Hacking Takes Lead as Top Cause of Data Breaches
Hacking has topped human error as the top cause of reported data breaches for the first time since such tracking began in 2007, according to the Identity Theft Resource Center’s 2009 Breach Report.
In its report, titled “Data Breaches: The Insanity Continues,” the non-profit ITRC found that 19.5 percent of reported breaches were due to hacking, with insider theft as the second most common cause at 16.9 percent. For the past two years, “data on the move,” a typically human-error loss of portable devices such as laptops or even briefcases, was the most common reported cause.
Read more on PCWorld.
Analyses of 2009 data conducted by ITRC are linked from their press release, here. As I had commented earlier, breach reports in 2009 were down compared to 2008, but interpreting what appears to be a decrease is fraught with difficulty as there are too many unknowns. OSF’s Dave Shettler also addressed the apparent decrease, citing some of the same possibilities I had, but throwing in solar flares for good measure. With respect to the apparent decline, ITRC says:
Are data breaches increasing or decreasing? That is the question no one can answer. This fact will not change until there is a single data breach list requiring mandatory public reporting. With some breaches not being reported publicly, and some state Attorneys General not allowing public access to reported breaches, we doubt that anyone is in a position to answer the question above. When we allow laws to be created requiring breach reporting but not disclosure, and provide minimal enforcement or penalty for non-compliance, we can expect a lack of public disclosure. Counting breaches becomes an exercise in insanity.
(Related) No need to hack the software if it doesn't do its job in the first place.
Obama: Software Flaws Let Christmas Bomber Get Through
By Noah Shachtman January 7, 2010 9:30 pm
Crappy government software — and failure to use that software right — almost got 289 people killed in the botched Christmas day bombing.
Bad management (there should be nothing you do for VIPs that you don't do for the general public) but typical politics (the general public doesn't endorse you, contribute large amounts, or attract journalists if security fails).
Ie: Revenue set up VIP unit (but don’t the little people deserve privacy too?)
TJ McIntyre writes:
One recent story which didn’t attract as much attention as it should have was the revelation that the Revenue have set up a special VIP unit to minimise leaks of confidential information about public figures. This emerged with the publication of an audit by the Data Protection Commissioner which found significant weaknesses in Revenue controls of data. (Weaknesses which still existed despite promised reforms after high profile scandals in 2005 and again in 2007.)
Read more on IT Law in Ireland.
After you cave in to the IRS you need to reassure your other tax-dodging customers that you won't do it to them.
Switzerland court rules UBS disclosure of client information was illegal
The Federal Administrative Court of Switzerland ruled Friday that the Swiss Financial Market Supervisory Authority (FINMA) violated the law in February 2009 when it ordered UBS to disclose information to the US on more than 250 of the bank’s clients. FINMA issued the order after the US Department of Justice (DOJ) accused UBS of assisting Americans in hiding accounts from the Internal Revenue Service (IRS). The court stated [WSJ report] that FINMA lacked the authority to authorize the release of information, and that the issue should have been addressed by the Federal Council.
Read more on JURIST.
New tech, new hacks.
Social networking hacks: Top 10 Facebook and Twitter security stories of 2009
Hackers, botnets, viruses and controversial "privacy" settings dominate headlines in '09
By Jon Brodkin, Network World January 07, 2010 11:20 AM ET
Note for the security files: Next time you review a security breach, ask yourself if they were as well secured as your kids' online game.
Blizzard Authenticators May Become Mandatory
Posted by Soulskill on Saturday January 09, @03:27AM from the gotta-take-off-your-shoes-too dept.
An anonymous reader writes
"WoW.com is reporting that a trusted source has informed them that Blizzard is giving serious consideration to making authenticators mandatory on all World of Warcraft accounts. The authenticators function the same as ones provided by most banks — in order to log in, you must generate a number on the external device. Blizzard already provides a free iPhone app that functions as an authenticator. The source stated, 'it is a virtually foregone conclusion that it will happen.' This comes after large spates of compromised accounts left Blizzard game masters severely backlogged by restoration requests."
When it comes to encryption, do it yourself! ...and remember, key management is... well... key!
NIST Investigating Mass Flash Drive Vulnerability
Posted by Soulskill on Saturday January 09, @05:05AM from the 123456-letmein dept.
Lucas123 writes with a followup to news we discussed earlier this week that the encryption on NIST-certified flash drives was cracked.
"A number of leading manufacturers of encrypted flash drives have warned their customers of a security flaw uncovered by a German company. The devices in question use the AES 256-bit encryption algorithm and have been certified using the FIPS 140-2, but the flaw appears to circumvent the certification process by uncovering the password authentication code on host systems. The National Institute of Standards and Technology said it's investigating whether it needs to modify its standards to include password authentication software on host systems. Security specialist Bruce Schneier was blunt in his characterization of the flaw: 'It's a stupid crypto mistake and they screwed up and they should be rightfully embarrassed for making it.'"
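The item above says the flaw lies in "password authentication code on host systems" rather than in AES itself. The following is an added example written for this post, not code from any of the drive vendors or from NIST, contrasting two hypothetical designs: one where host software checks the password and then tells the device it is "approved," and one where the key is derived from the password so there is nothing for the host to approve. The SHAKE256 keystream and HMAC tag only stand in for the drive's AES-256 hardware; the class names, the fixed unlock command and the data are all constructed for the illustration.

```python
import hashlib
import hmac
import os
import secrets

ITERATIONS = 100_000   # PBKDF2 work factor; chosen for the example, tune for real use


def derive_keys(password: str, salt: bytes):
    """PBKDF2-HMAC-SHA256 turns the password into a 32-byte encryption key and a 32-byte MAC key.
    Without the password there is no key, so nothing on the host can 'authorize' decryption."""
    km = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS, dklen=64)
    return km[:32], km[32:]


def seal(enc_key: bytes, mac_key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC. The SHAKE256 keystream stands in for the drive's AES-256; this shows
    the key-handling pattern and is not a cipher to deploy."""
    nonce = os.urandom(16)
    stream = hashlib.shake_256(enc_key + nonce).digest(len(plaintext))
    ct = bytes(a ^ b for a, b in zip(plaintext, stream))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(enc_key: bytes, mac_key: bytes, blob: bytes):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(mac_key, nonce + ct, hashlib.sha256).digest(), tag):
        return None   # wrong key (wrong password) or tampered data
    stream = hashlib.shake_256(enc_key + nonce).digest(len(ct))
    return bytes(a ^ b for a, b in zip(ct, stream))


UNLOCK_COMMAND = b"UNLOCK"   # hypothetical fixed command in the weak design


class HostCheckedDrive:
    """Weak pattern (hypothetical): host software compares the password and, on success, sends
    the device a fixed unlock command. The data key lives on the device and never depends on
    the password, so the password check is a gate in host software, not a cryptographic one."""

    def __init__(self, password: str, data: bytes):
        self.pw_hash = hashlib.sha256(password.encode()).digest()
        self._keys = (secrets.token_bytes(32), secrets.token_bytes(32))  # same for every password
        self.blob = seal(*self._keys, data)

    def host_unlock(self, password: str):
        if hashlib.sha256(password.encode()).digest() != self.pw_hash:
            return None
        return self.device_unlock(UNLOCK_COMMAND)

    def device_unlock(self, command: bytes):
        # The device sees only the command, never the password, so the check can be skipped
        # by anything on the host that emits the command.
        return unseal(*self._keys, self.blob) if command == UNLOCK_COMMAND else None


class PasswordKeyedDrive:
    """Hardened pattern: the key is derived from the password, so a wrong password yields no
    key and decryption fails at the MAC check. There is no separate 'approved' signal."""

    def __init__(self, password: str, data: bytes):
        self.salt = os.urandom(16)
        self.blob = seal(*derive_keys(password, self.salt), data)

    def unlock(self, password: str):
        return unseal(*derive_keys(password, self.salt), self.blob)
```

The certification question NIST raises in the story maps directly onto the two classes: FIPS 140-2 validated the cipher inside the device, but in the weak design the security of the stored data rests on the host-side gate, which the module boundary never covered.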
I wish to point out that these are not actually Auditors (CISA) but rather Certified Software Managers (CSM) AKA: license snoops
Recession Turning Software Auditors Into Greedy Traffic Cops
Posted by Soulskill on Friday January 08, @09:46PM from the twenty-six-in-a-twenty-five dept.
"As the recession bites, software auditors are cracking down, and some are simply exploiting loopholes and technicalities to meet their targets, according to analyst Forrester. They may be within their rights, but they aren't endearing themselves to users; Steve Ballmer faced weary customers in London last year, and admitted Windows licenses have deliberate 'gotchas.'"
Proof of concept or an attempt to drive the price of their shares down before a takeover bid?
Looks like Rupert Murdoch’s just started blocking search engines
by Martin Bryant on January 8, 2010
Remember when Rupert Murdoch caused a stir by saying that he was going to start blocking news search services like Google News from carrying his sites’ stories? Well, it looks like he’s started.
Indeed, checking the contents of www.timesonline.co.uk/robots.txt reveals the following code.
#Agent Specific Disallowed Sections
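Only the first comment line of the Times file is quoted above, so as an added example for this post (not code from the article or from News Corp) here is a small robots.txt parser that applies the rules a well-behaved crawler follows: the group whose User-agent token is the longest match for the crawler's name wins, falling back to the "*" group, and within a group the longest matching path rule decides, with Allow winning a tie. The robots.txt text below is constructed to illustrate agent-specific blocking; apart from the quoted comment line it is not the real file, and the paths are made up.

```python
from urllib.parse import urlparse

# Constructed sample in the shape of a robots.txt. Only the comment line is quoted from
# the article; the groups and paths are invented for the example.
SAMPLE_ROBOTS = """\
#Agent Specific Disallowed Sections
User-agent: Googlebot-News
Disallow: /

User-agent: Googlebot
Disallow: /tol/
Allow: /tol/public/

User-agent: *
Disallow: /admin/
"""


def parse_robots(text):
    """Return a list of (agent_tokens, rules) groups; each rule is (allowed, path_prefix)."""
    groups, agents, rules = [], [], []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blank lines
        if not line or ":" not in line:
            continue
        field, _, value = line.partition(":")
        field, value = field.strip().lower(), value.strip()
        if field == "user-agent":
            if rules:                            # rules already seen: a new group starts here
                groups.append((agents, rules))
                agents, rules = [], []
            agents.append(value.lower())
        elif field in ("allow", "disallow") and agents and value:
            rules.append((field == "allow", value))   # an empty Disallow restricts nothing
    if agents:
        groups.append((agents, rules))
    return groups


def can_fetch(groups, user_agent, url):
    """Pick the group with the longest agent token contained in the UA string (falling back
    to '*'), then apply the longest matching path rule; Allow wins a tie."""
    ua = user_agent.lower()
    path = urlparse(url).path or "/"
    chosen, best = None, -1
    for agents, rules in groups:
        for token in agents:
            if token != "*" and token in ua and len(token) > best:
                chosen, best = rules, len(token)
    if chosen is None:
        chosen = next((rules for agents, rules in groups if "*" in agents), None)
    if chosen is None:
        return True                              # no group applies: nothing is disallowed
    allowed, longest = True, -1
    for allow, prefix in chosen:
        if path.startswith(prefix) and (len(prefix) > longest or (len(prefix) == longest and allow)):
            allowed, longest = allow, len(prefix)
    return allowed


def blocked_agents(groups, url):
    """Site-owner check: which named agents would be refused this URL under the current file."""
    return sorted(t for agents, _ in groups for t in agents
                  if t != "*" and not can_fetch(groups, t, url))
```

Running `blocked_agents(parse_robots(SAMPLE_ROBOTS), "/tol/news/1")` lists the named crawlers the file shuts out of a given page, which is the quick way to confirm a robots.txt change did what the publisher intended before relying on it. Keep in mind that robots.txt is advisory: it blocks nothing that chooses to ignore it.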
A must-have new computer peripheral: the fire extinguisher!
Acer Recalls 22,000 Notebooks Due To Burn Hazard
Posted by Soulskill on Friday January 08, @06:53PM from the hot-product dept.
An anonymous reader writes
"The US Consumer Product Safety Commission, in cooperation with Acer, today announced a voluntary recall of 22,000 notebook computers. Acer has received three reports of computers short circuiting, resulting in slight melting of the external casing. No incidents occurred in the United States. No injuries have been reported."
Will the law ever catch up to the do-gooders?
Court Unfriendly To FCC's Internet Slap At Comcast
Posted by ScuttleMonkey on Friday January 08, @03:47PM from the unchecked-authority-generally-bad dept.
Several sources are reporting that federal judges have been harsh in their examination of the FCC's action against Comcast in 2008 for the throttling of Internet traffic from high-bandwidth file-sharing services.
"'You can't get an unbridled, roving commission to go about doing good,' said US Court of Appeals for the District of Columbia Circuit Chief Judge David Sentelle during an oral argument. The three-judge panel grilled FCC General Counsel Austin Schlick on the parts of communications law it could cite to justify the Comcast punishment. The FCC argues that it was enforcing an open Internet policy implicit in the law. Judge A. Raymond Randolph repeatedly said the legal provisions cited by the FCC were mere policy statements that by themselves can't justify the commission's action. 'You have yet to identify a specific statute,' he said. The judges' decision in the case could throw into question the FCC's authority to impose open Internet rules."
CES: Why the White House is backing away from Net neutrality
by Larry Downes January 8, 2010 6:54 AM PST
… The administration is clearly backtracking. But why?
Part of the reason is some unexpected political pressure, including a letter signed by 72 congressional Democrats opposing the FCC's proposed rules soon after they were announced.
But the bigger explanation is the growing priority within the administration for nationwide, affordable broadband service.
Gentlemen, start your lawsuits! In fact, such short range use is probably legal, isn't it?
MagicJack’s Making Cell Phone Fees Disappear
Source: AP January 8, 2010
The company behind the magicJack, the cheap Internet phone gadget that’s been heavily promoted on TV, has made a new version of the device that allows free calls from cell phones in the home, in a fashion that’s sure to draw protest from cellular carriers.
… The device is, in essence, a very small cellular tower for the home.
The size of a deck of cards, it plugs into a PC, which needs a broadband Internet connection. The device then detects when a compatible cell phone comes within 8 feet, and places a call to it. The user enters a short code on the phone. The phone is then linked to the magicJack, and as long as it’s within range (YMax said it will cover a 3,000-square-foot home) magicJack routes the call itself, over the Internet, rather than going through the carrier’s cellular tower. No minutes are subtracted from the user’s account with the carrier. Any extra fees for international calls are subtracted from the user’s account with magicJack, not the carrier.
Tech for shade tree mechanics. If you think you need an advanced degree to work on your “high-tech, computer controlled” car, you haven't been talking to a mechanic recently.
CES: Decipher your car's idiot light with CarMD
by Rafe Needleman January 8, 2010 1:23 PM PST
I need to spend more time figuring out how to use “social networks” in my classes. This looks like a possible tool.
HootSuite Raises $1.9 Million For Social Media Dashboard
by Leena Rao on January 8, 2010
Vancouver-based HootSuite, which dubs itself as “the professional Twitter client,” lets users manage their Twitter, Facebook, Linkedin, and Ping.fm accounts through one interface.