Tuesday, April 13, 2010

Perhaps fines will get industry's attention, but not $1.95 per victim – it costs more than that to send them a notification letter.

http://www.databreaches.net/?p=11176

FINRA Fines D.A. Davidson & Co. $375,000 for Failure to Protect Confidential Customer Information

April 12, 2010 by admin

The Financial Industry Regulatory Authority (FINRA) issued the following press release today:

The Financial Industry Regulatory Authority (FINRA) announced today that it has fined D.A. Davidson & Co., of Great Falls, MT, $375,000 for its failure to protect confidential customer information by allowing an international crime group to improperly access and hack the confidential information of approximately 192,000 customers.

FINRA found that prior to January 2008, D.A. Davidson did not employ adequate safeguards to protect the security and confidentiality of customer records and information stored in a database housed on a computer Web server with a constant open Internet connection. The unprotected information included customer account numbers, social security numbers, names, addresses, dates of birth and other confidential data. Furthermore, the firm’s procedures for protecting that information were deficient in that the database was not encrypted and the firm never activated a password, thereby leaving the default blank password in place.

… FINRA found that on Dec. 25 and 26, 2007, D.A. Davidson’s database was compromised when an unidentified third party downloaded confidential customer information through a sophisticated network intrusion. To breach D.A. Davidson’s system, the hacker employed a mechanism called “SQL injection,” an attack in which computer code is repeatedly inserted into a Web page for the purpose of extracting information from a database. The hacker was able to access and download the affected customers’ confidential information.

FINRA also found that between April 2006 and October 2007, the firm had retained independent auditors and outside security consultants to review and/or audit its network security. During the course of those consultations, the firm received recommendations for enhancements to its security systems. Although the firm implemented the majority of those recommendations, it failed to implement a recommendation, made in or about April 2006, that it install an intrusion detection system. The firm had not implemented such a system at the time the hack occurred in December 2007.

The breach was discovered through an email that was sent by the hacker on Jan. 16, 2008, blackmailing the firm. Upon receiving the threat, D.A. Davidson reported the incident to law enforcement and assisted the Secret Service in identifying four members of an international group suspected of participating in the hacking attack of the firm. Three of those individuals have been extradited from Eastern Europe, arrested and are facing charges in federal court in Montana.

A class-action lawsuit against D.A. Davidson settled in November 2009.
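The FINRA release above names the root cause as SQL injection against an unencrypted customer database. The following is an added example (not code from the press release, FINRA, or D.A. Davidson) showing the defect and its fix side by side: a lookup that splices user input into the query text, beside the same lookup using parameter binding, plus an allowlist check on the input. The table, column names, and sample rows are constructed placeholders; sqlite3 is used so it runs offline.

```python
import re
import sqlite3

# Constructed sample data standing in for the kind of records the release
# describes. Names and numbers are placeholders, not real customer data.
SAMPLE_ROWS = [
    ("1001", "Ada Example", "000-00-0001"),
    ("1002", "Bob Example", "000-00-0002"),
    ("1003", "Cy Example", "000-00-0003"),
]


def build_db() -> sqlite3.Connection:
    """Create an in-memory table with the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (account TEXT, name TEXT, ssn TEXT)")
    conn.executemany("INSERT INTO customers VALUES (?, ?, ?)", SAMPLE_ROWS)
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, account: str) -> list:
    """Builds the query by string concatenation, so whatever the caller
    supplies becomes part of the SQL itself. This is the pattern behind
    the class of attack the FINRA release describes."""
    sql = "SELECT account, name FROM customers WHERE account = '" + account + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn: sqlite3.Connection, account: str) -> list:
    """Uses a bound parameter: the driver sends the value separately from
    the query text, so it can only ever be compared as a literal string."""
    sql = "SELECT account, name FROM customers WHERE account = ?"
    return conn.execute(sql, (account,)).fetchall()


# Defense in depth: an account number has a known shape, so reject anything
# else before it reaches the database layer at all (assumed format: 4+ digits).
ACCOUNT_RE = re.compile(r"^[0-9]{4,}$")


def is_valid_account(account: str) -> bool:
    return bool(ACCOUNT_RE.match(account))


def lookup_hardened(conn: sqlite3.Connection, account: str) -> list:
    """Allowlist validation first, then the parameterized query."""
    if not is_valid_account(account):
        return []
    return lookup_parameterized(conn, account)


def demo() -> dict:
    """Run both lookups with a normal value and with a constructed hostile
    one, and return the row counts so the difference is visible."""
    conn = build_db()
    normal = "1002"
    hostile = "x' OR '1'='1"          # constructed: turns the WHERE clause into always-true
    return {
        "vuln_normal": lookup_vulnerable(conn, normal),
        "vuln_hostile": lookup_vulnerable(conn, hostile),
        "safe_normal": lookup_parameterized(conn, normal),
        "safe_hostile": lookup_parameterized(conn, hostile),
        "hardened_hostile": lookup_hardened(conn, hostile),
    }


if __name__ == "__main__":
    for label, rows in demo().items():
        print(f"{label}: {len(rows)} row(s) {rows}")
```

The vulnerable lookup returns every row for the hostile input because the quote closes the literal and the rest becomes SQL; the parameterized version returns nothing for the same input because it is compared as the literal string `x' OR '1'='1`. The allowlist check is the cheap second layer: even if a future code change reintroduces concatenation somewhere, input that is not all digits never reaches it.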



The concept of migration to new systems suggests bringing your data with you, not abandoning it. This is a good example of bad management.

http://www.databreaches.net/?p=11181

Atlassian hacked

April 13, 2010 by admin

From the Atlassian company blog:

Around 9pm U.S. PST Sunday evening, Atlassian detected a security breach on one of our internal systems. The breach potentially exposed passwords for customers who purchased Atlassian products before July 2008. During July 2008, we migrated our customer database into Atlassian Crowd, our identity management product, and all customer passwords were encrypted. However, the old database table was not taken offline or deleted, and it is this database table that we believe could have been exposed during the breach.



Kind of a broad brush, but it's a start.

http://www.pogowasright.org/?p=8886

Guide to Protecting the Confidentiality of Personally Identifiable Information (PII)

April 13, 2010 by Dissent

Recommendations of the National Institute of Standards and Technology – April 2010

Erika McCallister Tim Grance Karen Scarfone

Executive Summary:

The escalation of security breaches involving personally identifiable information (PII) has contributed to the loss of millions of records over the past few years. Breaches involving PII are hazardous to both individuals and organizations. Individual harms may include identity theft, embarrassment, or blackmail. Organizational harms may include a loss of public trust, legal liability, or remediation costs. To appropriately protect the confidentiality of PII, organizations should use a risk-based approach; as McGeorge Bundy once stated, “If we guard our toothbrushes and diamonds with equal zeal, we will lose fewer toothbrushes and more diamonds.”

This document provides guidelines for a risk-based approach to protecting the confidentiality of PII. The recommendations in this document are intended primarily for U.S. Federal government agencies and those who conduct business on behalf of the agencies, but other organizations may find portions of the publication useful. Each organization may be subject to a different combination of laws, regulations, and other mandates related to protecting PII, so an organization’s legal counsel and privacy officer should be consulted to determine the current obligations for PII protection. For example, the Office of Management and Budget (OMB) has issued several memoranda with requirements for how Federal agencies must handle and protect PII. To effectively protect PII, organizations should implement the following recommendations….

NIST Special Publication 800-122, Guide to Protecting the Confidentiality of Personally Identifiable Information (PII)



“We'd be okay if they didn't bother checking up on us.”

http://www.bespacific.com/mt/archives/024002.html

April 12, 2010

Federal Cyber Security Outlook for 2010

"How well prepared are IT professionals within U.S. government agencies to respond to foreign cyber threats? Will government initiatives, such as the Comprehensive National Cybersecurity Initiative and the creation of the U.S. National Cybersecurity Coordinator role, be effective in addressing the challenges facing U.S. critical IT infrastructure? What is the impact of compliance on security within the federal IT environment? Commissioned by Lumension, Clarus Research Group set about to answer these and other important questions facing federal IT in Lumension’s Federal Cyber Security Outlook for 2010: National IT Security Challenges Mounting study. Clarus Research Group interviewed over 200 federal IT decision-makers and influencers about endpoint operations, IT security and compliance issues."

[From the report:

While the majority of respondents feel more confident in their level of IT security today versus a year ago, this is mainly due to improved IT security technology, stronger collaboration between IT operations and security, and a focus on meeting compliance requirements. However, increasing audit burdens and a lack of resources are identified as major challenges in meeting compliance requirements.


(Related) If a cyber war can start by accident, could that accident be untrained (12-year-old) hackers?

http://www.networkworld.com/news/2010/040710-clarke-book-review.html?source=NWWNLE_nlt_security_2010-04-08

'Cyber War' author: U.S. needs radical changes to protect against attacks

By Ellen Messmer, Network World April 07, 2010 10:23 AM ET

In his new book, Cyber War, Richard Clarke says nations are building up their online armies and weapons largely far from public view, increasing the danger of a deliberate or accidental cyberwar, which in turn could trigger violent conflicts across the globe.


(Related) Never accept a suggestion from someone with a clear bias. In the hierarchy of technology, shouldn't we start with what already exists?

http://arstechnica.com/tech-policy/news/2010/04/should-the-government-require-all-mobile-devices-to-include-a-tv-set.ars

Should the US govt force all cell phones to carry TV tuners?



How Italy sees the Internet?

http://www.pogowasright.org/?p=8883

Milan judge: The Internet is not a lawless prairie

April 12, 2010 by Dissent

Philip Willan reports:

A Milan judge Monday explained the reasoning behind his decision to convict three Google executives of violating Italy’s privacy law by allowing the posting of a controversial bullying video, saying the Internet is not a lawless prairie and the executives are criminally responsible because their company benefitted financially from the offense.

With images of the Wild West evidently in mind, Judge Oscar Magi wrote in a 111-page explanation of his decision to convict the Google executives: “There is no such thing as the limitless prairie of Internet where everything is permitted and nothing can be prohibited, on pain of a global excommunication by the people of the Web.”

Read more on Network World.



I suspect this will become popular. I know a lot of people who would complain if they didn't have to wade through those automated phone systems and then talk to a bureaucrat...

http://news.slashdot.org/story/10/04/12/1944254/Crowdsourcing-the-Department-of-Public-Works?from=rss&utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+Slashdot%2Fslashdot+%28Slashdot%29

Crowdsourcing the Department of Public Works

Posted by Soulskill on Monday April 12, @04:13PM

blackbearnh writes

"Usually, Gov 2.0 deals mainly with outward transparency of government to the citizens. But SeeClickFix is trying to drive data in the other direction, letting citizens report and track neighborhood problems as mundane as potholes, and as serious as drug dealers. In a recent interview, co-founder Jeff Blasius talked about how cities such as New Haven and Tucson are using SeeClickFix to involve their citizens in identifying and fixing problems with city infrastructure. 'We have thousands of potholes fixed across the country, thousands of pieces of graffiti repaired, streetlights turned on, catch basins cleared, all of that basic, broken-windows kind of stuff. We've seen neighborhood groups form based around issues reported on the site. We've seen people get new streetlights for their neighborhood, pedestrian improvements in many different cities, and all-terrain vehicles taken off of city streets. There was also one case of an arrest. The New Haven Police Department attributed initial reports on SeeClickFix to a sting operation that led to an arrest of two drug dealers selling heroin in front of a grammar school.'"


(Related) If this is useful, it should translate to other industries.

http://techcrunch.com/2010/04/12/twitter-launches-a-new-guide-for-media-organizations/?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+Techcrunch+%28TechCrunch%29

Twitter Launches A New Guide For Media Organizations

by Jason Kincaid on Apr 12, 2010

Twitter has just launched a new site called Twitter Media, where it’s offering media organizations and journalists some case studies and guidelines to better connect with their Twitter fans.



In order to legislate a thing, you must first understand the thing.

http://torrentfreak.com/how-file-sharers-will-bypass-uks-anti-piracy-act-100412/

How File-Sharers Will Bypass UK’s Anti-Piracy Act

Written by Ernesto on April 12, 2010

Last Wednesday the Digital Economy Bill was forced through by the UK Government. Under the new law copyright holders have the power to spy on those who infringe their rights, which may ultimately lead to file-sharers being disconnected from the Internet. In addition, copyright holders can urge the Government to close websites without the hassle of going through the courts.

… For those who don’t want to give up their habit of downloading copyrighted material, there are simply dozens of ways to download music and movies without being at risk. Much like DRM, the Act will not stop tech savvy file-sharers, it will only change the rules of the game.

Listed below are a few of the ways file-sharers will easily avoid the measures that have been introduced by the new legislation.


(Related) Piracy isn't what the RIAA thinks it is? What a shock!

http://news.cnet.com/8301-31001_3-20002304-261.html?part=rss&subj=news&tag=2547-1_3-0-20

Feds raise questions about big media's piracy claims

by Greg Sandoval April 12, 2010 4:15 PM PDT

After spending a year studying how piracy and illegal counterfeiting affects the United States, the Government Accountability Office says it still doesn't know for sure.

Congress tasked the GAO in April 2009 with reviewing the efforts to quantify the size and scope of piracy, including the impacts of Web piracy to the film and music industries. In a 32-page report issued Monday, the GAO said most of the published information, anecdotal evidence, and records show that piracy is a drag on the U.S. economy, tax revenue, and in some cases potentially threatens national security and public health. But the problem is, according to the GAO, the data used to quantify piracy isn't reliable.



There was a report from the UK some months back where lawyers were sending letters to alleged downloaders threatening lawsuits – at least they used proper English.

http://www.wired.com/threatlevel/2010/04/ransomware/

Malware Threatens to Sue BitTorrent Downloaders

By David Kravets April 12, 2010 4:57 pm

A new malware scam is trying to dupe BitTorrent users into coughing up serious cash for illegally downloading copyrighted material.

The code displays a box with the message “Warning! Piracy detected!” and opens a web page purportedly run by a Swiss company “committed to promoting the cultural and economic benefits of copyright.”

The fake company, the ICCP Foundation, also claims to be backed by the Recording Industry Association of America, the Motion Picture Association of America and others. “It appears to scan the user’s hard drive for .torrent files and displays these as ‘evidence’ of an earlier infringement,” wrote TorrentFreak, which first disclosed the malware.



Organized students? Isn't that an oxymoron?

http://www.makeuseof.com/tag/delicious-completely-organize-student-life/

How to Use Delicious to Completely Organize Your Student Life
