Friday, January 14, 2011

Interesting. Will more AGs begin to “insist” that credit monitoring be offered?

CT AG looking into UConn breach, demands credit monitoring services

January 13, 2011 by admin

It looks like Connecticut’s new Attorney General, George Jepsen, intends to pursue data breaches like his predecessor. According to Hartford Business Times, Jepsen has sent a letter to UConn requesting additional information on the breach and he “has also insisted UConn provide its customers with identity theft and other credit protections.”

The business of Computer Crime

Your personal data in the wrong hands

January 13, 2011 by admin

Fabio Assolini of Kaspersky writes:

What happens when all of your personal data is readily available for use by a cybercriminal?

Last November we published a blog talking about Brazilian phishing attacks that displayed the victims’ CPF numbers – the Natural Persons Register, the equivalent of a Social Security Number used by the Brazilian government to identify each citizen. A CPF is the most important document a Brazilian citizen possesses. It’s a prerequisite for a series of tasks like opening bank accounts, getting or renewing a driver’s license, buying or selling real estate, receiving loans, applying for jobs (especially public ones), getting a passport or credit cards, etc.

But this incident was just the tip of the iceberg.

Due to our constant monitoring of malicious activities, we found some bad guys offering access to a complete database of all Brazilian citizens that have a CPF – all you need to do is contact a number and the system will bring you the complete personal data of a potential victim.

Read more on SecureList.

[From the article:

We found 3 mirrors of this website offering this kind of ‘service’ to Brazilian bad guys – it’s a service that we call C2C (cybercriminals to cybercriminals).

… Nowadays, we see that the problem of protecting private information is not just confined to users, but applies equally to governments and corporations alike.]

(Related) Not sure a password fixes the problem. Why is the data online in the first place?

KY: Information on Green River District Health Department patients exposed on the Web for months

January 13, 2011 by admin

James Mayse reports for the Messenger-Inquirer:

The names, Social Security numbers and dates of birth of thousands of people who visited the Green River District Health Department were available unsecured online for months, at least since October.

But the company maintaining the computer database fixed the problem immediately Wednesday evening after being notified by the Messenger-Inquirer. Numerous follow-ups by M-I reporters and editors found that the database had been secured and now requires a password to access.

The database was created by Fox Technology Group, an Owensboro company that has since been absorbed by Integranetics. The Messenger-Inquirer found 9,986 names and personal information of Daviess County residents on the list after being notified of the problem by a concerned resident who discovered the information while doing a simple Google search.

Almost all of the names included dates of birth, and more than half included Social Security information.

Read more on iStockAnalyst.


Computer with Guardsmen’s Personal Info Stolen from Santa Fe Headquarters

January 13, 2011 by admin

New Mexico soldiers deploying to Kosovo now have one more thing to worry about after a computer containing personal information was stolen from the National Guard Headquarters in Santa Fe.

It contained deployment records and social security information for about 650 soldiers throughout the state. The computer was stolen sometime between Dec. 23-28. Soldiers affected have been sent a letter telling them to check with the social security administration, contact their banks and keep an eye on their credit.

A representative from the Guard says both the Army and State Police are investigating.

Source: KRQE

And the data on the computer weren’t encrypted….. why?

And the National Guard isn’t offering them free credit monitoring when they won’t even be around to keep an eye on their credit reports after they deploy…. why?

There doesn’t seem to be any statement on the NM National Guard’s site.

Now they need to define stigma. Is being a “liberal” sufficient?

Second Circuit limits the right to medical privacy

January 13, 2011 by Dissent

We normally associate the constitutional right to privacy with abortion and other child-bearing (and related) concepts. But that right also covers the right to avoid disclosure of certain personal matters, including medical information. This case asks whether a New York City schoolteacher could sue the Board of Education for publicizing her fibromyalgia. The answer is No.

