There's nothing like a little security
breach to mess up your IPO...
Notification delayed is notification denied? Betfair admits data hack… after 18 months
September 30, 2011 by admin
Nicole Kobie reports:
Gambling website
Betfair has admitted its systems were attacked 18 months ago, but
says it didn’t warn customers on the advice of UK police.
The gambling
company was hacked in March 2010, according to a report leaked to The
Telegraph, but Betfair didn’t notice the attack until six
days later.
The
report said card details of most of Betfair’s users were taken,
as well as 3.15 million account names with associated security access
questions, 2.9 million account names with addresses, and 89,744
sets of bank account details.
The report into the attack was apparently dated at the end of
September 2010, just days after Betfair had announced its IPO.
Read more on PC Pro. The company’s explanation for not notifying/disclosing was
three-fold, it seems: SOCA advised them not to, they say, their
security made the data unusable, and they were able to recover it all
intact.
For additional coverage see Alistair Osborne’s report on The Telegraph.
[From the Telegraph article:
… a report into the crime by
London-based consultants Information Risk Management lambasted
Betfair for the inadequacy of its systems security.
"Information security was not
implemented in accordance with best practice," the
report said, adding: "Appropriate information security
governance is not in place within Betfair and as a consequence the
business has been exposed to significant risks."
… Because of our security measures,
the data was unusable for fraudulent activity … [Interesting
phrasing. What was it usable for? Bob]
Follow up Apparently not a concept
they are familiar with...
By Dissent,
September 30, 2011
Sig Christensen has the confirmation
for my hunch that the SAIC
breach involved theft and not just loss of the backup tapes:
Science
Applications International Corp., a Pentagon contractor, said
Thursday the worker had been given the job of taking the tapes from
one federal facility to another when they were stolen.
A San Antonio
police report said the tapes containing the sensitive information,
including diagnoses and treatment information on beneficiaries in the
Defense Department’s Tricare program, were left in the car for most
of the day.
[...]
Police said the
car was parked at 300 Convent from 7:53 a.m. to 4:30 p.m. Sept. 13. A
stereo system valued at $300 was taken from the worker’s 2003 Honda
Civic, as was a GPS device and the backup tapes. The worker valued
the data tapes at $100.
Read more on MySanAntonio.com.
As I indicated previously, this appears
to be the second report of stolen backup tapes from SAIC since June
2010. Despite the losses, the firm continues to earn huge contracts
with the government.
[From the article:
They were being relocated in hopes of
finding a way to encrypt the data so the tapes could work with an
operating system, Guidry said. The system used to
back up information on the tapes could not encrypt data to federal
standards.
Guidry didn't say if the worker
violated a company rule in leaving the tapes in his car, but conceded
“if they weren't in the car, they wouldn't be stolen.” But
he said there was no evidence so far that “the data has been
accessed by unauthorized persons.”
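The SAIC item turns on a single fact: the backup system could not encrypt the tapes, so whoever took them from the car held readable beneficiary data. As an added illustration (not code from the article, from SAIC or from the Tricare programme), the Go routine below seals a backup image with AES-256-GCM before it leaves the facility, so a stolen copy is unreadable without the key and any modification is caught on restore. The sample record, the key handling and every function name are constructed for this example; in a real deployment the key would come from a key-management system that never travels with the media.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// Constructed sample of a backup record; nothing here is real Tricare data.
var sampleBackup = []byte("beneficiary=0000001;diagnosis=EXAMPLE;treatment=EXAMPLE\n")

// NewTapeKey returns a fresh random 256-bit key. In practice the key lives in a
// key-management system and is never stored on the same media as the backup.
func NewTapeKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return nil, err
	}
	return key, nil
}

// SealBackup encrypts a backup image with AES-256-GCM.
// Output layout: 12-byte random nonce || ciphertext || 16-byte authentication tag.
// GCM gives confidentiality (a thief sees only random-looking bytes) and
// integrity (any altered byte fails authentication on restore).
func SealBackup(key, plaintext []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	// Seal appends ciphertext+tag after the nonce, so one blob carries all that restore needs.
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// OpenBackup decrypts a sealed image; it fails closed on the wrong key,
// a truncated blob, or any tampering with nonce, ciphertext or tag.
func OpenBackup(key, sealed []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize()+gcm.Overhead() {
		return nil, errors.New("sealed backup too short")
	}
	nonce, body := sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():]
	return gcm.Open(nil, nonce, body, nil)
}

// LeaksPlaintext reports whether a known field name is visible in the sealed
// blob: a cheap pre-transport check that the image really was encrypted.
func LeaksPlaintext(sealed []byte, marker string) bool {
	return bytes.Contains(sealed, []byte(marker))
}

func newGCM(key []byte) (cipher.AEAD, error) {
	if len(key) != 32 {
		return nil, errors.New("key must be 32 bytes for AES-256")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

func main() {
	key, err := NewTapeKey()
	if err != nil {
		panic(err)
	}
	sealed, err := SealBackup(key, sampleBackup)
	if err != nil {
		panic(err)
	}
	fmt.Printf("sealed %d bytes; field name visible in blob: %v\n",
		len(sealed), LeaksPlaintext(sealed, "diagnosis"))

	// Simulate a tampered tape: flip one byte, and restore must be refused.
	tampered := append([]byte(nil), sealed...)
	tampered[len(tampered)-1] ^= 0x01
	if _, err := OpenBackup(key, tampered); err != nil {
		fmt.Println("tampered image rejected:", err)
	}

	restored, err := OpenBackup(key, sealed)
	if err != nil {
		panic(err)
	}
	fmt.Printf("restore intact: %v\n", bytes.Equal(restored, sampleBackup))
}
```

The point of the design is that the stolen artefact (the sealed blob) is worthless on its own: confidentiality depends only on the key, which stays behind, and the authentication tag means a courier or thief cannot silently alter a record either.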
It's a shame that this concept doesn't
translate well from the Canadian...
Ca: Lawful access would trample rights
September 30, 2011 by Dissent
Craig McInnes has some nice reporting
on the controversy over lawful access in Canada and legislative
proposals:
B.C.’s
Information and Privacy Commissioner is worried that Canadians don’t
really understand what is at stake.
“I see lawful
access as one of those fundamental tipping points,” Elizabeth
Denham said in a telephone interview this week.
“If you are
setting up private sector in a way that will provide easier access to
the police, that’s shifting our fundamental outlook about privacy
and civil rights protections of constitutional rights.”
Under the proposed
changes, if police want to know what people are saying on the
Internet, they will still need to get a warrant. But Internet
providers would be required to turn over on request information that
includes subscribers’ names and addresses, phone numbers, email
addresses and even their ISP addresses and information about the kind
of machines and software they are using.
“These appear to
be minor pieces of personal information but they are personal
information and it’s a slippery slope to give them
up without judicial oversight,” Denham says.
Read more on Vancouver Sun.
For my Ethical Hackers...
"Earlier this week, Microsoft
released an announcement about the
disruption of the Kelihos botnet that was responsible for spam
messages, theft of sensitive financial information, pump-and-dump
stock scams and distributed denial-of-service attacks. The botnet
had a complex, multi-tiered architecture as well as a custom
communication protocol and three-level encryption. Kaspersky Lab
researchers did the heavy lifting, reversing
the protocol and cracking the encryption and then sink-holing the
botnet. The company worked closely with Microsoft's Digital
Crimes Unit (DCU), sharing the relevant information and providing
them with access to our live botnet tracking system."
It might be fun to explore some “what
could possibly go wrong” scenarios with a bunch of lawyers. For
example, could a change of privacy policy be a form of “bait &
switch?”
Class Action Lawsuit Targets Pandora
September 29, 2011 by Dissent
Eriq Gardner reports:
Pandora, the web
service that allows users to customize radio stations based on
listening preferences, is facing a class action lawsuit in Michigan.
Peter
Deacon, a Michigan resident, is leading the lawsuit with
claims that Pandora is breaching customer privacy by making users’
profile pages, including favorite songs and listener history,
publicly available and searchable online. Additionally, the class
action asserts that Pandora is violating privacy by integrating
users’ listening records with their Facebook accounts.
The openness is
claimed
to be a violation of Michigan’s Video Rental Privacy Act and
Consumer Protection Act. The plaintiffs are demanding statutory
damages of $5,000 per person.
Read more on Hollywood Reporter.
When are businesses going to learn that
some users really really really don’t like you taking
their data and posting it to Facebook without their explicit consent?
And that changing your privacy policy may be legal
but it’s not smart if you apply it to existing accounts
without actually contacting users or customers to alert them and give
them a chance to opt out or delete their accounts?
Nothing helps to fund NASA (any
scientific endeavor actually) more than someone else doing well.
This is unlikely to create the same level of response as Sputnik, but
at least we have something to point to when we say “We gotta do
something!”
China Takes First Steps Toward A Space Station, Launches Tiangong 1
As NASA’s steps
get smaller, China’s space program is making big leaps with
plans to have a manned space station in orbit by 2020.
Geeky stuff...
Canonical Releases Windows Version of Ubuntu One
Canonical,
the commercial backer behind the Ubuntu
Linux distribution, has been hosting a file synchronization service
called Ubuntu One for a couple of
years now. A free account gets you 5GB of storage,
and the client side controls have been baked into the last couple of
releases of the Ubuntu distribution. It works pretty much like
Dropbox or similar services, but has been — until today —
Linux-only.
In an announcement
late last night, Canonical has revealed that there is
now a Windows client for Ubuntu One, allowing you to
access all your files from either Linux or Windows computers.
Really interesting rumor. But, what
would they do with it?
Rumour: Amazon eyeing smartphone sector via Palm acquisition
Stay current!
Jargon Watch: Flytilla, Botcloud, Dot-Brand
Botcloud n. A
botnet comprised of hundreds or thousands of virtual computers leased
from a cloud computing provider like Amazon.com for nefarious
purposes. It allows hackers to avoid the risk and hassle of
commandeering PCs to spread a virus.
Dot-brand n. A
top-level domain consisting of a company name, like .pepsi or .ibm.
Companies and organizations can apply for one for $185,000, a
promotional opportunity that some interest groups—compelled to pay
to protect their trademarks—consider extortionary.
Once again, Dilbert to the rescue.
Here he demonstrates how to avoid malware on Flash Drives!