Tuesday, June 14, 2011

This is not a new technique, but (apparently) not everyone has taken note and corrected the hole in their security.

http://www.databreaches.net/?p=18869

Revealed: How Citigroup hackers broke in ‘through the front door’ using bank’s website

June 14, 2011 by admin

Lee Moran reports:

Hackers who stole the personal details of more than 200,000 Citigroup customers ‘broke in through the front door’ using an extremely simple technique.

It has been called ‘one of the most brazen bank hacking attacks’ in recent years.

And for the first time it has been revealed how the sophisticated cyber criminals made off with the staggering bounty of names, account numbers, email addresses and transaction histories.

They simply logged on to the part of the group’s site reserved for credit card customers – and substituted their account numbers which appeared in the browser’s address bar with other numbers.

It allowed them to leapfrog into the accounts of other customers – with an automatic computer programme letting them repeat the trick tens of thousands of times.

Read more on The Daily Mail.
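The hole described above is the classic insecure direct object reference: the server trusts the account number in the URL and never checks that the logged-in user owns it. The following is an added illustration, not code from the article or from any bank, using a constructed in-memory account store and constructed access-log lines; it shows the vulnerable lookup beside the fixed one, and a simple detector for the "substitute the number and repeat tens of thousands of times" pattern (many distinct account ids from one session).

```python
"""Added example (constructed data, not from the article): IDOR in an
account-lookup handler, its fix, and a detector for enumeration."""
from collections import defaultdict
from typing import Optional

# Constructed sample data: account number -> record, and the login
# sessions that map to each user. A real system would use a database.
ACCOUNTS = {
    "1001": {"owner": "alice", "email": "alice@example.com"},
    "1002": {"owner": "bob", "email": "bob@example.com"},
    "1003": {"owner": "carol", "email": "carol@example.com"},
}
SESSIONS = {"sess-alice": "alice", "sess-bob": "bob"}


def lookup_vulnerable(session_id: str, account_id: str) -> Optional[dict]:
    """Insecure direct object reference: checks only that the caller is
    logged in, then returns whatever account number the URL names."""
    if session_id not in SESSIONS:
        return None  # not logged in
    return ACCOUNTS.get(account_id)  # no ownership check at all


def lookup_fixed(session_id: str, account_id: str) -> Optional[dict]:
    """Fixed handler: the account must belong to the authenticated user.
    An unowned id is answered exactly like a nonexistent one, so the
    response does not reveal which account numbers exist."""
    user = SESSIONS.get(session_id)
    if user is None:
        return None
    record = ACCOUNTS.get(account_id)
    if record is None or record["owner"] != user:
        return None
    return record


def flag_enumerating_sessions(log_lines, threshold=20):
    """Detection over constructed access-log lines of the form
    'session_id account_id status': return the sessions that requested
    more than `threshold` distinct account ids. A legitimate customer
    touches a handful of accounts; an enumerator touches thousands."""
    seen = defaultdict(set)
    for line in log_lines:
        session_id, account_id, _status = line.split()
        seen[session_id].add(account_id)
    return sorted(s for s, ids in seen.items() if len(ids) > threshold)
```

The detector is a floor, not a ceiling: lowering the threshold per unit time, or counting 404-style misses per session, catches slower enumeration too.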



Security Breach: The gift that keeps on giving...

http://www.databreaches.net/?p=18861

OR: Portland-area debit card fraud could be related to Michaels PIN skimming

June 14, 2011 by admin

A rash of card fraud reports over the weekend in Beaverton, Oregon, may be linked to the breach of some Michaels Stores.

Brent Hunsberger reports:

A number of Portland-area residents reported their debit cards either were compromised or canceled suddenly over the weekend, and Beaverton police said at least one case was related to a data breach earlier this year at Michaels Stores Inc.

Bill Johnson, a customer at First Tech Federal Credit Union, discovered $800 in unauthorized ATM withdrawals on Saturday, while a spokesperson at Advantis Credit Union said it saw a spike in debit card fraud over the weekend. Several U.S. Bank customers reported their debit cards were canceled without notice.

Beaverton Police Department spokeswoman Pam Yazzolino said it referred one case to the U.S. Secret Service, which is investigating the Michaels breach.

Michaels reported last month that Personal Identification Number pads at close to 90 stores had been tampered with between Feb. 8 and May 6, exposing payment cards to possible fraud. The tamperings occurred at two stores in Beaverton as well as stores in Tualatin, Roseburg, Springfield and Medford, the company has said.

Some PIN numbers have been used fraudulently since then, company officials said. But in Beaverton, illegal charges using those PINs might be just beginning to show up, Yazzolino said.

Doug Marker, vice president for loss prevention and safety at Michaels, said today via a spokesperson that “it cannot be assumed that all fraud experienced by any Michaels shopper is necessarily connected to Michaels.”

Read more on The Oregonian.

If the Beaverton fraud is Michaels-related, it would be another reminder why people shouldn’t assume that if their information isn’t misused within days, they’re safe, despite any entity’s claims of “We have no evidence of misuse” issued days after breach disclosure.

Related: Past coverage of the Michaels Store breach.



An attention getter?

LulzSec Hacks the US Senate

"LulzSec might not be as famous as Anonymous — they're really best known for hacking sites they like, to prove a point about security — but they may have just raised their profile significantly, posting what appears to be data taken from an internally facing server at the US Senate. However, the fun-loving group might find that the Senate reacts a lot more harshly to intrusions than, say, PBS did."

The group also recently grabbed data from Bethesda Softworks.


(Related) Hummm... I'll need to study this.

http://www.databreaches.net/?p=18846

Rep. Mary Bono Mack Releases Discussion Draft of SAFE Data Act

June 13, 2011 by admin

The following statement was issued by Rep. Mary Bono Mack today:

Calling a recent dramatic increase in cyber attacks “a threat to the future of electronic commerce,” Congresswoman Mary Bono Mack (CA-45), Chairman of the House Subcommittee on Commerce, Manufacturing and Trade, today released a discussion draft of the Secure and Fortify Data Act (SAFE Data Act), which establishes uniform national standards for data security and data breach notification.

“With nearly 1.5 billion credit cards now in use in the United States – and more and more Americans banking and shopping online – sophisticated hackers and cyber thieves have a treasure chest of opportunities to ‘get rich quick’. The SAFE Data Act will provide American consumers with better safeguards in the future,” Congresswoman Bono Mack said in releasing the discussion draft of her legislation.

The Subcommittee on Commerce, Manufacturing and Trade will hold a legislative hearing on the much-anticipated draft on Wednesday (June 15) at 10 am in 2322 Rayburn House Office Building.

Scheduled to testify are the Honorable Edith Ramirez, Commissioner, Federal Trade Commission; Jason Goldman, Telecommunications and e-Commerce Counsel, U.S. Chamber of Commerce; Robert Holleyman, President and CEO, Business Software Alliance; Stuart Pratt, President and CEO, Consumer Data Industry Association; and Marc Rotenberg, Executive Director, Electronic Privacy Information Center.

Congresswoman Bono Mack’s efforts build on legislation passed by the House in 2009 but not acted upon in the Senate. Most importantly, it reflects the changing landscape of data breaches and data security since that time. It also encompasses many of the lessons learned in the aftermath of massive data breaches at Sony, Epsilon and Citigroup, which put more than 100 million consumer accounts at risk.

“You shouldn’t have to cross your fingers and whisper a prayer when you type in a credit card number on your computer and hit ‘enter.’ E-commerce is a vital and growing part of our economy. We should take steps to embrace and protect it – and that starts with robust cyber security,” Bono Mack continued. “Most importantly, consumers have a right to know when their personal information has been compromised, and companies and other organizations have an overriding responsibility to promptly alert them.”

The Federal Trade Commission (FTC) estimates that nearly 9 million Americans fall victim to identity theft every year, costing consumers and businesses billions of dollars annually – and those numbers are growing steadily and alarmingly. Just as troubling, Congresswoman Bono Mack says the frequency and scope of these breaches is “causing incalculable damage to consumer confidence when it comes to shopping and banking online.”

A key feature of the SAFE Data Act requires notification to the FTC and consumers within 48 hours of the time that a breach has been secured and the scope of the breach assessed. The FTC would also be given the authority to levy civil penalties if companies or entities fail to respond in a timely and responsible manner. Non-profit organizations such as universities and charities would be required to comply with the legislation.

Additionally, the SAFE Data Act grants the FTC the ability to expand the definition of “personally identifiable information” so long as this new data poses a reasonable risk of identity theft or would otherwise “result in unlawful conduct.”

Following several recent hearings examining this growing problem, Congresswoman Bono Mack says it’s time for Congress to take action.

“These eye-popping data breaches only reinforce my long held belief that much more needs to be done to protect sensitive consumer information. Americans need additional safeguards to prevent identity theft, and the SAFE Data Act will help to accomplish this goal.”

The text of the discussion draft can be viewed by clicking here.

[From the Draft:

DATA SECURITY REQUIREMENTS

A security policy...

The identification of an officer [or other individual] as the point of contact with responsibility for the management of information security.

A process for identifying and assessing any reasonably foreseeable vulnerabilities in each system [...] which shall include regular monitoring for a breach of security of each such system.

A process for taking preventive and corrective action...

A process for disposing of data in electronic form



About time?

Report from first health care privacy conference

By Dissent, June 14, 2011

Andy Oram writes:

Strange that a conference on health privacy has never been held before, so I’m told. Privacy in health care is the first topic raised whenever someone talks about electronic health records–and dominates the discussion from then on–or, on the other hand, is dismissed as an overblown concern not worthy of criticism. But today a conference was held on the subject, prepared by the University of Texas’s Lyndon B. Johnson School of Public Affairs and held just a few blocks from the Capitol building at the Georgetown Law Center as a preconference to the august Computers, Freedom & Privacy conference.

The Goldilocks dilemma in health privacy

Policy experts seem to fall into three camps regarding health privacy. The privacy maximalists include the organizers of this conference, notably the Patient Privacy Rights, as well as the well-known Electronic Privacy Information Center and a number of world-renowned experts, including Alan Westin, Ross Anderson from Cambridge University, Canadian luminary Stephanie Perrin, and Carnegie Mellon’s indefatigable Latanya Sweeney (who couldn’t attend today but submitted a presentation via video). These people talk of the risks of re-identifying data that was supposed to be de-identified, and highlight all the points in both current and proposed health systems where intrusions can occur.

On the other side stand a lot of my closest associates in the health care area, who intensely dislike Patient Privacy Rights and accuse it of exaggerations and mistruths. The privacy minimalists assert that current systems provide pretty good protection, that attacks on the average person are unlikely (except from other people in his or her life, which are hard to fight systematically), and that an over-concern for privacy throws sand in the machinery of useful data exchange systems that can fix many of the problems in health care. (See, for instance, my blog on last week’s Health Data Initiative Forum.)

Read more on O’Reilly Radar.

Full Disclosure: PHIprivacy.net was a sponsor of the conference, although I was unable to attend due to other commitments.

[Some resources from the conference: http://www.healthprivacysummit.org/resources ]



“We're from the government and we're here to help you!”

Federally-Mandated Medical Coding Gums Up IT Ops

"The changeover from a medical coding system in use since the 1970s to an updated version that adds more than 50,000 new 7-character codes is being compared to Y2K as an IT project that is nearly impossible to complete on time. [A government specialty... Bob] ICD-10, which replaces ICD-9, adds far more granularity to medical diagnosis and treatment. For example, ICD-9 has one code for a finger amputation. In contrast, ICD-10 has a code for every finger and every section of every finger. An 'unfunded mandate,' [Also a government specialty Bob] the changeover to ICD-10 codes is a multi-year project for hospitals, state Medicaid organizations, and insurance providers. The effort, which affects dozens of core systems, is taxing IT operational budgets at a time when shops are already under the gun to implement electronic health records."


(Related) Data volumes are exploding... Interesting video.

http://www.ted.com/talks/daniel_kraft_medicine_s_future.html#126793284858411028

Daniel Kraft: Medicine's future? There's an app for that



Maybe I should emulate Jay Leno and drive antique cars...

http://www.pogowasright.org/?p=23378

Nissan car secretly shares driver data with websites

June 13, 2011 by Dissent

Dan Goodin reports:

Electric cars manufactured by Nissan surreptitiously leak detailed information about a driver’s location, speed and destination to websites accessed through the vehicle’s built-in RSS reader, a security blogger has found.

The Nissan Leaf is a 100-percent electric car that Nissan introduced seven months ago. Among its many innovations is a GSM cellular connection that lets drivers share a variety of real-time data about the car, including its location, driving history, power consumption, and battery reserves. Carwings, as the service is known, then provides a number of services designed to support “eco-driving,” such as breakdowns of the vehicle’s energy efficiency based on comparisons with other owners.

But according to Seattle-based blogger Casey Halverson, Carwings includes the detailed data in all web requests the Nissan Leaf sends to third-party servers that the driver has subscribed to through RSS, or real simple syndication. Each time the driver accesses a given RSS feed, the car’s precise geographic coordinates, speed, and direction are sent in clear text. The data will also include the driver’s destination if it’s programmed into the Leaf’s navigation system, as well as data available from the car’s climate control settings.

Read more in The Register.


(Related) Why “location” is popular...

Adobe's CTO Pitches 'Apps Near You' Concept

"Next-generation applications will be location-specific, offering users information and features related to where they are at any given moment, Adobe Systems CTO Kevin Lynch, said at the Open Mobile Summit conference. 'Apps near you,' as he called the idea, would pop up on mobile screens when a user is close to a specific location. Lynch showed the example of someone with a Samsung tablet visiting a museum and being able to download a guide application."


(Related) More fun things you can do with “location”

Chinese Spying Devices Installed On Hong Kong Cars

"Spying devices disguised as electronic border cards have been secretly installed on thousands of Hong Kong vehicles by Chinese authorities, according to a Hong Kong newspaper. A translation of the story states Chinese authorities have been installing spying devices on all dual-plate Chinese-Hong Kong vehicles for years, enabling a vast network of eavesdropping across the archipelago."



Law Enforcement is so much easier if everyone is a criminal...

http://www.pogowasright.org/?p=23382

Petition for Rehearing Filed in United States v. Nosal, the Ninth Circuit Case on Criminalizing Violations of Computer Use Policies

June 14, 2011 by Dissent

Orin Kerr writes:

A petition for rehearing was recently filed in United States v. Nosal, the Ninth Circuit decision holding that an employee who violates his employer’s computer use policy is guilty of “exceeding authorized access” to the employer’s computer. I have posted a copy here. I hope the Ninth Circuit grants rehearing, as I think the Nosal case is both wrong on the law and deeply troubling for civil liberties in the Internet age.

Overstatement? I don’t think so. It seems to me that if the federal government can arrest you and throw you in jail for violating a computer use policy — any computer use policy — then the government can arrest pretty much anyone who uses a computer. Most people who use computers routinely violate computer use policies: While we understand that such policies may have force from the standpoint of breach of contract, no one thinks that breaching a computer use policy is the same as hacking into the computer. The Nosal case would change that. Under its reasoning, breaching a written policy is treated the same way as hacking. And as computers become more and more ubiquitous, the power to arrest anyone who routinely uses a computer is the power to arrest anyone.

Read more on The Volokh Conspiracy.



“Rules?”

http://www.bespacific.com/mt/archives/027497.html

June 13, 2011

Report - FBI Expands Surveillance Power of Agents

NYT: "The Federal Bureau of Investigation is giving significant new powers to its roughly 14,000 agents, allowing them more leeway to search databases, go through household trash or use surveillance teams to scrutinize the lives of people who have attracted their attention. The F.B.I. soon plans to issue a new edition of its manual, called the Domestic Investigations and Operations Guide, according to an official who has worked on the draft document and several others who have been briefed on its contents. The new rules add to several measures taken over the past decade to give agents more latitude as they search for signs of criminal or terrorist activity. The F.B.I. recently briefed several privacy advocates about the coming changes. Among them, Michael German, a former F.B.I. agent who is now a lawyer for the American Civil Liberties Union, argued that it was unwise to further ease restrictions on agents’ power to use potentially intrusive techniques, especially if they lacked a firm reason to suspect someone of wrongdoing."


(Related) I guess we can expect more like this...

First Challenge To US Domain Seizures Filed

"You may recall that the US government, mainly through Homeland Security's Immigration and Customs Enforcement division (ICE) has been seizing domain names over the past year, based on bad evidence, even leading to the 'accidental' seizure of 84,000 sites. While it has taken some time, the first challenge has been filed to the domain seizures, by the company Puerto 80, who runs Rojadirecta, a Spanish internet forum that was seized because users linked to streaming sporting events. Rojadirecta was declared perfectly legal (twice!) in Spain, but the challenge obviously focuses on US law, and how the seizure was improper and did not meet the qualifications for a seizure, how the seizure violates the First Amendment by being improper prior restraint on protected speech, and how Rojadirecta is not guilty of criminal copyright infringement. This could represent a very important case in determining the government's legal right to simply seize domain names."



Oh good. We get to see what they looked like before the mug shots...

http://www.bespacific.com/mt/archives/027501.html

June 13, 2011

GPO Releases Congressional Pictorial Directory: 112th Congress

"The U.S. Government Printing Office (GPO) has made available the Congressional Pictorial Directory: 112th Congress on GPO’s Federal Digital System (FDsys), a one-stop site to authentic, published Government information. GPO employees designed and created the Pictorial Directory, which features a color photograph of each Member of the House of Representatives and the Senate and details each Member’s length of service, political party affiliation, and congressional district. The Pictorial Directory also contains pictures of the President, Vice President, and House and Senate officers and officials."



Because Infographics are interesting...

http://www.makeuseof.com/tag/biggest-websites-internet-compared-infographic/

The Six Biggest Websites On The Internet Compared [Infographic]