The case is Matson v. Board of Education, decided on January 11. School officials disciplined Matson, a music teacher, for taking sick leave so she could conduct a symphony orchestra at Trinity Church. Her doctor said the stress was work-related. While she needed time off from work, she could still function as a conductor at the church. In disciplining Matson, school officials publicized a report that made reference to her disability, characterized as “chronic fatigue syndrome, known as fibromyalgia.” Matson does not sue over the discipline but, instead, the public report that mentions her disability.

Read more on Bergstein & Ullrich, LLP Second Circuit Civil Rights. It seems that unless you have a fatal or stigmatizing medical condition, you don’t have a right to medical privacy in the Second Circuit.

Airfield of Dreams: If you pay us, we won't grope? What is the strategic statement here? We don't have enough information to know who you are, so we need more or we continue to treat you as a possible terrorist?

TSA: More disclosure by airline travelers could cut intrusive screenings

January 13, 2011 by Dissent

Paul Corson reports:

The head of the Transportation Security Administration says airline travelers could minimize their exposure during the screening process by disclosing more about themselves up-front.

TSA Administrator John Pistole, in a speech Thursday to a lawyers’ group, said the use of detailed identity profiles would be part of a shift toward the greater use of intelligence to try to disrupt potential terrorist activity against commercial flights.

“There are groups of people out there, the very frequent travelers who are willing to provide information,” Pistole said, so that for a fee, “if you don’t want to stand in line, here’s what we can do.”

Pistole said passenger identification would be more stringent than the typical name, date of birth and gender now required to board a jetliner, which he said is “not much to go on.”

He said a trusted traveler program would apply to “those individuals who are willing to disclose more information about themselves in exchange for a different level of screening.”

Pistole did not describe what elements in the screening process a passenger could avoid, saying only it would involve “more identity-based screening than the physical screening.”

Read more on CNN

Sounds like extortion to me: give us all your personal details if you don’t want to be humiliated and have your genitalia touched?

Congress better straighten this out and as a priority item. Look how quickly they introduce bills to protect themselves after the Tucson shooting. Let them introduce bills to protect the innocent public from government assault in the name of sham “security.”

Free(?) webinar on Privacy.

Employee Privacy Gains in the United States

January 14, 2011 by Dissent

Boris Segalis writes:

2010 arguably was a breakout year for consumer privacy in the U.S., but the year also brought about significant changes to the legal landscape of employee privacy. Federal and state court decisions, state legislation and agency actions suggest that the U.S. may be moving towards a greater level of privacy protection for employees. Employers are well-advised to consider these developments in reviewing and revising policies that affect the privacy of their employees.

Read more on InformationLawGroup. Boris reviews several important rulings during 2010 including Quon and Stengart, and also reviews new statutes in Illinois and Oregon that went into effect and that impact employee privacy. The group also notes:

For more information about privacy issues in the workplace, please join us for a webinar on January 27, 2011. The webinar, offered through Park Avenue Presentations, will focus on workplace privacy in the U.S. and Europe. Please email for registration details.

The webinar has been added to the listing of Data Privacy Day 2011 events available elsewhere on this site.

Interesting summary

Who Owns Your Data?

The fundamental problem with data ownership is that bits don’t behave like atoms. For most of human history, our laws have focused on physical assets that couldn’t be duplicated. The old truism “possession is nine-tenths of the law” doesn’t apply in a world where making a million copies, each as good as the original, is nearly effortless.

It’s not just the ability to copy that makes data different, however. How data is used affects its value. If I share a movie with someone, the copyright holder loses a potential sale. On the other hand, they may make money: freely sharing Monty Python videos online increased DVD sales by 23,000%. Some kinds of information were meant to be shared. If I give my phone number to someone, surely it’s gained value. But if it’s written on a bathroom wall, presumably it’s lost some.

Perhaps it was translated poorly from the Japanese? ...or to the Japanese? ...or Japanese law allows this? ...or they have a bunch of bad lawyers?

