Wednesday, May 04, 2011

Sony #2:

SOE security breach: only “900” of stolen credit cards were active

May 3, 2011 by admin

Steven Williamson reports:

Following the closure of Sony Online Entertainment’s network operations earlier today, the company has now confirmed that only a small percentage of credit card details – possibly seized by hackers during the recent security breach – could be used for fraudulent purposes.

Earlier today, PSU reported that Sony Online Entertainment had shut down its game servers after confirming that 24 million accounts had been compromised. The main fear from users of the service was that stolen data from credit cards linked to the accounts had landed in the hands of hackers. A later report stated that 12,700 customers’ credit card numbers may have been stolen, alongside personal information from approximately 24.6 million SOE accounts. SOE has now revealed, via, that only “900” of the credit cards on record were still active when stolen. [Obfuscation check: Does this mean all the other cards had been canceled (how would they know that?), OR that they were not waiting for payment on the other cards? Bob]

Read more on PlayStation Universe.

(Related) Global systems (even gaming in the Cloud) have global risks.

Ontario woman suing Sony over PlayStation breach

May 3, 2011 by admin

Aha – our Canadian neighbors have caught the litigation bug. The Canadian Press reports:

A proposed class action lawsuit has been filed in Ontario on behalf of about one million Canadian PlayStation and Qriocity users.

[...]The Toronto law firm McPhadden Samac Tuovi is proposing the class action suit against Sony Japan, Sony USA, Sony Canada and other Sony entities for breach of privacy.

The lawsuit claims damages in excess of $1 billion, which includes having Sony pay the costs of credit monitoring services and fraud insurance coverage for two years.

The representative plaintiff in the action, which contains allegations that haven’t been proven in court, is Natasha Maksimovic, 21, of Mississauga, Ont.

Read more in The Globe and Mail.

For my Computer Security students. This is another small breach (I normally wouldn't mention it) but it does illustrate how the Public Relations folks can “invent” security and mitigation where none exists...

Stolen Laptop Compromises Patient Information

By Dissent, May 3, 2011

WMUR reports:

Speare Memorial Hospital in Plymouth (New Hampshire) is warning patients that a laptop computer with patient information was stolen last month.

Officials said the computer was in an employee’s locked car in Boston on April 3. It contained patient names, addresses, hospital account numbers, medical record numbers, and other patient and health information.

With one exception, no Social Security numbers, insurance information or credit card information was on the computer.

Okay, now that would have been bad enough – after all, what were such sensitive data doing on a laptop without encryption and then just left in an employee’s car? But the notification gets much worse from my perspective:

Hospital spokeswoman Michele Hutchins said the hospital believes the information might not be on the laptop any longer.

“Most likely this computer has been scrubbed, because the person who took it was most interested in the hardware, but you can’t assume that,” she said.

That is just pure speculative bulls**t. [Don't hold back, tell us how you feel... Bob] It is self-serving and minimizes the risk – and may mislead patients into not taking immediate and necessary steps to protect themselves.

For my money, breached entities should be barred from making such statements.

The hospital said it immediately notified the nearly 6,000 patients affected and is working to beef up security. The employee who had the laptop has resigned. [...and his manager and the security manager? Bob]

“That management level administrator has since resigned because the confidential information was only designed to stay on the hospital’s secure server and not be saved on the hard drive of a portable computer,” said Michele Hutchins, hospital spokeswoman.

What do they mean “designed to stay on the secure server?” What prevented it from being downloaded to a portable device other than instructions to employees of “don’t do this?”

Seriously. When I read breach disclosures like this one, I really wish the government would just start handing out stiff fines.

The hospital’s statement, linked from its home page, reads:

Patients Notified of Potential Breach of Protected Health Information

Speare Memorial Hospital has been alerted that a laptop computer containing protected health information was stolen from an employee’s secured, parked automobile on April 3, 2011. The computer was password protected, however that does not afford complete protection from unauthorized access. The protected health information on the computer included patient names, and in some instances: patient addresses, hospital account numbers, medical record numbers, physician names, dates of service, procedure codes, and diagnosis codes.

Speare Memorial Hospital is fully committed to protecting all of the information that our patients have entrusted to us. Upon learning of this incident the day after, we immediately undertook a process to identify the extent of information on the computer [because up til then, we had no clue there was data on the laptop. Bob] and have sent a letter of notification to the patients affected by this potential breach. Additionally, we have engaged experts to assist us in identifying additional safeguards that would strengthen our current security measures, and a police report has been filed.

We sincerely regret this incident. Protecting our patients’ personal and health information privacy is very important to us and we will continue to do everything we can to correct this situation and fortify our security protections. We will be monitoring for any indication of misuse of patient information, and recommend that patients review their future hospital account statements closely. [Isn't there more serious risk of someone using the ID information leaked to obtain free medical services and then that medical data being entered on a patient's medical history? That could screw up future medical decisions and insurance records... Bob]

So why does the notice say “potential breach?” THE DATA WERE STOLEN. And describing the employee’s car as “secured?” Seriously – a locked car is “secured?” Stop minimizing this, Speare.

For my Computer Security students. Note that security breaches are not resolved quickly.

FTC Settles Charges Against Ceridian and Lookout Over 2009 Data Breaches

May 3, 2011 by admin

Two companies that maintain large amounts of sensitive information about the employees of their business customers, including Social Security numbers, have agreed to settle Federal Trade Commission charges that they failed to employ reasonable and appropriate security measures to protect the data, in violation of federal law. Among other things, the settlement orders require the companies to implement comprehensive information security programs and to obtain independent audits of the programs every other year.

The settlements with Ceridian Corporation and Lookout Services, Inc. are part of the FTC’s ongoing efforts to ensure that companies secure the sensitive consumer information they maintain. In complaints filed against the companies, the FTC charged that both Ceridian and Lookout claimed they would take reasonable measures to secure the consumer data they maintained, including Social Security numbers, but failed to do so. These flaws were exposed when security breaches at both companies put the personal information of thousands of consumers at risk. The FTC challenged the companies’ security practices as unfair and deceptive.

According to the FTC’s complaint against Ceridian, a provider to businesses of payroll and other human resource services, the company claimed, among other things, that it maintained “Worry-free Safety and Reliability . . . Our comprehensive security program is designed in accordance with ISO 27000 series standards, industry best practices and federal, state and local regulatory requirements.” However, the complaint alleges that Ceridian’s security was inadequate. Among other things, the company did not adequately protect its network from reasonably foreseeable attacks and stored personal information in clear, readable text indefinitely on its network without a business need. These security lapses enabled an intruder to breach one of Ceridian’s web-based payroll processing applications in December 2009, and compromise the personal information – including Social Security numbers and direct deposit information – of approximately 28,000 employees of Ceridian’s small business customers.

The other company, Lookout Services, Inc., markets a product that allows employers to comply with federal immigration laws. It stores information such as names, addresses, dates of birth and Social Security Numbers. According to the FTC’s complaint against Lookout, despite the company’s claims that its system kept data reasonably secure from unauthorized access, it did not in fact provide adequate security. For example, unauthorized access to sensitive employee information allegedly could be gained without the need to enter a username or password, simply by typing a relatively simple URL into a web browser. In addition, the complaint charged that Lookout failed to require strong user passwords, failed to require periodic changes of such passwords, and failed to provide adequate employee training. As a result of these and other failures, in 2009, an employee of one of Lookout’s customers was able to access sensitive information maintained in the company’s database, including the Social Security numbers of about 37,000 consumers.

The settlement orders bar misrepresentations, including misleading claims about the privacy, confidentiality, or integrity of any personal information collected from or about consumers. They require the companies to implement a comprehensive information security program and to obtain independent, third party security audits every other year for 20 years.

The FTC will publish a description of the consent agreement packages in the Federal Register shortly. The agreements will be subject to public comment for 30 days, beginning today and continuing through June 2, after which the Commission will decide whether to make them final.

Source: FTC

Related Files/Documentation:

In the Matter of Ceridian Corporation, a corporation FTC File No. 102 3160

In the Matter of Lookout Services, Inc., a corporation FTC File No. 102 3076
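The Lookout failure, as an added example (not Lookout's code; the records, URL paths and account names are constructed): a handler that hands an employee record to anyone who types its URL, beside one that authenticates the session first and then checks that the caller's employer actually owns the record.

```python
import re
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

RECORD_PATH = re.compile(r"^/records/(\d+)$")

# Constructed employee records; each belongs to one employer account.
RECORDS: Dict[int, Dict[str, str]] = {
    1001: {"employer": "acme", "name": "A. Example", "ssn": "***-**-1234"},
    1002: {"employer": "globex", "name": "B. Example", "ssn": "***-**-5678"},
}
SESSIONS: Dict[str, str] = {}          # session token -> employer account


@dataclass
class Request:
    path: str
    cookies: Dict[str, str] = field(default_factory=dict)


Response = Tuple[int, Optional[Dict[str, str]]]


def login(employer: str) -> str:
    """Issue an unguessable session token (the password check is elided; it is a separate control)."""
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = employer
    return token


def vulnerable_handler(req: Request) -> Response:
    """'Simply typing a relatively simple URL': no session, no ownership check."""
    m = RECORD_PATH.match(req.path)
    if not m:
        return 404, None
    rec = RECORDS.get(int(m.group(1)))
    return (200, rec) if rec else (404, None)


def hardened_handler(req: Request) -> Response:
    """Authenticate first, then authorize against the record's owner."""
    employer = SESSIONS.get(req.cookies.get("session", ""))
    if employer is None:
        return 401, None                   # no valid session: refuse before touching any data
    m = RECORD_PATH.match(req.path)
    if not m:
        return 404, None
    rec = RECORDS.get(int(m.group(1)))
    if rec is None or rec["employer"] != employer:
        return 404, None                   # same answer for absent and foreign ids: no enumeration oracle
    return 200, rec


if __name__ == "__main__":
    print("unauthenticated, vulnerable:", vulnerable_handler(Request("/records/1001"))[0])
    print("unauthenticated, hardened:  ", hardened_handler(Request("/records/1001"))[0])
    tok = login("globex")
    print("globex reading acme's record:", hardened_handler(Request("/records/1001", {"session": tok}))[0])
    print("globex reading its own record:", hardened_handler(Request("/records/1002", {"session": tok}))[0])
```

The hardened handler answers 404 both for ids that do not exist and for ids owned by another employer, so a caller with a valid session for one customer cannot probe which ids belong to the others. Requiring strong passwords at login, the other item in the complaint, is left out of login() here because it is a separate control from the missing authentication and authorization checks.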

The laws are really loose. Campaign funds are actually “campaign and paying for my screwups” funds. No wonder politicians hold so many fund raisers...

Texas Comptroller dips into campaign fund to pay for credit restoration services

May 3, 2011 by admin

Facing mounting criticism of her handling of her office’s massive data breach, Texas Comptroller Susan Combs has apologized for the security lapse that exposed personal information on 3.5 million citizens and has agreed to pay for identity restoration services out of her campaign fund.

Read more on InfoSecurity.

Okay, her campaign fund isn’t exactly the same as her personal checking account, but still, I find this unusual and don’t remember ever seeing anyone in government ever dipping into their own campaign or resources to help defray the costs of a data breach. Can you remember anything like this before?

“Of course. You don't think we trust our customers do you?” (Just like Lower Merion High School spied on their students...)

PC rental store accused of using webcams, keyloggers on customers

May 3, 2011 by Dissent

Jacqui Cheng reports:

Built-in webcams are becoming more and more common in computers these days, and in turn, they are becoming more and more of a liability. A Wyoming couple is now accusing national rent-to-own chain Aaron’s Inc. of spying on them at home using their rented computer’s webcam without their knowledge. Aaron’s also allegedly used a keylogger and took regular screenshots of the couple’s activities on the machine, leading the couple to file a class-action lawsuit in the US District Court for the Western District of Pennsylvania.

Read more on ars technica.

(Related) Extending the “pat down” I can see TSA ordering thousands of these and requiring anyone wanting to fly to swallow one 24 hours before the flight in case they eat anything suspicious! “Hey, we've got traces of felafel over here! Call out SWAT!”

The World's Smallest Video Camera

"Medigus has developed what it claims is the world's smallest video camera at just 0.039-inches (0.99 mm) in diameter. The Israeli company's second-gen model (a 0.047-inch diameter camera was unveiled in 2009) has a dedicated 0.66x0.66 mm CMOS sensor that captures images at 45K resolution and no, it's not destined for use in tiny mobile phones or covert surveillance devices, instead the camera is designed for medical endoscopic procedures in hard to reach regions of the human anatomy."

I'm sure Google will “take it under advisement”

May 03, 2011

EPIC Proposes "Fair Information Practices" for Google

"Today EPIC submitted detailed comments on a landmark privacy agreement that requires Google to adopt a "Comprehensive Privacy Plan" to safeguard the privacy and personal information of Internet users. In comments to the Federal Trade Commission, EPIC recommended that the FTC require Google to adopt and implement comprehensive Fair Information Practices." [Links: complaint; EPIC: In re Google Buzz ...]


Authorities in Austria and Switzerland Rule on Google Street View

May 3, 2011 by Dissent

On April 21, 2011, the Austrian Data Protection Commission (“Austrian DPA”) published its decision allowing Google to register its Google Street View application on the Austrian DPA’s data processing register. As part of the registration procedure, Google agreed to blur images of faces and license plates prior to publishing them on the Internet, and to provide information to the public about the right to object to publication of certain images.


On March 30, 2011, the Federal Administrative Court of Switzerland (the “Court”) issued its ruling on a previous opinion by the Swiss Data Protection Authority (“Swiss DPA”) concerning Google Street View. The Court found in favor of the Swiss DPA, which initially brought the claim in November 2009.

Read more on Privacy and Security Information Law Blog.

Includes a video of the “news item.” Note the name of the site they point you to...

Smart phone pictures can pose privacy threat

People can find your location from the smart phone pictures you upload on the web. It's called geotagging. Every time you snap a photo and post it online, your phone could be sending out metadata.

Metadata is detailed information contained within the photo file, including the date, time and exact GPS location when you took the picture. If you post them online, a complete stranger can click on your pictures and find out your location when you took them, sometimes within a matter of feet.

People who upload numerous online photos may be unknowingly posting a pattern of their behavior, available to anyone with a computer.

Here's how you can disable geotagging on different types of smart phones.

[ … ]

You can find more detailed instructions here:
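As an added example (not from the article or any phone vendor), here is what that metadata actually looks like inside the file and how to strip it before uploading. It is pure Python with no imaging library: the JPEG is a constructed skeleton whose Exif block carries a made-up latitude and longitude in the standard degrees/minutes/seconds rationals, the parser walks the TIFF directories to find the GPS IFD, and the same segment walker drops the whole APP1 segment, which is what "remove location data" amounts to.

```python
import struct
from typing import Dict, List, Optional, Tuple

# Tag/type numbers from the Exif spec; an Exif block is a TIFF structure of IFDs.
TAG_GPS_IFD = 0x8825
GPS_LAT_REF, GPS_LAT, GPS_LON_REF, GPS_LON = 1, 2, 3, 4
TYPE_ASCII, TYPE_LONG, TYPE_RATIONAL = 2, 4, 5
EXIF_HEADER = b"Exif\x00\x00"

def _segments(jpeg: bytes):
    """Yield (marker, start, end) per JPEG marker segment; SOS or EOI swallows the rest."""
    if jpeg[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG (no SOI)")
    pos = 2
    while pos + 4 <= len(jpeg) and jpeg[pos] == 0xFF:
        marker = jpeg[pos + 1]
        if marker in (0xDA, 0xD9):            # SOS: entropy-coded data follows; EOI: end
            yield marker, pos, len(jpeg)
            return
        (length,) = struct.unpack_from(">H", jpeg, pos + 2)
        yield marker, pos, pos + 2 + length
        pos += 2 + length

def _read_ifd(tiff: bytes, offset: int, order: str) -> Dict[int, Tuple[int, int, bytes]]:
    """{tag: (type, count, 4 raw value-or-offset bytes)} for the IFD at offset."""
    (n,) = struct.unpack_from(order + "H", tiff, offset)
    entries = {}
    for i in range(n):
        base = offset + 2 + 12 * i
        tag, typ, count = struct.unpack_from(order + "HHI", tiff, base)
        entries[tag] = (typ, count, tiff[base + 8:base + 12])
    return entries

def _rationals(tiff: bytes, order: str, entry: Tuple[int, int, bytes]) -> List[float]:
    """Decode a RATIONAL entry; 8-byte values never fit inline, so raw holds an offset."""
    typ, count, raw = entry
    if typ != TYPE_RATIONAL:
        raise ValueError("expected RATIONAL")
    (off,) = struct.unpack_from(order + "I", raw)
    nums = struct.unpack_from(order + "II" * count, tiff, off)
    return [nums[2 * i] / nums[2 * i + 1] for i in range(count)]

def _dms_to_decimal(dms: List[float], ref: bytes) -> float:
    value = dms[0] + dms[1] / 60 + dms[2] / 3600
    return -value if ref in (b"S", b"W") else value

def _gps_from_tiff(tiff: bytes) -> Optional[Tuple[float, float]]:
    order = {b"II": "<", b"MM": ">"}[tiff[:2]]        # byte order declared by the TIFF header
    magic, ifd0_off = struct.unpack_from(order + "HI", tiff, 2)
    if magic != 42:
        raise ValueError("bad TIFF header")
    ifd0 = _read_ifd(tiff, ifd0_off, order)
    if TAG_GPS_IFD not in ifd0:
        return None
    (gps_off,) = struct.unpack_from(order + "I", ifd0[TAG_GPS_IFD][2])
    gps = _read_ifd(tiff, gps_off, order)
    if not all(t in gps for t in (GPS_LAT_REF, GPS_LAT, GPS_LON_REF, GPS_LON)):
        return None
    lat = _dms_to_decimal(_rationals(tiff, order, gps[GPS_LAT]), gps[GPS_LAT_REF][2][:1])
    lon = _dms_to_decimal(_rationals(tiff, order, gps[GPS_LON]), gps[GPS_LON_REF][2][:1])
    return lat, lon

def extract_gps(jpeg: bytes) -> Optional[Tuple[float, float]]:
    """Decimal (lat, lon) from the Exif APP1 segment, or None if there is no GPS IFD."""
    for marker, start, end in _segments(jpeg):
        if marker == 0xE1 and jpeg[start + 4:start + 10] == EXIF_HEADER:
            return _gps_from_tiff(jpeg[start + 10:end])
    return None

def strip_exif(jpeg: bytes) -> bytes:
    """Drop every Exif APP1 segment (GPS, timestamps, device model); keep the image data."""
    out = bytearray(jpeg[:2])
    for marker, start, end in _segments(jpeg):
        if not (marker == 0xE1 and jpeg[start + 4:start + 10] == EXIF_HEADER):
            out += jpeg[start:end]
    return bytes(out)

def build_sample_jpeg() -> bytes:
    """Constructed input: a JPEG skeleton whose Exif block encodes 43.755 N, 71.689 W as DMS."""
    be = ">"
    def entry(tag, typ, count, value_or_offset):
        return struct.pack(be + "HHI", tag, typ, count) + value_or_offset
    def rationals(*pairs):
        return b"".join(struct.pack(be + "II", n, d) for n, d in pairs)
    ifd0_off = 8                                   # directly after the 8-byte TIFF header
    gps_off = ifd0_off + 2 + 12 * 1 + 4            # IFD0: one entry (the GPS pointer)
    data_off = gps_off + 2 + 12 * 4 + 4            # GPS IFD: four entries
    ifd0 = (struct.pack(be + "H", 1)
            + entry(TAG_GPS_IFD, TYPE_LONG, 1, struct.pack(be + "I", gps_off))
            + struct.pack(be + "I", 0))
    gps = (struct.pack(be + "H", 4)
           + entry(GPS_LAT_REF, TYPE_ASCII, 2, b"N\x00\x00\x00")
           + entry(GPS_LAT, TYPE_RATIONAL, 3, struct.pack(be + "I", data_off))
           + entry(GPS_LON_REF, TYPE_ASCII, 2, b"W\x00\x00\x00")
           + entry(GPS_LON, TYPE_RATIONAL, 3, struct.pack(be + "I", data_off + 24))
           + struct.pack(be + "I", 0))
    data = rationals((43, 1), (45, 1), (1800, 100)) + rationals((71, 1), (41, 1), (2040, 100))
    tiff = b"MM\x00\x2a" + struct.pack(be + "I", ifd0_off) + ifd0 + gps + data
    app1 = EXIF_HEADER + tiff
    app1 = b"\xff\xe1" + struct.pack(">H", len(app1) + 2) + app1
    dqt = b"\xff\xdb" + struct.pack(">H", 4) + b"\x00\x00"                   # stand-in table segment
    sos = b"\xff\xda" + struct.pack(">H", 3) + b"\x00" + b"\x12\x34" + b"\xff\xd9"
    return b"\xff\xd8" + app1 + dqt + sos
```

Running extract_gps(build_sample_jpeg()) gives (43.755, -71.689), and extract_gps(strip_exif(build_sample_jpeg())) gives None while the other segments survive untouched. The stripper removes the whole Exif segment, so the timestamp and camera model go with the coordinates; a tool that only blanks the GPS IFD leaves those behind. Every marker segment carries a two-byte length, which is why the walk can skip segments it does not understand and stop safely at SOS.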

(Related) Another tool for protecting your phone...

Marlinspike's Droid Firewall Kills Tracking

"The first dynamic Android firewall, dubbed WhisperMonitor, has been released by respected security researcher Moxie Marlinspike. The firewall will allow users to stop location-tracking apps and restrict connection attempts by applications. Marlinspike, whose company created the application, designed WhisperMonitor in response to the incidence of location tracking and malware on Android platforms. It monitors all outbound connection attempts by applications and the operating system, and asks users to permit or block any URLs and port numbers that are accessed."

No more than a license plate identifies a driver. But if they tow your car, who gets to pay the fine? Still, you gotta admire a judge who won't be blinded by baffling techno-babble.

An IP Address Does Not Point To a Person, Judge Rules

"A possible landmark ruling in one of the mass-BitTorrent lawsuits in the US may spell the end of the 'pay-up-or-else-schemes' that have targeted over 100,000 Internet users in the last year. District Court Judge Harold Baker has denied a copyright holder the right to subpoena the ISPs of alleged copyright infringers, because an IP-address does not equal a person. Among other things, Judge Baker cited a recent child porn case where the US authorities raided the wrong people, because the real offenders were piggybacking on their Wi-Fi connections. Using this example, the judge claims that several of the defendants in VPR's case may have nothing to do with the alleged offense either. ... Baker concludes by saying that his Court is not supporting a 'fishing expedition' for subscribers' details if there is no evidence that it has jurisdiction over the defendants."

For the Hacker Toolkit

Recover lost, damaged, or deleted files with free Recuva

The key to success with this or any other data-recovery solution is to immediately stop using whatever media contains the missing data--memory card, hard drive, flash drive, smartphone, etc. That's because any additional write activity can more permanently erase or damage the files you're trying to recover.

Recuva is compatible with Windows XP and later. It's one of those freebie gems everyone should keep on hand in case of emergency. (There's also a portable version you can keep on your flash drive, phone, or whatever for anytime, anywhere use--no installation required.) Here's hoping you never need it! (But, for heaven's sake, make backups, people!)
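The reason behind the "stop using the media" advice, shown with an added example rather than anything from Recuva: a toy block device on which delete drops the directory entry but not the bytes, and a signature carver of the kind recovery tools use to find orphaned files. The disk, the free-space policy and the PNG-shaped file are all constructed for this example.

```python
from typing import Dict, List, Tuple

PNG_SIG = b"\x89PNG\r\n\x1a\n"                    # 8-byte PNG signature
PNG_IEND = b"\x00\x00\x00\x00IEND\xaeB`\x82"      # zero-length IEND chunk with its fixed CRC


def make_png_like(body: bytes) -> bytes:
    """A PNG-shaped blob: real header and trailer around an arbitrary body."""
    return PNG_SIG + body + PNG_IEND


class ToyDisk:
    """Flat byte array plus a directory; deleting a file frees its extent but leaves the bytes."""

    def __init__(self, size: int) -> None:
        self.blocks = bytearray(size)
        self.directory: Dict[str, Tuple[int, int]] = {}
        self.free: List[Tuple[int, int]] = [(0, size)]    # (offset, length) extents

    def write_file(self, name: str, data: bytes) -> int:
        for i, (off, length) in enumerate(self.free):
            if length >= len(data):
                self.free[i] = (off + len(data), length - len(data))
                self.blocks[off:off + len(data)] = data
                self.directory[name] = (off, len(data))
                return off
        raise OSError("disk full")

    def delete(self, name: str) -> None:
        off, length = self.directory.pop(name)
        self.free.insert(0, (off, length))     # freed extent is handed out first, as a real FS may do

    def image(self) -> bytes:
        return bytes(self.blocks)


def carve_png(image: bytes) -> List[bytes]:
    """Recover every signature..IEND span, ignoring any directory: this is what a carver does."""
    found, pos = [], 0
    while True:
        start = image.find(PNG_SIG, pos)
        if start < 0:
            return found
        end = image.find(PNG_IEND, start + len(PNG_SIG))
        if end < 0:
            return found                       # header without trailer: truncated, not recovered here
        end += len(PNG_IEND)
        found.append(image[start:end])
        pos = end


def scenario() -> Dict[str, List[bytes]]:
    """Delete a file, carve, then write something small and carve again."""
    disk = ToyDisk(4096)
    photo = make_png_like(b"constructed image data " * 8)
    disk.write_file("photo.png", photo)
    disk.delete("photo.png")
    after_delete = carve_png(disk.image())           # directory entry is gone, the bytes are not
    disk.write_file("note.txt", b"just a short note")     # lands on the freed extent
    after_overwrite = carve_png(disk.image())        # signature clobbered; most bytes survive, file does not
    return {"after_delete": after_delete, "after_overwrite": after_overwrite}


if __name__ == "__main__":
    result = scenario()
    print(len(result["after_delete"]), "file(s) carved after delete")
    print(len(result["after_overwrite"]), "file(s) carved after one small write")
```

After the delete the carver returns the whole file although nothing points at it any more. One 17-byte write that happens to land on the freed extent destroys the signature, and the carver finds nothing even though almost every byte of the original is still on the media. The same applies to a memory card or a phone: each write is a chance to land on the block that made the file findable, which is why the recovery tool should run from somewhere else and write its output somewhere else.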

“The trouble with quotes on the Internet is that you can never know if they are genuine." -Abraham Lincoln
