Thursday, November 11, 2010

Suspicions confirmed!

10 Riskiest Places to Give Your Social Security Number

November 10, 2010 by Dissent

Kashmir Hill kindly pointed me to this piece by Cameron Huddleston:

McAfee, the antivirus software company, recently released a list of the most dangerous places to give your Social Security number. Many of the places on the list might surprise you:

1. Universities and colleges
2. Banking and financial institutions
3. Hospitals
4. State governments
5. Local government
6. Federal government
7. Medical businesses (These are businesses that concentrate on services and products for the medical field, such as distributors of diabetes or dialysis supplies, medical billing services, pharmaceutical companies, etc.)
8. Non-profit organizations
9. Technology companies
10. Health insurers and medical offices

Read more on Kiplinger

[From the article:

The places are ranked based on the number of data breaches involving Social Security numbers from January 2009 to October 2010. What’s most disturbing is that you must disclose your Social Security number if you want to receive services from most of those places (either as required by law or the groups' own policies).

Perhaps “Any sufficiently advanced Cyber Crime is indistinguishable from Cyber War” (with apologies to Arthur C. Clarke)

Targeted Attacks Focus On Economic Cyberterrorism

Posted by samzenpus on Wednesday November 10, @01:23PM

"When it comes to dangerous Web threats, the only constant is change and gone are the days of predictable attack vectors. Instead, modern blended threats such as Aurora, Stuxnet, and Zeus infiltrate organizations through a variety of coordinated tactics, usually a combination of two or more. Phishing, compromised websites, and social networking are carefully coordinated to steal confidential data, because in the world of cybercrime, content equals cash. And, as a new Websense report illustrates, the latest tactics have now moved to a political and nationalistic stage. Cybercriminals and their blended attacks are having a field day taking advantage of security gaps left open by legacy technologies like firewalls, anti-virus, and simple URL blockers."

Is 3D printing the next “Betamax?”

3D Printing May Face Legal Challenges

Posted by samzenpus on Thursday November 11, @07:57AM

"A coming revolution in 3D printing, with average consumers able to copy and create new three-dimensional objects at home, may lead to attempts by patent holders to expand their legal protections, a paper from Public Knowledge says. Patent holders may see 3D printers as threats, and they may try to sue makers of the printers or the distributors of CAD (computer-aided design) blueprints, according to digital rights group Public Knowledge."

“We have to justify all that money we spent!”

Backlash grows over TSA's 'naked strip searches'

"We have received minimal complaints," a TSA spokeswoman told CNET yesterday. She said that the agency, part of DHS, keeps track of air traveler complaints and has not seen a significant rise.

A growing number of airline passengers, labor unions, and advocacy groups, however, say the new procedures--a choice of full-body scans or what the TSA delicately calls "enhanced patdowns"--go too far. (They were implemented without much fanfare in late October, amid lingering questions (PDF) about whether travelers are always offered a choice of manual screening.)

Remember, the FTC closed their investigation in late October. Why another investigation, you ask? (see the next article)

FCC investigates Google for Street View privacy breach, UK ICO criticized for sending non-techies to investigate

November 10, 2010 by Dissent

Cecilia Kang reports:

The Federal Communications Commission said Wednesday it is investigating a data breach by Google, whose Street View mapping cars scooped up e-mail addresses and passwords from unencrypted residential Wi-Fi networks.

Last month, Google disclosed that its Street View cars collected passwords, e-mails and other personal information wirelessly from unsuspecting people across the country,” said Michele Ellison, the FCC’s enforcement bureau chief. “In light of their public disclosure, we can now confirm that the Enforcement Bureau is looking into whether these actions violate the Communications Act.”

Read more in the Washington Post. Sara Jerome also covers the development on The Hill, as do Amy Schatz and Amir Efrati in the Wall Street Journal.

Meanwhile, across the great pond, the UK ICO is getting hammered for the lack of an in-depth investigation of the breach. Josh Halliday reports:

The Information Commissioner’s Office (ICO) is facing renewed criticism for sending two ‘non-technical’ members of staff to investigate Google’s illegal collection of data from Wi-Fi connections in July.

Two senior members of ICO staff with “considerable experience” of data protection law cleared Google of any wrongdoing earlier this year after examining a sample of so-called “payload” data at Google’s London headquarters. Conservative MP Rob Halfon said it was “astonishing” that the ICO “did not send technical people” to investigate the breach, which the ICO later ruled was a “significant breach” of the Data Protection Act.

Read more in the Guardian.
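What a technical reviewer would actually look for in a sample of captured “payload” data, as an added example for this digest (not code from Google, the FCC, the ICO or any of the cited articles): a small Python triage script that classifies application-layer fragments, as a passive sniffer on an open (unencrypted) Wi-Fi network would see them, into plaintext credentials, e-mail addresses, or opaque ciphertext. Every sample fragment, host name and account below is constructed for illustration; none of it comes from the Street View data.

```python
"""Triage of captured Wi-Fi "payload" data for plaintext credentials.

Added example; not code from Google, the FCC, the ICO or the cited articles.
Every captured fragment, host name and account below is constructed.
"""
import base64
import re
from urllib.parse import parse_qs

EMAIL_RE = re.compile(rb"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
USER_FIELDS = ("username", "user", "login", "email")
PASS_FIELDS = ("password", "passwd", "pass", "pwd")

# Constructed application-layer payloads, as a passive sniffer on an open
# Wi-Fi network sees them once the 802.11/IP/TCP headers are stripped.
_FORM_BODY = b"username=bob%40example.test&password=s3cret"
SAMPLES = {
    "http_basic": (
        b"GET /mail/inbox HTTP/1.1\r\n"
        b"Host: webmail.example.test\r\n"
        b"Authorization: Basic "
        + base64.b64encode(b"alice@example.test:hunter2")
        + b"\r\n\r\n"
    ),
    "http_form": (
        b"POST /login HTTP/1.1\r\n"
        b"Host: forum.example.test\r\n"
        b"Content-Type: application/x-www-form-urlencoded\r\n"
        + b"Content-Length: %d\r\n\r\n" % len(_FORM_BODY)
        + _FORM_BODY
    ),
    "smtp": b"MAIL FROM:<carol@example.test>\r\nRCPT TO:<dave@example.test>\r\n",
    # A TLS application-data record: opaque ciphertext to anyone on the air.
    "tls_record": bytes.fromhex(
        "1703030020"
        "9f3a7b1c00e4d28a5bc6f1a37e90d41b2c8fa6e0135d7c9b4aee0f2d6b18c3f5"
    ),
}


def parse_http(payload: bytes):
    """Return (request_line, headers, body) for an HTTP request, else None."""
    head, sep, body = payload.partition(b"\r\n\r\n")
    if not sep:
        return None
    lines = head.split(b"\r\n")
    request_line = lines[0].decode("latin-1")
    if not re.match(r"^[A-Z]+ \S+ HTTP/1\.[01]$", request_line):
        return None
    headers = {}
    for line in lines[1:]:
        name, _, value = line.decode("latin-1").partition(":")
        headers[name.strip().lower()] = value.strip()
    return request_line, headers, body


def extract_credentials(payload: bytes):
    """Return [(source, username, password)] recoverable from plaintext HTTP."""
    parsed = parse_http(payload)
    if parsed is None:
        return []
    _, headers, body = parsed
    found = []
    auth = headers.get("authorization", "")
    if auth.lower().startswith("basic "):
        try:  # Basic auth is only base64, not encryption
            user, _, pw = base64.b64decode(auth[6:]).decode("latin-1").partition(":")
            found.append(("http-basic", user, pw))
        except ValueError:
            pass
    if headers.get("content-type", "").startswith("application/x-www-form-urlencoded"):
        form = parse_qs(body.decode("latin-1"))
        user = next((form[f][0] for f in USER_FIELDS if f in form), None)
        pw = next((form[f][0] for f in PASS_FIELDS if f in form), None)
        if pw is not None:
            found.append(("http-form", user, pw))
    return found


def find_emails(payload: bytes):
    """Return every e-mail address visible in the fragment."""
    return [m.decode("latin-1") for m in EMAIL_RE.findall(payload)]


def looks_encrypted(payload: bytes, threshold: float = 0.7) -> bool:
    """Heuristic: plaintext protocols are mostly ASCII, ciphertext is not."""
    if not payload:
        return False
    printable = sum(1 for b in payload if 0x20 <= b <= 0x7E or b in (9, 10, 13))
    return printable / len(payload) < threshold


def triage(payload: bytes) -> str:
    """Classify one captured fragment by the worst thing it exposes."""
    if extract_credentials(payload):
        return "plaintext-credentials"
    if find_emails(payload):
        return "email-addresses"
    if looks_encrypted(payload):
        return "opaque"
    return "plaintext-other"


if __name__ == "__main__":
    for name, payload in SAMPLES.items():
        print(f"{name:12} -> {triage(payload):22} {extract_credentials(payload)}")
```

The point of the exercise: a reviewer with a sample of captured frames and a few dozen lines like these can say within minutes whether the sample contains recoverable credentials, which is the question the ICO's first visit left unanswered. The same script also shows why the capture was only a problem on open networks: the TLS fragment (and, equally, anything inside a WPA2-protected frame) classifies as opaque, while HTTP Basic auth and form logins sent in the clear give up usernames and passwords to anyone within radio range.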

(Related) “Who you know” only goes so far...

Critics Call For Probe Into Google Government Ties

Posted by CmdrTaco on Wednesday November 10, @12:40PM

"The National Legal and Policy Center has written to the House Oversight Committee to investigate alleged ties between Google and the Obama administration, specifically with regards to the closure of an FTC probe into Google's Wi-Fi privacy breach, when the company admitted to having collected users' unencrypted information over the course of three years. The NLPC compares Google's relationship with the administration to that of Halliburton and cites the timing of a $30,000-a-head Democratic fundraiser at Google CEO Marissa Mayer's home less than a week before the FTC ended its inquiry, where Obama made a personal appearance, as well as the fact that US deputy chief technology officer Andrew McLaughlin is a former Google employee. The NLPC further alleges that the FTC is tougher on other companies, issuing fines to Twitter and Sears for their privacy violations while letting Google off the hook after the company promised to improve its privacy practices."

...because Doctors are too poor to buy their own? What skills those Apple salesmen have! Will the US follow suit or will the Obama Administration wait for the Google version?

Australian State Govt. To Fund iPads For Doctors

Posted by samzenpus on Thursday November 11, @03:48AM

"The current premier of the Australian state of Victoria, John Brumby, has promised every doctor in Victoria's public hospital system would be issued with an Apple iPad if his incumbent Labor Government was returned to power in the state's upcoming election."

For my Ethical Hackers

V for Vendetta Hacker Strikes at Washington State University

An anonymous hacker wearing a Guy Fawkes mask took over classroom projection screens at Washington State University last Friday, the fifth of November, to broadcast a prerecorded message adapted from V For Vendetta, in a prank that evidently alarmed administrators and amused students.

The nearly four minute video, which was also posted on YouTube, and has its own website, Facebook page and Twitter hashtag, criticizes the university’s IT department. It also urges the student body to rise up against squirrels on the campus grounds. The rodents, the ersatz V complains, do nothing but “eat, drink and breed.”

Video projectors in two dozen classrooms were hijacked in the prank, according to news reports, and the video was set to replay automatically every hour. The hacker’s website advised university staff that the messages would stop automatically at the end of the day, but referred them to a batch file left on the AV servers that would also reverse the hack. “This script will cleanly remove and reverse all modifications made to the systems.” [“This tape will self-destruct in 5 seconds. Good luck Mr Phelps.” Bob]

A spokeswoman told the Chronicle of Higher Education that campus police were working to identify the perpetrator. “Childish pranks just don’t have a place anymore,” said Darin Watkins. “What may have been seen as cute and clever years ago really doesn’t get that kind of reaction today.” [Apparently the students haven't lost their sense of humor, but having their security failures pointed out to the world does not sit well with the Administration. Bob]

Still not getting serious about security.

November 10, 2010

Intel - 2010 HIMSS Security Survey

2010 HIMSS Security Survey Sponsored by Intel, Final Report, November 3, 2010

  • "Now in its third year, the 2010 HIMSS Security Survey [Healthcare Information and Management Systems Society], sponsored by Intel reports the opinions of information technology (IT) and security professionals from healthcare provider organizations across the U.S. regarding key issues surrounding the tools and policies in place to secure electronic patient data at healthcare organizations. This year, the study was supported by Medical Group Management Association (MGMA) to encourage additional representation in the medical group and ambulatory space. The study was designed to collect information on a multitude of security-related items, including organizations’ general security environment, access to patient data, access tracking and audit logs, security in a networked environment and technology tools in place. This year, we’ve added a series of questions to evaluate how healthcare organizations are handling patient identity issues."

[From the report:

Formal Security Position: Slightly more than half (53 percent) of respondents reported they have either a CSO/CISO or full-time staff in place to handle their organizations’ security function. Those working for a hospital were more likely to report that they had a CSO/CISO in place compared to individuals working for medical practices.

Future Use of Security Technologies: Mobile device encryption, e-mail encryption and single sign-on were most frequently identified by respondents as technologies that were not presently installed at their organization but were planned for future installation.

Medical Identity Theft: One-third of respondents reported that their organization has had at least one known case of medical identity theft at their organization.

For my Computer Security students...

The Role of Internet Service Providers in Cyber Security (PDF)

The current level of insecurity of the Internet is a worldwide problem that has resulted in a multitude of costs for businesses, governments, and individuals. Past research suggests that one significant factor in these cyber security problems is the inadequate level of security maintained by home users and small businesses. A handful of research studies and security experts have suggested that Internet Service Providers (ISPs) may be in a good position to cost-effectively prevent certain types of malicious cyber behavior, such as the operation of botnets on home users’ and small businesses’ computers. This research brief will review the existing literature and popular press on actions that ISPs are taking or could take to better secure their customers, economic barriers to such solutions, and incentives needed to increase ISP involvement.

For my Computer Security students. This reminds me of a story about a producer of MALT who, during Prohibition, carefully listed ingredients and processes under the warning that “This will make the illegal substance called Beer!”

Recording Industry: Here's an (inadvertent) handy guide on best websites for stealing music

In response to an inquiry from the federal government trade czar, the Recording Industry Association of America released Monday a filing itemizing "notorious markets" across the globe.

Notorious markets are physical places and websites "driven by the illegal sales or downloads of unauthorized music."

Unfortunately for them, the filing inadvertently doubles as a primer on the best websites for stealing music. If you didn't know what The Pirate Bay was, you will now thanks to the geniuses at the RIAA.

(Related) For my Ethical Hackers – not that they would ever download music...

7 Completely Free VPN Services To Protect Your Privacy

A VPN allows you to connect your machine to a virtual network which in turn encrypts the data you send, hiding everything from the public domain. A good VPN will keep no records of your browsing history, meaning you’re essentially an anonymous user.

Interesting growth curve. Is this the “next big thing” for my students?

Flush With Fresh Funding, Evernote Hits 5 Million Users

Mere weeks after raising a $20 million round from the likes of Sequoia Capital and Morgenthaler Ventures, memory enhancement service Evernote is today announcing that they’ve hit 5 million users.

The news, which Evernote just announced on its blog, comes less than three months after the startup reached the 4 million users milestone.

In other words, the time to add another million users keeps getting shorter for Evernote (22,130 users signed up yesterday, the company claims).

They needed 446 days to get its first million users, 222 days to get to its second million, 133 days to get to its third and 108 days to reach the 4 million users milestone.

As you can tell from the graph above, they’ve gone from 4 to 5 million users in just 83 days.

Evernote allows users to capture, organize, and find information across multiple platforms. Users can take notes, clip webpages, snap photos using their mobile phones, create to-dos, and record audio.

(Related) Why you might need Evernote...

How Americans Consume 3.6 Zettabytes A Day [Infographic]
