Wednesday, December 15, 2010

Local This is a good thing. Knowing you have a problem is the first step toward finding a solution. On the other hand, knowing someone is vulnerable is the first step toward a targeted attack.

Colorado’s state computer systems fail “hacker” test in cyber-security audit

December 14, 2010 by admin

Tim Hoover reports that the state’s cybersecurity is not in good shape and that personal information is at “high risk.” You can read his report in the Denver Post.

While the news may not be good, kudos are due for hiring a firm to try to hack into the state’s systems to determine just how weak the security really is.

Hoover also reports that we may not have been told about all state breaches:

And while there had been 43 cyber-security incidents reported to the office since 2006, auditors thought the number was higher, noting that some known incidents had not been reported.

And of course, that’s only the incidents they know about and doesn’t include incidents that were never detected (yes, I’m assuming that there have been undetected incidents. Wouldn’t you?)

This is an interesting twist. Failure to revoke the cards allowed the bad guys to charge purchases, then the bank pulled the money back.

U.S. Bank Hit with Class Action Suit Alleging Data Breach Cover-Up

December 15, 2010 by admin

Jason C. Gavejian writes:

Paintball Punks filed a class action suit against U.S. Bank in Hennepin County, Minnesota. The case was subsequently removed on December 6, 2010, to the Minneapolis District Court. In the complaint, Paintball Punks alleges that between August and December 2009 it received 9 orders totaling approximately $11,000, which were fraudulently billed to U.S. Bank-issued cards. The amount was subsequently charged back (U.S. Bank tapped into Paintball Punks’ account to recoup the money after payment).

The online retailer asserts that U.S. Bank failed to protect them and other merchants by failing to remedy a known data breach in the Bank’s system. Despite knowledge of those breaches, U.S. Bank allegedly allowed compromised card accounts to remain active, which led to fraudulent credit card transactions with Paintball Punks and other merchants similarly situated, followed by chargebacks that U.S. Bank processed against the accounts of the merchants.

Read more about the lawsuit on Workplace Privacy Data Management & Security Report

Initially, this looked like a major change in thinking. I'll have to read it to understand what actually happened. (A quick scan suggests they DID show harm, but the lower court decision was still Affirmed.)

Starbucks May Be Aren’t Liable for Workers’ ID Theft Risk (updated)

December 14, 2010 by admin

Tim Hull reports the latest on a lawsuit that stemmed from a case involving a stolen laptop in 2008:

Starbucks employees whose personal information was stolen with a company laptop can sue the coffee kahuna for negligence, the 9th Circuit ruled Tuesday.

About 97,000 current and former Starbucks employees were exposed to identity theft in 2008 when an unknown thief stole a laptop that contained their unencrypted names, addresses and social security numbers. Starbucks informed its employees of the theft and provided free credit-watch services to the affected employees.

None of the plaintiffs claimed that they had lost any money or been the victim of a successful identity theft.

A district court dismissed the complaints, finding that the employees had failed to show an injury under Washington law though did have federal standing.

The federal appellate panel in Seattle agreed, finding sufficient evidence to show that the employees had been harmed by the theft, even though their claims were somewhat hypothetical.

“Here, plaintiffs-appellants have alleged a credible threat of real and immediate harm stemming from the theft of a laptop containing their unencrypted personal data,” Judge Milan Smith wrote for the court. “Were plaintiffs-appellants’ allegations more conjectural or hypothetical – for example, if no laptop had been stolen, and plaintiffs had sued based on the risk that it would be stolen at some point in the future – we would find the threat far less credible.”

Read more on Courthouse News. The court’s opinion can be found on the Ninth Circuit’s site.

Previous coverage on this site.

This is big, as it’s the first case I can think of where plaintiffs did not demonstrate any financial harm and are talking about other kinds of harm/injury. Of course, the fact that they can proceed with the lawsuit doesn’t mean that they’ll prevail, but it’s still pretty amazing that they got this decision.

Update: I was so excited reading parts of the decision that I totally missed the fact that the court said they affirmed the dismissal of the state level claims. In a separate memorandum, the court explained why it affirmed the dismissal of the state-level claims. It’s not clear to me what would happen if the customers/plaintiffs had fully argued/briefed on the issue of anxiety as harm/injury, but I guess that argument will have to wait for another case.

The risks of Cloud Computing

Google's ChromeOS means losing control of data, warns GNU founder Richard Stallman

Google's new cloud computing ChromeOS looks like a plan "to push people into careless computing" by forcing them to store their data in the cloud rather than on machines directly under their control, warns Richard Stallman, founder of the Free Software Foundation and creator of the operating system GNU.

Two years ago Stallman, a computing veteran who is a strong advocate of free software via his Free Software Foundation, warned that making extensive use of cloud computing was "worse than stupidity" because it meant a loss of control of data.

Now he says he is increasingly concerned about the release by Google of its ChromeOS operating system, which is based on GNU/Linux and designed to store the minimum possible data locally. Instead it relies on a data connection to link to Google's "cloud" of servers, which are at unknown locations, to store documents and other information.

The risks include loss of legal rights to data if it is stored on a company's machines rather than your own, Stallman points out: "In the US, you even lose legal rights if you store your data in a company's machines instead of your own. The police need to present you with a search warrant to get your data from you; but if they are stored in a company's server, the police can get it without showing you anything. They may not even have to give the company a search warrant."

… But Stallman is unimpressed. "I think that marketers like "cloud computing" because it is devoid of substantive meaning. The term's meaning is not substance, it's an attitude: 'Let any Tom, Dick and Harry hold your data, let any Tom, Dick and Harry do your computing for you (and control it).' Perhaps the term 'careless computing' would suit it better."

… The accountability of cloud computing providers has come under close focus in the past fortnight after Amazon removed Wikileaks content from its EC2 cloud computing service, saying that the leaks site had breached its terms and conditions, and without offering any mediation in the dispute.

(Related) Sort of a “Cloud Computing” failure... When all of your customers' data is protected by the same security, you have a “Single Point of Failure”

Do Walgreens, McDonald’s, and deviantART breaches have common point of compromise?

December 14, 2010 by admin

Dan Goodin reports:

FBI agents looking into the theft of customer data belonging to McDonald’s are investigating similar breaches that may have hit more than 100 other companies that used email marketing services from Atlanta-based Silverpop Systems.

“The breach is with Silverpop, an email service provider that has over 105 customers,” Stephen Emmett, a special agent in the FBI’s Atlanta field office, told The Register. “It appears to be emanating from an overseas location.”

He declined to provide further details.

Read more in The Register, where Dan reports that deviantART specifically names Silverpop in their notification, and that because Walgreens reported in 2009 that it was using Arc Worldwide as its marketing agency (the same agency McDonald’s said they use), the Walgreens breach may also be linked to Silverpop.

In a statement to Crain’s, Silverpop wrote:

Silverpop “was among several technology providers targeted as part of a broader cyber attack,” the company said in a statement. “When we recently detected suspicious activity in a small percentage of our customer accounts, we took aggressive measures to stop that activity and prevent future attempts. Among other things, we unilaterally changed all passwords to protect customer accounts and engaged the FBI’s cybercrime division.”

Stay tuned, I guess.

(Related) A “Single Point of Hardware Failure?”

Hidden Backdoor Discovered On HP MSA2000 Arrays

"A hardcoded password-related security vulnerability has been discovered which apparently affects every HP MSA2000 G3, a modular large scale storage array. According to the alert, a hidden user exists that doesn't show up in the user manager, and the password cannot be changed, creating a perfect 'backdoor' opportunity for an attacker to gain access to potentially sensitive information stored on the device, as well as systems it is connected to."

[From the article:

Similar vulnerabilities were recently discovered in Cisco Unified Video Conferencing products, where a Linux shadow password file contained three hard-coded usernames and passwords.

… “To put this threat in context, supporting infrastructures for today’s virtualized environments have become a network of access points enabling interaction between systems. Many of these access points are privileged in that they are highly powerful and suffer from relatively poor controls - leading to privileged access point vulnerabilities. Cyber criminals understand the potential of these privileged access points and are using the vulnerabilities to transform the cyber crime frontier.

… In reality, organizations need to look at everything that has a microprocessor, memory or an application/process running – these all have similar embedded credentials that represent significant organizational vulnerabilities.
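The defender's counterpart to the hidden-account findings above is an inventory check: every account that can actually log in must appear on the documented list. The following is an added example, not code from the article or from either vendor it names; it audits a Linux-style passwd/shadow pair (the file type in the Cisco finding) using constructed sample files with hypothetical account names and placeholder hashes.

```python
# Added example: flag login-capable accounts that are not on the documented list.
LOCKED_PREFIXES = ("!", "*")          # shadow fields starting like this cannot log in
NOLOGIN_SHELLS = ("/sbin/nologin", "/usr/sbin/nologin", "/bin/false")

def parse_colon_file(text):
    """Split passwd/shadow-format lines into field lists, skipping blanks and comments."""
    return [line.split(":") for line in text.splitlines()
            if line.strip() and not line.startswith("#")]

def password_usable(hash_field):
    """True when the shadow field holds a real hash (not empty, '!'-locked or '*')."""
    return bool(hash_field) and not hash_field.startswith(LOCKED_PREFIXES)

def find_hidden_logins(passwd_text, shadow_text, documented):
    """Return sorted (name, uid, reason) for accounts that can log in
    (usable hash plus interactive shell) but are absent from the documented set."""
    hashes = {f[0]: f[1] for f in parse_colon_file(shadow_text) if len(f) >= 2}
    findings = []
    for f in parse_colon_file(passwd_text):
        if len(f) != 7:               # malformed line; not a login record
            continue
        name, uid, shell = f[0], int(f[2]), f[6]
        if name in documented or shell in NOLOGIN_SHELLS:
            continue
        if not password_usable(hashes.get(name, "")):
            continue
        reason = "undocumented login-capable account"
        if uid == 0:                  # a second root-equivalent account is the worst case
            reason += " with uid 0"
        findings.append((name, uid, reason))
    return sorted(findings)

# Constructed sample files (hypothetical names; hashes are placeholders, not real).
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/sh
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
admin:x:1000:1000:Storage admin:/home/admin:/bin/sh
svc_diag:x:1001:1001:Diagnostics:/var/lib/diag:/bin/sh
backup:x:0:0:Backup agent:/var/backup:/bin/sh
"""
SAMPLE_SHADOW = """\
root:$6$salt$HASHROOT:18600:0:99999:7:::
daemon:*:18600:0:99999:7:::
admin:$6$salt$HASHADMIN:18600:0:99999:7:::
svc_diag:$6$salt$HASHDIAG:18600:0:99999:7:::
backup:$6$salt$HASHBACKUP:18600:0:99999:7:::
"""
DOCUMENTED_ACCOUNTS = {"root", "admin"}   # what the user manager shows

if __name__ == "__main__":
    for name, uid, reason in find_hidden_logins(SAMPLE_PASSWD, SAMPLE_SHADOW, DOCUMENTED_ACCOUNTS):
        print(f"{name} (uid {uid}): {reason}")
```

On the sample data the undocumented svc_diag account and the uid-0 backup account are reported, while the locked daemon account is not.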

(Related) Maybe data in the Cloud has similar “Rights?”

Govt violated Warshak’s 4th Amdt rights, but evidence admissible because of “good faith” reliance on SCA – 6th Circuit (Update2)

December 14, 2010 by Dissent

Via Howard Bashman of How Appealing:

Email privacy, on appeal: A three-judge panel of the U.S. Court of Appeals for the Sixth Circuit today issued a very lengthy decision on the latest round of appeals in the case captioned United States v. Warshak.

I haven’t had time to wade through the whole opinion yet, so here’s the court’s summary of their holding on the email privacy aspect of the case:

  1. Warshak enjoyed a reasonable expectation of privacy in his emails vis-a-vis NuVox, his Internet Service Provider. See Katz v. United States, 389 U.S. 347 (1967). Thus, government agents violated his Fourth Amendment rights by compelling NuVox to turn over the emails without first obtaining a warrant based on probable cause. However, because the agents relied in good faith on provisions of the Stored Communications Act, the exclusionary rule does not apply in this instance. See Illinois v. Krull, 480 U.S. 340 (1987).

Their analysis of the search and seizure of Warshak’s emails begins on page 14 of the opinion:

Warshak argues that the government’s warrantless, ex parte seizure of approximately 27,000 of his private emails constituted a violation of the Fourth Amendment’s prohibition on unreasonable searches and seizures. The government counters that, even if government agents violated the Fourth Amendment in obtaining the emails, they relied in good faith on the Stored Communications Act (“SCA”), 18 U.S.C. §§ 2701 et seq., a statute that allows the government to obtain certain electronic communications without procuring a warrant. The government also argues that any hypothetical Fourth Amendment violation was harmless. We find that the government did violate Warshak’s Fourth Amendment rights by compelling his Internet Service Provider (“ISP”) to turn over the contents of his emails. However, we agree that agents relied on the SCA in good faith, and therefore hold that reversal is unwarranted.

I’ll post links to discussion of the ruling tomorrow after blawgers have had a chance to read the opinion and respond.

Update: Wow, there’s some great stuff in the opinion. Here’s a crucial snippet:

Accordingly, we hold that a subscriber enjoys a reasonable expectation of privacy in the contents of emails “that are stored with, or sent or received through, a commercial ISP.” Warshak I, 490 F.3d at 473; see Forrester, 512 F.3d at 511 (suggesting that “[t]he contents [of email messages] may deserve Fourth Amendment protection”). The government may not compel a commercial ISP to turn over the contents of a subscriber’s emails without first obtaining a warrant based on probable cause. Therefore, because they did not obtain a warrant, the government agents violated the Fourth Amendment when they obtained the contents of Warshak’s emails. Moreover, to the extent that the SCA purports to permit the government to obtain such emails warrantlessly, the SCA is unconstitutional.

See also EFF’s coverage of the decision. EFF had filed an amicus brief in the case.

Update 2: See Paul Ohm’s commentary and Orin Kerr’s initial commentary.

A challenge to the Surveillance State?

Europe tells Britain to justify itself over fingerprinting children in schools

December 14, 2010 by Dissent

Bruno Waterfield reports:

The European Commission has demanded Britain justifies the widespread and routine fingerprinting of children in schools because of “significant concerns” that the policy breaks EU privacy laws.

The commissioner is also concerned that parents are not allowed legal redress after one man was told he could not challenge the compulsory fingerprinting, without his permission, of his daughter for a “unique pupil number”.

In many schools, when using the canteen or library, children, as young as four, place their thumbs on a scanner and lunch money is deducted from their account or they are registered as borrowing a book.

Research carried out by Dr Emmeline Taylor, at Salford University, found earlier this year that 3,500 schools in the UK – one in seven – are using fingerprint technology.

Read more in the Telegraph.

An overreaction? Does this result from an aggressive application that flags any site that contains certain keywords or are they backing into it because of an application that checks “unclassified” systems for classified material and WikiLeaks documents might trigger a reaction?

Air Force Blocks NY Times, WaPo, Other Media

The Wall Street Journal is reporting that the Air Force, not content with blocking WikiLeaks and its mirrors, has begun blocking media sites carrying WL documents.

"Air Force users who try to view the websites of the New York Times, Britain's Guardian, Spain's El Pais, France's Le Monde or German magazine Der Spiegel instead get a page that says, 'ACCESS DENIED. Internet Usage is Logged & Monitored'... The Air Force says it has blocked more than 25 websites that contain WikiLeaks documents, in order to keep classified material off unclassified computer systems. ... The move was ordered by the 24th Air Force... The Army, Navy, and Marines aren't blocking the sites, and the Defense Department hasn't told the services to do so, according to spokespeople for the services and the Pentagon."

(Related) Perhaps Richard Stallman was correct (see above). I didn't realize “Erotic Incest Fantasy” was a genre, but I wonder if these were “banned” because of a complaint or because of “certain words.” If the latter, will they also ban Psychology or Criminal Justice textbooks?

Amazon Taking Down Erotica, Removing From Kindles

"The independent writers who publish on Amazon report that erotica books containing incest are being taken down with no explanation by Amazon, and removed from the Kindles of purchasers of the books. Author Selena Kitt writes: 'I want to be clear that while the subject of incest may not appeal to some, there is no underage contact in any of my work, and I make that either explicitly clear in all my stories or I state it up front in the book's disclaimer. I don't condone or support actual incest, just as someone who writes mysteries about serial killers wouldn't condone killing. What I write is fiction.' Kindle's own TV ad features a book with a story line of sex between a 19-year-old and his stepmother, defined in some states as incest ('Sleepwalking' by Amy Bloom)."

“Stupid is as stupid does...” F. Gump. Note that even stupid people can use a computer...

The taunt of an apparent Facebook thief

… Sometime between 10 a.m. and 12:45 p.m. Friday, a burglar busted through our basement door -- simply kicked through the 80-year-old wood panels -- and took a bunch of stuff.

Just one more example of life in the big city. Except that the apparent thief didn't stop with taking our belongings.

He felt compelled to showboat about his big achievement: He opened my son's computer, took a photo of himself sneering as he pointed to the cash lifted from my son's desk, and then went on my son's Facebook account and posted the picture for 400 teenagers to see. In the picture, the man is wearing my new winter coat, the one that was stolen right out of the Macy's box it had just arrived in.

"I've seen a lot, but this is the most stupid criminal I've ever seen," marveled D.C. police Officer Kyle Roe.
