Wednesday, August 25, 2010

Another great teaching tool. Listing what they did wrong will provide a complete list of “Best Practices”

AU: Hacker hits Ballarat City Council files

August 24, 2010 by admin
Filed under Breach Incidents, Government Sector, Hack, Non-U.S., Subcontractor


Benjamin Preiss reports:

Ballarat City Council’s online network was in meltdown yesterday after it was discovered somebody had broken into the system.

One source, who had specific details about the security scare, said a teenager from regional Victoria had gained access to the system.

“Essentially the level of access that’s available is complete and unrestricted access to all their files,” [The very definition of poor computer security. Bob] the source said.

Council staff detected the security breach on Monday after a resident came forward with claims the system had been hacked. [They apparently had no “Detection” controls. Bob]

Ballarat City Council chief executive officer Anthony Schinck said the network would be shut down until the end of the week after unauthorised access to payroll data and emails.


Mr Schinck said the council network was accessed via a “third party provider”, which provides network support to Ballarat and other local councils… “It appears that logins and passwords have been potentially stolen (which) has allowed access to the system.”

Read more in The Courier.

[From the article:

Yesterday the council called in computer security experts to examine the system and determine exactly how much information had been viewed. Mr Schinck said he did not believe documents had been tampered with or removed. [Apparently, they have no logs or don't know how to read them... Bob]

If not immediately, then eventually. Which strategy meets Mercer's strategic goal to appear defensive, unresponsive and insensitive?

UPDATE: Idaho Power says Mercer breach affected over 375,000

August 25, 2010 by admin

The Mercer Health & Benefits breach involving a backup tape lost in transit after being shipped by FedEx is one of those multi-client breaches that comes out in dribs and drabs. But if Mercer hoped to keep the total number affected under wraps, one of their clients may have spilled their beans.

On August 12, Idaho Power Health Plan posted an FAQ on their site that I just came across. It says, in part:

2. What happened and what data information was lost?
A data breach was reported by Mercer to Idaho Power on June 16, 2010. According to Mercer, on March 26, 2010 a package containing a server back-up tape was sent via FedEx from Mercer’s Boise office to their Seattle office and is presently unaccounted for.

The tape contained personal demographic information (not medical or health-related data). The lost information included names, addresses, dates of birth, and Social Security numbers for approximately 5,000 Idaho Power employees and dependents and approximately 375,000 other individuals whom Mercer services through their client base.

The FAQ challenges Mercer’s reassuring statement that the unencrypted data would be difficult to be read: [Good for them! Bob]

3. Has the tape been recovered? Any indication the tape or any information on the tape has been inappropriately misused?
The tape cannot be accounted for, and we cannot confirm the tape or any information on it has or has not been inappropriately misused.

While the tape was not encrypted, Mercer indicates it is not the type of media that is readily accessible. Idaho Power disagrees and we are moving forward with our own independent investigation. You will be informed as the investigation progresses.

The FAQ is four pages and is either the most detailed, or one of the most detailed, breach FAQs I can recall seeing. The only thing I don’t spot in the FAQ is a phone number at Idaho Power that people can call.

This didn't work too well when they tried identifying marijuana growers by using thermal imaging to detect their “grow lights”.

August 24, 2010

U.S. and Foreign Govt' buy backscatter x-ray scanners mounted in vans

Follow up to previous postings on government implementation of whole body scanning technology at airports, via Forbes news that "American Science & Engineering, a company based in Billerica, Massachusetts, has sold U.S. and foreign government agencies more than 500 backscatter x-ray scanners mounted in vans that can be driven past neighboring vehicles to see their contents... While the biggest buyer of AS&E’s machines over the last seven years has been the Department of Defense operations in Afghanistan and enforcement agencies have also deployed the vans to search for vehicle-based bombs in the U.S."

“Papers, student.” How can school districts ignore reactions to “spying” like the Lower Merion incident?

CT: Proposal would track students

August 25, 2010 by Dissent

Erin Cox reports that a district in Connecticut is thinking of making students carry chipped ID cards so that they can track them. Yes, really.

The New Canaan school district is thinking about electronically tracking their students.

Many students are not pleased with the idea that they could end up testing new tracking technology.


