Wednesday, November 17, 2010

The cost of Identity Theft.

New TD Ameritrade data theft settlement offers people $50-$2,500 for ID theft in 2007 breach

Millions of current and former TD Ameritrade customers whose contact information may have been stolen more than three years ago will be eligible to receive as much as $2,500 under a new proposed settlement agreement.

But it's not clear how many of the 6.2 million TD Ameritrade customers affected will be able to collect anything under the proposed settlement outlined in court documents filed Monday, because the payments will only be offered to identity-theft victims. And most of the payments, which would range between $50 and $2,500 per person, will likely be less than the maximum.

A federal judge who rejected an earlier settlement agreement also must approve the deal.

The new proposed settlement, which is the second attempt at resolving the lawsuit, will cost Ameritrade between $2.5 million and $6.5 million. If claims worth more than $6.5 million are submitted, the payments to individuals and the plaintiffs' lawyers will be reduced.

… Plaintiffs' attorney Gretchen Nelson said it's difficult to prove an identity theft was caused by a particular data breach, so the settlement is designed to allow for that.

Ameritrade's Petrick said customers won't have to prove their identity theft problems were related to the data theft. As long as people can show they were Ameritrade customers and suffered identity theft from an unknown cause, they will be able to submit a claim for payment.

… If the claims submitted and attorneys' fees in the settlement add up to less than $2.5 million, Ameritrade will donate any remaining money up to $2.5 million to non-profit groups concerned about privacy rights, such as the Electronic Privacy Information Center.

Starting the “paying for our sins” process...

AvMed sued over loss of computers holding personal information

Five AvMed Health Plans customers filed a class-action lawsuit Tuesday against the health insurer on behalf of 1.2 million people whose personal information was on two laptops that went missing from the company’s Gainesville office.

AvMed officials said there are no known cases of identity theft connected to the incident. [I imagine the conversation was more like: “Has anyone found out the data came from us?” Bob] One of the computers was recovered soon after the incident.

The lawsuit contends AvMed violated federal health privacy rules, industry standards and its own stated consumer protections in not securing the computers or encrypting the data on the computers.

The plaintiffs are suing for damages and to enforce data security measures.

… AvMed officials previously said the data were scrambled in such a way as to make the risk of identity theft very low. [Data stored in relational databases is not in the same sequence as data on a paper form. That does not mean the data cannot be easily reassembled. Bob]

… The company also says it has strengthened its data security and procedures. [Is that “proof” that their security was not adequate before the theft? Bob]

… The two laptops were reported missing from a locked conference room on Dec. 11, 2009. AvMed waited until February to notify 360,000 customers whose information was on the laptops to avoid hindering the investigation and to set up identity protection services. Another 860,000 customers were notified in June after AvMed determined their information was on the computers. [Did it really take them 6 months to determine what data was on the laptops? Bob]

It's not Wikileaks, but there is no whistleblower protection either.

Verizon breach disclosure web launched

November 17, 2010 by admin

Last week I posted a news item that Verizon was creating a web site where breaches could be reported anonymously. U.K. lawyer Stewart Room raises an interesting concern about using the site:

This is a fascinating concept, but from a legal perspective it is potentially fraught with difficulty for those organisations whose employees decide to take advantage of the service; if the organisation by its workers decides that it is ok to report incidents, albeit anonymously, to a third party, then it can attract close scrutiny about its breach reporting procedures in a general and specific sense, perhaps attracting the charge that it should be reporting to regulators too; ultimately, there are learning and mitigation purposes that are served in reporting to both recipients; the difficult question that will need to be thought through is “why is anonymous reporting ok, when open reporting is not?” Imagine a line of cross examination in a court environment that could be faced by the IT worker who unilaterally went down the route of reporting to a third when their organisation decided to keep quite (sic)…

Read more on Stewart Room.

About time!

US data laws spur encryption take-up

Data security laws are now the main reason US companies take up encryption, for the first time surpassing even anxiety over data breaches, a new report by the Ponemon Institute on behalf of Symantec has found.

Reporting for its fourth year in 2010, US Enterprise Encryption Trends found that regulations were cited as the biggest factor for using encryption by 69 percent of the nearly 1,000 IT security respondents surveyed in larger companies and government.

View The 2010 Annual Study: U.S. Enterprise Encryption Trends (registration required)

(Related) For my Ethical Hackers

For 18 Minutes, 15% of the Internet Routed Through China

Posted by CmdrTaco on Tuesday November 16, @02:24PM

"For 18 minutes this past April, 15% of the world's internet traffic was routed through servers in China. This includes traffic from both .gov and .mil US TLDs."

The crazy thing is that this happened months ago, and nobody noticed. Hope you're encrypting your super-secret stuff.

Summary only, but it is always interesting to see what drops out when the politicians get their fingers in the pie...

Commerce Dept. weighs privacy policy guidelines

Trade publication TR Daily obtained a copy of a draft summary of the report.

(Related) Do you suppose the guidelines address anything like this?

The Quantified Self: Personal Choice and Privacy Problem?

November 16, 2010 by Dissent

Another thought-provoking blog by Scott Peppet over on Concurring Opinions. Here’s part of it:

…. And what of privacy? It may not seem that an individual’s choice to use these technologies has privacy implications — so what if you decide to use FitBit to track your health and exercise? In a forthcoming piece titled “Unraveling Privacy: The Personal Prospectus and the Threat of a Full Disclosure Future,” however, I argue that self-tracking — particularly through electronic sensors — poses a threat to privacy for a somewhat unintuitive reason.

