Saturday, May 16, 2009

Yes, it is that easy. Without proper training and discipline, this can happen anywhere, anytime. (Good reason to make employees change their passwords every 30-60 days.)

Ie: 3,000 email accounts compromised by hackers

May 15, 2009 by admin Filed under: Hack, Non-U.S., Other

Conall O Fátharta of Irish Examiner reports:

Up to 3,000 Irish people have had their email accounts compromised by international hackers, it has emerged.

The hackers managed to access the private emails of thousands of individuals whose details were then put on an Arabic website.

A number of Irish banking institutions, county councils, universities, the HSE and anti-virus software company Symantec were also on the list.

[From the article:

It is thought that hackers were accessing the accounts by tracing passwords.

People signing up to websites often use the same password for their email account.

By finding a vulnerable website, hackers can then trace the passwords back to an email account which can then be accessed.

… Mr Fleming said the hacker then contacted his girlfriend through the email account asking for personal and financial details.

"When he was in, he made attempts to get at my PayPal details. He reset my Facebook password, my LinkedIn password, pretty much every account under the sun that I have.
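The pattern the article describes (a password taken from one breached site tried against e-mail accounts) leaves a recognisable trace in the mail provider's login log: one source trying many different accounts, roughly once each, with a few successes. The following is an added example, not code from the Irish Examiner article or from this blog; it assumes a constructed, simplified log line format (`timestamp ip username ok|fail`) and the sample lines are made up for illustration. It separates that credential-stuffing shape from ordinary brute force (many attempts against one account) and lists the accounts that should be force-reset.

```python
"""Credential-stuffing triage over a web-mail login log.

Added example (not from the article or this blog). The log format below is an
assumption: one line per attempt, "<iso-timestamp> <client-ip> <user> ok|fail".
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: 203.0.113.7 tries eight accounts once each with passwords
# taken from another site (two succeed); 192.0.2.9 is plain brute force on bob;
# 198.51.100.3 is alice's normal traffic.
SAMPLE_LOG = """\
2009-05-14T09:00:01 203.0.113.7 alice fail
2009-05-14T09:00:02 203.0.113.7 bob fail
2009-05-14T09:00:03 203.0.113.7 carol ok
2009-05-14T09:00:04 203.0.113.7 dave fail
2009-05-14T09:00:05 203.0.113.7 erin fail
2009-05-14T09:00:06 203.0.113.7 frank ok
2009-05-14T09:00:07 203.0.113.7 grace fail
2009-05-14T09:00:08 203.0.113.7 heidi fail
2009-05-14T09:05:00 198.51.100.3 alice ok
2009-05-14T09:06:00 198.51.100.3 alice ok
2009-05-14T10:00:00 192.0.2.9 bob fail
2009-05-14T10:00:30 192.0.2.9 bob fail
2009-05-14T10:01:00 192.0.2.9 bob ok
"""


def parse_line(line):
    ts, ip, user, result = line.split()
    return datetime.fromisoformat(ts), ip, user, result == "ok"


def stuffing_sources(log_text, window=timedelta(minutes=10),
                     min_users=5, max_success_rate=0.5):
    """Return {ip: sorted usernames tried} for sources that, inside `window`,
    attempted at least `min_users` distinct accounts with a success rate at or
    below `max_success_rate`.

    Stuffing with leaked passwords spreads attempts across many accounts;
    brute force piles attempts onto one account, so it is not flagged here.
    """
    events = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            ts, ip, user, ok = parse_line(line)
            events[ip].append((ts, user, ok))

    flagged = {}
    for ip, evs in events.items():
        evs.sort()
        start = 0
        for end in range(len(evs)):          # sliding time window per source
            while evs[end][0] - evs[start][0] > window:
                start += 1
            chunk = evs[start:end + 1]
            users = {u for _, u, _ in chunk}
            if len(users) >= min_users:
                rate = sum(ok for _, _, ok in chunk) / len(chunk)
                if rate <= max_success_rate:
                    flagged[ip] = sorted({u for _, u, _ in evs})
                    break
    return flagged


def compromised_accounts(log_text, flagged_ips=None):
    """Accounts that logged in successfully from a flagged source: the password
    reused on the breached site worked, so these need a forced reset."""
    if flagged_ips is None:
        flagged_ips = stuffing_sources(log_text)
    hits = set()
    for line in log_text.splitlines():
        if line.strip():
            _, ip, user, ok = parse_line(line)
            if ok and ip in flagged_ips:
                hits.add(user)
    return sorted(hits)


if __name__ == "__main__":
    srcs = stuffing_sources(SAMPLE_LOG)
    print("stuffing sources:", srcs)
    print("force a reset on:", compromised_accounts(SAMPLE_LOG, srcs))
```

The thresholds (five accounts in ten minutes, at most half succeeding) are illustrative; on a large provider they would be tuned per source network, and the same logic can be keyed on the password hash being tried rather than the source IP when the attacker rotates addresses.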

It's easy actually. When the SPAM flag goes up, check each e-mail for a pre-existing relationship (have you been spammed before and replied?) and block any mail that fails the test. Fortunately(?) NSA already knows who everyone talks to.

US Military Looks For Massive Spam Solution

Posted by ScuttleMonkey on Friday May 15, @02:46PM from the always-declaring-war-on-something dept.

Several users have pointed out a recent request to technology companies from the Defense Information System Agency for ideas on how to build an e-mail defense system to catch spam. The solution would have to scan about 50 million inbound messages a day across some 700 unclassified network domains.

"Defense currently scans e-mails for viruses and spam coming into systems serving the military services, commands or units. DISA wants to extend the protection to the interface between the Internet and its unclassified network, the Non-classified Internet Protocol Router Network. The agency also wants the ability to scan all outbound e-mails from the 5 million users. [...] DISA's request ties in with recommendations that the Defense Science Board issued in April that said Defense is more vulnerable to cyberattacks because of its decentralized networks and systems. The board envisioned a major role for DISA in developing the architecture for enterprise-wide systems."


New Technique’s Gonna Find Out Who’s Spammy or Nice

By Lizzie Buchen, May 15, 2009 5:30 pm

I'm gonna look up Harry Truman...

KGB Material Released By Cold War Project, Available Online

Posted by ScuttleMonkey on Friday May 15, @05:44PM from the fewer-redactions-than-a-foia-request-about-yourself dept. Government Politics

pha7boy writes

"The Cold War International History Project just released the 'Vassiliev Notebooks.' The notebooks are an important new source of information on Soviet intelligence operations in the United States from 1930 to 1950. Though the KGB's archive remains closed, former KGB officer turned journalist Alexander Vassiliev was given the unique opportunity to spend two years poring over materials from the KGB archive taking detailed notes — including extended verbatim quotes — on some of the KGB's most sensitive files. Though Vassiliev's access was not unfettered, the 1,115 pages of densely handwritten notes that he was able to take shed new and important light on such critical individuals and topics as Alger Hiss, the Rosenberg case, and 'Enormous,' the massive Soviet effort to gather intelligence on the Anglo-American atomic bomb project. Alexander Vassiliev has donated his original copies of the handwritten notebooks to the Library of Congress with no restriction on access. They are available to researchers in the Manuscript Division."

Inevitable? The problem will be people who write Harry Potter books and call them science...

New Science Books To Be Available Free Online

Posted by ScuttleMonkey on Friday May 15, @01:08PM from the free-as-a-business-model-not-dead dept. The Internet The Almighty Buck

fm6 writes

"Bloomsbury Publishing, best known for the Harry Potter books, has announced a new series of science books that will be available for free online. Bloomsbury thinks they can make enough money off of hard-copy sales to turn a 'small profit.' The online version will be covered by a Creative Commons license which allows free non-commercial use. They've already had some success with the one book they've published this way, Larry Lessig's 'Remix: Making Art and Commerce thrive in the Hybrid Economy.' The series, 'Science, Ethics and Innovation,' will be edited by Sir John Sulston, Nobel prize winner and one of the architects of the Human Genome Project."

Got smarts? - Find Online Classes & Video Podcasts works as an online open market where users can trade their know-how about many matters through very interesting media, namely online classes and video podcasts. Users are given the possibility to create their classes and share them with many people, in a simple and fast way.

This is my WOW from yesterday. It is up and running. You're gonna love it!


Making the world's knowledge computable

[Don't take my word for it, watch this video:

Friday, May 15, 2009

Interesting details and several new terms...

“Operation Plastic Pipe Line” nabs 45 in massive international ring

May 14, 2009 by admin Filed under: Financial Sector, ID Theft, U.S.

Queens District Attorney Richard A. Brown announced today that an international forged credit card and identity theft ring based in the New York metropolitan area has been successfully dismantled following the indictment this week of forty-five individuals.

The full press release can be found here (pdf)

[From the press release:

Account preparers – responsible for activating the accounts, which usually involved placing a phone call to a financial institution and impersonating the account holder by pretending to be calling from the account holder’s home phone. This was accomplished by using a Spoof Card, which allows a person to change the number that appears on the receiver’s caller ID and can make a man’s voice sound like a woman’s and vice versa. The account preparer would also change a PIN number, change the mailing address, add a secondary card user and/or increase the account’s credit limit;

Account maintainers – responsible for paying off accounts in order to avoid fraud detection and increase credit lines. The maintainer would use funds from one account to pay off another account to keep it viable and to steadily increase its credit limit, at which point all the funds from the account would be drained; or

Account washers – responsible for obtaining as much pedigree information on an account holder as possible so that other account preparers could then use the information to access the victim accounts in order to take over the accounts.

Interesting. Their security wasn't breached but so many userid/passwords were compromised it looks like it was. (Phishing scam? Other?) How would you address that in your “guidelines?”

Amway responds: “Our house has not been broken into”

May 14, 2009 by admin Filed under: Business Sector, Other, U.S.

Yesterday, I posted an entry about a recent breach reported by Amway Global that seemed essentially identical to a breach that they reported last year. I questioned whether Quixtar/Amway had correctly identified the source of the earlier breach and perhaps failed to address it. I had called Amway to discuss the breaches, but had not received any return call. Yesterday afternoon, Amway did return the call, and I put the question to them. Here is their response, in its entirety, which I received this morning, and I am pleased to give them the opportunity to explain and defend their security:

Are they saying they treat everyone like terrorists?

May 14, 2009

Statistics on Terrorism Arrests and Outcomes Great Britain

Home Office Statistical Bulletin: Statistics on Terrorism Arrests and Outcomes, Great Britain 13 May 2009 - 11 September 2001 to 31 March 2008.

  • "For the period between the start of the data collection on 11 September 2001 to 31 March 2008: There were 1,471 terrorism arrests. This excludes 38 arrests made between the introduction of the Terrorism Act 2000 on 19 February 2001 and 11 September 2001 and 119 stops at Scottish ports under Schedule 7 of the Terrorism Act 2000."

[From the article:

The proportion of those arrested (35%) who were charged is similar to that for other criminal offences with 31% of those aged 18 and over arrested for indictable offences prosecuted.

Let me explain about backups. This is not a backup. A backup is stored AWAY from the operations area to ensure you can recover from a disaster. This was a disaster and they couldn't recover – QED, these ain't backups!

Hacker Destroys, Along With Its Backups

Posted by timothy on Friday May 15, @01:17AM from the giving-you-the-benefit-of-their-bad-childhoods dept. Security Data Storage Technology

el americano writes

"Flight Simulator community website Avsim has experienced a total data loss after both of their online servers were hacked. The site's founder, Tom Allensworth, explained why 13 years of community developed terrains, skins, and mods will not be restored from backups: 'Some have asked whether or not we had back ups. Yes, we dutifully backed up our servers every day. Unfortunately, we backed up the servers between our two servers. The hacker took out both servers, destroying our ability to use one or the other back up to remedy the situation.'" [So would have any other “room wide” disaster. Bob]

Our water is polluted with prescription drugs flushed into the system, now I hear I can't even breathe? Are you sure Global Warming is our biggest problem?

Study Shows Cocaine And Other Drugs In Spanish Air

Posted by samzenpus on Thursday May 14, @02:41PM from the can-you-smell-the-party dept.

If you live in Madrid or Barcelona, you might not notice the air pollution due to your contact buzz according to a new study. The Superior Council of Scientific Investigations found the air in those cities to be laced with at least five drugs: amphetamines, opiates, cannabinoids, lysergic acid and most prominently cocaine. Researchers found cocaine in concentrations between 29 and 850 picogram per cubic meter of air. The group stresses that the air samples were taken in high drug areas and don't represent most of the air in the cities.

Be aware Microsoft, Google (and cloud computing) is coming...

With Valeo deal, Google Apps gains business cred

by Dave Rosenberg May 13, 2009 1:22 PM PDT

Gmail may not yet have the same footprint as Microsoft Exchange, but megadeals such as a recently announced 30,000-seat installation at Valeo prove that large enterprises are comfortable running applications in the cloud.

Related The downside of Cloud Computing. (Maybe not, they're probably better at keeping their systems running than you are...)

Google suffers major failure

Various Google Apps start kicking back in after widespread outage this morning

By Sharon Gaudin May 14, 2009 01:12 PM ET

The next big boondoggle? Nothing attracts the sharks like cash in the water...

Tech giants line up for e-health dollars

by Ina Fried May 14, 2009 12:18 PM PDT

With billions in stimulus dollars available to help doctors and hospitals digitize their health records, it stands to reason that tech companies want to make spending that money as easy as possible.

President Obama's stimulus package provides on the order of $20 billion for health care technology, with the central focus being nudging hospitals and doctors to move their records from manila folders to computers. Even with the money, though, it's seen as a daunting task.

Attention Class Action lawyers: I am not leasing these books (unlike my software). Some stranger (claims to be the publisher) has just made my purchase worthless. Sic 'em!

Remote Kill Flags Surface In Kindle

Posted by CmdrTaco on Thursday May 14, @10:14AM from the because-they-can dept. Media Books

PL/SQL Guy writes

"The Kindle has a number of 'remote kill' flags built in to the hardware that, among other things, allow the text-to-speech function to be disabled at any time on a book-by-book basis. 'Beginning yesterday, Random House Publishers began to disable text-to-speech remotely. The TTS function has apparently been remotely disabled in over 40 works so far.' But what no one at Amazon will discuss is what other flags are lurking in the Kindle format: is there a 'read only once' flag? A 'no turning the pages backwards' flag?"

Related? One of those minor glitches that need to be ironed out. Perhaps I should add my blog at $1.99 a month?

How The Kindle Now Lets You Steal This Blog

by Erick Schonfeld on May 14, 2009

Amazon’s new blog publishing program has a major flaw: it lets anyone steal other people’s blogs and charge readers for them.

Yesterday, Amazon opened up the ability to publish a blog on the Kindle to anyone who sets up an account. Today, anyone can claim a blog even if it is not theirs, charge a subscription fee for it, and collect the proceeds. In fact, somebody already did just this with TechCrunch.

They don't look like tools I'll use, but you never know what you can add to the Swiss Army folder.

35 Online Tools That Make Your Freelance Career Easier

Posted May 14, 2009

Simple Hacks

Youtube Videos Not Available In your Country? Watch Blocked Youtube Videos

May 15, 2009

Simple Hack

How to View Private Facebook Profiles

May. 14th, 2009 By Ryan Dube

This site has a lot of potential for my website classes. CAUTION: It's in Beta, so it's a bit twitchy...


what ecoder is

ecoder is an open-source web-based code editor, with real-time colour syntax highlighting, which allows multiple documents to be edited directly online at the same time.

Swiss Army folder. Has potential. Not for my students but it would make my handouts seem more professional. - Create Your Own PDFs

Do you want to create your own PDF files? PDF files are extremely useful when it comes to giving a more professional look to all your works, as well as to being protected from unwanted copies or modifications.

… This solution has many advantages like the fact that you do not need to install or purchase any software.

WOW! You should take a look at this one. Might be more useful than Google in many areas! (Don't let the headline bother you, this isn't a geeky thing.)

What if there was a Google for Math?

What if you could go to a free and readily available website and enter an equation, an expression, a question about math, a request to analyze data, or anything else, and the site would answer your question, elaborate on it, give you all the steps for the mathematical work, etc.?

Did that make you uneasy or excited?

Well, ready or not, it’s going online at 7pm CST today, and I think we ought to pay some attention to this.

It does have the potential to seriously wreak havoc on the way we teach math today if students can simply copy all their work from an A.I. website.

[At least watch this screencast:

Thursday, May 14, 2009

A more active hack?

Deja vu all over again: Amway Corp. reports second security breach

May 13, 2009 by admin Filed under: Business Sector, U.S.

In a breach report that is eerily reminiscent of an incident last year, Amway Corp. has reported a web site breach that has enabled fraudsters to obtain some Amway independent business owners (IBOs)’ personal information and attempt to divert bonus payments by altering their banking information.

In a notification to the New Hampshire Attorney General’s Office dated May 6, Thomas Curran, Associate General Counsel for Amway reported (pdf) that on April 28, the company discovered unauthorized access to some user accounts. In some cases, user IDs and passwords had been changed, as had banking deposit information for bonus payments.

According to Curran, Amway’s investigation indicated that the breach did not originate with the web site, also known as The company does not know where the breach originated, how many individuals were affected, or even when the breach occurred. [“We don't know” syndrome. Bob]

In response to the incident, Amway has scrambled affected users’ passwords and password hints, and is requiring them to call in to re-establish access. The company is also offering those whose Social Security numbers were accessed free credit monitoring services and has modified the web site to remove access to Social Security numbers. [“Barn door” syndrome. Bob]

In all major respects, this newest incident is seemingly identical to an incident reported by Quixtar in May 2008, [“Failure to learn from your mistakes” syndrome. Bob] except in that incident, no Social Security numbers were reportedly involved. Quixtar North America became Amway Global.

Amway Global’s web site says:

Protecting Your Information

We acknowledge your trust and are committed to take reasonable steps to protect Personally Identifiable Information you provide online from loss, misuse, and unauthorized access. We employ physical, electronic, and managerial processes to safeguard and secure your information.

It is your responsibility to safeguard the password you use to access our Site, and to promptly advise Amway or your IBO if you ever suspect that your password has been compromised. We strongly encourage you to change your password regularly to prevent unauthorized access. Because your identification number and password are specific to you, you acknowledge sole responsibility for any and all use of our Site conducted with your identification number and password.

Amway Global did not return a phone call requesting a statement about the two breaches, leaving unanswered questions as to whether Quixtar erred in concluding that its breach did not originate with its site last year, and whether Quixtar/Amway failed to adequately secure their site before and after the first breach.
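The fraud described in both Amway reports has a fixed shape: log in with someone else's credentials, change the password, then change the bank account the bonus is paid to, and wait for the next bonus run. A payout system can refuse to pay into a recently changed account without confirming out of band, and can escalate when the change is preceded by takeover indicators. The following is an added example, not Amway's or Quixtar's code; the event names, the seven-day hold and the sample account history are assumptions made for illustration.

```python
"""Payout-diversion control for the account-takeover pattern in the reports.

Added example, not Amway's code. Event names, the hold period and the sample
history are assumptions.
"""
from datetime import datetime, timedelta

HOLD_AFTER_BANK_CHANGE = timedelta(days=7)   # assumed policy
TAKEOVER_LOOKBACK = timedelta(hours=24)      # window before the bank change

# Constructed history: (iso-timestamp, account, event, detail).
# ibo-1001 shows the attack: new IP, password change, then bank change.
# ibo-2002 changed banks months ago and is clean.
SAMPLE_EVENTS = [
    ("2009-04-20T08:00:00", "ibo-1001", "login", "10.0.0.5"),
    ("2009-04-27T21:13:00", "ibo-1001", "login", "203.0.113.50"),
    ("2009-04-27T21:14:00", "ibo-1001", "password_changed", ""),
    ("2009-04-27T21:16:00", "ibo-1001", "bank_changed", "acct:****9921"),
    ("2009-04-28T02:00:00", "ibo-2002", "login", "10.0.0.8"),
    ("2009-03-01T09:00:00", "ibo-2002", "bank_changed", "acct:****0042"),
]


def _history(events, account, until):
    rows = [(datetime.fromisoformat(ts), acct, ev, d)
            for ts, acct, ev, d in events if acct == account]
    return sorted(r for r in rows if r[0] <= until)


def payout_decision(events, account, payout_time_iso):
    """Return ("pay", []) or ("hold", reasons) for a bonus run at payout_time.

    Hold whenever the destination bank account changed within
    HOLD_AFTER_BANK_CHANGE. Add a reason for each takeover indicator in the
    24h before that change (password change, login from an IP never seen
    before) so the review queue can prioritise.
    """
    payout_time = datetime.fromisoformat(payout_time_iso)
    hist = _history(events, account, payout_time)
    reasons = []

    bank_changes = [t for t, _, ev, _ in hist if ev == "bank_changed"]
    if not bank_changes:
        return "pay", reasons
    last_change = max(bank_changes)
    if payout_time - last_change > HOLD_AFTER_BANK_CHANGE:
        return "pay", reasons
    reasons.append("bank account changed %s before payout" % (payout_time - last_change))

    window_start = last_change - TAKEOVER_LOOKBACK
    known_ips = {d for t, _, ev, d in hist if ev == "login" and t < window_start}
    for t, _, ev, d in hist:
        if window_start <= t <= last_change:
            if ev == "password_changed":
                reasons.append("password changed %s before bank change" % (last_change - t))
            elif ev == "login" and d not in known_ips:
                reasons.append("login from previously unseen IP %s" % d)
    return "hold", reasons


if __name__ == "__main__":
    for acct in ("ibo-1001", "ibo-2002"):
        print(acct, payout_decision(SAMPLE_EVENTS, acct, "2009-04-30T00:00:00"))
```

The hold is the control that actually stops the money moving; the indicators only decide whether the confirmation call goes to the front of the queue. Note that the "previously unseen IP" check degrades gracefully for an account with no earlier logins in the history (every IP is new), which is the right failure direction for a payout hold.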

Does anyone else run a “certification” program on whim?

RBS Gets an OK on PCI, But Is It Back in Visa’s Good Graces?

May 13, 2009 by admin Filed under: Financial Sector, Hack, Malware, U.S.

Digital Transactions reports:

RBS WorldPay Inc., the other big merchant acquirer besides Heartland Payment Systems Inc. to report a major data breach in recent months, this week announced that it has attained validated compliance with the Payment Card Industry data-security standard, or PCI.

[From the article:

After their breaches, Visa declared RBS and Heartland out of compliance with PCI and removed them from its list of validated processors. The network, however, allowed them to continue submitting Visa card transactions into the VisaNet network (Digital Transactions News, March 14).

It was probably the NSA demonstrating why they should be in charge of Computer Security

DHS: Information-sharing platform hacked

May 13, 2009 by admin Filed under: Government Sector, Hack, U.S.

Ben Bain of FederalComputerWeek reports:

The Homeland Security Department’s platform for sharing sensitive but unclassified data with state and local authorities was hacked recently, a DHS official has confirmed.

The intrusion into the Homeland Security Information Network (HSIN) was confirmed to Federal Computer Week by Harry McDavid, the chief information officer for DHS’ Office of Operations Coordination and Planning. McDavid said the U.S. Computer Emergency Readiness Team reported an intrusion into the system in late March. The initial hack was brief and limited, and it was followed by a more extensive hack in early April, McDavid said.


The files that were accessed contained administrative data such as telephone numbers and e-mail addresses of state and federal employees. However, an investigation into the incidents has found that no Social Security numbers, driver’s license numbers or financial data were obtained, McDavid said.

Always a great source of Privacy guidance...

Ca: Commissioner Cavoukian lays out path for increased privacy protection & accountability – doing battle with Victoria University

Wednesday, May 13 2009 @ 08:14 AM EDT Contributed by: PrivacyNews

Commissioner Ann Cavoukian released her 2008 Annual Report - Access and Privacy: The Challenges and Opportunities - this morning, along with a news release and an online adjunct publication, A More Detailed Look at Compliance Rates and other 2008 Access and Compliance Statistics.

Source - Information and Privacy Commissioner of Ontario

We can, therefore we must.

Ca: ICBC admits snooping into jurors' private files

Thursday, May 14 2009 @ 05:15 AM EDT Contributed by: PrivacyNews

A B.C. Supreme Court judge has chastised the Insurance Corporation of B.C. for checking the accident claims histories of jurors in a recent civil court case.

The checks, which breached the province’s freedom of information and privacy laws, prompted Justice Malcolm Macaulay to schedule a hearing next Tuesday with ICBC’s corporate lawyer and the defence lawyer who requested the information.

Source - Vancouver Sun

[From the article:

Jan Vrem said the corporation has an internal audit system in place, but the violation was detected by a manager who questioned why the files were being pulled. [...and that's exactly how it is supposed to work! Bob]

This is management indifferent to what is happening on their systems. Was this three separate hacks or simply the hackers coming back for more data?

Newton Manufacturing discovers hackers acquired customer data in repeated intrusions

May 13, 2009 by admin Filed under: Breach Reports, Business Sector, Hack, U.S

In what was likely a nasty shock for Iowa-based Newton Manufacturing, Inc., a recent security audit revealed that the company’s databases had been breached in September 2008, October 2008, and February 2009. Hackers apparently accessed and acquired customers’ personal information including names, addresses, and Social Security numbers.

According to a notification (pdf) filed by the firm’s lawyers with the New Hampshire Attorney General’s Office, the company’s initial investigation has traced the attacks to Canada.

The company has referred the matter to the FBI as well as local enforcement, and is advising affected customers to place fraud alerts on their credit files. The total number of customers affected was not reported in the notification.

Failure to convert “We need access” into a plan for secure access?

Financial districts a wireless hacker's paradise

Wednesday, May 13 2009 @ 06:26 PM EDT Contributed by: PrivacyNews

The majority of wireless access points located in seven metropolitan financial centers have easy-to-break or nonexistent security, according to a survey conducted by security firm AirTight Networks and published on Wednesday.

The survey, which summarized more than 30 scans in six U.S. cities and London, found that 57 percent of the access points had no security or used Wired Equivalent Privacy (WEP), an older and easy-to-hack form of encryption.

Source - Security Focus

[From the article:

Almost 40 percent of the insecure wireless networks used enterprise-grade hardware from major vendors, suggesting that they were deployed by companies, not consumers, said Mike Baglietto, director of product marketing for AirTight Networks.

… Surprisingly, the distribution of security technologies varied tremendously by city. New York's financial district had the largest proportion of open and WEP-enabled access points — about 60 percent — while insecure wireless networks in London's financial district only accounted for 25 percent of the total.
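Reproducing the survey's headline number from your own walk around the block is straightforward once the scan output is in a table. The following is an added example, not AirTight's tooling or code from the SecurityFocus article; it assumes a constructed CSV with `bssid,essid,privacy,cipher` columns (the column names and sample rows are assumptions, not survey data) and classifies each access point the way the article does, with open and WEP counted as insecure.

```python
"""Classify a wireless survey by encryption and compute the insecure share.

Added example, not from the article or AirTight. Column names and the sample
rows are assumptions.
"""
import csv
import io

# Constructed sample survey as a scanner might export it.
SAMPLE_CSV = """\
bssid,essid,privacy,cipher
00:11:22:33:44:01,BANK-GUEST,OPN,
00:11:22:33:44:02,TRADING-FLOOR,WEP,WEP
00:11:22:33:44:03,CORP,WPA2,CCMP
00:11:22:33:44:04,CORP-LEGACY,WPA,TKIP
00:11:22:33:44:05,printer-adhoc,OPN,
00:11:22:33:44:06,CORP,WPA2 WPA,CCMP
"""

# Weakest to strongest; anything not in the table ranks below open.
RANK = {"OPN": 0, "WEP": 1, "WPA": 2, "WPA2": 3}


def classify(privacy, cipher):
    """Map the privacy/cipher fields to a category label.

    Scanners may list several modes ("WPA2 WPA"); the strongest advertised
    mode is what a client can negotiate, so rank on that. WEP and open are
    the survey's "insecure" set; TKIP is kept separate as legacy, not broken.
    """
    tokens = privacy.split() or ["OPN"]
    best = max(tokens, key=lambda t: RANK.get(t, -1))
    if best == "OPN":
        return "open"
    if best == "WEP":
        return "wep"
    if cipher.strip() == "TKIP":
        return "wpa-tkip"
    return "wpa-ccmp"


def summarize(csv_text):
    """Return (per-category counts, share of access points that are open or WEP)."""
    counts = {"open": 0, "wep": 0, "wpa-tkip": 0, "wpa-ccmp": 0}
    for row in csv.DictReader(io.StringIO(csv_text)):
        counts[classify(row["privacy"], row["cipher"])] += 1
    total = sum(counts.values())
    insecure = counts["open"] + counts["wep"]
    return counts, (insecure / total if total else 0.0)


if __name__ == "__main__":
    counts, share = summarize(SAMPLE_CSV)
    print(counts, "insecure share: %.0f%%" % (100 * share))
```

Two caveats when comparing against the article's 57 percent: a survey counts access points, not networks, so a building with many identical "CORP" radios skews the denominator; and an open SSID may be a deliberate guest network sitting behind a captive portal rather than a misconfiguration, which a scan cannot tell apart.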

I can't wait to see how this will be hacked.

May 13, 2009

Secretary Clinton Launches the Virtual Student Foreign Service Initiative

"Virtual Student Foreign Service (VSFS) Internships, announced by Secretary Clinton at the 2009 New York University commencement speech, are part of a growing effort by the State Department to harness technology and a commitment to global service among young people to facilitate new forms of diplomatic engagement. The VSFS Internships will be developed over the next year and will seek to harness the energy of a rising generation of citizen diplomats."

Something for the Swiss Army folder

SearchMyFiles lets you Search Windows without Leaving Traces

May. 13th, 2009 By Karl L. Gechlik

I recently had to perform a search on a computer that is not connected to our network and I was not allowed to leave any trace behind that I was there, installed any applications or ran any searches on the machine. I had to search the machine for all files created in the last 5 days and save my results.

I accepted my James Bond-esque task equipped only with a memory stick and a very small application called SearchMyFiles from my favorite handy dandy developer NirSoft.

… You can download the application from here.

Related. A whole list of Swiss Army websites?

13 Useful And Free Websites To Make Your Lives Easier

Posted by AN Jay May 13, 2009


OpenWith provides detailed information about most file extension and links to free programs that can open and create each type of file.

Wednesday, May 13, 2009

How long does it take to settle all aspects of an Identity Theft case? I wonder if I could find enough detail to set my statistics students on the question?

New deal backed for ID theft case

May 12, 2009 by admin Filed under: Financial Sector, Hack, U.S.

Virgil Larson of World-Herald News Service reports on the tentative approval of a settlement in the class action lawsuit against TD Ameritrade resulting from a hack in 2006 and 2007 that affected customer contact information on 6.3 million clients.

The settlement will not result in any money for class members but the lawyers get almost $2 million. Indeed, it’s not clear to me that the class members get anything at all out of this settlement. I guess we’ll have to wait and see the actual terms when the deal is approved.


Most of Hannaford breach lawsuit tossed out by judge

May 13, 2009 by admin Filed under: Breach Reports, Business Sector, Hack, U.S.

Trevor Maxwell of The Portland Press Herald reports that Judge D. Brock Hornby of the U.S. District Court in Maine has dismissed nearly all of the claims filed again Hannaford Bros. for the massive breach they suffered in 2007 and early 2008. Only consumers who were not reimbursed by their banks for fraudulent charges on their accounts will be allowed to proceed with their claims. Maxwell quotes the ruling (which is not yet available online):

“There is no way to value and recompense the time and effort that consumers spent in reconstituting their bill-paying arrangements or talking to bank representatives to explain what charges were fraudulent,” Hornby wrote.

“Those are the ordinary frustrations and inconveniences that everyone confronts in daily life with or without fraud or negligence. Maine law requires that there be a way to attach a monetary value to a claimed loss. These fail that requirement.”


Impact of Heartland Payment Systems breach continues to emerge

May 13, 2009 by admin Filed under: Breach Reports

Yesterday, Marc Stewart of WSMV reported on how a number of Tennessee banks had been affected by the Heartland Payment Systems breach. Today, Todd Wallack of The Boston Globe has some data and figures on banks in Massachusetts affected by the Heartland Payment Systems breach.

Some of the figures may be a bit surprising to those who anticipated even larger numbers. Wallack reports:

For instance, Rockland Trust Co. told the state it was forced to reissue nearly 19,000 MasterCard debit cards and 64 Visa credit cards to customers this spring, while East Boston Savings Bank said it replaced the debit cards for as many as 7,600 customers. Salem Five Cents Savings Bank said the debit cards for 7,200 of its customers, mostly Massachusetts residents, were “compromised” by the breach and issued new cards to customers with active accounts earlier this year.

Many of the banks included in these two recent news stories do not appear on’s list, which had already identified over 625 financial institutions affected by the breach. Visa gave financial institutions until May 19 to file claims for reimbursement for part of any losses. It would be nice if they released some numbers after that deadline, even some simple figures such as the number of institutions that filed claims based on the breach.

In the interim, reports of actual fraud as a result of the breach continue to be relatively sparse for a breach of this supposed magnitude, but given what happened in the aftermath of the RBS WorldPay breach, any statements about little fraud might be very premature. Hopefully, those financial institutions that decided to just “monitor” card numbers will not regret their decision.

Too much? Perhaps all DA's should take this approach (because the expansion of the prison system would be an economic stimulus?)

Prosecutor will seek life sentence for ID theft

May 13, 2009 by admin Filed under: Commentaries and Analyses, ID Theft, U.S.

As a follow-up to a case reported in a recent “Bits ‘n Pieces” post: Jim Dooley of The Honolulu Advertiser reports that the prosecutor will be seeking a life sentence for Susan Shaw, who is charged with stealing some $160,000 from at least 11 victims from January 2008 through last month.

Dooley quotes prosecutor Christopher Van Marter: “We will be seeking a life term in prison based on the sheer magnitude (of the scheme) and the harm she has caused her victims.”

A life sentence? Shaw reportedly had a prior felony conviction for theft in 1994, and I deplore ID theft as much as the next advocate, but even so, a life sentence seems disproportionate. But then again, what should sentencing guidelines look like for recidivists?

Global companies will have a global impact. Nation wide card processors will impact nationally.

Report: ATM/Debit Card Fraud On The Rise

May 12, 2009 by admin Filed under: Breach Reports, Financial Sector

This will be no surprise to anyone who really reads all the breaches reported on this site, but Kelly Jackson Higgins of Dark Reading reports:


Nearly 70 percent of the [161 financial services] respondents to the survey, conducted by antifraud firm Actimize, said they had experienced an increase in ATM/debit card fraud claims in 2008 compared to 2007.

Around 23 percent said those claims jumped by 5 to 9 percent;

around 16 percent, by 10 to 14 percent;

17.5 percent, by 15 to 19 percent;

nearly 9 percent, by 20 to 24 percent;

11 percent, by 25 to 49 percent; and

5 percent, by a whopping 50 to 74 percent.

Half of the institutions had been hit with fraud complaints that came out of some of the major data breaches, with more than 30 percent saying they had seen fraud incidents as a result of the TJX hack, and 30 percent out of the Heartland Payment Systems hack.

From the “Allow us to demonstrate stupidity” department: “Our security is so good, we don't even bother to listen to anyone who says otherwise...”

Woman Finds Credit Card Statements Unprotected Online

May 12, 2009 by admin Filed under: Breach Reports, Exposure, Financial Sector, U.S.


A major credit card company is investigating how more than a hundred statements were made available online after an Indiana woman alerted them to the problem.

Constance Wilson had logged in to pay her Aspire Visa card bill when she instantly had access to 120 other statements from people in Indiana and 31 other states.


When Wilson called CompuCredit, the Atlanta-based company that manages the Aspire card, they told her what she was describing wasn’t possible.

Company officials changed their tune when Call 6 contacted them regarding the breach.

For those into self-inflicted surveillance... Several tools listed.

Record Your Skype Calls On Windows and Mac

May. 12th, 2009 By Simon Slangen

Everyone ought to record their incoming and outgoing calls, as well as keep chat logs. Why should we let homeland security have all the fun?

That's not what the WI court said last week ( ). Perhaps we could have a debate? (The main dissent is interesting.)

NY: GPS monitoring a vehicle's movements without exigent circumstances violates state constitution

Tuesday, May 12 2009 @ 10:22 AM EDT Contributed by: PrivacyNews

The New York Court of Appeals today decided Weaver v. People, No. 53 (May 12, 2009), holding that the NY Constitution prohibits the use of GPS transmitters on vehicles without a warrant, following other state courts analyzing the issue under their constitutions.

Source - Related - Newsday

[From the article:

"The massive invasion of privacy entailed by the prolonged use of the GPS device was inconsistent with even the slightest reasonable expectation of privacy," Chief Judge Jonathan Lippman wrote.

Be aware. This is another “If you're innocent, you have nothing to worry about” argument. That means they don't want to put the real reasons on record. (“We want the ability to overrule our political opponents.”)

Government in secret: Lisa Madigan targets privacy exemption in Illinois' public-records law

Wednesday, May 13 2009 @ 04:58 AM EDT Contributed by: PrivacyNews

Illinois Atty. Gen. Lisa Madigan wants to force public agencies throughout Illinois -- from town halls to school boards -- to report to her office every time they cite privacy as an excuse to withhold public records.

"It is by far the most broadly abused exemption to the state records law," said Cara Smith, Madigan's deputy chief of staff. "We think that is far less likely to happen if they know they have to report it to us every time they use it. If they have a valid reason, then they will have nothing to worry about."

Source - Chicago Tribune


May 12, 2009

CDT Recommends Standards for Use of Analytics Tools on Federal Web Sites

News release: "The Center for Democracy & Technology (CDT) and the Electronic Frontier Foundation (EFF) today released a report examining the use of analytics tools on federal agency Web sites. The report analyzes existing policy and makes recommendations for how federal agency Web sites can use analytics – a useful tool in developing open government strategies – while protecting citizen privacy... Recommendations for federal agencies include crafting robust policies to ensure that data collected for measurement purposes is adequately protected and updating current federal policy on persistent tracking technologies, such as cookies. Current federal policy requires, among other things, that the agency head authorize each use of these technologies. This has resulted in a near prohibition of persistent tracking technologies. While the policy should remain extremely protective of privacy, it should also allow federal agencies to take advantage of advances in Web technology."

It's not getting on the list, it's downloading all you want while staying off the list!

MIT Harbors The Most P2P Pirates

Written by Ernesto on May 13, 2009

College students have always been prime targets for anti-piracy outfits such as the RIAA. Despite inundating students with mountains of threats and legal action, the number of copyright infringements committed by them has not declined. What did change though is the positioning of various universities in the list of most infringing establishments.

There are many school selection guides on the Internet, but none of them lists universities ranked by the number of recorded copyright infringements. Thanks to the copyright infringement “Trends & Insights” report published by BayTSP today, we can construct such a list.

In the United States, MIT is leading the list for the second year in a row, followed by the newcomer University of Washington. Purdue University dropped 4 spots and is now ranked 8th, but this could be due to the fact that students at Purdue launched their own private P2P network.

EU wide notification rules... Guidance or contrast?

Pointer: European Parliament Adopts Position on Data Breach Notification Requirement for Telecoms and ISPs

May 12, 2009 by admin Filed under: Breach Laws, Business Sector, Commentaries and Analyses, Non-U.S.

The Privacy and Security Law Blog has a nice article by Hunton & Williams LLP on the new European Parliament position on data breach notification requirement for telecoms and ISPs.

As the authors note, “For the first time in EU law the amendments [to the e-Privacy Directive] introduce a definition of “personal data breach” and a data breach notification requirement.”

The full article is here, and the position paper can be found here.

Sweat equity and high speed Internet...

Norwegian ISP: dig your own fiber trench, save $400

Lyse has become the largest fiber-to-the-home provider in Norway thanks to an innovative business model that asks customers to preregister before any fiber is dug, then offers them a $400 savings if they dig their own trench from the street to the home. So far, 80 percent of Lyse's customers have broken out the shovels.

By Nate Anderson | Last updated May 11, 2009 12:22 PM CT

… Only when 60 percent of the people in an area sign up in advance for the service does Lyse start the actual fiber install.

Sixty percent sounds like a tough threshold, but the company says that it has been "very successful" so far by offering people far greater Internet speeds for the same price they are currently paying. Lyse's Altibox service offers 10Mbps, 30Mbps, or 50Mbps connections—all of them fully symmetrical (upload and download speeds are identical). In many areas, the uptake rate tops 80 percent, though competitors have boosted speeds and started deploying fiber of their own in an effort to retain customers.

Oh look, they're from Nigeria. Maybe they will send me $20,000,000...


GeoIPTool is a useful tool to look up the geolocation of an IP address. The use of the tool is straightforward: simply enter an IP address, and you will get the location of that IP on a Google map. Other relevant info such as host name, country, city, postal code, calling code, and latitude/longitude coordinates, are displayed on the left of the map.

From one of the blogs I follow...

100 Innovative Blogs for Education

This blog is honored to be included in the list (at #57) of 100 Most Inspiring and Innovative Blogs for Educators, especially because I’ve been kind of bad about posting during my dissertation writing.

Tuesday, May 12, 2009

Notification done right?

Breach handling done right: Johns Hopkins Hospital

May 11, 2009 by admin Filed under: Breach Reports

In 2007, when Johns Hopkins learned that backup tapes had been lost in transit, I complimented them for their handling of the incident. They’ve managed to impress me yet again — which is no small feat — by their handling of a recent incident….

In February, this site posted a story about a breach that may have involved an employee at Johns Hopkins Hospital in Baltimore and a fraudulent driver’s license ring operating in Virginia. In its notification (pdf) to the Maryland Attorney General’s Office of April 3, the hospital provides more information on what happened and their response [SEE CORRECTION BELOW: these incidents may be unrelated].

Are breaches too common (too small) to be news? Or is there a disclosure process designed to keep them quiet?

A few more breaches that didn’t make the news

May 11, 2009 by admin Filed under: Breach Reports

Thanks to those states who post notifications online….

  • TravelCLICK, Inc. reported (pdf) that customers who used their web site to book hotel reservations may have had their data accessed by unauthorized others during the period February to March of this year. Reservation data included names, full credit card numbers, expiration date, but no CVV or CID, and in some cases, telephone numbers and email addresses. No details were provided other than their statement that the data were “inadvertently accessible.” They did not offer affected customers any free services.

  • Starwood Hotels & Resorts Worldwide reported (pdf) that the Westin Grand Hotel in Washington D.C. inadvertently attached information on some customers, including their credit card numbers, in an email sent to other guests who had made reservations. They, too, did not offer those affected any free services.

  • Experian reported (pdf) that a client, Newburyport Capital, had accessed consumer information without authorization. Experian was notifying those affected and had suspended Newburyport Capital’s access. Why Experian advised those affected to notify all three credit reporting agencies instead of offering to just take care of the Experian notification themselves is a bit of a puzzle to me.

  • Liberty Mortgage, a subsidiary of BB&T Financial, reported (pdf) that it accidentally mailed credit reports to the wrong customers. The company offered those affected two years of free credit monitoring. While their letter is somewhat forthright about their error, it suggests that there was only one client affected, whereas the notification to the state suggests that there were a number of misdirected credit reports.

Guidance for your security policy. (list of cases omitted)

FTC enforcement of data protection

May 11, 2009 by admin Filed under: Breach Reports

Since 2001, the FTC has filed charges against 25 businesses for failure to protect consumers’ information. The cases were cited in their May 5th testimony and comments (pdf) in Congress about two bills being considered: H.R. 2221, the Data Accountability and Protection Act, and H.R. 1319, the Informed P2P User Act.

The cases fall into five major types:

  1. Businesses that allegedly misrepresented their own security procedures by claiming that they had strong security protection when they failed to employ even basic security protections: Microsoft, Petco, Tower Records, Life is good, and Premier Capital Lending.

  2. Businesses that failed to protect consumer data from simple and well-known types of attacks such as an SQL injection (Genica Corp., Guidance Software) or businesses that failed to implement simple technologies to counteract basic security threats (TJX, Reed Elsevier and Seisint).

  3. Businesses that failed to use reasonable procedures to verify the legitimacy of their customers or those accessing consumer data: Choicepoint.

  4. Businesses that retained sensitive consumer information that they no longer needed: BJ’s Warehouse, DSW Shoe Warehouse, and CardSystems Solutions.

  5. Businesses that did not dispose of sensitive consumer information properly: CVS Caremark.
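The second category above names SQL injection as a "simple and well-known" attack. As an added example (not part of the FTC testimony or this blog post), here is the defect and the fix side by side: a lookup that splices the user-supplied value into the SQL text, next to the same lookup with a bound parameter. The in-memory SQLite table, the sample rows and the function names are constructed for the illustration.

```python
"""Added example: string-built SQL versus a parameterized query.

Runs against an in-memory SQLite database with constructed sample rows,
so it works offline. Nothing here is the FTC's or any named company's code.
"""
import sqlite3

# Constructed sample data standing in for a customer table; card numbers
# are deliberately masked placeholders.
SAMPLE_CUSTOMERS = [
    ("alice", "alice@example.com", "4111-XXXX-XXXX-1111"),
    ("bob", "bob@example.com", "5500-XXXX-XXXX-0004"),
    ("carol", "carol@example.com", "3400-XXXX-XXXX-0009"),
]


def make_db():
    """Create the throwaway table and load the sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (login TEXT, email TEXT, card TEXT)")
    conn.executemany("INSERT INTO customers VALUES (?, ?, ?)", SAMPLE_CUSTOMERS)
    return conn


def lookup_vulnerable(conn, login):
    """The defect: the value is formatted into the SQL text, so any quote
    character in it becomes part of the statement's grammar."""
    sql = "SELECT login, email, card FROM customers WHERE login = '%s'" % login
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, login):
    """The fix: the value is handed to the driver separately and bound as
    data; the SQL text never changes, whatever the value contains."""
    sql = "SELECT login, email, card FROM customers WHERE login = ?"
    return conn.execute(sql, (login,)).fetchall()


def demo():
    """Run both lookups with an ordinary login and with a login containing a
    quote, and report how many rows each returns."""
    conn = make_db()
    ordinary = "alice"
    # A value containing a quote: in the string-built version it closes the
    # literal early and turns the WHERE clause into one that is always true.
    quoted = "x' OR '1'='1"
    return {
        "vulnerable_ordinary": len(lookup_vulnerable(conn, ordinary)),
        "vulnerable_quoted": len(lookup_vulnerable(conn, quoted)),
        "parameterized_ordinary": len(lookup_parameterized(conn, ordinary)),
        "parameterized_quoted": len(lookup_parameterized(conn, quoted)),
    }


if __name__ == "__main__":
    for name, count in demo().items():
        print("%-24s %d row(s)" % (name, count))
```

The string-built lookup returns every row of the table for the quoted value, while the parameterized lookup returns none, because the driver compares the column against the literal text `x' OR '1'='1`. That single change in how the value reaches the database is the "simple technology" the filing has in mind; escaping by hand is the common but fragile alternative.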

The 25 cases were:

The Electronic Police State

Posted by kdawson on Monday May 11, @11:54PM from the watching-you dept.

gerddie writes

"Cryptohippie has published what may be called a first attempt to describe the 'electronic police state' (PDF). Based on information available from different organizations such as Electronic Privacy Information Center, Reporters Without Borders, and Freedom House, countries were rated on 17 criteria with regard to how close they are already to an electronic police state. The rankings are for 2008. Not too surprisingly, one finds China, North Korea, Belarus, and Russia at the top of the list. But the next slots are occupied by the UK (England and Wales), the US, Singapore, Israel, France, and Germany."

This is a good start, but it would be good to see details of their methodology. They do provide the raw data (in XLS format), but no indication of the weightings they apply to the elements of "electronic police state" behavior they are scoring.

Related: We'll just pass a little radiation through your brain...

Brain Scanning May Be Used In EU Security Checks

Posted by timothy on Tuesday May 12, @08:59AM from the who-do-you-think-you-are? dept.

An anonymous reader writes with this excerpt from the Guardian:

"Distinctive brain patterns could become the latest subject of biometric scanning after EU researchers successfully tested technology to verify identities for security checks. The experiments, which also examined the potential of heart rhythms to authenticate individuals, were conducted under an EU-funded inquiry into biometric systems that could be deployed at airports, borders and in sensitive locations to screen out terrorist suspects."

The same article says that "The Home Office, meanwhile, has confirmed rapid expansion plans of automated facial recognition gates: 10 will be operating at major UK airports by August." I wonder what Bruce Schneier would have to say about such elaborate measures.

Related: Anti-social-networking? Perhaps we could add videos from the cell phone? - Report Bad Drivers & Track Their Licenses

They say it is a jungle out there, and any person who spends just one hour in the streets and roads of any American city can tell you he sometimes feels like committing a crime. If you ever feel like that, calm down for a minute and do the right thing – report the bad driver and let others know about the wrongdoer. This website is there to let us all “bring accountability to our streets the Web 2.0 way” by not simply reporting bad drivers but also tracking license plates and zapping tags.

The main page will let you pick the City and State in question, and furnish a plate and add the pertinent details and comments for all to see. As is the case with sites such as this one, a Google Map is featured in order to put everything into context.

All in all, this site will let you get even online and (hopefully) enhance road security at the very same time. Check it out at the provided address and see how it works in person.

Of course, all my access is under an assumed name...

What Google knows about you

Google may know more about you than your mother does. Got a problem with that?

By Robert L. Mitchell

… If you use Google's search engine, Google knows what you searched for as well as your activity on partner Web sites that use its ad services.

If you use the Chrome browser, it may know every Web site you've typed into the address bar, or "Omnibox."

It may have all of your e-mail (Gmail), your appointments (Google Calendar) and even your last known location (Google Latitude).

It may know what you're watching (YouTube) and whom you are calling. It may have transcripts of your telephone messages (Google Voice).

It may hold your photos in Picasa Web Albums, which includes face-recognition technology that can automatically identify you and your friends in new photos.

And through Google Books, it may know what books you've read, what you annotated and how long you spent reading.

Related: Now Google connects the e-dots for you... Is research now too easy? (Not based on what my students turn in...)

May 11, 2009

Google News Search Results Now Providing More Content Options

Google News Blog: "Last Thursday we launched a new format for story pages on Google News. These are the pages you see when you click the "all [#] news articles" link of each cluster of articles which cover the same news event--or "story," as we say on the Google News team. The story page includes timely and relevant information from different sources indexed in Google News. Depending on the most recent coverage and materials available for a given story, the page features top articles, quotes from the people in the story, and posts from news blogs. You'll also find image thumbnails, videos, articles from sources based near the story, and a timeline of articles to trace media coverage of the story."

Interesting study in reducing bureaucracy?

UK: Making European data protection law fit for the 21st century

Tuesday, May 12 2009 @ 04:40 AM EDT Contributed by: PrivacyNews

The Information Commissioner’s Office (ICO) is today publishing the review of the strengths and weaknesses of the EU Data Protection Directive which it commissioned from RAND Europe. The RAND study concludes that, in an increasingly global, networked environment, the Directive will not suffice in the long term.

Source - Information Commissioner's Office press release (pdf)

RAND report: Review of the European Data Protection Directive (pdf)

Statistics to quote?

Kiwi disclosure law could boost security, says Symantec

Tuesday, May 12 2009 @ 04:46 AM EDT Contributed by: PrivacyNews

A new survey of small and medium sized businesses shows 58% of Australian and New Zealand companies suffered a data loss or breach that affected business performance.

The survey, by security company Symantec, found 69% of these organisations reported losses due to systems breakdown or hardware failure, 49% through onsite and natural disasters, 47% through human error, 45% through a lost or stolen laptop or other portable device and 39% through deliberate sabotage by an employee.

Source - Computerworld

[From the article:

The ANZ loss rate is well above the global average of 41% and even further away from the US rate of 29% and Canada's loss rate of 27%.

Related: How to lose the geek vote?

NZ: Massive holes in Brash security

Monday, May 11 2009 @ 11:11 AM EDT Contributed by: PrivacyNews

Police have concluded there were so many holes in security surrounding National Party offices in opposition that it would be impossible to establish how former leader Don Brash's private emails were made public.

Source - Stuff

Should we expect to see the nose camera videos on Youtube?

CIA: Our Drones are Killing Terrorists. Promise.

By Noah Shachtman May 11, 2009 12:08 pm

Al Qaeda is so spooked by CIA drone attacks that Osama’s crew is staging spectacular bombings in Pakistan, in an attempt to get America to call off its unmanned attack fleet, former U.S. officials and counterterror advisers say. And the CIA is apparently so spooked about the possibility of a withdrawal that they’re spilling details about their supposedly-secret drone strikes to the New York Times.

It used to be difficult for a mere employee to commit the company to anything. How could this have been avoided?

"For a good time, call..." Is Yahoo liable for sex graffiti?

Monday, May 11 2009 @ 03:16 PM EDT Contributed by: PrivacyNews

When someone posts fake Yahoo profiles of his ex-girlfriend and passes them out in chat rooms so that anonymous men will harass her for sex, does the company have any duty to take them down in a timely manner? A federal court says no... except for the fact that a Yahoo employee verbally promised to do so.

Source - Ars Technica Related - Barnes. v. Yahoo (pdf), Opinion

Do I want a separate app for each newspaper/magazine/blog/website I read?

NYTimes Reader Shows Graceful Future of Online News

By Ryan Singel May 11, 2009 3:39 pm

I read the news today in a whole new way. And I’m betting you will too, soon.

Journalism’s grey lady, the New York Times just threw down her cane and sprinted to the forefront of online newspapers with the release of version two of the Times Reader — a downloadable application built on Adobe’s AIR framework.

For the Swiss Army folder?

Also for the Swiss Army folder. How my students will be notified that their pages have been updated... - Monitor Your Wiki Pages

I must admit that more than often I have considered making a contribution of my own to Wikipedia, yet something has always stopped me: the fact that the addition I could make could be so easily modified by others. Of course, I am missing the boat altogether – the idea of a wiki is exactly that. You make a contribution, and then others are inspired by it and add their own input. Your original data is bound to be modified, yet I think you get what my concern is – are you going to labor hard over something only to have it modified by someone who might not have done his homework? That is where a tool like the one under review right now comes in handy.

Generally speaking, WikiAlarm will notify you whenever any of your pages on Wikipedia is modified. It lets you track as many pages as you wish, and these are monitored every hour of the day during the whole week. The e-mails themselves come complete with full visibility on the changes that have been made, too, so that you don’t have to start opening windows manually like crazy in order to keep everything in sight.

When all is said and done, this is useful both for individual users and for enterprises that wish to have a better online reputation management tool. After all, Wikipedia is the port of call for the vast majority of internauts looking for information, and if something therein is wrong it should be rectified as soon as possible.

Amusing. USB drives as advertising toys?

10 Wacky USB Flash Drives

An inspiration for my Computer Security class final exam?

NSA Wages Cyberwar Against US Armed Forces Teams

Posted by ScuttleMonkey on Monday May 11, @05:18PM from the next-time-take-the-gloves-off dept.

Hugh Pickens writes

"A team of Army cadets spent four days at West Point last week struggling around the clock to keep a computer network operating while hackers from the National Security Agency tried to infiltrate it with methods that an enemy might use. The NSA made the cadets' task more difficult by planting viruses on some of the equipment, just as real-world hackers have done on millions of computers around the world. The competition was a final exam for computer science and information technology majors, who competed against teams from the Navy, Air Force, Coast Guard and Merchant Marine as well as the Naval Postgraduate Academy and the Air Force Institute of Technology. Ideally, the teams would be allowed to attack other schools' networks while also defending their own but only the NSA, with its arsenal of waivers, loopholes, and special authorizations is allowed to take down a US network. NSA tailored its attacks to be just 'a little too hard for the strongest undergraduate team to deal with, so that we could distinguish the strongest teams from the weaker ones.' The winning West Point team used Linux, instead of relying on proprietary products from big-name companies like Microsoft or Sun Microsystems."

How can I resist?


… was founded upon the principles that we should all embrace our inner and outer geek and have fun while doing it. As individuals who love learning, innovating and believe in possibility as well as change, the second step of responsibility is to “be the geek that keeps on giving”. As a member of SGA, we work together as a global community to provide the tools and help others realize their true potential too!