Saturday, January 09, 2010

It's probably not my students. But we do spend time talking about attacking networks and computers.

Hacking Takes Lead as Top Cause of Data Breaches

January 9, 2010 by admin Filed under Breach Incidents, Commentaries and Analyses, Of Note

Hacking has topped human error as the top cause of reported data breaches for the first time since such tracking began in 2007, according to the Identity Theft Resource Center’s 2009 Breach Report.

In its report, titled “Data Breaches: The Insanity Continues,” the non-profit ITRC found that 19.5 percent of reported breaches were due to hacking, with insider theft as the second most common cause at 16.9 percent. For the past two years, “data on the move,” typically a human-error loss of portable devices such as laptops or even briefcases, was the most common reported cause.

Read more on PCWorld.

Analyses of 2009 data conducted by ITRC are linked from their press release, here. As I had commented earlier, breach reports in 2009 were down compared to 2008, but interpreting what appears to be a decrease is fraught with difficulty as there are too many unknowns. OSF’s Dave Shettler also addressed the apparent decrease, citing some of the same possibilities I had, but throwing in solar flares for good measure. With respect to the apparent decline, ITRC says:

Are data breaches increasing or decreasing? That is the question no one can answer. This fact will not change until there is a single data breach list requiring mandatory public reporting. With some breaches not being reported publicly, and some state Attorneys General not allowing public access to reported breaches, we doubt that anyone is in a position to answer the question above. When we allow laws to be created requiring breach reporting but not disclosure, and provide minimal enforcement or penalty for non-compliance, we can expect a lack of public disclosure. Counting breaches becomes an exercise in insanity.

(Related) No need to hack the software if it doesn't do its job in the first place.

Obama: Software Flaws Let Christmas Bomber Get Through

By Noah Shachtman January 7, 2010 9:30 pm

Crappy government software — and failure to use that software right — almost got 289 people killed in the botched Christmas day bombing.

Bad management (there should be nothing you do for VIPs that you don't do for the general public) but typical politics (the general public doesn't endorse you, contribute large amounts, or attract journalists if security fails).

I.e.: Revenue set up VIP unit (but don’t the little people deserve privacy too?)

January 9, 2010 by admin Filed under Breach Laws, Commentaries and Analyses, Non-U.S.

TJ McIntyre writes:

One recent story which didn’t attract as much attention as it should have was the revelation that the Revenue have set up a special VIP unit to minimise leaks of confidential information about public figures. This emerged with the publication of an audit by the Data Protection Commissioner which found significant weaknesses in Revenue controls of data. (Weaknesses which still existed despite promised reforms after high profile scandals in 2005 and again in 2007.)

Read more on IT Law in Ireland.

After you cave in to the IRS you need to reassure your other tax dodging customers that you won't do it to them.

Switzerland court rules UBS disclosure of client information was illegal

January 8, 2010 by Dissent Filed under Court, Non-U.S.

The Federal Administrative Court of Switzerland ruled Friday that the Swiss Financial Market Supervisory Authority (FINMA) violated the law in February 2009 when it ordered UBS to disclose information to the US on more than 250 of the bank’s clients. FINMA issued the order after the US Department of Justice (DOJ) accused UBS of assisting Americans in hiding accounts from the Internal Revenue Service (IRS). The court stated [WSJ report] that FINMA lacked the authority to authorize the release of information, and that the issue should have been addressed by the Federal Council.

Read more on JURIST.

New tech, new hacks.

Social networking hacks: Top 10 Facebook and Twitter security stories of 2009

Hackers, botnets, viruses and controversial "privacy" settings dominate headlines in '09

By Jon Brodkin, Network World January 07, 2010 11:20 AM ET

Note for the security files: Next time you review a security breach, ask yourself if they were as well secured as your kids' online game.

Blizzard Authenticators May Become Mandatory

Posted by Soulskill on Saturday January 09, @03:27AM from the gotta-take-off-your-shoes-too dept.

An anonymous reader writes

" is reporting that a trusted source has informed them that Blizzard is giving serious consideration to making authenticators mandatory on all World of Warcraft accounts. The authenticators function the same as ones provided by most banks — in order to log in, you must generate a number on the external device. Blizzard already provides a free iPhone app that functions as an authenticator. The source stated, 'it is a virtually foregone conclusion that it will happen.' This comes after large spates of compromised accounts left Blizzard game masters severely backlogged by restoration requests."

When it comes to encryption, do it yourself! ...and remember, key management is... well... key!

NIST Investigating Mass Flash Drive Vulnerability

Posted by Soulskill on Saturday January 09, @05:05AM from the 123456-letmein dept.

Lucas123 writes with a followup to news we discussed earlier this week that the encryption on NIST-certified flash drives was cracked.

"A number of leading manufacturers of encrypted flash drives have warned their customers of a security flaw uncovered by a German company. The devices in question use the AES 256-bit encryption algorithm and have been certified using the FIPS 140-2, but the flaw appears to circumvent the certification process by uncovering the password authentication code on host systems. The National Institute of Standards and Technology said it's investigating whether it needs to modify its standards to include password authentication software on host systems. Security specialist Bruce Schneier was blunt in his characterization of the flaw: 'It's a stupid crypto mistake and they screwed up and they should be rightfully embarrassed for making it.'"
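The quote locates the flaw in the password authentication code running on the host, which is the pattern worth understanding: if the host program checks the password and then tells the drive "unlocked" with a value that does not depend on the password, the AES-256 certification of the drive itself is beside the point. The model below is an added illustration of that contrast, not the vendors' code; the exact protocol of the affected drives is not given in the article, so the fixed unlock value, the verifier construction and the PBKDF2 parameters are all constructed for the example.

```python
"""Two ways a host-side unlock program can talk to an encrypted drive.

Added example modelling the weakness the story describes; constructed, not the
vendors' code. 'Weak' models a host program that checks the password itself and
then sends the drive a fixed unlock value. 'Hardened' derives the key from the
password, so the drive never has to trust the host's verdict.
"""
import hashlib
import hmac
import os

# --- weak design: the password check lives on the host ---------------------

FIXED_UNLOCK_VALUE = bytes(16)       # constructed; the same for every unit shipped


def password_hash(password: str) -> bytes:
    """What the weak host program compares the typed password against."""
    return hashlib.sha256(password.encode()).digest()


class WeakDrive:
    """The drive only ever sees the unlock value, never the password."""

    def __init__(self, data_key: bytes):
        self._data_key = data_key

    def unlock(self, unlock_value: bytes):
        # Whoever can present FIXED_UNLOCK_VALUE gets the key; the drive has no
        # way to tell whether a password was ever checked.
        if hmac.compare_digest(unlock_value, FIXED_UNLOCK_VALUE):
            return self._data_key
        return None


def weak_host_unlock(drive: WeakDrive, password: str, stored_hash: bytes):
    """Host program: checks the password locally, then sends the same value every time."""
    if not hmac.compare_digest(password_hash(password), stored_hash):
        return None
    return drive.unlock(FIXED_UNLOCK_VALUE)


# --- hardened design: the key depends on the password -----------------------

def derive_key(password: str, salt: bytes) -> bytes:
    """PBKDF2-HMAC-SHA256; iteration count is an assumed demo value."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000, dklen=32)


class HardenedDrive:
    """The drive stores a salt and a keyed verifier; the key exists only when the
    password is right. (A real drive would use the derived key to unwrap a
    separate data key, omitted here to keep the model short.)"""

    def __init__(self, password: str):
        self.salt = os.urandom(16)
        key = derive_key(password, self.salt)
        self._verifier = hmac.new(key, b"unlock-check", hashlib.sha256).digest()

    def unlock(self, candidate_key: bytes):
        probe = hmac.new(candidate_key, b"unlock-check", hashlib.sha256).digest()
        return candidate_key if hmac.compare_digest(probe, self._verifier) else None


def hardened_host_unlock(drive: HardenedDrive, password: str):
    """Host program: derives the key from what the user typed; a wrong password
    yields a wrong key, and there is no password-independent value to present."""
    return drive.unlock(derive_key(password, drive.salt))


if __name__ == "__main__":
    weak = WeakDrive(os.urandom(32))
    print("weak, no password at all:", weak.unlock(FIXED_UNLOCK_VALUE) is not None)
    strong = HardenedDrive("correct horse")
    print("hardened, wrong password:", hardened_host_unlock(strong, "wrong") is not None)
```

The point of the certification question NIST raises is visible in the model: FIPS 140-2 evaluates the cryptographic module, and in the weak design the module is doing exactly what it was certified to do; the decision to release the key was made by uncertified host software that every unit trusts in the same way.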

I wish to point out that these are not actually Auditors (CISA) but rather Certified Software Managers (CSM) AKA: license snoops

Recession Turning Software Auditors Into Greedy Traffic Cops

Posted by Soulskill on Friday January 08, @09:46PM from the twenty-six-in-a-twenty-five dept.

judgecorp writes

"As the recession bites, software auditors are cracking down, and some are simply exploiting loopholes and technicalities to meet their targets, according to analyst Forrester. They may be within their rights, but they aren't endearing themselves to users; Steve Ballmer faced weary customers in London last year, and admitted Windows licenses have deliberate 'gotchas.'"

Proof of concept or an attempt to drive the price of their shares down before a takeover bid?

Looks like Rupert Murdoch’s just started blocking search engines

by Martin Bryant on January 8, 2010

Remember when Rupert Murdoch caused a stir by saying that he was going to start blocking news search services like Google News from carrying his sites’ stories? Well, it looks like he’s started.

News aggregator NewsNow is claiming that Murdoch’s UK-based Times Online website has started blocking it from indexing stories.


Indeed, checking the contents of reveals the following code.

#Agent Specific Disallowed Sections
User-agent: NewsNow
Disallow: /
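A robots.txt group like the one above is advisory: it takes effect only when the crawler reads the file, picks the group whose User-agent token matches its own name, and applies the longest matching Allow/Disallow prefix. The evaluator below is an added example (not the article's or Times Online's code) that walks through those steps; the NewsNow group is the one quoted in the article, while the `*` group, its paths and the crawler names are constructed for the demo.

```python
"""Minimal robots.txt evaluator for rules like the one quoted above.

Added example, not code from the article or the site. It parses User-agent
groups and Allow/Disallow rules and answers whether a crawler may fetch a path.
The robots.txt text is constructed: the NewsNow group is the quoted one, the
'*' group and all paths are assumptions for the demo.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

ROBOTS_TXT = """\
#Agent Specific Disallowed Sections
User-agent: NewsNow
Disallow: /

# assumed default group for every other crawler (constructed)
User-agent: *
Disallow: /private/
Allow: /
"""


@dataclass
class Group:
    agents: List[str] = field(default_factory=list)
    rules: List[Tuple[bool, str]] = field(default_factory=list)   # (allowed, path prefix)


def parse_robots(text: str) -> List[Group]:
    """Split robots.txt into User-agent groups; comments and blank lines are ignored.
    Consecutive User-agent lines share one group; a rule line closes the agent list."""
    groups: List[Group] = []
    current: Optional[Group] = None
    expecting_agent = True
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or ":" not in line:
            continue
        key, value = (part.strip() for part in line.split(":", 1))
        key = key.lower()
        if key == "user-agent":
            if current is None or not expecting_agent:
                current = Group()
                groups.append(current)
            current.agents.append(value.lower())
            expecting_agent = True
        elif key in ("allow", "disallow") and current is not None:
            expecting_agent = False
            if value:                       # "Disallow:" with no path blocks nothing
                current.rules.append((key == "allow", value))
    return groups


def select_group(groups: List[Group], user_agent: str) -> Optional[Group]:
    """Pick the group whose token is the longest substring of the crawler name,
    else the '*' group; no group at all means the file imposes no limits."""
    ua = user_agent.lower()
    best: Optional[Group] = None
    best_len = -1
    for g in groups:
        for token in g.agents:
            if token != "*" and token in ua and len(token) > best_len:
                best, best_len = g, len(token)
    if best is None:
        best = next((g for g in groups if "*" in g.agents), None)
    return best


def can_fetch(text: str, user_agent: str, path: str) -> bool:
    """Longest matching prefix wins; Allow wins ties; no matching rule means allowed."""
    group = select_group(parse_robots(text), user_agent)
    if group is None:
        return True
    verdict, matched_len = True, -1
    for allowed, prefix in group.rules:
        if path.startswith(prefix):
            n = len(prefix)
            if n > matched_len or (n == matched_len and allowed):
                verdict, matched_len = allowed, n
    return verdict


if __name__ == "__main__":
    for agent, path in (("NewsNow/1.0", "/news/story.html"),
                        ("OtherBot/2.1", "/news/story.html"),
                        ("OtherBot/2.1", "/private/index.html")):
        print(f"{agent:13} {path:22} allowed={can_fetch(ROBOTS_TXT, agent, path)}")
```

Two practical caveats follow from the code: a crawler that ignores robots.txt, or that identifies itself under a different User-agent string, is not blocked by `Disallow: /` at all, so a site that needs enforcement rather than a request has to do it at the server (authentication, rate limiting or blocking by other means), and the `*` group only applies to crawlers that match no more specific token.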

A must-have new computer peripheral: the fire extinguisher!

Acer Recalls 22,000 Notebooks Due To Burn Hazard

Posted by Soulskill on Friday January 08, @06:53PM from the hot-product dept.

An anonymous reader writes

"The US Consumer Product Safety Commission, in cooperation with Acer, today announced a voluntary recall of 22,000 notebook computers. Acer has received three reports of computers short circuiting, resulting in slight melting of the external casing. No incidents occurred in the United States. No injuries have been reported."

Will the law ever catch up to the do-gooders?

Court Unfriendly To FCC's Internet Slap At Comcast

Posted by ScuttleMonkey on Friday January 08, @03:47PM from the unchecked-authority-generally-bad dept.

Several sources are reporting that federal judges have been harsh in their examination of the FCC's action against Comcast in 2008 for the throttling of Internet traffic from high-bandwidth file-sharing services.

"'You can't get an unbridled, roving commission to go about doing good,' said US Court of Appeals for the District of Columbia Circuit Chief Judge David Sentelle during an oral argument. The three-judge panel grilled FCC General Counsel Austin Schlick on the parts of communications law it could cite to justify the Comcast punishment. The FCC argues that it was enforcing an open Internet policy implicit in the law. Judge A. Raymond Randolph repeatedly said the legal provisions cited by the FCC were mere policy statements that by themselves can't justify the commission's action. 'You have yet to identify a specific statute,' he said. The judges' decision in the case could throw into question the FCC's authority to impose open Internet rules."


CES: Why the White House is backing away from Net neutrality

by Larry Downes January 8, 2010 6:54 AM PST

… The administration is clearly backtracking. But why?

Part of the reason is some unexpected political pressure, including a letter signed by 72 congressional Democrats opposing the FCC's proposed rules soon after they were announced.

But the bigger explanation is the growing priority within the administration for nationwide, affordable broadband service.

Gentlemen, start your lawsuits! In fact, such short range use is probably legal, isn't it?

MagicJack’s Making Cell Phone Fees Disappear

Source: AP January 8, 2010

The company behind the magicJack, the cheap Internet phone gadget that’s been heavily promoted on TV, has made a new version of the device that allows free calls from cell phones in the home, in a fashion that’s sure to draw protest from cellular carriers.

The new magicJack uses, without permission, radio frequencies for which cellular carriers have paid billions of dollars for exclusive licenses.

… The device is, in essence, a very small cellular tower for the home.

The size of a deck of cards, it plugs into a PC, which needs a broadband Internet connection. The device then detects when a compatible cell phone comes within 8 feet, and places a call to it. The user enters a short code on the phone. The phone is then linked to the magicJack, and as long as it’s within range (YMax said it will cover a 3,000-square-foot home) magicJack routes the call itself, over the Internet, rather than going through the carrier’s cellular tower. No minutes are subtracted from the user’s account with the carrier. Any extra fees for international calls are subtracted from the user’s account with magicJack, not the carrier.

Tech for shade tree mechanics. If you think you need an advanced degree to work on your “high-tech, computer controlled” car, you haven't been talking to a mechanic recently.

CES: Decipher your car's idiot light with CarMD

by Rafe Needleman January 8, 2010 1:23 PM PST

I need to spend more time figuring out how to use “social networks” in my classes. This looks like a possible tool.

HootSuite Raises $1.9 Million For Social Media Dashboard

by Leena Rao on January 8, 2010

Vancouver-based HootSuite, which dubs itself as “the professional Twitter client,” lets users manage their Twitter, Facebook, Linkedin, and accounts through one interface.

… HootSuite faces competition from other all-in-one social media dashboards including TweetDeck, PeopleBrowsr, and Seesmic.

Friday, January 08, 2010

Let me get this straight. Someone changed my medical records, but you don't think I should know about it? You will be sending those records to my insurance company, right? They will be refusing to compensate me for the procedures that are no longer on my record, right?

After further review, investigator doesn’t think WDH had to report data breach

By Dissent, January 8, 2010 6:29 am

Adam D. Krauss brings us the latest on the controversy over a breach at Wentworth-Douglass Hospital:

A state investigator says after reviewing additional information he still doesn’t think Wentworth-Douglass Hospital had to notify patients impacted by the privacy breach.

James Boffetti, who leads the Office of the Attorney General’s consumer protection and antitrust bureau, said the breach didn’t trigger the state’s notification law even though personal information was improperly viewed by an ex-employee.

“What we know is she, as an apparent act of retaliation against her former employers, tampered with certain fields of information,” including patients’ genders, addresses and where their reports should be sent, he said. But “there isn’t any indication that she misused the information.”

RSA 359-C: 20 says in the event of a breach those doing business in the state must determine whether personal information will be misused and mandates notification of those affected if misuse has occurred, is reasonably likely to occur or if a determination cannot be made.

Read more on Foster’s Democrat.

Update: How much is Visa actually out of pocket because of this breach? Zero. Issuing banks reimburse their cardholders.

Heartland in $60 mln settlement agreement with Visa

January 8, 2010 by admin Filed under Breach Incidents, Financial Sector, Of Note, U.S.

Reuters is reporting:

Heartland Payment Systems Inc (HPY.N) said it reached a $60 million settlement agreement with Visa Inc (V.N), under which it will pay issuers of Visa-branded credit and debit cards for data security breach claims.

Heartland, the fifth-largest payments processor in the United States, said the settlement was with respect to losses issuers may have incurred from a criminal breach of its payment systems in 2008.

Visa would credit the full amount of intrusion-related fines it previously collected from Heartland’s sponsoring bank acquirers and provide details of the settlement to eligible issuers in the coming days, Heartland said in a statement.

[Press Release omitted Bob]

Basic management control. Know the flow of records and investigate any anomalies!

UMC lacks way to log patients’ records

By Dissent, January 8, 2010 6:59 am

Marshall Allen updates us on a recent breach involving allegations that insider(s) accessed and sold patient data to local attorney(s):

University Medical Center has no system to track patient records, leading to numerous instances in which hospital paperwork containing Social Security numbers, birth dates and other private information goes missing, a state investigation has found.

The investigation was triggered by a Las Vegas Sun story revealing that patient records of traffic injury victims were being systematically leaked from UMC, allegedly to ambulance-chasing attorneys in search of clients. The breach, an apparent violation of federal law, is also being investigated by the FBI.

The Nevada State Health Division examined the public hospital’s methods for protecting patient privacy. It released its report Thursday.


After reading the report, Jeffrey Drummond, a Dallas attorney who specializes in helping hospitals comply with patient privacy laws, said it’s rare for a facility to take such a “cavalier” attitude toward securing sensitive information. [I suspect it is not rare. Perhaps the public rarely hears about it... Bob]

“This strikes me as pretty outrageous,” he said. “The lack of control over what’s going on in the hospital with regard to patient information, if this (report) is remotely true, seems outrageous.”


Washington, D.C., attorney Kirk Nahra, who also specializes in hospital privacy compliance, offered a more nuanced view of the report. There’s nothing in the document that directly relates to the leak of the face sheets originally reported in the Sun, he said, and even the most stringent privacy practices can’t stop an employee who wants to commit a criminal act.

A trauma center is a chaotic place where hospitals balance caring for the needs of patients with protecting their private information, Nahra said. The same kinds of problems reported by the state could be found in other emergency rooms, he said, though they should serve as a wake-up call to UMC.

Read more in The Las Vegas Sun.

Balancing? Keeping track of where you file multiple copies of a medical record and keeping track of access to records does not interfere with patient care, particularly when some of the recording is automated through software. In fact, having a system that enables you to know where to find information can speed up health care. Having been involved in emergency care in the past, I could agree with Kirk if he argued that occasionally, a copy of a file might get lost or misplaced in an emergency room, but to minimize the failure to have a system in place for monitoring access is just excusing sloppy security and privacy practices. The fact that it may also occur in other emergency rooms does not minimize the importance of the problem, if the report is accurate.

Now this looks like “anonymized data” to me. Are schedules covered by HIPAA? Apparently. (Is vindictiveness a disease?)

MS: Woman out of a job after sending tweet to Governor Barbour

By Dissent, January 8, 2010 9:22 am

Julie Straw of WDAM reports:

A tweet to Governor Haley Barbour ended with a University Medical Center employee resigning from her job. She said she was simply using the social networking site Twitter to exercise her right to freedom of speech. UMC officials said it was a violation of privacy laws.

Last Tuesday afternoon Governor Haley Barbour wrote this on his Twitter page, “Glad the Legislature recognizes our dire fiscal situation. Look forward to hearing their ideas on how to trim expenses.”

Less than an hour later Jennifer Carter, a former administrative assistant for UMC’s nursing school, tweeted this to Governor Barbour, “Schedule regular medical exams like everyone else instead of paying UMC employees over time to do it when clinics are usually closed.”

Carter was referring to an incident she was told about by several UMC staffers three years ago. She claims the Governor came to the Pavilion on a Saturday when it is usually closed and had it specially staffed with 15-20 people all for a check up.

“I wasn’t really jabbing at him. That’s just what people do on Twitter,” said Carter.

Two days later Carter was contacted by UMC’s Department of Compliance for violation of HIPAA Laws.

She said the Compliance Department told her the Governor’s Office had tracked her down and told them to deal with her.

“I was told I would be suspended for three days without pay until the paper work could be done. I was strongly encouraged to resign,” said Carter. She did resign.

Carter doesn’t believe her Tweet broke any privacy laws that protect patients.

Read more on WDAM.

I’m surprised that Carter doesn’t recognize that revealing anything she learned about him or his medical appointments through her employment is a HIPAA violation. Could someone reading the tweet not realize that she was referring directly to him? I suppose, but the fact is she knew she was referring to his visit to UMC and that means she was disclosing information that should not have been disclosed. At least that’s how I see it.

There must not be a large music or film industry in Oregon.

Senator Demands IP Treaty Details

By David Kravets January 7, 2010 5:39 pm

That a U.S. senator must ask a federal agency to share information regarding a proposed and “classified” international anti-counterfeiting accord the government has already disclosed is alarming. Especially when the info has been given to Hollywood, the recording industry, software makers and even some digital-rights groups. [“Yeah, but we trust them!” Bob]

Sen. Ron Wyden (D-Oregon) is demanding that U.S. Trade Representative Ron Kirk confirm leaks surrounding the unfinished Anti-Counterfeiting Trade Agreement, being negotiated largely between the European Union and United States. Among other things, Wyden wants to know if the deal creates international guidelines that mean consumers lose internet access if they are believed to be digital copyright scofflaws.

Read More

So that's where that email came from. Instead of “Bob is on vacation” it replies “Got Viagra?” If Chinese hackers could write clear English, this might have been more successful.

Hotmailers Hawking Hoax Hunan Half-Offs

Posted by kdawson on Thursday January 07, @04:05PM from the how-horrific dept.

Frequent Slashdot contributor Bennett Haselton writes

"An estimated 200,000 Hotmail users currently have their auto-reply set to a message spamming an advertisement for Chinese scam websites, which sell "discounted" electronics. Presumably the spammers compromised a large number of Hotmail accounts to pull this off, but wouldn't it be pretty easy for Hotmail to query for which users have that set as their auto-reply, and turn the auto-reply off for them?"

Read below for Bennett's thoughts.

After a recent mailing that I sent out to a subset of my proxy mailing list, I got back 18 auto-replies from Hotmail users, all substantially similar to this:

[Long post follows Bob]

For all you stalkers

Hack Pinpoints Victim's Physical Location

'Samy worm' writer publishes proof-of-concept that gleans home router GPS coordinates

Jan 06, 2010 | 03:38 PM By Kelly Jackson Higgins DarkReading

Samy might know where you live: Samy Kamkar, the hacker who spread the massive MySpace worm in 2005, has published a proof-of-concept attack that identifies a victim's geographic location via his home router.

Kamkar says it all started when he found a cross-site scripting (XSS) bug in a Verizon FiOS wireless router, which allowed him to grab the browser's MAC address and then map it to the GPS coordinates via Google Location Services. The attack works on any browser and doesn't rely on browser-based geolocation features.

(Related) The flip side of stalking?

Bank Thieves Foiled by GPS-Spiked Cash

By Kim Zetter January 7, 2010 3:50 pm

Forget exploding dye packs. Three thieves who made off with about $9,000 in cash from an Illinois bank were thwarted by a GPS device inserted in the cash that led authorities straight to their door, according to the Chicago Tribune.

Read More

Canada has something like this, but it's a CD tax. So if I claim copyright on my Blog, will France and Canada send me money? If not, should I sue them?

France Considers 'Pirate Tax' For Online Ads

Posted by samzenpus on Friday January 08, @04:36AM from the somone-has-to-pay dept.

angry tapir writes

"A report commissioned by the French Minister of Culture Frédéric Mitterrand urges the introduction of a tax on online advertising such as that carried by Google, which would be used to pay the creators of artistic and other works that lose out to online piracy."

(Related) Owning a copyright makes you crazy?

Mexico Wants Payment For Aztec Images

Posted by samzenpus on Thursday January 07, @10:44PM from the montezuma's-latest-revenge dept.

innocent_white_lamb writes

"Starbucks brought out a line of cups with prehistoric Aztec images on them. Now the government of Mexico wants them to pay for the use of the images. Does the copyright on an image last hundreds of years?"

I don't suppose they'd allow me to become a utility – my level of campaign contributions is too low.

Google launches a utility as DOE funds data center efficiency

With opportunities abounding in renewable power and energy efficiency, traditional IT companies are making some rather aggressive moves into this market. This week, Google announced that it will launch its own utility, while Yahoo has found a source of funds for a new data center: the Department of Energy.

By John Timmer Last updated January 7, 2010 12:33 PM

Always good for breaking stereotypes. Those “fat cat” Republicans only get two of the top ten slots. Most, of course, got their money the old fashioned ways (marriage or inheritance). But it's always comforting to know that Congressmen are just like real citizens.

January 07, 2010

The Richest Members of the US Congress

Center for Responsive Politics - Personal Finances Disclosures: "In some ways, lawmakers' finances look a lot like those of many Americans. They include diverse portfolios of stocks, bonds, mutual funds and real estate. They have bank accounts, credit cards and mortgages. The difference: Politicians generally have more money and—unlike most people they represent—they must make their investments public. By May 15 of each year, congressional members and top officials in the executive branch must file forms covering the preceding calendar year that detail their personal finances. By law, they must list their assets and liabilities, their income (excluding their government salaries, oddly), asset transactions, gifts they received and more. They need not list property unless it produces income, meaning their primary residence is generally not listed. But they must include the source of their spouse's income. Explore the holdings and activity of a particular politician or search through our database by keyword or organization to see who has holdings in your company or asset of choice."

(Related) I can't do this – I barely recognize myself when I look in the mirror. Perhaps we can get some of those poorer Congressmen to tweet about their love of Big Macs...

The Secret Business of Celebrity Tweets

By Steven Avalos Posted Jan 5th 2010 03:03PM

Are celebs being paid to tweet about brands or services? Nicole Richie, Kim Kardashian, Whitney Port and Audrina Patridge can reportedly earn up to $10,000 per tweet for companies including Sony and Nestle. Say it ain't so. OK! Magazine reports on the dark underbelly of the Twitterverse, and you may never look at social media the same again!

… The biggest earners are Britney Spears and P. Diddy who could earn up to $20,000 per tweet. $20K. Per tweet.

Mark your calendars

Webinar: “The State of U.S. Healthcare Privacy – Survey Results and Expert Perspectives”

By Dissent, January 7, 2010 1:52 pm

I received this notice of an educational webinar titled “The State of U.S. Healthcare Privacy – Survey Results and Expert Perspectives”, featuring Deven McGraw, Director of the Privacy Project at the Center for Democracy and Technology (full bio), and John Houston, Vice President; Information Security and Privacy; Assistant Counsel at the University of Pittsburgh Medical Center (full bio).

Date: Wednesday, January 27th, 2010 Time: 11:00 Pacific / 2:00 Eastern

Interesting. Looks like an RSS reader for Tweets. If they use my Tweet, can I demand royalties?

Sky News Orders All Journalists to Install Tweetdeck

by Zee on January 7, 2010

Sky News is installing Twitter’s most popular application Tweetdeck on all of its journalists’ computers in the hope that it will stir the use of social media for newsgathering and reporting.

Thursday, January 07, 2010

And today's “Well, DUH!” Award goes to...

Heartland breach shows why compliance is not enough

January 6, 2010 by admin Filed under Commentaries and Analyses, Financial Sector

Jaikumar Vijayan reports:

The [Heartland] intrusion led to the “stark realization that passing a PCI security audit does not make a company secure,” said Avivah Litan, an analyst at research firm Gartner Inc. “This was known well before the breach, but Heartland served as a big pail of ice water thrown on the face of companies complying with PCI,” she said.

The intrusion highlighted “very clearly and with no uncertain doubt” that companies needed to worry about securing their systems first rather than complying with PCI standards, Litan said. The Heartland breach showed that it was worth it for companies to go beyond the requirements of the PCI standard by implementing technologies such as end-to-end encryption for protecting cardholder data, she added.

The Heartland incident showed that compliance with standards such as PCI is meaningless unless there is a way of monitoring that compliance on a continuous basis, said Philip Lieberman, CEO of Lieberman Software Corp., a Los Angeles-based vendor of identity management products.

“There is nothing wrong with PCI. It is a good standard,” Lieberman said. “But it also has a fundamental flaw.” PCI compliance, he said, is a “point-in-time” certification of a company’s readiness to handle security threats. However, there is no continuous process for monitoring compliance built into the PCI standard, he said. As a result, there is no way of knowing if a company that was certified as being compliant one day is still maintaining that compliance the next day.

Read more on Computerworld.


Companies have just months to replace old wireless payments systems

January 7, 2010 by admin Filed under Uncategorized

Retailers and caterers have just six months to replace old systems if they are to continue to use wireless card payment technology. The industry payment security body might revoke the right to process cards for companies that do not upgrade their technology.

The Payment Card Industry (PCI)’s Data Security Standard (DSS) is the set of technical requirements which must be met by retailers who want to process cards.

It was changed in 2008 to ban the use of Wired Equivalent Privacy (WEP) technology in the transmission of card details from mobile card terminals to the main part of a system.


[From the article:

From last year companies were barred from installing new systems that use WEP and from June of this year companies will be stopped from using WEP-based systems at all. The PCI's Security Standards Council (SSC) said that any company still using WEP after that date would not be compliant with PCI DSS. [What's wrong with this picture: WEP encryption is not compliant, but you are still PCI compliant until June. Bob]

For your C-level managers and your Security Manager

Enterprise Security For the Executive

Posted by samzenpus on Wednesday January 06, @01:56PM from the read-all-about-it dept.

brothke writes

[A book review. Bob]

One thing that Bayuk does very well repeatedly throughout the book is to succinctly identify an issue and its cause. In chapter 6 — Navigating the Regulatory Landscape — she writes that if a CxO does not have management control over an organization, then the organization will fail the audit. It will fail because even if the organization is secure today, there is no assurance that it will be going forward. In addition, control means that the CxO will ensure that the organization is attempting to do the right thing. And in such cases, passing an audit is much easier.

For your Security Manager. Should I be offended that I didn't get this Phishing email?

Fake "Bill Gates" Message Dupes Top Tools

Posted by timothy on Wednesday January 06, @05:00PM from the top-tools-are-working-on-it-top-tools dept.

yahoi writes with this excerpt from Dark Reading that might raise sysadmins' eyebrows about email security, in particular given the big names involved:

"A researcher who conducted a successful spear-phishing experiment with a phony LinkedIn invitation from 'Bill Gates' is about to reveal the email products and services that failed to filter the spoofed message — and that list includes Microsoft Outlook 2007, Microsoft Exchange, Outlook Express, and Cisco IronPort. ... The experiment was aimed at measuring the effectiveness of email security controls in several major products and services. And the simplicity and success of the test demonstrated just how powerful social engineering can be and what little technology can actually do about it, security experts say."

Very political. Comments are split between Liberal and Conservative. Sad that there is no consensus on how to secure our borders.

War Blogger May Sue Over Handcuffing At Seattle Airport

January 7, 2010 by Dissent Filed under Featured Headlines, Surveillance

Declan McCullagh writes:

A blogospheric flap complete with threats of legal action has arisen after Michael Yon, the popular war blogger and former Green Beret, said he was detained upon returning to the United States and asked about how much money he makes every year.

Yon posted on Facebook on Tuesday that he was handcuffed and “arrested at the Seattle airport” for refusing questions, including ones related to his annual income, that “had nothing to do with national security.”

Read more on the flap on CBS.

Declan provides links to a number of commentaries, including a post by former undersecretary for policy at Homeland Security, Stewart Baker, with the catchy title, “Actually, a Chip That Big Will Have to Come Off Your Shoulder and Go Through the X-Ray.” But as he points out, the public does not have full information on the incident from either side.

(Related) Are border guards delusional or do they make this stuff up to justify the funds spent?

January 06, 2010

UK E-Borders Program

"The UK Border Agency is responsible for delivering the e-Borders programme, and we are doing so with the support of the police and HM Revenue & Customs. We are working closely with the travel industries, whose support is crucial to the programme's success. Information will be gathered on all travellers, passengers and crew entering or leaving the country by air, sea or rail. It will allow us to identify passengers who are a potential risk and alert the relevant authorities."

[Of course they cannot identify “passengers who are a potential risk” by the information this program provides. They can match the names to another list, and if Osama bin Laden travels under his own name they can be ready to welcome him to the UK. Bob]

New laws to ignore!

Nevada and New Hampshire Data Security and Privacy Laws Take Effect

By Dissent, January 7, 2010 8:50 am

[From the article:

February 2010, the federal regulations addressing breaches of unsecured PHI will become effective.

No doubt this “secret law” came as a great shock to HHS. (Shame on Congress for pulling a Dean Wormer) If they had had a few months advance warning, no doubt they would already be posting these reports.

More on the HITECH-mandated breach reports on HHS

By Dissent, January 6, 2010 1:40 pm

Several weeks ago, I initiated an inquiry about the breach reports that I expected to see on HHS’s web site. Under the new HITECH Act provisions, covered entities experiencing breaches involving the unsecured PHI of 500 or more patients are required to report the incident to HHS – if the incident meets the “harm threshold” that HHS added to the regulations despite the language of the statute and Congress’s clear intentions. Did the harm threshold give everyone a “pass” on reporting incidents to HHS, or is HHS just behind in getting the reports up on their web site? Inquiring minds wanted to know.

As it turns out, HHS has received breach reports under the new law, but is first working out a number of issues before reports will be uploaded to their site. According to a senior health information privacy specialist with whom I spoke yesterday, HHS has not yet determined whether the reports submitted to it in various formats should be uploaded as is or whether some “user-friendly” report should be provided by HHS for the incident. HHS is also reportedly concerned about going through documentation carefully to ensure that they do not accidentally publicly reveal any personal information that might be contained in any reports. According to the specialist, HHS has not created or disseminated any template for covered entities to use in reporting incidents.

Predictably, I tried to encourage HHS to just upload what they get — just as a number of states do. While HHS is uploading what they already have, they can develop a template that includes the kind of details those of us who track and analyze breaches will find helpful. Somehow I doubt they’ll take my well-meant advice, however.

So when will we actually see the first reports showing up on HHS’s web site? The specialist could not say, but I hope the fact that HHS knows that people are waiting and inquiring will encourage them to get the information out to the public sooner rather than later. Nor did the specialist know how many reports HHS has already received, but he did say that they were receiving reports from all over.

In the meantime, I’ll just sit over here and wonder about what we’ll learn when reports are finally available for public inspection.

I doubt anyone will read this before buying.

Updated and Corrected: E-Book Buyer’s Guide to Privacy

January 7, 2010 by Dissent Filed under Internet

Ed Bayley of EFF writes:

A few weeks ago, EFF published its first draft of a Buyer’s Guide to E-Book Privacy, which summarized and commented on the privacy-related policies and behaviors of several e-readers. In that first draft we incorporated the actual language of the privacy policies as much as possible, which unfortunately created some confusion since companies generally use different language to address similar issues. We also did a few other things clumsily.

Since then, thanks to the feedback and corrections we’ve received, we’ve made some updates and corrections to the guide which we hope will make it more useful. First, we’ve re-written many of the questions and answers to provide more clarity about the behavior of each e-reader. Second, we’ve tried to point out where companies’ privacy policies themselves are unclear on particular issues. And finally, we’ve made the whole thing easier to read by changing its visual layout.

No more secret agents. (Get it? Agents... Agency...) How are organizations going to stop this?

Businesses May be Liable for Employee Statements on Social Networking Sites, says new FTC Guidelines

January 7, 2010 by Dissent Filed under Businesses, Internet, Workplace

Michael Overly writes:

New FTC guidelines that went into effect on December 1, 2009, may impose liability on businesses for statements their employees make on social networking sites like Facebook, Twitter, LinkedIn, MySpace, personal blogs, and other sites – even if the company had no actual knowledge those statements were being made. Specifically, if an employee makes comments about the business’ products and services and that employee fails to disclose their employment relationship with the business, the business may be subject to an enforcement action for deceptive endorsements.

The FTC guidelines state that where a connection exists between the speaker and the company selling the products and/or services and that connection would materially affect the weight or credibility of the speaker’s statements, the connection must be fully disclosed.

Read more on CSO.

There's an army out to get you... (Computer Security test question: Name them.)

Today’s burning question

January 6, 2010 by admin Filed under Malware

How many new strains of malware were identified in 2009?

(a) 12,186,379
(b) about 18 million
(c) over 25 million

Answer: (c), according to PandaLabs. Read more on InfoWorld.

Know your target

January 06, 2010

Pew: Updated Demographics for Internet, Broadband and Wireless Users

Updated Demographics for Internet, Broadband and Wireless Users, January 5, 2010

  • "74% of American adults (ages 18 and older) use the internet -- a slight drop from our survey in April 2009, which did not include Spanish interviews. At that time we found that 79% of English-speaking adults use the internet.

  • 60% of American adults use broadband connections at home -- a drop that is within the margin of error from 63% found in April 2009.

  • 55% of American adults connect to the internet wirelessly, either through a WiFi or WiMax connection via their laptops or through a handheld device like a smart phone. This figure did not change in a statistically significant way during 2009."

Useful stuff?

January 06, 2010

What's New in THOMAS

News release: "Several changes have been made to THOMAS for the second session of the 111th Congress. These changes include: Bookmarking and Sharing Widget; Top Five Bills; New RSS feed: Bills Presented to the President; Contacting Members of Congress; Tip of the Week; Bill Text PDFs."

Trekkies will love it!

Turn Your Android Phone Into A Real Star Trek Tricorder

By Ryan Dube on Jan. 6th, 2010

Humor? They claim not.

Mobile phone emissions reverse the effects of Alzheimer's

by Stevie Smith - Jan 7 2010, 10:22

The future according to Jonathan (an hour long video)

Jonathan Zittrain Predicts Web 3.0 Will Be More Human

Today only!

Giveaway of the Day - Streaming Video Recorder 2.0.7

Wednesday, January 06, 2010

The numbers always grow – although rarely by a factor of 6...

(NARA update) More potential victims of identity theft notified of hard-drive loss

January 5, 2010 by admin Filed under Breach Incidents, Government Sector, Lost or Missing, U.S.

Elise Castelli reports:

The National Archives and Records Administration last month warned 150,000 more people who interacted with the Clinton administration that their personal information may be at risk after a hard drive was lost.

The December letters were the second batch sent in connection with the March data loss. Previously, NARA mailed more than 26,000 letters to potential identity theft victims, according to the agency’s Jan. 4 statement. Data on the drive included the names and Social Security numbers of White House employees, job applicants and White House visitors.

In the letters, NARA offers affected individuals one year of free credit monitoring, identify theft insurance and fraud resolution assistance through the credit monitoring firm Experian.


This may be the hack of 2010. All you need do is scan for default or simple passwords to initiate the transfers, and someone on the other end to withdraw the money before the victim catches on.

Hacker steals $3M from Duanesburg schools

January 5, 2010 by admin Filed under Education Sector

Paul Nelson reports:

A computer hacker stole $3 million from the Duanesburg Central School District last month and transferred the money to overseas banks, school officials said today.

The thefts occurred between Dec. 18 and Dec. 21. The district’s bank, NBT Bank, noticed the questionable money transfers on Dec. 22 and alerted the district, Superintendent Christine Crowley said.

The FBI is investigating the theft.

So far, the district has been able to recover $2.5 million of the money. Crowley said the school is confident it will recover the rest of the money.

Crowley said no one with the district or its bank are considered suspects.


Interesting to non-lawyer-me. If this data was the result of a hack, it is necessary to review it (how else do you know who to notify?). But can it be used as evidence without verification?

Hackers May Have Unearthed Dirt on Stanford

January 6, 2010 by admin Filed under Breach Incidents, Financial Sector, Hack, Of Note

Brian Krebs writes:

In early 2008, while federal investigators were busy investigating disgraced financier Robert Allen Stanford for his part in an alleged $8 billion fraudulent investment scheme, Eastern European hackers were quietly hoovering up tens of thousands of customer financial records from the Bank of Antigua, an institution formerly owned by the Stanford Group.


Once inside of Stanford’s network, the unidentified hackers appear to have swiped the credentials from an internal network administrator, and soon had downloaded the user names and password hashes for more than 1,000 employees of Stanford Financial, Stanford Group, Stanford Trust, and Stanford International Bank Ltd.

Among the purloined files is a listing of what appear to be ownership and balance information for tens of thousands of customer accounts at Bank of Antigua. Each listing includes the account number, owner’s name, address, balance, and accrued interest.


[From the Krebs site:

On the condition of anonymity, the investigator shared with this author files recovered from the breach, which were stored in plain text for at least several weeks on a Web site controlled by the attackers. This source said he forwarded the same information on to the FBI shortly after discovering it in early 2008.

I never said dates couldn't be a problem. What I said was, “Testing for date problems is so easy even a caveman could do it.”


Posted by kdawson on Wednesday January 06, @01:54AM from the wait-till-two-oh-thirty-eight dept.

After our recent discussion of decimal/hexadecimal confusion at the turn of 2010, alphadogg writes in with a Network World survey of wider problems caused by the date change.

"A decade after the Y2K crisis, date changes still pose technology problems, making some security software upgrades difficult and locking millions of bank ATM users out of their accounts. Chips used in bank cards to identify account numbers could not read the year 2010 properly, making it impossible for ATMs and point of sale machines in Germany to read debit cards of 30 million people since New Year's Day, according to published reports. The workaround is to reprogram the machines so the chips don't have to deal with the number. In Australia, point-of-sales machines skipped ahead to 2016 rather than 2010 at midnight Dec. 31, rendering them unusable by retailers, some of whom reported thousands of dollars in lost sales. Meanwhile Symantec's network-access control software that is supposed to check whether spam and virus definitions have been updated recently enough fails because of this 2010 problem."
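The decimal/hexadecimal confusion referred to above, worked through as an added example (constructed here, not code from any card, terminal or vendor named in the excerpt): a two-digit year stored as binary-coded decimal reads as 2016 when a reader treats the byte as plain binary, and a year stored in binary may not decode at all when a reader expects BCD. Both mismatches are invisible for 2000 through 2009 and first surface in 2010; whether either is the exact cause in the German or Australian terminals is not stated in the excerpt and is an assumption of this illustration.

```python
"""Two-digit years: BCD versus plain binary, and why 2010 is the first
year the two encodings disagree.

Constructed illustration, not code from any affected product. Many
embedded clocks and card applications store the two-digit year as
binary-coded decimal (BCD): one decimal digit per nibble, so the year
10 is the byte 0x10. A reader that treats that byte as a plain binary
number sees 16 and reports 2016. The reverse mismatch (binary writer,
BCD reader) hands the reader 0x0A for 2010, which is not valid BCD at
all. For 2000 to 2009 the two encodings coincide byte for byte, so
neither bug can appear before 2010.
"""

from typing import Dict, Optional, Tuple


def encode_year_bcd(year: int) -> int:
    """Encode a 20xx year as one BCD byte: 2010 -> 0x10, 2099 -> 0x99."""
    if not 2000 <= year <= 2099:
        raise ValueError("only years 2000-2099 fit one BCD byte here")
    yy = year - 2000
    return ((yy // 10) << 4) | (yy % 10)


def encode_year_binary(year: int) -> int:
    """Encode a 20xx year as a plain binary byte: 2010 -> 0x0A."""
    if not 2000 <= year <= 2255:
        raise ValueError("only years 2000-2255 fit one binary byte")
    return year - 2000


def decode_year_bcd(byte: int) -> int:
    """Strict BCD decoder: each nibble must be a decimal digit (0-9)."""
    high, low = byte >> 4, byte & 0x0F
    if high > 9 or low > 9:
        raise ValueError(f"0x{byte:02X} is not a valid BCD byte")
    return 2000 + high * 10 + low


def decode_year_binary(byte: int) -> int:
    """Reader that (wrongly, for BCD data) treats the byte as binary."""
    return 2000 + byte


def check_mixed_encodings(start: int = 2000, end: int = 2099
                          ) -> Dict[int, Tuple[int, Optional[int]]]:
    """Model both writer/reader mismatches for every year in [start, end].

    Returns {year: (bcd_written_read_as_binary, binary_written_read_as_bcd)}
    for each year where at least one reading is wrong; None means the
    strict BCD reader rejected the byte. Sweeping a whole century like
    this is the boundary test a vendor can run long before the date hits.
    """
    failures: Dict[int, Tuple[int, Optional[int]]] = {}
    for year in range(start, end + 1):
        # Mismatch A: card/clock writes BCD, reader decodes it as binary.
        as_binary = decode_year_binary(encode_year_bcd(year))
        # Mismatch B: card/clock writes binary, reader decodes it as BCD.
        try:
            as_bcd: Optional[int] = decode_year_bcd(encode_year_binary(year))
        except ValueError:
            as_bcd = None
        if as_binary != year or as_bcd != year:
            failures[year] = (as_binary, as_bcd)
    return failures


def first_divergent_year(start: int = 2000, end: int = 2099) -> Optional[int]:
    """Earliest year in the range where either mismatch gives a wrong result."""
    failures = check_mixed_encodings(start, end)
    return min(failures) if failures else None


if __name__ == "__main__":
    for year, (as_binary, as_bcd) in sorted(check_mixed_encodings(2008, 2017).items()):
        bcd_read = "unreadable" if as_bcd is None else str(as_bcd)
        print(f"{year}: BCD byte read as binary -> {as_binary}; "
              f"binary byte read as BCD -> {bcd_read}")
```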

You know you have arrived in the digital age when lawyers are instructed to build digital reference books...

January 05, 2010

Establishing Guidance for Prosecutors Regarding Criminal Discovery

Issuance of Guidance and Summary of Actions Taken in Response to the Report of the Department of Justice Criminal Discovery and Case Management Working Group, David W. Ogden, Deputy Attorney General, January 4, 2010

  • "By making deliberate choices regarding discovery issues, prosecutors are most likely to comply with discovery obligations imposed by law and Department policy and assure that the goals of a prosecution are met. By separate memorandum to the United States Attorneys and to the heads of components that prosecute criminal cases, I am directing that each USAO and component develop a discovery policy that establishes discovery practice within the district or component. This directive will assure that USAOs and components have developed a discovery strategy that is consistent with the guidance and takes into account controlling precedent, existing local practices, and judicial expectations."

From the article:

Create an online directory of resources pertaining to discovery issues that will be available to all prosecutors at their desktop

I would never say that the Democrats are concerned that Health Care costs are not rising as fast as they used to. I would never say that is why they want to pass a law requiring every American to buy more Health Care. Not me. I would never say that.

January 05, 2010

CMS Issues Annual Report on National Health Spending

Health Spending Growth At A Historic Low In 2008: "In 2008, U.S. health care spending growth slowed to 4.4 percent—the slowest rate of growth over the past forty-eight years. The deceleration was broadly based for nearly all payers and health care goods and services, as growth in both price and nonprice factors slowed amid the recession. Despite the slowdown, national health spending reached $2.3 trillion, or $7,681 per person, and the health care portion of gross domestic product (GDP) grew from 15.9 percent in 2007 to 16.2 percent in 2008. These developments reflect the general pattern that larger increases in the health spending share of GDP generally occur during or just after periods of economic recession. Despite the overall slowdown in national health spending growth, increases in this spending continue to outpace growth in the resources available to pay for it."

  • National Health Expenditure Data - "The National Health Expenditure Accounts (NHEA) are the official estimates of total health care spending in the United States. Dating back to 1960, the NHEA measures annual U.S. expenditures for health care goods and services, public health activities, program administration, the net cost of private insurance, and research and other investment related to health care. The data are presented by type of service, sources of funding, and by sponsors."

Competitive vacuum # 906 (and you thought it was dangerous to be texting while driving).

Bringing Free Television To Phones In America

Posted by kdawson on Tuesday January 05, @04:11PM from the all-upside dept.

ideonexus writes

"South Korea, China, Brazil, parts of Europe, and Japan have been watching television on their phones for free since 2005, but American mobile carriers are struggling to offer clunky streaming video using Qualcomm's proprietary MediaFLO system for an additional monthly fee and excessive bandwidth demands. Now, with America having gone digital in June, if Mobile carriers were to have ATSC M/H (advanced television systems committee — mobile/handheld) television-tuner chips built into their handsets it sounds like we could enjoy free TV on our cell phones too; however, these companies have already invested a great deal of money adapting their networks to Qualcomm's format and Qualcomm is considering becoming a mobile television distributor itself."

For my website class

HTML Slidy: Slide Shows in XHTML

Yo! Yo! Yo! Check it out bro! After you get your Mozart tattoo, here's where you can grab some tunes!

The 3 Best Free Classical Music Download Sites

By Tina on Jan. 5th, 2010 is the classical pendant to iTunes. It contains over 450,000 tracks from 3,290 composers, which can be downloaded in exchange for a small fee.

Every week, however, an entire album is available to download for free.


This Wikipedia site is a huge repository of free classical music.

Classic Cat

Classic Cat is the Google of classical music. The index of this classical catalog comprises over 5000 free to download pieces.

Tuesday, January 05, 2010

You can't stop customers from leaving. If they have had reports of “hackers” canceling user accounts, it's already too late to protect them. Fix it and move on!

Facebook blocks social network profile removal service

January 5, 2010 by Dissent Filed under Internet

Last week, this site reported that had received a cease and desist letter from Facebook over its service that enabled people to commit “virtual suicide” on Facebook. Now BBC reports that another web site, Web 2.0 Suicide Machine, has been blocked by Facebook.

Social network giant Facebook has blocked a website from accessing people’s profiles in order to delete their online presence.

The site, Web 2.0 Suicide Machine, offers to remove users from Facebook, Twitter, LinkedIn and Myspace.

It does not delete their accounts but changes the passwords and removes “friend” connections., which offers a similar service, was issued with a “cease and desist” letter by Facebook in 2009.

Netherlands-based moddr, behind Web 2.0 Suicide Machine, says it believes that “everyone should have the right to disconnect”.

However Facebook says that by collecting login credentials, the site violates its Statement of Rights and Responsibilities (SRR).

Read more on BBC.

If Facebook really respects user privacy and user control, shouldn’t a user have the right to give their login credentials to whomever they want?

Perhaps we should ask anyone who wants to fly for “naked pictures” to compare to the images the machine returns? Or we could have “his” and “hers” lines at the airport? (or is that sexist?)

UK, Germany raise concerns about airport scanners

January 5, 2010 by Dissent Filed under Non-U.S., Surveillance, Youth

Alan Travis reports:

The rapid introduction of full body scanners at British airports threatens to breach child protection laws which ban the creation of indecent images of children, the Guardian has learned.

Privacy campaigners claim the images created by the machines are so graphic they amount to “virtual strip-searching” and have called for safeguards to protect the privacy of passengers involved.

Ministers now face having to exempt under 18s from the scans or face the delays of introducing new legislation to ensure airport security staff do not commit offences under child pornography laws.

Read more in The Guardian.

Meanwhile, over in Germany:

Germany’s data protection commissioner, Peter Schaar, has warned officials not to rush the implementation of controversial full-body scanners at airport security stations following a failed terrorist attack last month, daily Frankfurter Rundschau reported on Tuesday.

“So far I have not seen a machine that protects personal rights,” Schaar told the paper, adding that the machines must be able to tell the difference between foreign objects and medical prosthetics or implants.

“The improvement that the naked images are no longer visible on the monitors is not enough on its own,” he said.

Read more in The Local (De).

(Related) No doubt this was prompted by TSA's plan to use those full body imagers on everyone (for political correctness) including those they clearly do not suspect of planning terrorism.

Can the Police Now Use Thermal Imaging Devices Without a Warrant?

January 4, 2010 by Dissent Filed under Court, Featured Headlines, Surveillance

Orin Kerr writes:

In Kyllo v. United States, 533 U.S. 27 (2001), the Supreme Court held that it violated the Fourth Amendment to direct an infrared thermal imaging device at a home without a warrant to determine the home’s temperature. This post asks whether that result is still good law. I realize that probably sounds a bit nutty at first, as Kyllo is only a few years old. But Kyllo deliberately adopted a test designed to let the result change with social practice. This post asks whether changing social practices already allow the police to use thermal imaging devices without a warrant.

I’ll look at the problem in three steps. First, I’ll explain the relevant Fourth Amendment test from Kyllo. Second, I’ll explain how technology and social practice have changed in the eight-and-a-half years since the Kyllo decision. And third, I’ll put the pieces together and ask whether Kyllo’s result remains good law. My bottom line: I’m not really sure, but there is a decent case to be made that the police can now use thermal imaging devices without a warrant consistently with Kyllo.

Read more on The Volokh Conspiracy.

Some years ago, a study reported that since rubber bullets were “non-lethal” they were used much more frequently in Northern Ireland than any other devices or methods prior to their introduction. (If all you have is a hammer, every problem looks like a nail.)

Court to Cops: Stop Tasing People into Compliance

By David Hambling January 4, 2010 9:33 am

Winning the hearts and minds of consumers everywhere...

Best Buy $39.95 "Optimization" At Best a Waste of Money

Posted by ScuttleMonkey on Monday January 04, @04:30PM from the hooray-for-corporate-scams dept.

DCFC writes

"The Consumerist deconstructs the appalling 'optimization service' that Best Buy has been pushing on consumers in recent weeks. The retailer charges 40 bucks to give you a slower PC, and make bizarre claims that it makes it go 200% faster. 'We ran the 3DMark 2003 graphics benchmark on each laptop, comparing optimized and non-optimized settings. For two of our samples, the Gateway and Toshiba, performance changes were negligible. On the Asus laptop, however, optimized tests actually scored about 32% worse than the non-optimized setup. We have been unable to isolate the source of this performance change. On none of the three tested laptops did the optimized settings give a performance boost in our test.'"

A modest proposal: Let's call these massive, record cold waves “Al Gore Heat Waves” after the man who invented them.

January 04, 2010

Blanket of Cold Weather One of Nation's Most Widespread Since January 1985 "An Arctic blast swept across a large swath of the U.S. on Monday, sending temperatures plunging from Minnesota to Florida and bringing a bone-chilling start to the first workweek of the year... Temperatures fell below zero from the Great Plains to the Northeast, following a weekend of heavy snow. The reading of minus-16 degrees in St. Joseph, Mo., Monday marked the city's coldest Jan. 4 since 1947, while minus-37 in International Falls, Minn., Sunday was the coldest there since 1911, said Frank Pereira, a meteorologist at the National Weather Service. Dallas, Jacksonville, Fla., and Little Rock, Ark., fell nearly 20 degrees below their average temperatures for this time of year on Monday, he said. The cold snap is one of the nation's most widespread since January 1985, according to meteorologists at While the cold is expected to ease slightly starting Thursday, this winter is on track to be one of the coldest in the past decade or two, said Ken Reeves, director of forecasting operations at"

Useful hacks.

Understanding Windows 7's 'GodMode'

by Ina Fried January 4, 2010 12:41 PM PST

Although its name suggests perhaps even grander capabilities, Windows enthusiasts are excited over the discovery of a hidden "GodMode" feature that lets users access all of the operating system's control panels from within a single folder.

By creating a new folder in Windows 7 and renaming it with a certain text string at the end, users are able to have a single place to do everything from changing the look of the mouse pointer to making a new hard-drive partition.

For all my students. Definitely worth a read, but it could be greatly expanded.

The Complete Guidebook To Web Searching [PDF]

By Simon Slangen on Jan. 4th, 2010

… Don’t just stand there waiting, it’s free! You can find The Guidebook to Internet Searching in PDF, but also read it online on

(Related) For my twit students? I have long regretted the fact that there are no “how to” guides for new yet widespread technologies.

An Inside Look At A Twitter Style Guide: 140 Characters

by Daniel Brusilovsky on January 4, 2010