I do not worry that sensor data will be hacked (although it could be), nor that the firms creating such sensors or web-driven tracking systems will share it underhandedly (although they could), nor that their privacy policies are weak (although they probably are). Instead, I argue that these sensors and tracking systems are creating vast amounts of high-quality data about people that has previously been unavailable, and that we are already seeing ways in which sharing such data with others can be economically rewarding. For example, car insurance companies are now offering discounts if you install an electronic monitor in your car that tells the insurer your driving habits, and employers can use DirectLife devices to incentivize employees to participate in fitness programs (thereby reducing health insurance costs).

Such quantified, sensor-driven data become part of what I call the “Personal Prospectus.” The Personal Prospectus is a metaphor for the increasing array of verified personal information that we can share about ourselves electronically. Want to price my health insurance premium? Let me share with you my FitBit data. Want to price my car rental or car insurance? Let me share with you my regular car’s “black box” data to prove I am a safe driver. Want me to prove I will be a diligent, responsible employee? Let me share with you my real time blood alcohol content, how carefully I manage my diabetes, or my lifelong productivity records.

Read the whole thing on Concurring Opinions.

Interesting. The NYT saying government can't do anything it wants...

Searching Your Laptop

November 16, 2010 by Dissent

A New York Times editorial begins:

Federal courts have long agreed that federal agents guarding the borders do not need a warrant or probable cause to search a traveler’s belongings. That exception to the Fourth Amendment needs updating and tightening to reflect the realities of the digital age.

The government has a sovereign right and responsibility to secure the borders. The recent discovery of two powerful package bombs being shipped to the United States is a reminder of the many dangers out there.

There is also a big difference between government agents scanning items for explosives or looking through a suitcase full of clothing, and searching through the hard drive of a laptop computer containing work papers, financial records, e-mail messages and Web site visits.

Read more in the New York Times.

Trust us! I suppose this would be attached to my dossier...

One Hundred Naked Citizens: One Hundred Leaked Body Scans

November 16, 2010 by Dissent

At the heart of the controversy over “body scanners” is a promise: The images of our naked bodies will never be public. U.S. Marshals in a Florida Federal courthouse saved 35,000 images on their scanner. These are those images.

A Gizmodo investigation has revealed 100 of the photographs saved by the Gen 2 millimeter wave scanner from Brijot Imaging Systems, Inc., obtained by a FOIA request after it was recently revealed that U.S. Marshals operating the machine in the Orlando, Florida courthouse had improperly, perhaps illegally, saved images of the scans of public servants and private citizens.

Read more on Gizmodo and watch the video.


(Related) Pilots can't be terrorists. (Reverse profiling?) Makes me wonder who else is exempt (Congress?)

TSA plans modest changes to 'virtual strip searches'

… TSA administrator John Pistole said today that the agency will be "announcing some new policies" in the "near future" that will change the screening process for pilots, who have protested being forced to choose between a "virtual strip search" or an invasive pat-down a few minutes before they're handed the controls of a 975,000-pound kerosene-fueled missile in the form of a jumbo jet. (See our previous coverage.)

(Related) Security screening = roach motel.

TSA Investigating ‘Don’t Touch My Junk’ Passenger

The TSA has launched an investigation of a passenger in San Diego who left the airport after opting out of an invasive body scan and criticizing the proposed alternative pat-down.

John Tyner, a 31-year-old software programmer, recorded the encounter on his mobile phone and posted it to his blog. From there, it quickly went viral, tapping a groundswell of frustration over TSA’s procedures.

But far from backing down, the TSA told local reporters that it’s now investigating the passenger, who may face an $11,000 fine if the agency sues him.

“What he’s done, he’s violated federal law and federal regulations which states once you enter and start the process you have to complete it,” TSA’s San Diego security director told the Fox 5 News.

(Related) How the rest of the world sees the TSA? Humor, I think...

Taiwanese Animators Recreate TSA ‘Junk’ Incident

Computer Security tools & Techniques. Looks like a “real time” log analyzer. Hard to believe this is really new...

‘Fingerprint’ software to stem cyber crime

November 16, 2010 by admin

Revolutionary digital fingerprinting software invented by Edinburgh computer scientists could be set to stem the growing tide of cyber crime.

The technology, developed at Edinburgh Napier University, allows CCTV-style monitoring of online systems.

It digitally mimics the DNA matching process used in the real world.

The software, which will be on sale in six months, works out what classified data has been accessed by the hacker before alerting the company’s managers. [If it knows “Hacker” and “Classified Data,” why not STOP the access? Bob]

Read more on BBC.

[The company website:

1) recognize a market 2) fulfill the demand 3) retire

Teen Can't Wait for Apple: Orders iPhone 4 Parts Direct From Foxconn, Makes $130,000

According to The Observer, Lam realized there could be big money in getting white iPhone 4 parts early, and he made attempts to skip Apple and directly contact the company's controversial supplier, Foxconn.

"I knew a guy from a few years back that had somewhat of a relationship with folks in Foxconn," Lam, who speaks fluent Chinese, told The Observer.

After arranging orders for parts to make a white iPhone 4 conversion kit, Lam created, which offers the parts for between $135 and $279. The site soon went viral thanks to the tech blogosphere, and Lam made a killing. Since August alone, he's pulled in more than $130,000 from selling the white conversion kits, according to The Observer.

For my students

Blumind – A Beautiful, Lightweight & Portable Mindmap Application [Windows]

Do you use mindmaps? This method of organizing information is popular in academia because it can help people make sense of information clutter. But the use of mindmaps is not limited to educational environments only.

Anybody can use mindmaps for various purposes, including, for example, remembering school subjects faster, expanding a topic to write about, organizing ideas, breaking down a complicated project, and many more.

While the traditional pen and paper method is still used today, you can also use your computer to generate your mindmaps. There are many mindmap creators out there that you can choose and use. One of the free alternatives to create and manage your mindmaps is Blumind.

Since the site is in Chinese, you might need a little help from Google Translate.