New Canaan already has GPS and video cameras on all their buses, but is only exploring being part of an experiment testing such tracking. Under the program, students would be carrying an ID card with radio frequency strips. It pinpoints a student’s location, be it in the classroom or off grounds in nearby downtown.

Read more on WTNH.

This is a really, really, really bad idea. The district has a solid reputation in terms of student performance, so why do they need to surveill or track students this way? Naturally, a vendor thinks it’s a good idea and could be used in emergencies. And the last time New Canaan had that kind of emergency was… when?

New Canaan, meet Lower Merion. And the ACLU. And

“Thank you for opting out of cookie tracking. Here's another cookie.” What genius developed this strategy? Perhaps we could call it “Mis-Behavioral Advertising?”

Ad Firm Sued for Allegedly Re-Creating Deleted Cookies

Specificmedia, one of the net’s largest ad-serving and tracking companies, has been hit with a federal lawsuit accusing the company of violating computer intrusion laws by secretly re-creating cookies deleted by users.

The lawsuit (.pdf), filed in California’s Central District federal court last Wednesday, is the third such suit filed this month by privacy attorney Joseph Malley. The first “zombie” cookie suit targeted sites ranging from MTV to Scribd that used technology from a company called Quantcast, while the second suit went after Disney and Demand Media for their use of similar tech from Clearspring Technologies.

Scam-du-jour. Unfortunately, lots of geeks would be interested in this IPO.

Sketchy Startup Promises Facebook Stock To Investors

Oh, this is a huge mess in the making. A company called Freevi that has already had its hand slapped for securities laws violations by the State of California is trying to raise funds from investors by promising to “secure” the investment with Facebook stock. How did I find out about this? Via a spam email that hit my inbox, which is a general solicitation if I’ve ever seen one (that’s very relevant to the Securities Act of 1933).

The founder of the company, Neil Chandran, spends a great deal of time talking up Facebook’s value, saying that an IPO is “imminent” and noting that Google shot from $85 to $500 after their IPO. He also says that Facebook should hit $120, no problem.

This is a general solicitation of securities by an underwriter under the Securities Act. But it’s being done without disclosure of information required by the Act – namely, a prospectus. This is exactly the kind of thing that the SEC salivates over as they sharpen their legal claws.

Facebook redefines free speech. When you're trendy, nobody worries about nit-picky things like the constitution.

Facebook Bans Pot-Leaf Image in Political Ad

(Related) “We own everything – including your face!”

Facebook Lawsuit Throws the -book at Social Networking Site for Teachers

Misappropriating the distinctive book portion of Facebook’s trademark, defendant has created its own competing online networking community in a blatant attempt to become a Facebook for teachers,” (.pdf) according to a filing in San Francisco federal court.


Ca: Privacy czar continues her scrutiny of Facebook

August 25, 2010 by Dissent

Sarah Schmidt reports:

The clock has run out on Facebook to revamp its privacy rules to avoid a public showdown with Canada’s privacy czar over how it protects the personal information of its 500 million users worldwide.

After announcing in July 2009 that the social media giant was operating outside of Canada’s private-sector privacy law, privacy commissioner Jennifer Stoddart struck a deal with Facebook. It gave the California company one year to change or face the risk of being hauled before a federal judge to compel Facebook to implement the commissioner’s directives to provide users more detailed control over their personal information and to curtail the access of outside software and website developers to their data.

Now Stoddart is set to issue her assessment on whether Facebook has lived up to its list of undertakings to bring the company on side with Canada’s Personal Information Protection and Electronic Documents Act.


It's not identity theft, but perhaps my Computer Security students will now understand why I use the Zombie metaphor...

Who Owns Your Dead Son’s Brain?

By Dissent, August 24, 2010

Over on The Volokh Conspiracy, Jonathan H. Adler writes:

Do parents have a constitutionally protected property interest in the dead body of their child, including all organs? Not necessarily is the answer given by the U.S. Court of Appeals for the Sixth Circuit in Albrecht v. Treon, at least under Ohio law as interpreted by the Ohio Supreme Court.

