Saturday, December 18, 2010

I wonder if any of Silverpop's customers actually audited their security? That would seem to be a prudent step before relying on them to protect sensitive data.

13 million deviantART e-mail addresses exposed by hackers

December 17, 2010 by admin

Matthew Humphries covers a Silverpop-related deviantART e-mail address hack mentioned previously on this blog:

Pre-Christmas 2010 will be remembered as the time when well-known online brands and websites started to fall to hackers. The biggest of them all so far has been Gawker, and we’ve also seen McDonalds have its databases compromised this week. But that’s not the end of the security breaches.

Today deviantART, the largest online community of artists, has announced its user database has also been compromised. The fallout being up to 13 million user e-mail addresses, usernames, and birth dates being exposed and likely used by spammers.

The breach occurred through Silverpop System Inc. It’s a marketing company deviantART uses to communicate with its users through a mailing list, but now seems to be a weak point in securing user data. The company is assuming the data was stolen by spammers.

The only saving grace is passwords were not taken, so if you have a deviantART account it has not been compromised. What it will likely result in is a lot more spam e-mails being directed to those 13 million accounts.


[From the article:

The data stolen also brings up a few questions. Most importantly why is the site sharing date of birth information with a marketing company? Is it for more targeted advertising? If this is the case it should stop, as a number of sites still rely on date of birth as a security question.

Although fairly harmless on its own, a date of birth combined with an e-mail address may be enough to compromise security on other sites. For example, you have an e-mail and password login with date of birth check for recovering that password.

[Remember too that Spammers could be building a dossier database similar to the ones Behavioral Advertisers construct. Bob]

This would be funny if it wasn't yet another indication of a failure to understand basic security practices.

(follow-up) Massachusetts man pleads guilty to selling and using TSA employees’ identities

December 17, 2010 by admin

A Lynn man pleaded guilty in federal court today to selling and using the names, dates of birth, and Social Security numbers of Transportation Security Administration employees who worked at Logan Airport.

Michael Debring, A/K/A Michael Washington, 49, pleaded guilty before U.S. District Judge Nathaniel M. Gorton to conspiracy, misrepresenting a Social Security number with intent to defraud, possessing 15 or more unauthorized access devices with intent to defraud, and aggravated identity theft.

At today’s plea hearing, the prosecutor told the Court that had the case proceeded to trial, the Government’s evidence would have proved that between July 2008 and December 9, 2009, Derring and his co-conspirator, Tina White, opened accounts using TSA employees’ identities to obtain gas, electric, cable television, telephone, and other services for themselves and their relatives, friends and customers. Some recipients of the services would not pay the bills, knowing that the account-holder details did not match the recipients’ identities.

… Derring obtained the names, dates of birth, and Social Security numbers of employees who worked for TSA at Logan Airport from a relative who worked as a contractor at TSA’s department of human resources.

… Source: U.S. Attorney’s Office, Massachusetts

Now this is how everyone should approach their security planning.

NSA Considers Its Networks Compromised

"Debora Plunkett, head of the NSA's Information Assurance Directorate, has confirmed what many security experts suspected to be true: no computer network can be considered completely and utterly impenetrable — not even that of the NSA. 'There's no such thing as "secure" any more,' she said to the attendees of a cyber security forum sponsored by the Atlantic and Government Executive media organizations, and confirmed that the NSA works under the assumption that various parts of their systems have already been compromised, and is adjusting its actions accordingly."

Yet another indication that Politicians aren't like us second class citizens...

AU: Parliament porn users’ ID a secret

December 17, 2010 by Dissent

Alexandra Smith reports:

The NSW Parliament will not discipline or even identify staff members or MPs who used the parliamentary computer system to access websites that contained “sexually explicit images of young people”.

The Speaker of the Legislative Assembly, Richard Torbay, and the President of the Legislative Council, Amanda Fazio, have declared the matter closed despite confirmation that nine inappropriate websites were accessed.

