Saturday, December 12, 2009

...and these are the minor leaguers, aspiring to move to the bigs and pitch to the TJXs of the world.

http://www.databreaches.net/?p=8838

Bank firewalls cracked by cyberhackers

December 11, 2009 by admin Filed under Breach Incidents

Joseph Menn reports that according to the FBI, cyberhackers were able to directly drain $40 million from bank accounts so far this year, “primarily targeting the small and mid-sized businesses that are themselves customers of small and mid-sized banks.” Jeffrey Troy, chief of the FBI’s cybercrime section, told the Financial Times that online bank thefts in 2009 had seen “a very dramatic increase from past years”.

Read more on Financial Times.



Now what would possibly cause Facebook to recant? Absent the Spanish Inquisition. Do you think they would like (and when I say like, I mean pay) a group of Privacy professionals to review these policy changes before they stick their feet in their mouths?

http://www.pogowasright.org/?p=6229

Facebook backtracks on public friend lists

December 11, 2009 by Dissent Filed under Featured Headlines, Internet

Caroline McCarthy writes:

It’s been a matter of days since Facebook’s new privacy controls went into place, and the company is already making modifications in response to user complaints that they expose too much information. Namely, the company has made it easier to prevent people from seeing who your friends are.

For one, Facebook no longer makes a link to a list of your friends publicly available, and it has added an option for members who want no one at all–including other friends–to see their connections. Third-party applications, however, can still access it.

“In response to your feedback, we’ve improved the Friend List visibility option,” an update to Facebook’s blog post about the new privacy settings read. “Now when you uncheck the ‘Show my friends on my profile’ option in the Friends box on your profile, your Friend List won’t appear on your profile regardless of whether people are viewing it while logged into Facebook or logged out. This information is still publicly available, however, and can be accessed by applications.”

Read more on Cnet.


(Related) Some days you find the answer to your questions instantly.

http://www.pogowasright.org/?p=6220

Zuckerberg pictures exposed by Facebook privacy roll-back

December 11, 2009 by Dissent Filed under Internet

John Leyden reports:

Illuminating pictures of Facebook chief exec Mark Zuckerberg have been exposed by Facebook’s privacy roll back.

Back in October, the world at large could see only one photo of the Facebook co-founder via the social networking site. Facebook’s controversial privacy shake up this week means that world+dog can now obtain access to a cache of 290 previously private shots featuring Zuckerberg. These pictures were uploaded either by Zuckerberg himself or by people who tagged him in images they posted onto the social networking site.

Gawker – which carries a selection of pictures of Zuckerberg in a story here – describes them as showing him as “shirtless, romantic, clutching a teddy bear, and looking plastered” though not all at the same time, we’d hasten to add.

“We just knew this new system would be a boon to gossips like ourselves,” Gawker enthusiastically reports.

Read more in The Register.


(Related)

http://gawker.com/5424532/facebookarazzi-stalking-celebrities-just-got-a-whole-lot-easier?skyline=true&s=x

Facebookarazzi: Stalking Celebrities Just Got a Whole Lot Easier


(Related) and timely

http://news.cnet.com/8301-1009_3-10414010-83.html?part=rss&subj=news&tag=2547-1_3-0-20

Note to Silicon Valley: How not to manage privacy

by Larry Downes December 11, 2009 11:44 AM PST



Looks like the DC court is reversing an earlier reversed decision. (What decisions deal with wiretapping a work phone?)

http://www.pogowasright.org/?p=6251

District Court Finds Personal E-Mail From Work Still Privileged

December 12, 2009 by Dissent Filed under Court, Workplace

Tresa Baldas reports:

A federal prosecutor has won his fight to conceal e-mails he sent to his attorney over the government’s computers, contradicting a popular belief that employees have no expectation of privacy on work computers.

The U.S. District Court for the District of Columbia ruled on Dec. 10 that Assistant U.S. Attorney Jonathan Tukel had a reasonable expectation of privacy in those e-mails because federal prosecutors were allowed to use work e-mail for personal matters. Therefore Tukel’s messages to his private lawyer sent from work are covered by the attorney-client privilege and can remain confidential.

Read more on The Blog of Legal Times.

FourthAmendment.com also covers the decision.



Isn't this a clear example of Identity Theft? Spamming for lobbyists. (Lamb? Splobby?) Deceptive, and one would think counterproductive if the politician had an ounce of brains. (I'll give them an ounce.)

http://politics.slashdot.org/story/09/12/11/210218/Virtual-Money-For-Real-Lobbying?from=rss&utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+Slashdot%2Fslashdot+%28Slashdot%29

Virtual Money For Real Lobbying

Posted by ScuttleMonkey on Friday December 11, @05:22PM from the sheeple-happy-to-be-paid-shills dept.

ogaraf writes

"Silicon Alley Insider is reporting that health-insurance industry group 'Get Health Reform Right' paid Facebook users with virtual currency to be used in Facebook games in exchange for lobbying their Congressional Rep. 'Instead of asking the gamers to try a product the way Netflix would, "Get Health Reform Right" requires gamers to take a survey, which, upon completion, automatically sends the following email to their Congressional Rep: "I am concerned a new government plan could cause me to lose the employer coverage I have today. More government bureaucracy will only create more problems, not solve the ones we have."'"



Similar but different? Not putting words in your mouth, putting your words in an advertisers database.

http://www.pogowasright.org/?p=6234

WideOpen West spyware funnelled data to NebuAd – lawsuit

December 11, 2009 by Dissent Filed under Breaches, Court, Featured Headlines, Internet

Maria Dinzeo reports:

Internet service provider WideOpen West installed spyware on its broadband networks that “funneled all users’ Internet communications – inbound and outbound, in their entirety – to a third-party Internet advertisement-serving company, NebuAd,” a class action claims in Chicago Federal Court. “NebuAd and WOW used the intercepted communications to monitor and profile individual users, inject advertisements into the Web pages users visited, transmit code that caused undeletable tracking cookies to be installed on users’ computers, and forge the ‘return addresses’ of user communications so their tampering would escape the detection of users’ privacy and security controls,” the class claims.

Read more on Courthouse News. The case is Valentine v. WideOpen West, and a copy of the lawsuit can be found here.



Should a ruling like this extend to other social networks that call the same feature by another name?

http://yro.slashdot.org/story/09/12/11/1846208/Judges-Cant-Friend-Lawyers-in-Florida?from=rss&utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+Slashdot%2Fslashdot+%28Slashdot%29

Judges Can't "Friend" Lawyers in Florida

Posted by ScuttleMonkey on Friday December 11, @03:58PM from the lawyers-don't-have-friends-anyway dept.

Hugh Pickens writes

"The NY Times reports that Florida's Judicial Ethics Advisory Committee has found in a recent opinion that judges and lawyers can no longer be Facebook friends. The committee says that when judges 'friend' lawyers who may appear before them, it creates the appearance of a conflict of interest, since it 'reasonably conveys to others the impression that these lawyer "friends" are in a special position to influence the judge.' Stephen Gillers, a legal ethics expert at New York University, says the Florida rule goes too far. 'In my view, they are being hypersensitive because in the case of a truly close friendship between a judge and a lawyer involved in a case, the other side can simply seek to disqualify the judge. Judges do not "drop out of society when they become judges," Gillers says. "The people who were their friends before they went on the bench remained their friends, and many of them were lawyers." Still, legal sycophants can take heart: lawyers can declare themselves Facebook "fans" of judges, the committee says, "as long as the judge or committee controlling the site cannot accept or reject the lawyer's listing of himself or herself on the site."'"



The flip side of AT&T's “bad users” argument?

http://www.techcrunch.com/2009/12/11/att-outage/?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+Techcrunch+%28TechCrunch%29

It’s Raining FAIL. Widespread AT&T Outages Reported In San Francisco.

by MG Siegler on December 11, 2009

… Calls are working sporadically, but the AT&T data network in San Francisco seems to be completely borked right now. There is obviously a lot of talk on Twitter about this right now. Everyone, it seems, has the same problem, “Could not activate cellular data network.”

… To be blunt, as paying customers, with contracts, we don’t need to change shit. What we need is a reliable network. We’re all paying around $100 or more a month for a service that remains unbelievably unreliable.



For your Security Manager: It's not what we meant when we suggested you secure your files.

http://news.cnet.com/8301-13860_3-10414220-56.html?part=rss&subj=news&tag=2547-1_3-0-20

Bug keeps some Office users from their files

by Ina Fried December 11, 2009 2:29 PM PST

… Starting on December 11, 2009, customers using Office 2003 will not be able to open Office 2003 documents protected with the Rights Management Service (RMS) or save Office 2003 documents protected with RMS. The following error message may be displayed when attempting to Open RMS Documents using Office 2003:

"Unexpected error occurred. Please try again later or contact your system administrator"



e-wills. Now there's a business model to die for!

http://www.mail.com/Article.aspx/tech/0/APNews/Tech/20091211/U_EU-Sweden-Web-Wills?pageid=1

Swedish service performs your last online wishes

AP - Friday, December 11, 2009 2:26:30 AM By LOUISE NORDSTROM

… A handful of services, such as Legacy Locker Inc., Deathswitch and Slightly Morbid, tend to the virtual afterlife by sending posthumous emails to friends and family. But Granberg and co-founder and childhood friend Elin Tybring, 27, say My Webwill is unique in actually entering accounts and "managing" them according to a person's last wishes.



Extending the copyright wars to your home bookshelf. I want one! (Just to make a backup copy you understand.)

http://www.wired.com/gadgetlab/2009/12/diy-book-scanner/?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+wired%2Findex+%28Wired%3A+Index+3+%28Top+Stories+2%29%29

DIY Book Scanners Turn Your Books Into Bytes

By Priya Ganapati December 11, 2009 7:42 pm

… Reetz went on to upload a 79-step how-to guide for building a book scanner (.pdf). The guide has sparked more than 400 comments. It has also spawned a website, DIYbookscanner.org, where more than 50 independent book scanners spread across countries such as Indonesia, Russia and Britain have contributed hardware refinements and software programs.


(Related) but opposite? How large is your ego? (You just can't make this stuff up.)

http://www.killerstartups.com/Web20/tweetbookz-com-print-your-tweets-for-posterity?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+killerstartups%2FBkQV+%28KillerStartups.com%29

Tweetbookz.com - Print Your Tweets For Posterity

http://www.tweetbookz.com/

The existence of a service like TweetBookz could be explained if we bear in mind Samuel Taylor Coleridge’s concept that anything which is narrated verily is appealing in itself. You see, what TweetBookz does is to come up with a printed copy of your tweets. Such a copy can be devised as a paperback or as hardbound book that has 20 pages, and two tweets are featured in each page.



Cute, but I just use multiple tabs

http://www.makeuseof.com/dir/googlegooglegooglegoogle-opens-four-google-frames-at-once/

Googlegooglegooglegoogle: Opens Four Google Frames At Once

www.googlegooglegooglegoogle.com



Google is starting to add phone features that have been possible for years, but traditional phone companies never bothered to implement. This is another reason we think Google is about to drive a stake through the heart of the phone industry. (You need to watch the video to appreciate how different this is from “normal” 411 services.)

http://www.bespacific.com/mt/archives/022993.html

December 11, 2009

Google's new 411 service

"GOOG-411 is Google's new 411 service. With GOOG-411, you can find local business information completely free, directly from your phone. You can access 1-800-466-4411 from any phone, anywhere, at anytime."



For my website students. This keeps getting easier.

http://howto.wired.com/wiki/Make_a_Podcast?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+wired%2Findex+%28Wired%3A+Index+3+%28Top+Stories+2%29%29

Make a Podcast



Think of this as an automatic batch file! (or a Macro Maker)

http://www.makeuseof.com/tag/haunted-by-repetitive-tasks-then-doitagain-is-the-perfect-tool-for-you/?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+Makeuseof+%28MakeUseOf.com%29

Haunted By Repetitive Tasks? Then DoItAgain Is The Perfect Tool For You!

Dec. 12th, 2009 By Karl L. Gechlik

… I always said it would be great to have this ability to automate repetitive tasks inside Windows so I can use it with any application or several applications at the same time.

Start off by visiting this site and download DoItAgain for Windows XP, Vista or even Windows Seven.

Friday, December 11, 2009

We leave this to the Justice system (see yesterday's blog, where the judge tossed out the suit against Heartland). Perhaps the judges could suggest something like this?

http://www.databreaches.net/?p=8819

Ca: Alberta health board cleared in records breach

December 10, 2009 by admin Filed under Commentaries and Analyses, Financial Sector, Non-U.S., Of Note

Because we don’t have a privacy commissioner who actually — gasp — investigates breaches and issues findings, and all we have is HHS which doesn’t publish its findings and leaves us generally in the dark, this report out of Canada is especially interesting.

The Alberta privacy commissioner’s office has found that the province’s health board had reasonable security measures in place when a virus targeted a computer network in July, potentially affecting the personal health information of thousands of people.

“AHS [Alberta Health Services] had an anti-malware system, firewalls and an intrusion detection system in place. In my opinion, these are reasonable controls to protect health information against malware,” report author Brian Hamilton writes.

“I noted some areas for improvement … but it is important to understand the HIA [Health Information Act] holds custodians to a standard of reasonableness, not perfection.”

The virus was a Trojan horse program known as “Coreflood.” It targeted Alberta Health Services’ Edmonton computer network and captured information from some clients’ Netcare electronic health records and transmitted them to an external server.

[...]

Read more from CBC News.



I wonder why?

http://www.databreaches.net/?p=8825

Court Rejects Request to Consolidate TJX Hacker Cases

December 11, 2009 by admin Filed under Hack, Of Note

Kim Zetter of Threat Level reports that:

A federal judge in Massachusetts has rejected a request from U.S. attorneys to consolidate a New Jersey case against Albert Gonzalez, who has admitted hacking more than 120 million credit card numbers from Heartland Payment Systems, with two other cases against him in Massachusetts.

[...]

The case was transferred to Massachusetts on Tuesday, but Judge Patti Saris rejected the consolidation request. This means that the New Jersey case will stay in Massachusetts, but Gonzalez will be sentenced in that case separately by a different federal judge, District Judge Douglas Woodlock. Judge Saris indicated that she would be willing to delay her sentencing hearing in the Massachusetts and New York cases to coordinate with sentencing in the New Jersey case if Judge Woodlock requests it.

More here. I suspect a number of us who have been following this case are surprised by the judge’s refusal to consolidate the cases.



More on the Google and Facebook kerfuffles.

http://www.techradar.com/news/internet/why-facebook-and-google-hate-privacy-657232

Why Facebook and Google hate privacy

The more you share, the more data can be mined

By Gary Marshall Thursday at 12:36 GMT



For my stats class. You could make a case that people who go with the default don't understand computers and by extension don't understand computer security.

http://www.techcrunch.com/2009/12/10/microsoft-users-gullible-advertising/?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+Techcrunch+%28TechCrunch%29

Are Microsoft Users More Gullible When It Comes To Online Advertising?

by Erick Schonfeld on December 10, 2009

… Earlier this week, we noted that people coming to Websites from Bing are about 75 percent more likely to click on an ad than those coming from Google.

Following that post, Chitika ran some analysis on browsers and operating systems, and it found that users of Microsoft’s Internet Explorer are about 40 percent more likely to click on an ad than Firefox users, about 50 percent more likely than Apple Safari users, and 80 percent more likely than Google Chrome users. The numbers are based on Chitika data from 134 million across 80,000 sites.



“We have no idea how to secure our data, let's pass a law that makes it look like someone else is to blame!”

http://www.wired.com/threatlevel/2009/12/tsa-leak-2?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+wired%2Findex+%28Wired%3A+Index+3+%28Top+Stories+2%29%29

Lawmakers Want to Bar Sites From Posting Sensitive Government Docs

By Kim Zetter December 10, 2009 2:10 pm



If you were going to compete in any industry, you would need to research your competitors' business models looking for vulnerabilities. Note that some of the ISPs mentioned here can offer all services for the price Qwest charges for each service, proving that your costs are much lower if you skip the copper wire landlines. Perhaps the next generation will start ISPs rather than Kool-Aid stands.

http://arstechnica.com/tech-policy/news/2009/12/the-coolest-isp-in-the-world.ars

How to be the world's greatest ISP

We're not always aware of it here in the USA, but there are many ISPs out there in the world who do things quite differently than what we're used to. Some of these ISPs ideas are even really good. Ars surveys the global ISP landscape and paints a picture of what a dream ISP might look like.

By Rudolf van der Berg | Last updated 2 days ago

It seems that almost all of them offer the exact same thing; Internet access and telephony, often combined with television and some generic services like e-mail and space for a website. Some ISPs can offer hundreds of different combinations by varying speeds, prices, and content packages, but it's essentially the same "triple play" offer.

It's surprising (and refreshing), then, to find a quite different business model like plus simple operated by French ISPs. French broadband providers like Free.fr, Numericable, and SFR have just one offer. It costs €30/$45, and for that you get everything:

Cable and DSL internet at 20-30Mbps (and DOCSIS3 or fiber at 100Mbps in some towns)

Free telephony to 100 nations (mostly to fixed lines; calling mobiles costs more)

HDTV with a HD-DVR

(Some ISPs like Numericable and France Telecom/Orange have offers for €20 for Internet + telephony, or Internet + TV, but the majority of customers choose a €30 pack.)

This isn’t all you get. More is included, like free access to WiFi hotspots, music jukeboxes, computer games, your own personal television channel for live TV, etc. We'll touch upon these innovations in more depth below.

[The article includes this little aside that seems to toss cold water on AT&T's “We need limits” arguments. Bob]

But what good is bandwidth if you're stuck with a download (or upload) cap so you can’t actually use it? The OECD once published a table (PDF) with burn rates, which showed that in countries like Australia, customers could actually burn through their purchased amount of bytes in under a minute. Interestingly enough, the countries that have high bandwidth networks available don’t have heavy caps. For instance, NTT in Japan has a 900GB upload limit but no download limit.

… User generated content has been all the rage on the 'Net in recent years, but there seems to be only one ISP who has truly embraced user-generated content. The often mentioned Free.fr enables its users to become their own broadcasters. A user can attach any analogue video feed (like a simple camcorder) to the DVR and have it converted into an IP-TV feed that is broadcast live over its IP-TV platform. This has sparked quite some controversy, as people could literally broadcast anything. But it has also added new meaning to YouTube’s slogan of "Broadcast Yourself," because now people can do so live and on TV.



For the Forensic folder

http://howto.wired.com/wiki/Find_Your_Phone%27s_IMEI_Number?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+wired%2Findex+%28Wired%3A+Index+3+%28Top+Stories+2%29%29

Find Your Phone's IMEI Number



I can't help it, I'm addicted to lists.

http://www.bespacific.com/mt/archives/022991.html

December 10, 2009

Guardian UK: The 100 essential websites of 2009

"Here we go again … our latest list of the 100 best websites sees short attention spans, the rise of Twitter, more browser wars and celebrity gossip sites setting the news agenda."



For my students (and certain professors I know) This is how I get 150 articles a day.

http://howto.wired.com/wiki/How_To_Consume_News_Media?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+wired%2Findex+%28Wired%3A+Index+3+%28Top+Stories+2%29%29

How To Consume News Media

… What you need is a healthy dose of RSS.



Now this is interesting.

http://entertainment.slashdot.org/story/09/12/10/2231237/Universal-Jigsaw-Puzzle-Hits-Stores-In-Japan?from=rss&utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+Slashdot%2Fslashdot+%28Slashdot%29

"Universal Jigsaw Puzzle" Hits Stores In Japan

Posted by timothy on Thursday December 10, @06:02PM from the fools-the-eye dept.

Riktov writes

"I came across this at a Tokyo toy store last week, and it's one of the coolest things I've seen in a long time. Jigazo Puzzle is a jigsaw puzzle, but you can make anything with it. It has just 300 pieces which are all just varying shades of a single color, though a few have gradations across the piece; i.e., each piece is a generic pixel. Out of the box, you can make Mona Lisa, JFK, etc, arranging it according to symbols printed on the reverse side. But here's the amazing thing: take a photo (for example, of yourself) with a cell-phone, e-mail it to the company, and they will send you back a pattern that will recreate that photo. This article is in Japanese, but as they say, a few pictures are worth a million words. And 300 pixels are worth an infinite number of pictures."

Thursday, December 10, 2009

I guess the argument that Visa retroactively revoked their PCI Certification is not the same as certifying that they were not secure.

http://www.databreaches.net/?p=8806

Judge dismisses shareholder lawsuit against Heartland (updated)

December 9, 2009 by admin Filed under Financial Sector, Hack, Of Note, U.S.

Dan Kaplan reports:

A U.S. District Court judge in New Jersey has tossed out a class-action lawsuit filed by shareholders against Heartland Payment Systems, the credit card processor announced Wednesday.

The judge granted Heartland’s motion to dismiss the action, which was filed in the wake of Heartland’s massive breach that was reported earlier this year, according to a company statement. No reason was given for the dismissal.

Read more on SC Magazine.

Kaplan makes some statements in the story that are not consistent with other reports on the breach. For example, he writes:

Heartland revealed the breach on Jan. 20. The company learned of the breach about a week earlier, but hackers had been lifting credit card numbers for some nine months prior.

Actually, Heartland was notified of the breach months earlier by Visa and MasterCard, but said it took them several months and three forensics teams to confirm the breach for themselves. Shortly after confirming the breach, they revealed it.

Kaplan also writes:

Heartland did not say how many records were compromised in the breach, but some estimates placed the number around 100 million, making it the largest reported data breach in history.

In indicting Albert Gonzalez earlier this year, the U.S. Attorney’s Office in New Jersey alleged that the number was 130 million. If that is accurate, that makes the largest known single breach. Heartland has never issued any numbers, indicating that they didn’t know.

Heartland issued a brief press release:

Heartland Payment Systems® (NYSE: HPY), a leading provider of credit/debit/prepaid card processing, payroll, check management and payment services, today announced that on December 7, 2009, the United States District Court for the District of New Jersey, granted Heartland’s motion to dismiss the consolidated shareholder class action, titled In Re Heartland Payment Systems, Inc. Securities Litigation, which had been filed against Heartland, Robert O. Carr, Heartland’s Chairman and Chief Executive Officer and Robert H.B. Baldwin, Jr., Heartland’s President and Chief Financial Officer. The case, which arose out of the breach to the company’s processing system previously disclosed by the Company on January 20, 2009, was dismissed in its entirety with prejudice.

Mary Pat Gallagher of New Jersey Law Journal adds more:

U.S. District Judge Anne Thompson in Trenton, N.J., on Monday granted a defense motion to dismiss the case, In re Heartland Payment Systems Inc. Securities Litigation, 09-civ-1043, finding the plaintiffs failed to allege the existence of any material statement or omission or to adequately plead scienter.

Thompson dismissed the suit with prejudice, saying it appeared “further specificity would not cure the Complaint’s deficiencies” and thus, “amendment would be futile.”


(Related) The CEO had suggested in a speech (before the breach) that PCI security was inadequate. Would that plus a lack of evidence showing they had implemented additional security be sufficient?

http://www.storefrontbacktalk.com/securityfraud/federal-judge-dismisses-heartland-data-brach-lawsuit-cites-insufficient-evidence-of-weak-security/

Heartland Lawsuit Dismissed, “Insufficient Evidence” Of Weak Security

Written by Evan Schuman December 10th, 2009

A federal judge dismissed a data breach-related lawsuit against Heartland Payment Systems on Monday (Dec. 7), saying that the plaintiffs hadn’t proved any of their allegations that Heartland knew it had inadequate security and lied about it to shareholders. The judge’s detailed ruling sheds light on the environment data breach retail victims are likely to face in court and could provide some guidance on how they should act when discussing those breaches.

… Heartland’s people spent much of January 2008 cleaning up the payroll mess, ultimately concluding that no data was taken from the payroll program.

But what Heartland’s people didn’t know at the time, Thompson wrote in her decision, was that Gonzalez’s team had hidden another program in the system, one that infected payment processing. Whether the payroll program attack failed or if it had always been intended to be a distraction, giving Heartland the false belief that the threat had been neutralized, is still unknown.

… Thompson also ruled that a retailer can say it has strong security without meaning that it is invulnerable to any attack. “The fact that a company has suffered a security breach does not demonstrate that the company did not ‘place significant emphasis on maintaining a high level of security.’ It is equally plausible that Heartland did place a high emphasis on security but that the Company’s security systems were nonetheless overcome. In fact, given all the money that Heartland spent [Note that “all the money” is without reference. Did smaller competitors spend less? Was any money invested in detecting security breaches? Bob] on security in late 2007 and the fact that Heartland did take steps to fix its security after the SQL breach, the latter explanation seems much more plausible,” she wrote.



Bad decision. The delay is making them look uncaring and incompetent.

http://www.phiprivacy.net/?p=1622

UMC patients at risk of identity theft may wait 60 days to find out

By Dissent, December 10, 2009 7:19 am

Marshall Allen follows up on a UMC breach and shows how HITECH’s 60-day notification deadline is being used by the hospital to its fullest:

Kathy Silver, CEO of University Medical Center, learned three weeks ago that names, birth dates and Social Security numbers for at least 21 patients were leaked from the hospital — a crime being investigated by the FBI.

But the hospital still has not disclosed the breach to the patients, Silver told a committee of legislators Wednesday. She spoke as if this was not a problem. The law allows 60 days from the time UMC learns of a security breach to inform patients, she said.

One victim says that is too long to wait to tell patients they may be at risk of identity theft.

The hospital should have disclosed the breach immediately, said a 40-year-old UMC patient whose personal information — the kind that can be used for identity theft — was leaked. The man, who went to the public hospital Nov. 1 after a motorcycle accident, learned his privacy had been breached only when a Las Vegas Sun reporter told him Wednesday afternoon.

Read more in the Las Vegas Sun.

Reading the news story, I am reminded of the old adage, “Just because you can doesn’t mean you should.” [Sound familiar? Bob]

[From the article:

Silver was called before the state’s Legislative Committee on Health Care as a result of Sun stories that exposed an allegedly systemic leak of patient information at the hospital.

Silver assured the committee that the hospital is committed to uncovering the leak, and when the employee or employees are identified, “termination will be the least of their problems. It’s a serious situation.”

… The Sun reported the leak — the latest scandal to hit the beleaguered hospital — after the newspaper obtained 21 UMC patient “face sheets” — cover sheets that include overviews of each case — from a source who was concerned about the leak. The sheets were from Oct. 31 and Nov. 1 and were for people involved in traffic accidents.

The Sun’s source said he was several degrees removed from the leak and did not know how the records were being released from the hospital, but that they were allegedly being sold for months, or even years, to ambulance-chasing attorneys so they could mine for clients.



“Improve” things for whom?

http://www.pogowasright.org/?p=6194

Facebook’s New Privacy Changes: The Good, The Bad, and The Ugly

December 9, 2009 by Dissent Filed under Featured Headlines, Internet

Kevin Bankston writes:

Five months after it first announced coming privacy changes this past summer, Facebook is finally rolling out a new set of revamped privacy settings for its 350 million users. The social networking site has rightly been criticized for its confusing privacy settings, most notably in a must-read report by the Canadian Privacy Commissioner issued in July and most recently by a Norwegian consumer protection agency. We’re glad to see Facebook is attempting to respond to those privacy criticisms with these changes, which are going live this evening. Unfortunately, several of the claimed privacy “improvements” have created new and serious privacy problems for users of the popular social network service.

The new changes are intended to simplify Facebook’s notoriously complex privacy settings and, in the words of today’s privacy announcement to all Facebook users, “give you more control of your information.” But do all of the changes really give Facebook users more control over their information? EFF took a close look at the changes to figure out which ones are for the better — and which ones are for the worse.

Our conclusion? These new “privacy” changes are clearly intended to push Facebook users to publicly share even more information than before. Even worse, the changes will actually reduce the amount of control that users have over some of their personal data.

Not to say that many of the changes aren’t good for privacy. But other changes are bad, while a few are just plain ugly.

Read EFF’s analysis of the changes on EFF.



What “Existing” database are they talking about? Do they have pictures of “frequent shoppers” or “frequent shoplifters” and where did they get the pictures?

http://tech.slashdot.org/story/09/12/10/0224204/Biometric-Face-Recognition-At-Your-Local-Mall?from=rss&utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+Slashdot%2Fslashdot+%28Slashdot%29

Biometric Face Recognition At Your Local Mall

Posted by samzenpus on Thursday December 10, @02:09AM from the sunglass-and-disguise-hut dept.

dippityfisch writes

"The Sydney Morning Herald reports that face recognition is being considered at Westfield's Sydney mall to catch offenders. The identification system matches images captured by surveillance cameras to an existing database of faces. Police said they could not comment on the center's intentions, but would welcome any move to improve security and technology in the area."

[From the article:

[Police] said many businesses already used face recognition systems without public knowledge.

''You'd be surprised at how many have it,'' Detective Inspector Grant Healey of Penrith said. ''Any tool that helps us identify offenders is a great tool for us, too.


(Related)

http://www.pogowasright.org/?p=6203

Israel tests biometric database

December 10, 2009 by Dissent Filed under Legislation, Non-U.S., Surveillance

John Oates had this news report in the The Register earlier this week:

The Israeli Knesset has voted in favour of a bill for a compulsory biometric database of all citizens.

The Biometrics Database Law passed the Knesset 40 votes in favour to 11 against.

A big row over privacy forced the bill back to the drawing board. This led to the idea of a two-year trial rather than a full-blown introduction. Three months before the end of that period ministers will decide to adopt or ditch the technology.

Read more in The Register.


(Related) It could never happen here...

http://www.wired.com/threatlevel/2009/12/terrorist-watchlist/

FBI: 19,000 Matches to Terrorist Screening List in 2009

By Kim Zetter December 9, 2009 3:50 pm

… A Justice Department inspector general report earlier this year found that the FBI was mishandling the watchlist and was failing to add legitimate suspects of terrorist investigation while also failing to properly update and remove records from the list, subjecting U.S. citizens to unjustified scrutiny.



Lawsuits in the Cloud. Is this a new branch of Computer Law? Sounds like a no-brainer to me (as in “Management has no brain.”).

http://www.databreaches.net/?p=8799

Microsoft and Danger to blame for Sidekick data loss – lawsuit

December 9, 2009 by admin Filed under Breach Incidents, Of Note

Courthouse News has uploaded a copy of a class action lawsuit against Microsoft and Danger Inc. The complaint, filed by Terrence and Katie Teraszcka, Adam Beckelman, and Michael Guerrero in Cook County Court on November 17th, alleges that the defendants negligently failed to back up data before a network upgrade, resulting in Sidekick users losing their important data. [Again, ignoring “Best Practices” Bob] The data loss occurred in October 2009.

The lawsuit cites an article by Dan E. Dilger in Roughly Drafted Magazine that points the finger at Microsoft by citing a source who implicates Roz Ho of Microsoft:

According to the source, the real problem was that a Microsoft manager directed the technicians performing scheduled maintenance to work without a safety net in order to save time and money. The insider reported:

“In preparation for this [SAN] upgrade, they were performing a backup, but it was 2 days into a 6 day backup procedure (it’s a lot of data). Someone from Microsoft (Roz Ho) told them to stop the backup procedure and proceed with the upgrade after assurances from Hitachi that a backup wasn’t necessary. This was done against the objections of Danger engineers.

”Now, they had a backup from a couple of months ago, but they only had the SAN space for a single backup. Because they started a new backup, they had to remove the old one. If they hadn’t done a backup at all, they’d still have the previous backup to fall back on.

“Anyway, after the SAN upgrade, disks started ‘disappearing.’ Logically, Oracle [software] freaked out and started trying to recover, which just made the damage worse.”

The problem with this report is that it places the blame, not on a complex Oracle deployment, not on bad SAN hardware or a firmware glitch, not a disgruntled employee with inappropriate levels of access to a mission critical service, but squarely upon Microsoft management.

The plaintiffs seek class-action status and economic relief of less than $75,000 per plaintiff.
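The insider's account turns on one detail: the array had room for exactly one backup, so starting a new one meant deleting the old one, and stopping the new one two days in left nothing. The rule that avoids this is simple enough to show in code, so here is an added illustration (mine, not anything from Danger, Microsoft or Hitachi, and not evidence of what their systems actually did): write the new copy beside the old one, verify it, promote it, and only then retire the old one; if there is no room for both, refuse to run rather than delete the last good copy. The "SAN" is a temporary directory, the dataset is one constructed 20 KB file, and the names BackupStore, unsafe_refresh and safe_refresh are invented for the example.

```python
"""Added illustration of the Sidekick failure mode; not Danger, Microsoft or
Hitachi code.  The SAN is a temp directory with room for `capacity` files; a
backup is a copy of one data file with its SHA-256 in the file name."""
import hashlib, os, tempfile


def sha256_of(path):
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()


def copy_bytes(src, dst, stop_after=None):
    """Copy src to dst; abort after `stop_after` bytes (the 6-day job cut short)."""
    copied = 0
    with open(src, "rb") as fi, open(dst, "wb") as fo:
        for chunk in iter(lambda: fi.read(4096), b""):
            if stop_after is not None and copied + len(chunk) > stop_after:
                fo.write(chunk[:stop_after - copied])
                raise InterruptedError("backup aborted before completion")
            fo.write(chunk)
            copied += len(chunk)


class BackupStore:
    """Directory with room for `capacity` files.  A finished backup is named
    backup-NNN.<sha256>.bak; any other file in the directory is a partial."""
    def __init__(self, root, capacity):
        self.root, self.capacity, self.seq = root, capacity, 0
        os.makedirs(root)

    def new_base(self):
        self.seq += 1
        return os.path.join(self.root, "backup-%03d" % self.seq)

    def good_backups(self):
        """A copy counts only if the digest in its name matches its content."""
        good = []
        for name in sorted(os.listdir(self.root)):
            parts, path = name.split("."), os.path.join(self.root, name)
            if len(parts) == 3 and parts[2] == "bak" and parts[1] == sha256_of(path):
                good.append(path)
        return good


def unsafe_refresh(store, source, stop_after=None):
    """The insider's procedure: delete the old copy to free the only slot, then
    start the new one.  Interrupt it and no verified copy is left anywhere."""
    for old in store.good_backups():
        os.remove(old)
    base = store.new_base()
    try:
        copy_bytes(source, base + ".bak", stop_after)
    except InterruptedError:
        return store.good_backups()  # the half-written file carries no digest
    os.replace(base + ".bak", "%s.%s.bak" % (base, sha256_of(base + ".bak")))
    return store.good_backups()


def safe_refresh(store, source, stop_after=None):
    """Write a .partial, verify it against the source, promote it, and only
    then retire older copies.  With no spare slot it refuses to start."""
    if len(os.listdir(store.root)) >= store.capacity:  # partials take space too
        raise RuntimeError("no spare slot; refusing to delete the only good backup")
    base = store.new_base()
    try:
        copy_bytes(source, base + ".partial", stop_after)
    except InterruptedError:
        os.remove(base + ".partial")  # previous copy untouched
        return store.good_backups()
    digest = sha256_of(base + ".partial")
    if digest != sha256_of(source):
        os.remove(base + ".partial")
        raise RuntimeError("verification failed; previous backup kept")
    os.replace(base + ".partial", "%s.%s.bak" % (base, digest))
    good = store.good_backups()
    while len(good) > max(1, store.capacity - 1):  # keep one slot free for next run
        os.remove(good.pop(0))
    return store.good_backups()


def demo():
    """Both procedures, interrupted 5000 bytes into a constructed 20 KB file."""
    with tempfile.TemporaryDirectory() as tmp:
        source = os.path.join(tmp, "db.bin")
        with open(source, "wb") as f:
            f.write(bytes(range(256)) * 80)  # constructed stand-in for subscriber data
        one = BackupStore(os.path.join(tmp, "one-slot"), 1)
        unsafe_refresh(one, source)  # the months-old backup
        unsafe_left = len(unsafe_refresh(one, source, stop_after=5000))
        two = BackupStore(os.path.join(tmp, "two-slots"), 2)
        safe_refresh(two, source)
        safe_left = len(safe_refresh(two, source, stop_after=5000))
        single = BackupStore(os.path.join(tmp, "single"), 1)
        safe_refresh(single, source)
        try:
            safe_refresh(single, source)
            refused = False
        except RuntimeError:
            refused = True
    return {"unsafe_after_abort": unsafe_left, "safe_after_abort": safe_left,
            "refused_single_slot": refused}
```

Calling demo() runs the one-slot "delete first, copy second" procedure and the two-slot "verify, promote, then retire" procedure against the same interruption; the first ends with zero verified copies, the second still has the old one, and a store with a single slot is refused outright. The lesson for the Danger case is that "we only had SAN space for a single backup" means the backup procedure itself was the risk: N rotating backups need room for N+1.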



Focus on telling the truth. “Unlimited” means “Limited” Honest!

http://mobile.slashdot.org/story/09/12/09/2028245/ATampT-Moves-Closer-To-Usage-Based-Fees-For-Data?from=rss&utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+Slashdot%2Fslashdot+%28Slashdot%29

AT&T Moves Closer To Usage-Based Fees For Data

Posted by timothy on Wednesday December 09, @04:08PM from the applied-price-theory dept.

CWmike writes

"AT&T has moved closer to charging special usage fees to heavy data users, including those with iPhones and other smartphones. Ralph de la Vega, CEO of AT&T Mobility and Consumer Markets, came close on Wednesday to warning about some kind of use-based pricing while speaking at a UBS conference. 'The first thing we need to do is educate customers about what represents a megabyte of data and...we're improving systems to give them real-time information about their data usage,' he said. 'Longer term, there's got to be some sort of pricing scheme that addresses the [heavy] users.' AT&T has found that only 3% of its smartphone users — primarily iPhone owners — are responsible for 40% of total data usage, largely for video and audio, de la Vega said. Educating that group about how much they are using could change that, as AT&T has found by informing wired Internet customers of such patterns. De la Vega's comments on data use were previewed in a keynote he gave in October at the CTIA, but he went beyond those comments on Wednesday: 'We are going to make sure incentives are in place to reduce or modify [data] uses so they don't crowd out others in the same cell sites.' Focus groups have been formed at AT&T to figure out how to proceed."


(Related)

http://www.wired.com/epicenter/2009/12/iphone-caps/

Cap My iPhone? Try This Instead, AT&T

By Ryan Singel December 9, 2009 6:09 pm

The first piece of advice is just a no-brainer. If you can’t handle the network traffic, stop selling a device that comes with a promise of unlimited 3G data service.



Think HUGE!

http://www.crunchgear.com/2009/12/09/study-americans-consume-34-gigabytes-of-information-per-day/?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+Techcrunch+%28TechCrunch%29

Study: Americans consume 34 gigabytes of information per day

There’s a pretty interesting report that was just published today entitled “How much information?” It was put together by the Global Information Industry of the University of California at San Diego. It looks at the year 2008 and tries to quantify how much information the average American consumes across all forms of media: TV, newspaper, Web sites, radio, you name it. When you crunch all the numbers, it looks like the average American consumes 34 gigabytes of data every single day. (That’s 3.6 zettabytes in total.)



Need a tool for visualizing large data sets?

http://www.insideria.com/2009/12/28-rich-data-visualization-too.html?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+oreilly%2Fnews+%28O%27Reilly+News%29

28 Rich Data Visualization Tools

Theresa Neil December 10, 2009



For my website students

http://www.makeuseof.com/tag/create-professional-looking-photo-slideshows-with-photo-story-3/?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+Makeuseof+%28MakeUseOf.com%29

Create Professional Looking Photo Slideshows With Photo Story 3

Dec. 9th, 2009 By Mark O'Neill

… One of those nice pieces of software is something called Photo Story 3 for Windows, an app which allows you to make professional looking photo slideshows complete with music, your own narration and photo subtitles. It claims you need Windows XP to run it but it is working perfectly fine on my Windows 7 machine. You can find out here all the other system requirements needed to make this app work.



This is not for the faint of heart...

http://www.makeuseof.com/tag/powerpoint-twitter-tools-to-auto-tweet-instantly-view-feedback/?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+Makeuseof+%28MakeUseOf.com%29

How To Integrate Twitter with PowerPoint: Tweet Presentation Notes & See Instant Feedback

Dec. 9th, 2009 By Mahendra Palsule

Speakers and presenters at conferences are increasingly finding their audience live tweeting during their presentation. In most cases, the presenter has no clue about what the audience is saying on Twitter. This leads to a disconnect between the true thoughts of the audience in contrast with that of the presenter. In order to avoid such scenarios, you can incorporate Twitter within your PowerPoint presentation both to be an active participant as well as to gather feedback from the audience.

Wednesday, December 09, 2009

I blogged about this yesterday and noted there were no facts in the article. Some are starting to trickle out.

http://www.databreaches.net/?p=8776

Attorney General Says Health Net Security Breach Concerns Worsen After Report Reveals Breach Was Likely Theft

December 8, 2009 by admin Filed under Healthcare Sector, Of Note, U.S.

The Connecticut Attorney General, Richard Blumenthal, has issued a statement about his intensified concerns about the Health Net breach:

… “An independent investigative report shreds Health Net’s sanitized story — revealing that this severe security breach was most likely a theft, and that two laptops were also stolen from Health Net’s facility at virtually the same time,” Blumenthal said.

… In a second letter to Health Net officials, Blumenthal said there are significant inconsistencies between Health Net’s response to his office and an independent report by Kroll, a security company Health Net hired to assess the loss of the missing disk drive. Blumenthal has asked Health Net for more details and requested a meeting.

… “The most glaring inconsistencies are Health Net’s explanations for its delay in reporting the data breach, its characterization of the likely cause of that data breach, and its assessment of the accessibility level of the data that was contained on the missing disk drive.

“Health Net has emphasized its inability to promptly access data on the disk to identify and notify those whose information was compromised, and offered assurances that the data could not be viewed without special software. These claims contradict Health Net’s own private security firm, which claims the data could be easily accessed through common commercially available software — and indicating another Health Net office in Rancho Cordova may have had a copy of the compromised information on hand to identify.

“Health Net has gone out of its way to dismiss and downplay this serious security breach when it should have been focusing on notifying and protecting people who may be at risk of financial fraud or having health information leaked.”

Blumenthal has requested a meeting with Health Net staff and is seeking additional details, including:

  • Why did Health Net fail to assess the information contained on the missing drive by communicating with its Rancho Cordova office and assessing the information it had successfully copied from the drive onto its EXP server?

  • Why was there an eight-day delay in notifying the Health Net Privacy Officer after the drive was discovered to be missing?

  • Were the IBM and other technical consultants retained under a “business associate” agreement as the term is defined under HIPAA?

  • Was any protected health or financial information contained on the stolen laptops?

  • How many separate Connecticut individuals’ protected health information was on the missing drive?


(Related) This explains why the AGs are taking an interest. The thumbscrews are being tightened.

http://www.phiprivacy.net/?p=1612

Two Data Security Breaches Give State Attorneys General a Chance to Exercise Their New HIPAA Powers

By Dissent, December 8, 2009 3:19 pm

In a sign that state attorneys general may be flexing the HIPAA enforcement muscle granted by the HITECH Act provisions in the Recovery Act, the Connecticut and Arizona attorneys general are investigating health plans that recently experienced data breaches that they failed to disclose for several months.

Typically, state attorneys general prosecute only violations of state laws, but they now have authority to investigate and levy fines for violations of HIPAA and the HITECH Act, which requires mandatory notifications within two months of knowledge of a breach.

[...]

Specifically, the HITECH Act states that when an AG “has reason to believe that an interest of one or more of the residents of that state has been or is threatened or adversely affected by any person who violates a [privacy and security provision], the attorney general of the state…may bring a civil action on behalf of such residents of the state in a district court of the United States of appropriate jurisdiction.”

Read the full article from Report on Patient Privacy on AISHealth.com.



More information is always useful

http://www.databreaches.net/?p=8785

Verizon Business Issues 2009 Supplemental Data Breach Report Profiling 15 Most Common Attacks

December 9, 2009 by admin

… To access the Verizon Business 2009 Supplemental Report, click below: www.verizonbusiness.com/go/09SuppDBIR

A complete copy of the 2009 Data Breach Investigations Report is available at: http://www.verizonbusiness.com/resources/security/reports/2009_databreac…



What we have here is a learning moment.

http://www.pogowasright.org/?p=6143

Tiger Woods has forfeited his right to privacy – no


OR

http://www.pogowasright.org/?p=6140

Tiger Woods has forfeited his right to privacy – yes



You can find transcripts and other interesting stuff at the FTC website. Just follow the links.

http://www.pogowasright.org/?p=6131

Ngo: Online targeted advertising discussed at FTC roundtable

December 8, 2009 by Dissent Filed under Businesses, Internet

Melissa Ngo of Privacy Lives blogged about her participation and the issues addressed in yesterday’s first of three FTC Roundtables:

The Federal Trade Commission had the first of three privacy roundtables yesterday, and I spoke on a panel about online targeted behavioral advertising.

… A New York Times article on the roundtable quoted me about a fundamental issue that divides industry and consumer advocates: opt-in or opt-out. Opt-in, the choice of consumer advocates, puts the burden on companies to have strong privacy protections and use limitations so consumers will choose to share their data. Opt-out, the choice of the majority of ad industry players, puts the burden on consumers to learn about what the privacy policies are, whether they protect consumer data, whom the data is shared with and for what purpose, and how to opt-out of this data collection, use and sharing.

Read more on Privacy Lives



“We're number two! We're number two!” I wonder why?

http://news.slashdot.org/story/09/12/08/2042253/US-No-Longer-Leading-the-World-In-Spam?from=rss&utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+Slashdot%2Fslashdot+%28Slashdot%29

US No Longer Leading the World In Spam

Posted by kdawson on Tuesday December 08, @05:20PM from the we're-number-two dept.

darthcamaro writes

"America is no longer the spam king. According to Cisco, US-originated spam dropped by over two trillion messages — American-based IP addresses sent about 6.2 trillion spam messages. The new world leader is Brazil at 7.7 trillion messages. [NOTE: These are yearly figures. Bob] 'I'm not completely surprised to see US falling to number two in the spam stats, but I didn't expect it to happen yet,' said Cisco Fellow Patrick Peterson. 'I was really gratified to see the actual spam volume decrease, not just ranking, but we [also] decreased the amount of spam that is pouring out of the United States.'"

The drop in US spam might have had something to do with the temporary shutdown of the McColo spam ISP.


(Related) A very small percentage of a very large number is all it takes to turn a profit.

http://www.theregister.co.uk/2009/12/07/phishing_hit_rate/

One in 200 success rate keeps phishing economy ticking over

Nibbles add up to big haul

By John Leyden Posted in Security, 7th December 2009 18:26 GMT

… Stats culled from Trusteer's anti-phishing browser plug-in, which is offered by banks to their clients as a transaction security add-on, revealed that 0.47 per cent of a bank’s customers fall victim to phishing attacks each year.

… Trusteer's report (PDF) is worth considering because it looks at how many would-be marks respond to phishing emails (ie live attack data). Most surveys only look at how many phishing attacks are launched and what brands are targeted, without considering how successful these attacks actually might be.



This is either really dumb or really smart. (I'm leaning heavily toward dumb.) Some articles are calling this a bailout for Microsoft and others are suggesting that Microsoft will use it as a way to test their software, allowing Germany to identify problems for them.

http://www.h-online.com/security/news/item/Germany-to-set-up-centre-to-coordinate-fight-against-botnets-880077.html

8 December 2009, 16:32

Germany to set up centre to coordinate fight against botnets

… The idea, jointly developed by the Federal Office for Information Security (BSI) and the Association of the German Internet Industry (eco), is based on the premise that internet service providers (ISPs) have long had the technical capability to identify infected computers by analysing network traffic.

… According to the plan, ISPs will contact customers whose PCs are infected with a bot, possibly by post or by telephone. [Why not by email? Too technical? Bob] The plan also contemplates having infected computers automatically connect to a special web page each time they connect to the internet. Before the plans are implemented, however, a decision needs to be made on what sanctions customers who decline to cooperate with their ISP can be subjected to.



Good news for the Class Action lawyers if this works. (Why do we preach “BACKUP!” if no one listens?)

http://www.databreaches.net/?p=8780

Class Action Lawsuit Alleges Palm Pre/Pixi Users Suffered from Data Loss

December 8, 2009 by admin Filed under Business Sector, Of Note, Other

A Bay Area man filed a class action lawsuit against Palm and Sprint Nextel (NYSE:S) for losing most all the contacts, appointments and other data stored by many of the hundreds of thousands of Sprint users of the popular Palm webOS line of mobile phones, including the Palm Pre and Pixi.

The data loss is reminiscent of the recent data loss suffered by T-Mobile Sidekick users after Microsoft lost the personal data of Sidekick users.

The lawsuit alleges that Palm and Sprint actively marketed the Palm webOS mobile phones as automatically backing up all the data that users would store, such as contacts, appointments, and more and then failed to follow through on these promises.

The suit is brought by Jason Standiford of San Francisco. Standiford alleges he suffered a nearly complete loss of his personal data in November after exchanging his fourth malfunctioning Palm Pre for a fifth new Palm Pre. He further alleges that Palm has since recovered some, though not all of his data, leaving him missing crucial information Palm promised it would safeguard for him.

Read more on Wireless and Mobile News. A copy of the lawsuit can be found here (pdf).



An element of a future business model for games, music, movies, etc.? Didn't Gillette do something like this? NOTE: DLC is “DownLoadable Content” in other words, new blades for your free razor.

http://games.slashdot.org/story/09/12/09/0631228/Pirates-as-a-Marketplace?from=rss&utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+Slashdot%2Fslashdot+%28Slashdot%29

Pirates as a Marketplace

Posted by Soulskill on Wednesday December 09, @06:31AM from the marrrrrrrket-share dept.

John Riccitiello, the CEO of Electronic Arts, made some revealing comments in an interview with Kotaku about how the company's attitudes are shifting with regard to software piracy. Quoting:

"Some of the people buying this DLC are not people who bought the game in a new shrink-wrapped box. That could be seen as a dark cloud, a mass of gamers who play a game without contributing a penny to EA. But around that cloud Riccitiello identified a silver lining: 'There's a sizable pirate market and a sizable second sale market and we want to try to generate revenue in that marketplace,' he said, pointing to DLC as a way to do it. The EA boss would prefer people bought their games, of course. 'I don't think anybody should pirate anything,' he said. 'I believe in the artistry of the people who build [the games industry.] I profoundly believe that. And when you steal from us, you steal from them. Having said that, there's a lot of people who do.' So encourage those pirates to pay for something, he figures. Riccitiello explained that EA's download services aren't perfect at distinguishing between used copies of games and pirated copies. As a result, he suggested, EA sells DLC to both communities of gamers. And that's how a pirate can turn into a paying customer."



Toward a replacement for newspapers? Clearly we will need to wait for more papers to join this project – which has potential. There has to be a way for readers to select stories to cover (not everyone believes the Redskins are the only football team in America). Worth exploring!

http://www.bespacific.com/mt/archives/022977.html

December 07, 2009

Google Launches Joint News-by-Topic Service

New York Times: "Google on Tuesday introduced a new approach to presenting news online by topic, developed with The New York Times and The Washington Post, and said that if the experiment succeeded, it would be made available to all publishers. The announcement of the “living stories” project shows Google collaborating with newspapers at a time when some major publishers have characterized the company as a threat. Google has also taken steps recently to project an image of itself as a friend to the industry."

  • "The Living Stories project is an experiment in presenting news, one designed specifically for the online environment. The project was developed by Google in collaboration with two of the country's leading newspapers, The New York Times and The Washington Post. [Note: See Living Stories FAQ]

  • All in one place: "Complete coverage of an on-going story is gathered together and prioritized on one URL. You can now quickly navigate between news articles, opinion pieces and features without long waits for pages to load."

  • Easy to explore: "Each story has an evolving summary of current developments as well as an interactive timeline of critical events. Stories can be explored by themes, significant participants or multimedia."

  • Smarter reading: "Updates to the story are highlighted each time you come back, and older news is summarized."



Could this be extended to other areas?

http://www.killerstartups.com/Web20/legallynoted-com-for-law-students-everywhere?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+killerstartups%2FBkQV+%28KillerStartups.com%29

LegallyNoted.com - For Law Students Everywhere

http://www.legallynoted.com/

LegallyNoted is a new online resource that is primarily geared towards law students. We could convey its essence effectively by comparing it to a 24-hour virtual study group where active law students can come together and share information such as class notes, outlines and briefs. They can also interact among themselves and develop successful class strategies in that way.