Today’s Award for the Silliest Theory of the Computer Fraud and Abuse Act

January 14, 2011 by admin

Orin Kerr, a law professor and former attorney in the DOJ who worked in the computer crimes division, has a commentary on a lawsuit involving CFAA claims that’s interesting in terms of defining the scope of what the Computer Fraud and Abuse Act covers – and shouldn’t cover:

Today’s Award for the Silliest Theory of the Computer Fraud and Abuse Act

…goes to the arguments made by Sony’s lawyers in a complaint and motion for a TRO in a recently-filed civil case: Sony Sues PS3 Hackers. The argument: You’re guilty of felony computer hacking crimes if you access your own computer in a way that violates a contractual restriction found in the fine print of the licensing restriction of the product imposed by the manufacturer.

I realize the complaint characterizes the defendants as hackers, and the CFAA is supposed to be about hacking. But think for a moment about the nature of this claim. You bought the computer. You own it. You can sell it. You can light it on fire. You can bring it to the ocean, put it on a life raft, and push it out to sea. But if you dare do anything that violates the fine print of the license that the manufacturer is trying to impose, then you’re guilty of trespassing onto your own property. And it’s not just a civil wrong, it’s a crime.

Read more on The Volokh Conspiracy.

(Related) Another Sony strategic error...

Why Sony Cannot Stop PS3 Pirates

"A former Ubisoft exec believes that Sony will not be able to combat piracy on the PlayStation 3, which was recently hacked. Martin Walfisz, former CEO of Ubisoft subsidiary Ubisoft Massive, was a key player in developing Ubisoft's new DRM technologies. Since playing pirated games doesn't require a modchip, his argument is that Sony won't be able to easily detect hacked consoles. Sony's only possible solution is to revise the PS3 hardware itself, which would be a very costly process. Changing the hardware could possibly work for new console sales, though there would be the problem of backwards compatibility with the already-released games. Furthermore, current users would still be able to run pirated copies on current hardware."

An anonymous reader adds commentary from PS3 hacker Mathieu Hervais about Sony's legal posturing.

Their logic is peccable. (That's the opposite of “impeccable,” right?) “We will limit our unlimited plan...”

Virgin Mobile To Start Throttling Broadband2Go

"Virgin Mobile sent an e-mail today informing me of their plans to start throttling the Broadband2Go Plan. The web site doesn't seem to reflect the change yet, but here is the message they sent to me: 'Here at Virgin Mobile, our mission is to deliver an outstanding customer experience. Sometimes that means making difficult choices in order to provide the best possible service to the greatest number of customers. To make sure we can keep offering our $40 Unlimited Broadband2Go Plan at such a great price, we're putting a speed limit in place for anyone on that plan who uses over 5GB in a month. How will it work? Starting February 15, 2011, if you go over 5GB in a month on the $40 Unlimited Plan: Your data speeds will be limited for the remainder of the monthly plan cycle. During this time, you may experience slower page loads and file downloads and lags in streaming media. Your data speeds will return to normal as soon as you buy a new Broadband2Go Plan. This change will only affect plans bought on or after 2/15/2011. How will it affect me? Keep in mind, 5GB is A LOT of data. To give you an idea, it's about 250 hours of web browsing or over 500,000(!) emails. So this change shouldn't affect you unless you're a heavy downloader/streamer/etc.'"

Just when I was getting comfortable recommending it to people, too. I do prefer a slowdown to an absolute cap, but this sours me a bit on the (locked-to-Sprint) MiFi I bought to use the Virgin service.

For my Ethical Hackers: Hacking in the Cloud

Amazon EC2 Enables Cheap Brute-Force Attacks

"German white-hat hacker Thomas Roth claims he can crack WPA-PSK-protected networks in six minutes using Amazon EC2 compute power — an attack that would cost him $1.68. The key? Amazon's new cluster GPU instances. 'GPUs are (depending on the algorithm and the implementation) some hundred times faster compared to standard quad-core CPUs when it comes to brute forcing SHA-1 and MD,' Roth explained. GPU-assisted servers were previously available only in supercomputers and not to the public at large, according to Roth; that's changed with EC2. Among the questions Roth's research raises is, what role should Amazon and other public-cloud service providers play in preventing customers from using their services to commit crimes?"

Interesting numbers

Are We Too Obsessed With Facebook? [INFOGRAPHIC]