In a statement yesterday, they confirmed that advice from the Crown Solicitor was that there was “no legal obligation to refer the information in the report to the NSW Police Force”.

The identity of the staff or MPs who accessed the pornographic sites will remain secret, ensuring no one can be disciplined, despite an obvious breach of the Parliament’s IT guidelines.

Read more in The Age.

Now, see, I wouldn’t think that public officials using publicly funded work-related computers should have an expectation of privacy if they engage in such conduct.

[From the article:

Ernst & Young was commissioned to review the internet filter after a parliamentary human resources executive, Lisa Vineburg, commissioned an unauthorised audit [I wonder if she got canned? Bob] of internet use by all MPs and staff.

The raw data ended the ministerial career of the MP for Heathcote, Paul McLeay, who resigned after he learned details of his internet use had been leaked to the media. He admitted he had repeatedly visited pornographic and gambling sites from the parliamentary computer system.

I'm not sure I fully agree with this. If it is okay for the cops to follow someone without a warrant (it is, isn't it?) why can't they use technology to make their work more efficient? Is it the “sneaking onto private property to attach the device” that is the real concern? How about remotely turning on the OnStar or other devices in the car to report locations visited?

Delaware and Massachusetts courts strike down warrantless GPS tracking

December 17, 2010 by Dissent


The Delaware Superior Court has ruled that police must obtain a warrant before using GPS devices to monitor vehicles. The Court said that the Delaware Constitution protects its citizens’ reasonable expectation of privacy from “constant surveillance.” “Everyone understands there is a possibility that on any one occasion or even multiple occasions, they may be observed by a member of the public or possibly law enforcement,” the Court reasoned, “but there is not such an expectation that an omnipresent force is watching your every move.” In a related case, the Massachusetts Supreme Court held that a warrant is required for the use of a GPS tracking device. EPIC filed an amicus brief in that case.


Susan Freiwald on United States v. Warshak: Sixth Circuit Brings Fourth Amendment Protection to Stored Email, At Last

December 18, 2010 by Dissent

Susan Freiwald, one of the law professors whose articles were cited in the recent Warshak decision, has this commentary and analysis on Concurring Opinions:

Finally! A Federal Appellate Court has brought the Fourth Amendment to stored email! On December 14th, in United States v. Warshak, the 6th Circuit held that when government agents compel an Internet Service Provider (ISP) to disclose its user’s stored emails, they invade the user’s reasonable expectation of privacy, which constitutes a search under the Fourth Amendment and requires a warrant or an applicable exception.

In a 2007 decision, a panel of the 6th Circuit found a reasonable expectation of privacy (REP) in Warshak’s stored emails when he sought an injunction, but the 6th Circuit, en banc, vacated that decision the next year on ripeness grounds. The case decided three days ago concerned Warshak’s appeal of his criminal conviction of an array of charges related to fraudulent business practices. The trial was long and involved (and much of the decision concerns other issues). As part of the investigation, prosecutors seized 27,000 of Warshak’s private emails, ex parte, and without first getting a warrant. Along with Patricia Bellia, of Notre Dame, I wrote an amicus brief for law professors prior to the 2007 decision, and have written law review articles (with Tricia) on the topic since. Below, I explain the court’s constitutional analysis, discuss why this discussion was so long in coming and share some thoughts about the future.

Read more of her analysis on Concurring Opinions.

Who is Dale Carnegie? Clausewitz said something to the effect that “war was a continuation of politics by other means.” How does that work when the politician is crazy?

North Korea Says War With South Would Go Nuclear

"According to reports from the Uriminzokkiri, the official website of the Democratic People's Republic of Korea, a war with South Korea would involve nuclear weapons, and '[will] not be limited to the Korean peninsula.' The article goes on, 'The Korean peninsula remains a region fraught with the greatest danger of war in the world. This is entirely attributable to the US pursuance of the policy of aggression against the DPRK (North Korea).'"