The Albrechts brought a Section 1983 suit against the county coroner, among others, alleging that they were deprived of a protected property interest without due process of law when the coroner removed and retained their dead son’s brain without notice. According to the state, the brain was needed for additional study to aid in a criminal investigation. The question was certified to the Ohio Supreme Court, which held that under Ohio law the parents have no constitutionally protected interest in their child’s human remains that are retained for criminal investigation purposes, prompting a judgment for the state in district court. Today, the Sixth Circuit affirmed, distinguishing Circuit precedent that recognized constitutionally protected property interests in a family member’s body parts retained for donation purposes.

There is something disturbing to me about treating body parts as property, and I wonder if that is really the only viable legal analysis or approach. Our society seems to understand the emotional need of families to bury even fragments of their dead and to have that solace or comfort, and yet decisions about whether states have to notify family members of parts removed or offer them the opportunity to make their own arrangements for burial or disposal after any forensic examinations are completed is seemingly left to the states as a matter of property law.


A legal analysis of the case written back in 2007 provides some background and discussion of the issues.

Purchase of a lottery ticket automatically waives your right to privacy. Perhaps an additional fee could be added to buy it back?

Lottery Winner Sues Texas for Privacy

August 24, 2010 by Dissent

Elizabeth Banicki reports:

A Texas lottery winner sued the state to keep his identity private, for the privacy and safety of his family. After the Lottery Commission claimed that it had received a freedom of information request about the winner, Attorney General Greg Abbott ruled that information about John Doe should be released without redactions.

State lotteries customarily use information about winners, including photos, to advertise the gambling games. [Another “automatic” consent form? Bob]

In his complaint in Travis County Court, Doe says the Lottery Commission asked him for “a written statement describing his purchase of the winning ticket and the events that transpired prior to its presentation to the Lottery Commission for verification.”

Read more on Courthouse News. You can find the complaint here (pdf).

Perhaps asking my students to create their own “snippets” would teach them about privacy.

Six social implications of Facebook Places

Some snippets of conversations in the near-future:

Erstwhile friend: "Why didn't you ask me to go club-hopping with you last night? I'm not in your posse anymore?"

Prosecutor: "The subpoena of your Facebook records clearly shows that you're a known associate of Vinnie 'Big Guy' Vecchione."

Boss: "I guess you weren't too 'sick' to check into the ballpark for yesterday's afternoon game."

Husband to wife: "Yes, dear, I did check into Victoria's Secret downtown -- to buy something for you. It was going to be a surprise...."

Personal trainer: "You went to that greasy fast-food joint? I quit!"

"I wasn't really at the bar -- my friends checked me in there as a joke! I swear!"

For my Ethical Hacking students

Searching For Backdoors From Rogue IT Staff

Posted by CmdrTaco on Tuesday August 24, @05:43PM

"When IT staff are terminated under duress, there is often justification for a complete infrastructure audit to reduce future risk to a company. Here is an exploration of the steps necessary to maintain security."

Of course the first piece of advice is to basically assume you've been rooted. Ouch.

This could be fun for my website students.

Want a weather report? Watch this music video

If you watch the music video for singer Lissie Maurus' new song "Cuckoo" today, you might see the musicians against a nice sunny backdrop. Or a gray, windy one. It depends where you're watching it from.

The video changes according to live weather conditions. Viewers zoom in on a city or area on an interactive Google world map, and the video backdrop changes according to current local conditions. Pick a different location and the song continues while a humorously mustachioed, bow-tie-wearing TV weatherman kind of guy delivers a new forecast before the video shifts to reflect the new locale.

Gotta keep up with the evolution of language.

Interweb, defriend make it into the dictionary

A slew of geeky slang terms have made it into the new third edition of the Oxford Dictionary of English.

Among the new entries are Interweb, defriend, hater, and tweetup, the definitions of which you can check out for yourself by clicking on those links.

Read more of "Interweb, defriend and tweetup make it into the dictionary" at Crave UK.

How to get millions of consumers to replay your ads! Very amusing.

OldSpiceVoicemail: Generate Custom Voicemail Recording In The Voice of OldSpice Man

As part of a new marketing strategy, OldSpice has suddenly taken the social media by storm using viral videos. A very prominent feature of the person featured as the OldSpice guy is his voice. If you are amongst the millions of people who love that voice, use OldSpiceVoicemail to generate custom voicemail recordings in his tone.
