/SC hopes to distribute as many as 50,000 laptops this spring to eligible students. The effort is underwritten and managed by the Palmetto Project, whose mission is to 'put new and creative ideas to work in South Carolina.' While low-performing school districts with limited resources are a special focus for the OLPC/SC, the group is adamant on one point: There are no free laptops. In order to receive a laptop, children need to give a small monetary donation — the project coordinators say a dollar or two is sufficient."

It's not obvious from browsing around the OLPC/SC site what software the XO laptops will be running; but by following links one gets the impression that they will be powered by Linux, not XP.

I know I've posted articles on this before, but I'm just realizing that it would be much simpler if manufacturers built GPS trackers into the cars at the factory. Is that part of the “save the auto industry” deals? Question two: Does this require police to ensure that the driver of the car is the person of interest each time GPS data is recorded? After all, “That's not our target” is also something visual surveillance would disclose.

WI: GPS tracking is not "search and seizure"

Thursday, May 07 2009 @ 03:09 PM EDT Contributed by: PrivacyNews

The District 4 Court of Appeals held that police can secretly attach a GPS to anyone's vehicle without a warrant because GPS tracking does not constitute a "search and seizure." Although their decision was unanimous, even the judges seemed to realize the potential for serious abuse and asked the state legislature to regulate its use.

Source - Associated Press, via Chicago Tribune

Defining Privacy

What is Privacy? Is it the sum of all the privacy policies on the Internet? I hope not! Law School Students: Here's an easy and interesting paper – what do the top 100 sites agree on?

Why Facebook Shut Down the Only Useful App it Ever Had

Thursday, May 07 2009 @ 03:15 PM EDT Contributed by: PrivacyNews

It was inevitable, but we’re still disappointed.

Facebook has shut down the single most useful application ever to grace its tightly restricted platform. The Newsfeed RSS app was built using the recently unveiled Open Stream API, a set of tools developers can use to build apps that let users read, interact with and write to their Facebook stream.

… According to the restrictions in the new Open Stream API, applications can not cache or otherwise store data. What this means is, according to Facebook, the simple act of keeping track of your friends through RSS is a violation of their privacy.

Source - webmonkey

Defining Privacy

AU: Commissioner publishes case notes

Friday, May 08 2009 @ 04:03 AM EDT Contributed by: PrivacyNews

The Office of the Privacy Commissioner of Australia has published its first six case notes/rulings for 2009.

As part of Privacy Awareness Week, they have also released the Autumn issue of Privacy Matters.

Source - Case Notes

Phishing for phemales? Do you believe these stats?

Women more affected by ID fraud, study finds

by Elinor Mills May 7, 2009 6:00 PM PDT

Women are more affected by identity fraud than men are, according to a new survey that also found that it takes women longer to restore their identities, but they also tend to change their behavior afterward.

In a survey of 808 U.S. households, half of which reported fraud, 28 percent of women said they had been victims of identity fraud compared with 21 percent for men.

This corresponds with a report in February from Javelin Research that found that women were 26 percent more likely to be victims of identity fraud than men.

In the latest survey, from fraud protection service provider Affinion Security Center, 17 percent of women said they lost $1,000 or more from the fraud compared with 10 percent for the men.

Wholesale destruction. It's not just the odd employee any more. Something for the risk analysis class.

When Hacked PCs Self-Destruct

Posted by timothy on Friday May 08, @03:26AM from the fate-blesses-you-with-a-chance-to-reinstall dept.

An anonymous reader writes

"From The Washington Post's Security Fix blog comes a tale that should make any Windows home user or system admin cringe. It seems the latest version of the Zeus Trojan ships with a command that will tell all infected systems to self-destruct. From the piece: 'Most security experts will tell you that while this so-called "nuclear option" is an available feature in some malware, it is hardly ever used. Disabling infected systems is counterproductive for attackers, who generally focus on hoovering as much personal and financial data as they can from the PCs they control. But try telling that to Roman Hüssy, a 21-year-old Swiss information technology expert, who last month witnessed a collection of more than 100,000 hacked Microsoft Windows systems tearing themselves apart at the command of their cyber criminal overlords.'"

[From the article:

Researchers at the S21sec blog have their own theory: that maybe attackers wield the nuclear option to buy themselves more time to use the stolen data.

Once again Gary Alexander has “discovered” an article rife with useful information – in this case, it's Security Frameworks.

Frameworks for IT Security

By Sean Doherty Law Technology News May 5, 2009

[N.B. The IT Governance Institute's "Control Objectives for Information Technology" is a collection of industry best practices to secure an organization's computer and network processes.

… COBIT version 4.1 is available as a free download, but to dive deep into the standard you may need to join the Information Systems Audit and Control Association for a nominal fee.

For the Hacker folder. Remember, these work best in series – put several anonymizers between you and your target.


This service allows you to surf the web without revealing any personal information. It is fast, it is easy, and it is free!

For the Swiss Army folder?


Converticious makes the conversion of units a snap. The newly launched service utilizes the power of Ajax to convert units, hence eliminating the need to reload the page. Categories of units are clearly displayed, and clicking on one will display a list of units, a textbox to enter the value you need to convert, and even a selector of the number of decimals to display.

Thursday, May 07, 2009

The FBI is increasingly being defined by what it does poorly...

Report: FBI Mishandles Terror Watch List

By Ryan Singel Email Author May 6, 2009 4:47 pm

The FBI can’t figure out the right way to add or remove suspected terrorists from the country’s unified terrorist watch list, subjecting citizens to unjustified scrutiny from government officials and possibly putting the country at risk, the Justice Department’s internal watchdog said Wednesday in a new report.

Trust us...

Secret APA torture e-mail list not so secret anymore

Just because that mailing list that you're participating in is secret doesn't mean that it'll always stay secret. Just ask the members of the American Psychological Association who used a (formerly) secret mailing list to develop the organization's controversial stance on its members' involvement in military interrogations.

By Jon Stokes Last updated May 7, 2009 8:15 AM CT

… Witness the invitation-only e-mail discussion list created by the American Psychological Association and the Pentagon in order to host a dialogue between military and civilian psychologists on the profession's role in the interrogation side of the war on terror. The APA probably didn't expect the entire list archive [PDF] would ever get leaked to the press and follow its members around on Google for the rest of their careers. But that's exactly what happened.

Are the bases for these torts merging? Can you be libelous without breaching privacy?

UK: Ian Hislop: ‘Privacy is the new libel’

Wednesday, May 06 2009 @ 09:53 AM EDT Contributed by: PrivacyNews

The Culture, Media and Sport committee met yesterday in parliament, where MPs quizzed key figures in the press such as Private Eye’s Ian Hislop and the Guardian’s Alan Rusbridger on press standards, privacy and libel.

‘Privacy is the new libel,’ said Ian Hislop. ‘I am less sued,’ he continued. ‘There are fewer libels but each one is a lot more expensive and you can run into huge figures on one story.’ While libel is becoming harder to accuse, privacy is not. Hislop attested to being sent fortnightly injunctions against privacy by the notorious Schillings law firm. He claimed to have had three privacy cases against him just this year. ‘It’s time to say: “What is privacy law?”’

Source - Katriona Lewis, on Free Speech Blog

What possible consequences? Blocking “private” email suggests some evil scenarios. Let's hope there was no lawyer-client communication...

Facebook’s E-mail Censorship is Legally Dubious, Experts Say

By Ryan Singel Email Author May 6, 2009 5:20 pm

When The Pirate Bay released new Facebook features last month, the popular social networking site took evasive action, blocking its members from distributing file-sharing links through its service.

Now legal experts say Facebook may have gone too far, blocking not only links to torrents published publicly on member profile pages, but also examining private messages that might contain them, and blocking those as well.

“This raises serious questions about whether Facebook is in compliance with federal wiretapping law,” said Kevin Bankston, a lawyer with the Electronic Frontier Foundation, responding to questions from a reporter about the little-noticed policy that was first reported by TorrentFreak.

Slippery slope? Oh, wait, that's pornographic in S. Carolina... If you had doubts about what was being offered, being flagged as a “paid ad” would eliminate any worries. As for the working number? Try the S. Carolina AG's office. That works.

Craigslist Threatened With Criminal Investigation

South Carolina AG Threatens Investigation Unless Craigslist Removes Ads That Allegedly Encourage Prostitution

By SCOTT MICHELS May 5, 2009

The South Carolina attorney general gave the management of the Web site Craigslist 10 days to remove postings that he said are pornographic or that encourage prostitution, or face a possible criminal investigation.

… Craigslist said it would take a number of steps to combat online prostitution, including charging people who post ads in the "erotic services" section $5 to $10 and requiring them to submit a working phone number to use the site. The information can be used by law enforcement to investigate suspected illegal activity.

Convergence. Somewhere there must be a legal maxim that states: “It's not the tool, it's what you do with it.” That's the only thing that keeps chefs from being arrested for possession of sharp knives. Eventually someone must realize that how you use a tool defines its taxability.

New Irish Internet Tax?

Posted by samzenpus on Wednesday May 06, @10:13PM from the new-pot-of-gold dept.

MarkDennehy writes

"The Broadcasting Bill 2009 (currently in the last stages of becoming the Broadcasting Act 2009 and then being commenced into law in Ireland) has thrown up a rather unpleasant little nugget for broadband users in Ireland. It now defines a television set as being an electronic apparatus able to receive TV signals or "any software or assembly comprising such apparatus" which would mean that even if you haven't got a television set, even if you don't watch streaming content from (the state broadcaster's website), you'd still have to pay 160 euro a year for a television license for your iPhone, or netbook, or laptop or desktop if you have fixed or mobile broadband."

See? It's only 12 years – not a lifetime. If you don't have contact with terrorists, don't commit crimes and don't vote for the other guy, your record will be expunged.

Ministers keep innocent on DNA database

Thursday, May 07 2009 @ 04:07 AM EDT Contributed by: PrivacyNews

The genetic profiles of hundreds of thousands of innocent people are to be kept on the national DNA database for up to 12 years in a decision critics claim is designed to sidestep a European human rights ruling that the "blanket" retention of suspects' data is unlawful.

The proposed new rules for the national DNA database, to be put forward tomorrow by the home secretary, Jacqui Smith, include plans to keep the DNA profiles of innocent people who are arrested but not convicted of minor offences for six years.

Source - Guardian Related - Telegraph

Hacker tools. Interesting hack one of my students gave his presentation on... Run the Revelation cursor over a password field and all those little asterisks are magically removed, revealing your “secret” password. (Very useful if you forgot the password.)

SnadBoy Software

SnadBoy Revelation

Wednesday, May 06, 2009

As RFID evolves, so does the risk.

Chipping away at security

Wednesday, May 06 2009 @ 05:40 AM EDT Contributed by: PrivacyNews

The same technological advances that are making personal computers smaller and phones more energy-efficient are turning gadgets that use radio frequency identification, or RFID, into appealing targets for hackers.

… "It's a bit of an arms race," said Kevin Fu, who is investigating RFID attacks and countermeasures at the RFID Consortium for Security and Privacy, or CUSP, at the University of Massachusetts at Amherst. "The adversary doesn't get any dumber."

So far, however, the "enemy" appears to consist largely of Fu, and cryptography specialists such as Ari Juels, director of RSA Laboratories in Bedford, who has developed ways to hack into RFID payment devices such as MasterCard's PayPass.

Source - The Boston Globe

What takes over 100 days to produce? A government 60-day review report.

Cybersecurity report delayed due to Swine Flu

May 5th, 2009 Rob Douglas

Over at the Identity Theft Assistance Center (ITAC) blog, they’ve made note of the continuing delay in the Obama administration’s much anticipated release of its review of U.S. Cybersecurity. ITAC hopefully proffers that the report may see the light of day this week.

As ITAC reports – based on a piece published by Federal Computer Week – the most recent delay in the report is being attributed to the outbreak of Swine Flu.

What does Apple see?

Apple set to buy Twitter for £460m?

The only question is: would it be called Twapple?

… The question would obviously remain, no matter who buys the company, how would it make any money? Twitter still has to define a business model that would generate the significant income a 6 million user base and over 1,300 per cent growth should be bringing.

An easier business model to comprehend? If so, should Comcast buy Hulu (or Hulu buy Comcast)?

Why Comcast Has To Worry About Hulu (CMCSA)

Dan Frommer|May. 4, 2009, 2:20 PM

Here's a number that isn't making life easier for Comcast (CMCSA), Time Warner Cable (TWC), or the rest of the pay TV industry: More than 40% of U.S. households under age 35 watch Internet video on their TVs at least once a month, according to research firm In-Stat.

That includes watching via game consoles, Web TV gadgets like the Roku box and Apple TV, and hooking up a laptop to the TV. Increasingly, it will include TVs with Web video built-in.


May 05, 2009

FTC Testifies on Data Security, Peer-to-Peer File Sharing

News release: "The Federal Trade Commission today testified on the Commission’s efforts to promote better security for sensitive consumer information and to prevent the inadvertent sharing of consumers’ personal or sensitive data over Peer-to-Peer Internet file-sharing networks. As part of these efforts, the agency also announced that it had reached an agreement with one of the largest privately held lenders [James B. Nutter & Company Bob] in the United States to resolve charges that the company violated federal law by failing to provide reasonable security for consumers’ sensitive information. In testimony before the House Energy and Commerce Committee Subcommittee on Commerce, Trade and Consumer Protection, Acting Director of the Bureau of Consumer Protection Eileen Harrington said the agency strongly supports the goals of H.R. 2221, the Data Accountability and Trust Act, which would require companies to put reasonable data security policies and procedures in place, and to notify consumers when there has been a data security breach that affects them. The legislation also would give the Commission the authority to obtain civil penalties for violations."

Unusual in that it mandates companies hire psychics...

Utah Court Mines Safe Harbor Rule 37(e) Into Oblivion - Part One

A new opinion by a Magistrate in Utah on Rule 37(e) FRCP will, unless reversed on appeal to the District Court Judge, endanger litigants for years to come. Phillip M. Adams & Associates, L.L.C., v. Dell, Inc., 2009 WL 910801 (D.Utah March 30, 2009). Two Taiwanese companies (ASUS) in this patent infringement case were sanctioned for spoliation because they did not implement a litigation hold and start preserving email in 1999. What makes this ruling so mind boggling is that the plaintiff did not even determine that it might have a claim against ASUS until 2005, did not send a demand letter until 2006, and did not sue ASUS until 2007.

Will this be the wooden spike? Let's hope so... SCO is tougher to kill than Rasputin!

US Trustee Asks To Send SCO Into Chapter 7

Posted by kdawson on Tuesday May 05, @11:33PM from the long-dark-teatime-drawing-to-a-close dept.

Several readers including Pop69 inform us that the US Trustee's office has asked to convert SCO's Chapter 11 bankruptcy to Chapter 7 — a.k.a. liquidation. Groklaw has the text of the filing: "...not only is there no reasonable chance of 'rehabilitation' in these cases, the Debtors have tried — and failed — to liquidate their business in chapter 11."

For Cindy's “Sex & Power” class.

Safe "sexting?" No such thing, teens warned

By Belinda Goldsmith – Mon May 4, 1:02 pm ET

CANBERRA (Reuters Life!) – Teens sending nude or suggestive photos of themselves over their mobile phones are being warned -- "sexting" can damage your future.

… In the United States, a survey last fall found one in five teenagers said they had sent or posted online nude or semi-nude pictures of themselves and 39 percent said they had sent or posted sexually suggestive messages, according to the National Campaign to Prevent Teen and Unplanned Pregnancy.

For the Swiss Army folder. When I get my scanner re-attached...

OCR Terminal

What is OCR Terminal?

OCR Terminal is a free online Optical Character Recognition service that allows you to convert scanned images and PDFs into editable and text searchable documents. It accurately preserves formatting and layout of documents.

Ditto. In case my threats of naming a “Twit of the day” come true.

My Award Maker

Printing out elegant certificates has never been easier! It’s 100% free!

Interesting. Since they don't store your file, the file size is unlimited.


JetBytes is a file transfer service that allows the sharing of files without storing any data. This service is very simple to use, just select a file from your computer, and JetBytes will generate a URL that you can send out, which in turn allows the receiver to download the file.

Tuesday, May 05, 2009

What is your data worth? Initial reports indicated that this breach was of license data only – about 300,000 maximum. Don't believe that the state would have patient records (yet – electronic health records are coming).

Update: Virginia Health Data Potentially Held Hostage

May 4, 2009 by admin Filed under: Breach Reports, Government Sector, Hack, U.S.

Thomas Claburn of InformationWeek reports:

An extortion demand posted on WikiLeaks seeks $10 million to return over 8 million patient records and 35 million prescriptions allegedly stolen from Virginia Department of Health Professions.

The note reads: “ATTENTION VIRGINIA I have your sh**! In *my* possession, right now, are 8,257,378 patient records and a total of 35,548,087 prescriptions. Also, I made an encrypted backup and deleted the original. Unfortunately for Virginia, their backups seem to have gone missing, too. Uhoh :(”

Read more on InformationWeek.

[From the article:

Extortion demands of this sort have become relatively common in data breach cases. Last October, for instance, Express Scripts, a prescription drug management company based in St. Louis, received a letter that threatened the release of millions of patient records. A month earlier, a man from Solana Beach, Calif., was arrested for allegedly hacking into a Maserati dealership Web site, accessing customer data, and then threatening to release the information unless the company paid him.

The attack technique -- capturing data, encrypting it, then selling access to the former owner -- has become popular enough to earn its own name: cryptoviral extortion.

The crime that keeps on taking? I would love to see the decision tree these banks use to determine when cards (they know are compromised) should be replaced.

Ohio Heritage Bank replaces cards due to HPY breach (updated)

May 4, 2009 by admin Filed under: Breach Types, Financial Sector, Government Sector, Hack, Healthcare Sector, ID Theft, Lost or Missing, Malware, Non-U.S., U.S.

Heartland Payment Systems may be back in VISA’s good graces as PCI-Compliant, but the impact of the breach continues to emerge.

Leonard Hayhurst of Coshocton Tribune reports that Ohio Heritage Bank was alerted over the weekend that 800 debit cards were compromised due to the breach. Of the 800 cards, 15 showed fraudulent charges.

VISA gave banks and credit unions until May 19 to file claims for reimbursement for part of any losses. It is not clear whether VISA is still notifying financial institutions of compromised card numbers. An inquiry to VISA has not yet been answered.

Update: According to a source close to VISA, Visa completed notifying financial institutions about card numbers at risk “a while ago.” It would seem then, that financial institutions claiming that they were “recently” or “just” notified are not referring to notification by VISA. These may be cases where financial institutions were monitoring numbers for signs of misuse and then either decided to replace cards before the May 19 deadline for submitting claims, or have only recently detected evidence of actual misuse of cards.

One excuse (that any government makes) is that the process of protecting data is huge, expensive, and requires a highly trained staff. See the next article and judge for yourself.

NZ: Kiwis' personal details exposed

Tuesday, May 05 2009 @ 05:36 AM EDT Contributed by: PrivacyNews

The personal details of thousands of New Zealanders are at risk because Government departments have poor controls on how staff use portable storage devices, the Privacy Commissioner says.

A survey of the 42 main government agencies, undertaken by the Office of the Privacy Commissioner, shows 'portable storage devices' (PSDs) - such as USB memory sticks - are widely used but that there are "real gaps" in security procedures and practices, Privacy Commissioner Marie Shroff says.

Source - Stuff

Related - Press Release from the Privacy Commissioner and Results of the Survey (.doc).

Read the article. How difficult does this seem to you?

How To Hide Files Like a Super Villain

May. 4th, 2009 By Tim Watson

Got something to hide? The Colonel’s secret recipe? An advance screener DVD of Watchmen? Top-secret plans for world domination? If this sounds like you, and you want to hide something on your computer, really well, then please continue reading. Time for some magic; I’m gonna make your files disappear.

The potential of botnets. What is the average password worth? Pennies or pounds?

Researchers hijack botnet, score 56,000 passwords in an hour

Monday, May 04 2009 @ 03:27 PM EDT Contributed by: PrivacyNews

The Torpig botnet was hijacked by the good guys for ten days earlier this year before its controllers issued an update and took the botnet back. During that time, however, researchers were able to gain a glimpse into the kind of information the botnet gathers as well as the behavior of Internet users who are prone to malware infections.

Source - Ars Technica

Related - Brett Stone-Gross, Marco Cova, Lorenzo Cavallaro, Bob Gilbert, Martin Szydlowski, Richard Kemmerer, Chris Kruegel, Giovanni Vigna: Your Botnet is My Botnet: Analysis of a Botnet Takeover (pdf)

[From the article:

Almost 300,000 unique login credentials were gathered over the time the researchers controlled the botnet, including 56,000 passwords gathered in a single hour using "simple replacement rules" and a password cracker. They found that 28 percent of victims reused their credentials for accessing 368,501 websites, making it an easy task for scammers to gather further personal information.

… Of course, the primary goal of Torpig is to steal financial information like credit card numbers and bank logins. In just ten days, Torpig apparently obtained credentials of 8,310 accounts at 410 financial institutions, including PayPal, Capital One, E*Trade, and Chase. The researchers noted, too, that nearly 40 percent of the credentials stolen by Torpig were from browser password managers, and not actual login sessions, and that the Torpig controllers may have exploited these credentials for between $83,000 and $8.3 million during that time period.
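An added example (not the researchers' code and not from the Ars Technica article) of the two measurements quoted above: how much credential reuse a stolen dump reveals, and how far "simple replacement rules" get a password cracker against hashed passwords. The victims, sites and passwords are constructed; unsalted SHA-1 stands in for whatever weak hashing a victim site might use, and the wordlist, leet map and suffix list are illustrative rule sets, not the paper's John the Ripper configuration.

```python
"""Added example: mining a stolen-credential dump the way the Torpig paper
describes. All records are constructed; nothing here is a real account."""
import hashlib
import itertools
from collections import defaultdict

# Constructed cleartext dump: (victim_id, site, username, password).
CLEARTEXT_DUMP = [
    ("v1", "webmail.example", "alice", "Summer2008"),
    ("v1", "bank.example",    "alice", "Summer2008"),   # same password at a bank
    ("v1", "shop.example",    "alice", "summer08"),
    ("v2", "webmail.example", "bob",   "qwerty1"),
    ("v2", "forum.example",   "bob",   "qwerty1"),
    ("v2", "shop.example",    "bob",   "qwerty1"),
    ("v3", "webmail.example", "carol", "Tr0ub4dor&3"),
    ("v3", "forum.example",   "carol", "correcthorse"),
    ("v4", "bank.example",    "dave",  "h0ckey!"),
]

def reuse_report(records):
    """Return (fraction of victims reusing a password, {victim: {pw: sites}})."""
    by_victim = defaultdict(lambda: defaultdict(set))
    for victim, site, _user, pw in records:
        by_victim[victim][pw].add(site)
    reusers = {}
    for victim, pws in by_victim.items():
        shared = {pw: sites for pw, sites in pws.items() if len(sites) > 1}
        if shared:
            reusers[victim] = shared
    fraction = len(reusers) / len(by_victim) if by_victim else 0.0
    return fraction, reusers

def financial_exposure(reusers, financial_sites):
    """Victims whose reused password also unlocks a financial site."""
    return {v for v, shared in reusers.items()
            if any(sites & financial_sites for sites in shared.values())}

# Illustrative "simple replacement rules" (assumed, not the paper's rules).
LEET = {"a": "4", "e": "3", "i": "1", "o": "0", "s": "5"}
SUFFIXES = ["", "1", "!", "08", "2008", "123"]
WORDLIST = ["password", "summer", "qwerty", "hockey"]

def leet_variants(word):
    """Every combination of original/leet character at substitutable positions."""
    choices = [(ch, LEET[ch.lower()]) if ch.lower() in LEET else (ch,) for ch in word]
    for combo in itertools.product(*choices):
        yield "".join(combo)

def mangle(word):
    """Candidates from one dictionary word: case variants, leet, common suffixes."""
    seen = set()
    for base in (word.lower(), word.capitalize(), word.upper()):
        for variant in leet_variants(base):
            for suffix in SUFFIXES:
                cand = variant + suffix
                if cand not in seen:
                    seen.add(cand)
                    yield cand

def sha1_hex(text):
    return hashlib.sha1(text.encode()).hexdigest()

# The same six passwords as an unsalted-hash dump (constructed).
HASHED_DUMP = sorted({sha1_hex(pw) for *_, pw in CLEARTEXT_DUMP})

def crack(hashes, wordlist=WORDLIST):
    """Return {hash: cleartext} for every hash the rules recover."""
    targets = set(hashes)
    found = {}
    for word in wordlist:
        for cand in mangle(word):
            h = sha1_hex(cand)
            if h in targets:
                found[h] = cand
                targets.discard(h)
                if not targets:
                    return found
    return found

if __name__ == "__main__":
    frac, reusers = reuse_report(CLEARTEXT_DUMP)
    print(f"reuse rate: {frac:.0%}; exposed at banks: {financial_exposure(reusers, {'bank.example'})}")
    print(f"cracked {len(crack(HASHED_DUMP))} of {len(HASHED_DUMP)} hashes")
```

Four of the six constructed passwords fall to a four-word list and a handful of rules; the two that survive are the ones with no dictionary stem. The reuse report is the part that turns a webmail credential into a bank credential, which is the finding the paper quantified.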

Too expensive to book a flight just to steal data, perhaps something at the airport or as the planes fly over? (Note this is how many home systems are set up and how TJX lost 95 million card numbers – no one ever learns.)

Personal Computer Information Can Be Easily Hacked While in Flight

Monday, May 04 2009 @ 06:29 PM EDT Contributed by: PrivacyNews

Recently Netragard, LLC, The Specialist in Anti-Hacking, found that airline passengers' personal computer information can be easily hacked while in flight. The wireless inflight airline internet access service, GoGo Inflight Internet ("GoGo"), which enables travelers to access the internet while in flight does not encrypt communications between users (passengers) and the Wireless Access Points on the aircraft.

Source - News Blaze
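The finding above is that the cabin access points run without link-layer encryption. As an added example (not Netragard's or GoGo's code), here is how to confirm that from a capture: parse an 802.11 beacon's capability field and information elements. The beacon bytes are constructed in the block, the SSID "example-inflight" and BSSID are made up, and only the Privacy capability bit, the RSN element (id 48) and the legacy WPA vendor element (OUI 00:50:F2, type 1) are inspected.

```python
"""Added example: classify what an 802.11 access point advertises from its
beacon frame. Not from Netragard, GoGo or the article; the beacons are
constructed here for testing, not captured in flight."""
import struct

PRIVACY_BIT = 0x0010                   # capability bit 4: WEP/WPA/WPA2 in use
IE_SSID, IE_RSN, IE_VENDOR = 0, 48, 221
WPA1_OUI_TYPE = b"\x00\x50\xf2\x01"    # Microsoft OUI + type 1 = legacy WPA IE
MGMT_HDR_LEN = 24                      # frame control, duration, 3 addrs, seq
FIXED_LEN = 8 + 2 + 2                  # timestamp, beacon interval, capability

def build_beacon(ssid, privacy, rsn=False, wpa1=False):
    """Constructed beacon for the demo (BSSID 02:00:00:00:00:01 is made up)."""
    bssid = b"\x02\x00\x00\x00\x00\x01"
    header = b"\x80\x00" + b"\x00\x00" + b"\xff" * 6 + bssid + bssid + b"\x00\x00"
    cap = 0x0001 | (PRIVACY_BIT if privacy else 0)       # ESS bit + privacy
    body = b"\x00" * 8 + struct.pack("<HH", 100, cap)
    ies = bytes([IE_SSID, len(ssid)]) + ssid.encode()
    if rsn:   # version 1, group cipher CCMP: enough for a parser to see RSN
        rsn_data = b"\x01\x00" + b"\x00\x0f\xac\x04"
        ies += bytes([IE_RSN, len(rsn_data)]) + rsn_data
    if wpa1:
        wpa_data = WPA1_OUI_TYPE + b"\x01\x00"
        ies += bytes([IE_VENDOR, len(wpa_data)]) + wpa_data
    return header + body + ies

def parse_beacon(frame):
    """Return ssid, privacy flag and whether RSN / WPA IEs are present."""
    if len(frame) < MGMT_HDR_LEN + FIXED_LEN or frame[0] != 0x80:
        raise ValueError("not a beacon frame")
    cap = struct.unpack_from("<H", frame, MGMT_HDR_LEN + 10)[0]
    info = {"ssid": None, "privacy": bool(cap & PRIVACY_BIT),
            "rsn": False, "wpa1": False}
    pos = MGMT_HDR_LEN + FIXED_LEN
    while pos + 2 <= len(frame):
        ie_id, ie_len = frame[pos], frame[pos + 1]
        data = frame[pos + 2 : pos + 2 + ie_len]
        if len(data) < ie_len:         # truncated element: stop, don't over-read
            break
        if ie_id == IE_SSID:
            info["ssid"] = data.decode("utf-8", "replace")
        elif ie_id == IE_RSN:
            info["rsn"] = True
        elif ie_id == IE_VENDOR and data[:4] == WPA1_OUI_TYPE:
            info["wpa1"] = True
        pos += 2 + ie_len
    return info

def classify(info):
    """OPEN means anyone on the cabin WLAN can read everyone else's frames."""
    if not info["privacy"]:
        return "OPEN"
    if info["rsn"]:
        return "WPA2/RSN"
    if info["wpa1"]:
        return "WPA"
    return "WEP"                        # privacy bit set, no RSN/WPA element

if __name__ == "__main__":
    for frame in (build_beacon("example-inflight", privacy=False),
                  build_beacon("example-inflight", privacy=True, rsn=True)):
        info = parse_beacon(frame)
        print(info["ssid"], classify(info))
```

Note the caveat a practitioner would add: even if the airline switched to WPA2 with a passphrase printed on the seatback card, a shared PSK does not isolate passengers from one another, since any PSK holder who captures a neighbour's four-way handshake can derive that neighbour's session key. The real mitigation is end-to-end (TLS or a VPN), whatever the beacon says.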

Victim analysis continues...

Consumer Reports Survey: One in Five Online Consumers Have Been Victims of Cybercrime

Monday, May 04 2009 @ 06:31 PM EDT Contributed by: PrivacyNews

It continues to be a boom time for cybercrime according to the latest Consumer Reports National Research Center "State of the Net" survey. Consumer Reports found that one in five online consumers have been victims of cybercrime in the last two years to the tune of an estimated $8 billion. And the overall rate of the crime has remained consistent over the five years that Consumer Reports has been tracking.

Source - News Blaze

[From the article:

Additionally, Consumer Reports estimates that 1.2 million consumers have had to replace their computers over the past two years due to software infections and an estimated 3.7 million households with broadband Internet access did not use a firewall to protect against hackers.

Why statistics matter when developing a security plan.

May 04, 2009

Would your employees sell out?

According to a new survey of 600 people, one third of employees would sell company secrets for compensation. The amount of compensation needed varied based on who was spoken to. This survey was done by the same people who famously got usernames and passwords from people in exchange for a chocolate bar last year.

… The vast majority (about two thirds) said it would be “easy” to get this information out of the organization. Eighty eight percent of them think that the information they have access to is valuable.

The respondents said they felt less secure in their jobs and had less loyalty to the employers than they did a year ago.

For those that had access to customer information such as credit or debit card information, most said they were less likely to sell that, and 4 out of 5 flat out refused at any price. For the 20 percent that were willing to do it, the price was far higher than other types of data.

Q: What will replace tax incentives for foreign investment? A: Foreign aid Q: Why? A: Because Government spending is good, business or individual investment is bad. Q: How can you tell that Bob is upset? A: Check his blood pressure.

May 04, 2009

Treasury: Leveling the Playing Field: Curbing Tax Havens and Removing Tax Incentives for Shifting Jobs Overseas

News release: "Today, President Obama and Secretary Geithner are unveiling two components [Fact Sheet and Backgrounder] of the Administration's plan to reform our international tax laws and improve their enforcement. First, they are calling for reforms to ensure that our tax code does not stack the deck against job creation here on our shores. Second, they seek to reduce the amount of taxes lost to tax havens – either through unintended loopholes that allow companies to legally avoid paying billions in taxes, or through the illegal use of hidden accounts by well-off individuals. Combined with further international tax reforms that will be unveiled in the Administration's full budget later in May, these initiatives would raise $210 billion over the next 10 years. The Obama Administration hopes to build on proposals by Senate Finance Committee Chairman Max Baucus and House Ways and Means Chairman Charles Rangel – as well as other leaders on this issue like Senator Carl Levin and Congressman Lloyd Doggett – to pass bipartisan legislation over the coming months."

For my Data Mining classes. Might be useful in e-discovery too. It's an overview, but contains many techniques for thinking a problem through.

May 04, 2009

CIA - A Tradecraft Primer: Structured Analytic Techniques for Improving Intelligence Analysis

A Tradecraft Primer: Structured Analytic Techniques for Improving Intelligence Analysis, Prepared by the US Government, March 2009

  • "Using the analytic techniques contained in this primer will assist analysts in dealing with the perennial problems of intelligence: the complexity of international developments, incomplete and ambiguous information, and the inherent limitations of the human mind. Understanding the intentions and capabilities of adversaries and other foreign actors is challenging, especially when either or both are concealed. Moreover, transnational threats today pose even greater complexity, in that they involve multiple actors—including nonstate entities—that can adapt and transform themselves faster than those who seek to monitor and contain them. Finally, globalization has increased the diversity of outcomes when complex, interactive systems such as financial flows, regional economies or the international system as a whole are in flux."

Got 3G?

Battle of the Carriers: Take’s 3G Smartphone Speed Test

By Brian X. Chen Email Author May 4, 2009 9:13 am

… Just which cellphone network is the best? Or better yet, which carrier is best for you in your particular area? In August, conducted a global study to investigate the iPhone 3G’s network issues, which concluded that connection problems were tied to AT&T rather than the handset itself. Following up on that survey, is inviting every 3G smartphone user in the United States to participate in a study to determine which carrier is the best overall in the country.

The process involves running a data speed test on your browser-equipped smartphone, followed by plotting your results on an interactive map with your computer. Ultimately, consumers will be able to view the results on the map to see how well each carrier performs in different parts of the country.

Because my Computer Security students must give two presentations on security software... And because it pays to have tools like these in your Swiss Army folder.

PassPub : Online Password Generator

Password Chart : Secure Password Creator

5 more

Five Best Free Data Recovery Tools

By Jason Fitzpatrick, 9:00 AM on Sun May 3 2009

Monday, May 04, 2009

They must really hate these guys. They wouldn't treat (insert name of large, rich company here) like this!

FINRA Fines Centaurus Financial $175,000 for Failure to Protect Confidential Customer Information

May 3, 2009 by admin Filed under: Financial Sector, Other, U.S.

Earlier this week, FINRA fined Centaurus Financial, Inc., as described below in their press release. I’ve been searching, but do not see where the incident described below was ever reported in the media at the time. Interesting….

The Financial Industry Regulatory Authority (FINRA) has announced today that it has fined Centaurus Financial, Inc. (CFI), of Orange County, CA, $175,000 for its failure to protect certain confidential customer information. Centaurus was also ordered to provide notifications to affected customers and their brokers and to offer these customers one year of credit monitoring at no cost.

FINRA found that from April 2006 to July 2007, CFI failed to ensure that it safeguarded confidential customer information. Its improperly configured computer firewall - along with an ineffective username and password on its computer facsimile server - permitted unauthorized persons to access stored images of faxes that included confidential customer information, such as social security numbers, account numbers, dates of birth and other sensitive, personal and confidential data. The firm’s failures also permitted an unknown individual to conduct a “phishing” scam. When CFI became aware of the phishing scam, the firm conducted an inadequate investigation and sent a misleading notification letter to approximately 1,400 affected customers and their brokers.

… “When a firm becomes aware of an unauthorized access, it must conduct an effective review and provide customers with accurate information about that unauthorized access.”

… the unauthorized access was made possible by the inadequate firewall and weak username (“Administrator”) and password (“password”) on its computer fax server.

Again, it is obvious (from photos in the article) that the Denver skimmer would have been easily detected if someone bothered to look. The Pismo Beach skimmer required tools and time to install, but if it had been done correctly would not have been visible. Still, an “access door open” alarm would have notified the clerk...

Two more skimmers in the news this week

May 3, 2009 by admin Filed under: Financial Sector, Skimmers, U.S.

From the It-Could-Have-Been-Worse dept:

  • The Denver Post reports that a skimmer was found on the ground at a First Bank branch in Westminster. Apparently the adhesive didn’t work out that well. The skimmer was found April 23, and according to the report, the ATM was last serviced March 22. So far, no word on how long the skimmer may actually have been in operation.

  • The Tribune reports that Pismo Beach police said a skimmer uncovered last week had been installed at the Five Cities Drive Unocal 76 gas station. The device was not visible from outside the machine, and reportedly actually caused it to malfunction.

GCHQ is the UK's equivalent of NSA. It makes sense that these agencies are behind the “police” surveillance effort.

Warehouse or No, UK's Expensive Net Spying Plan Proceeds

Posted by timothy on Sunday May 03, @03:16PM from the man-vs.-the-state dept.

Vincent West writes with this excerpt from The Register:

"Spy chiefs are already spending hundreds of millions of pounds on a mass internet surveillance system, despite Jacqui Smith's announcement earlier this week that proposals for a central warehouse of communications data had been dumped on privacy grounds. The system — uncovered today by The Register and The Sunday Times — is being installed under a GCHQ project called Mastering the Internet (MTI). It will include thousands of deep packet inspection probes inside communications providers' networks, as well as massive computing power at the intelligence agency's Cheltenham base, 'the concrete doughnut.'"

Related? Perhaps NSA held a training session for the FBI?

The F.B.I. is Following You (on Twitter) and Responding

Micah L. Sifry May 2, 2009 - 9:24am

For a federal agency that has struggled for years to modernize its computer systems, this is pretty impressive, and just a tad worrisome:

… Obviously, someone in the FBI Press Office is tracking references to the agency on Twitter and has the authority to respond, an echo of efforts in the private sector by companies like JetBlue to be more responsive to immediate complaints or issues raised by consumers. The agency is also using the service to track more serious matters, like this case of an Oklahoma man who was allegedly issuing violent threats around the "tea-bagging" protests a few weeks ago.

Keeping an eye on Congress?

May 03, 2009

THOMAS Launches First RSS Feed

"The Congressional Record Daily Digest is now available as the first RSS feed from THOMAS. The Daily Digest from THOMAS is one of five RSS feeds available from the Law Library of Congress as described on our RSS Feeds and Email Delivery page. To see a complete list of RSS feeds and email updates available through the Library of Congress, please visit Library of Congress RSS Feeds and Email Subscriptions. For help with subscribing and suggestions for news readers, please see Library of Congress RSS Feeds" [Emily Carr, Legal Reference Specialist, Law Library of Congress]

Might amuse my website class


Avatar creator and animator

Sunday, May 03, 2009

"It ain't over till it's over." - Yogi Berra, ball player and legal philosopher.

Pointer: The TJX Case: It Lives! With a New Theory of Liability: “Unfairness”

May 2, 2009 by admin Filed under: Breach Reports

David Navetta has an interesting piece on InfoSec Compliance that begins this way:

Little known (or at least discussed) fact: despite announcing settlements with VISA and Mastercard in 2007, the TJX data security litigation is still going. In fact most of the issuing banks impacted by the TJX breach are no longer pursuing TJX and/or have settled via VISA and Mastercard dispute resolution processes.

However, two financial institutions (Amerifirst Bank and SELCO Community Credit Union - hereinafter “Issuing Banks” or plaintiffs) have pressed forward with an appeal of various dismissals and class certification motions to the U.S. Court of Appeals for the First Circuit (the “Appellate Court”). The 1st Circuit’s opinion sheds some more (high level) light on the liability risk of payment card data breach security cases. Ultimately, the Appellate Court allowed three theories of liability to proceed, including a previously dismissed theory alleging that TJX’s inadequate security amounted to an unfair business practice under Massachusetts’s unfair and deceptive business practices law.


Interesting failure. Based on the pictures of a skimmer attached to an ATM here in Denver, it should be easily visible on the surveillance videos, let alone to anyone servicing the ATMs. Are they not bothering to look? Perhaps a computer could compare “before” and “after” images of the ATM and flag any modification?

NY: Thieves raid accounts of Staten Island bank

May 2, 2009 by admin Filed under: Financial Sector, Skimmers, U.S.

Barton Horowitz of the Staten Island Advance reports:

An ATM security breach at SI Bank & Trust’s Oakwood branch that went undetected for more than a month is under investigation by the FBI. Apparently, bank officials were not aware of the crime until the stealth thieves began cashing in on the stolen data.

… Fifty of the bank’s customers were directly affected by the theft, and the bank made good the approximately $53,000 in total that was pilfered from their accounts, Armstrong said.

[From the article:

Upon learning of the theft, the bank scrutinized security tapes from the branch, working backwards to early March, Armstrong said.

Once the specific day of the March data theft was revealed, the bank blocked further use of all cards used at the ATM vestibule on that day, although it turned out only one of the machines had been tampered with.
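The before/after comparison suggested in the commentary above, as an added example (not from the Advance article or the bank): a baseline image of the ATM fascia is compared block by block against the current frame, both brightness-normalized so a lighting change alone does not alarm, and a block is flagged only when most of its pixels have moved. The images are plain lists of grayscale values constructed in the block (a gradient "fascia" with a bright rectangle standing in for a skimmer), not real camera frames, and the thresholds are assumed values for that synthetic data.

```python
"""Added example: flag modified regions of an ATM fascia by comparing the
current camera frame against a stored baseline. Images are constructed
here as lists of rows of 0..255 ints; no real photos are involved."""
import random

H = W = 32   # constructed frame size

def block_diff(baseline, current, block=8, pixel_tol=20, flag_ratio=0.5):
    """Return [(block_row, block_col)] for blocks where more than flag_ratio
    of the pixels differ by more than pixel_tol after each image has its
    global mean removed (so a uniformly brighter frame is not an alarm)."""
    h, w = len(baseline), len(baseline[0])
    if (h, w) != (len(current), len(current[0])):
        raise ValueError("frames must be the same size")
    mean_b = sum(map(sum, baseline)) / (h * w)
    mean_c = sum(map(sum, current)) / (h * w)
    flagged = []
    for by in range(0, h, block):
        for bx in range(0, w, block):
            changed = total = 0
            for y in range(by, min(by + block, h)):
                for x in range(bx, min(bx + block, w)):
                    d = abs((current[y][x] - mean_c) - (baseline[y][x] - mean_b))
                    total += 1
                    if d > pixel_tol:
                        changed += 1
            if changed / total > flag_ratio:
                flagged.append((by // block, bx // block))
    return flagged

# --- constructed frames -------------------------------------------------

def baseline_image():
    """A smooth gradient standing in for the untouched fascia."""
    return [[(x * 4 + y * 2) % 200 + 20 for x in range(W)] for y in range(H)]

def with_noise(img, amplitude, seed=1):
    """Sensor noise: every pixel jittered by up to +/- amplitude."""
    rng = random.Random(seed)
    return [[max(0, min(255, p + rng.randint(-amplitude, amplitude))) for p in row]
            for row in img]

def brighter(img, delta):
    """Lighting change only: every pixel shifted by the same amount."""
    return [[min(255, p + delta) for p in row] for row in img]

def with_skimmer(img, top=16, left=8, height=8, width=8, value=235):
    """A bright rectangle over the card slot, standing in for an overlay."""
    out = [row[:] for row in img]
    for y in range(top, top + height):
        for x in range(left, left + width):
            out[y][x] = value
    return out

if __name__ == "__main__":
    base = baseline_image()
    print("noise only:     ", block_diff(base, with_noise(base, 5)))
    print("lighting only:  ", block_diff(base, brighter(base, 30)))
    print("skimmer + noise:", block_diff(base, with_noise(with_skimmer(base), 5)))
```

Two design choices carry the example: removing each frame's mean before differencing, so the evening lights coming on is not an alert, and voting per block rather than per pixel, so sensor noise has to agree across most of a block before anything is flagged. A deployment on real frames would also need registration (the camera moves) and a baseline refreshed after each legitimate service visit, but the logic of "compare to what it looked like when we last serviced it" is the same.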

Remember the name of every bone, muscle and nerve in the human body? No problem. Remember any ethical or regulatory duty? No way.

4 more employees gone after sneaking into octuplets’ files

May 2, 2009 by admin Filed under: Healthcare Sector, Insider, U.S., Unauthorized Access

Sarah Tully of The Orange County Register reports:

Four more hospital employees this week were forced out of their jobs for sneaking into the octuplets’ mother’s private medical records, a hospital spokeswoman confirmed today.

Previously, another 15 employees were terminated and eight were disciplined for improperly looking at mother Nadya Suleman’s documents at Kaiser Permanente Bellflower Medical Center. That brings the total to 27 employees disciplined for accessing the files of the world-famous mother and Orange County resident.

Perhaps the computer isn't always right? What kind of certification would be required to avoid this in future? (The results of the NJ source code review were pretty damning.)

MN Supreme Court Backs Reasoned Requests For Breathalyzer Source Code

Posted by Soulskill on Saturday May 02, @01:27PM from the if-you-work-for-it dept.

viralMeme writes with news that the Minnesota Supreme Court has upheld the right of drunk-driving defendants to request the source code for the breathalyzer machines used as evidence against them, but only when the defendant provides sufficient arguments to suggest that a review of the code may have an impact on the case. In short: no fishing expeditions. The ruling involves two such requests (PDF), one of which we've been covering for some time. In that case, the defendant, Dale Underdahl simply argued that to challenge the validity of the charges, he had to "go after the testing method itself." The Supreme Court says this was not sufficient. Meanwhile, the other defendant, Timothy Brunner, "submitted a memorandum and nine exhibits to support his request for the source code," which included testimony from a computer science professor about the usefulness of source code in finding voting machine defects, and a report about a similar case in New Jersey where defects were found in the breathalyzer's source code. This was enough for the Supreme Court to acknowledge that an examination of the code could "relate to Brunner's guilt or innocence."

How to greatly irritate a Supreme: take him at his (non-judicial) word. (Anyone want a copy of this? It's pretty dull.)

Justice Scalia's Dossier: Interesting Issues about Privacy and Ethics

Saturday, May 02 2009 @ 07:04 AM EDT Contributed by: PrivacyNews

Dan Solove comments on Justice Scalia's comments about privacy and an assignment Professor Joel Reidenberg gave his students to compile a dossier on Justice Scalia.

Also see the professor's response and comments.

This is one of those articles that is just too absurd to believe. I tracked down what was actually said. I suspect there is some kind of “change to function” process that requires advance notice, proof of testing, training, etc. But this would have been a “return to original status” and there should have been a quick/cheap/simple protocol for that.

Feds' red tape left medical devices infected with computer virus

by Stephanie Condon May 2, 2009 9:29 AM PDT

… Rodney Joffe, one of the founders of an unofficial organization known as the Conficker Working Group, said that government regulations prevented hospital staff from carrying out the repairs.

… The devices were used in hospitals to allow doctors to view and manipulate high-intensity scans like MRIs and were often found in or near intensive care unit facilities, connected to local area networks with other critical medical devices.

"They should have never, ever been connected to the Internet," Joffe said.

Regulatory requirements mandated that the impacted hospitals would have to wait 90 days before the systems could be modified to remove the infections and vulnerabilities.

[Joffe's testimony:

For the “Someday I might want to be a stalker...” file.

How To Trace a Mobile Phone Location with Google Latitude

May. 2nd, 2009 By Ryan Dube

… The cool thing about Google Latitude is that there are really no fancy, expensive gadgets required. All you need is a mobile phone and you can build what’s essentially a GPS network of friends, without the need for GPS technology.

… The convenience of Google Latitude is that you don’t need GPS, and it’ll work on almost any mobile phone that can use Google Maps. According to Google, these include Android-powered devices, iPhone, BlackBerry, Windows Mobile 5.0+ and Symbian.

Another article for Cindy's “Sex & Power” class.

The In-House Decency Patrol at Facebook

Posted by timothy on Sunday May 03, @08:04AM from the keeping-the-milquetoast-lukewarm dept.

theodp writes

"How'd you like a job where you get fired if you DON'T view porn at work? Newsweek reports on Facebook's internal police force of 150 staffers who are charged with regulating users' decorum, hunting spammers and working with actual law-enforcement agencies to help solve crimes. Part hall monitors, part vice cops, the $50,000-a-year 'porn cops' also keep Facebook safe for corporate advertisers."