Saturday, October 15, 2011

If the facts reported here are correct, the process used to allow a client to view their account online somehow depends on a number linked to their records, and that number is then displayed in the URL of the webpage generated by the system. A very old security design no-no. Then we seem to have an attempt to keep the whistle-blower quiet. That should be legally discouraged, since common sense doesn't seem to be in evidence...
AU: First State Superannuation fails to adequately secure online accounts, then threatens the security researcher?
October 14, 2011 by admin
First, let’s start with the breach, as reported by Darren Pauli on SC Magazine:
A security researcher was questioned by NSW Police after quietly reporting a massive security gaffe to First State Superannuation that potentially exposed millions of customer accounts.
Patrick Webster found he was able to access electronic superannuation notices of any customer by changing numerical values in URLs used to issue statements to clients.
Webster, a customer of First State Superannuation and consultant at OSI Security, increased the URL number value by one and was granted access to a former colleague’s super statement.
He was shown information such as name, address, date of birth, next of kin and superannuation payments.
[...]
Okay, simply changing a numerical value in a URL exposes customers’ data? In 2011? First State Superannuation should be very embarrassed.
In a letter to customers dated October 7, they acknowledged that customers’ online accounts had been accessed, but did not reveal how ridiculously simple it was for Webster to access their accounts. Then, in a phrasing that is completely contradicted by the circumstances, they write, “Your account remains secure.” “Remains?” It was not secure, which is why Webster was able to access others’ member statements. Maybe now it’s more secure, but for them to imply that the accounts had always been secure and remained secure is misleading, I think.
But their response to the breach deserves heaps and heaps of scorn and shaming. As also reported by Darren Pauli:
A security consultant who quietly tipped off First State Superannuation about a web vulnerability that potentially put millions of customers at risk has been slapped with a legal threat demanding he allow the company access to his computer, and warned he may be forced to pay the cost of fixing the flaw.
A legal document (pdf) seen by SC and sent from Pillar, the fund administrator of First State Super, demanded that Patrick Webster provide the company’s IT staff access to his computer.
Read more on SC Magazine. The legal document indicates that Webster reportedly accessed 568 members’ accounts. Why he accessed so many is not explained, and may wind up being important, but First State’s suggestion that he might have to pay for them fixing their sloppy security is mind-numbingly shameful.
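As an added illustration, not code from the article, the fund or its administrator: a small Python model of the statement lookup described above, first trusting the number in the URL as the report says the site did, then with the ownership check that was missing, plus a log check that flags a member walking consecutive statement ids. The statement ids, member names and log format are constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sample data (not from the article): statement id -> owning member.
STATEMENTS = {1001: "m-alice", 1002: "m-bob", 1003: "m-carol", 1004: "m-dave"}

def fetch_statement_vulnerable(session_member, statement_id):
    """The pattern in the report: the number in the URL is the only 'check'.
    Any logged-in member who changes the id is served another member's
    statement; session_member is never consulted."""
    if statement_id in STATEMENTS:
        return 200, STATEMENTS[statement_id]
    return 404, None

def fetch_statement_hardened(session_member, statement_id):
    """Ownership is verified server-side against the authenticated session.
    A statement that exists but is not yours gets the same answer as one that
    does not exist, so the endpoint cannot be used to enumerate valid ids."""
    owner = STATEMENTS.get(statement_id)
    if owner is None or owner != session_member:
        return 404, None
    return 200, owner

LOG_RE = re.compile(r"member=(\S+) GET /statement\?id=(\d+)")

def sequential_walkers(log_lines, run_length=3):
    """Flag members whose requests cover a consecutive run of statement ids
    at least run_length long (a member normally views only their own).
    Returns {member: (first_id, last_id)} for each flagged member."""
    ids_by_member = defaultdict(set)
    for line in log_lines:
        m = LOG_RE.search(line)
        if m:
            ids_by_member[m.group(1)].add(int(m.group(2)))
    flagged = {}
    for member, ids in ids_by_member.items():
        ordered = sorted(ids)
        start = ordered[0]
        for i in range(1, len(ordered) + 1):
            # End of a consecutive run: at the last id, or when the next id skips.
            if i == len(ordered) or ordered[i] != ordered[i - 1] + 1:
                if ordered[i - 1] - start + 1 >= run_length:
                    flagged[member] = (start, ordered[i - 1])
                    break
                if i < len(ordered):
                    start = ordered[i]
    return flagged

# Constructed access log: alice views her own statement, bob walks the ids.
SAMPLE_LOG = [
    "2011-10-07T09:00:01 member=m-alice GET /statement?id=1001 200",
    "2011-10-07T09:00:05 member=m-bob GET /statement?id=1002 200",
    "2011-10-07T09:00:06 member=m-bob GET /statement?id=1003 200",
    "2011-10-07T09:00:07 member=m-bob GET /statement?id=1004 200",
]
```

Returning 404 for a statement that exists but belongs to someone else, rather than 403, keeps the hardened endpoint from confirming which ids are valid.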


Interesting that they detected this. Often, organizations don't know (or care) what their contractors do with their data.
SEC Warns Staff Their Stocks Data Was Exposed
October 14, 2011 by admin
From the heeding-their-own-advice dept.:
The Securities and Exchange Commission is warning staffers that their personal brokerage account information may have been compromised, after it uncovered security flaws with an ethics compliance program.
The SEC put the program in place after its internal watchdog raised concerns about possible insider trading among SEC staffers.
In an October 7 letter to SEC employees, Chief Information Officer Thomas Bayer said that the contractor hired to operate a computer program that tracks trades had violated its agreement with the SEC by providing names and account numbers to a subcontractor without permission.
“We are not aware of any actual misuse of the data,” Bayer wrote. “Nevertheless, it is the SEC’s policy to provide notification of any incident that presents the potential for unauthorized access to personal information.”
Read more on NEWS.GNOM.ES


So, if I understand this: if a truly ignorant (or lazy) 'data controller' can't figure out what a competent 12-year-old can, they're free to distribute the data?
UK Information Tribunal Rules Properly Anonymized Personal Data Can Be Disclosed Under FOIA
October 14, 2011 by Dissent
On September 7, 2011, the United Kingdom Information Tribunal published a decision that appears to resolve the long-running uncertainty regarding the extent to which anonymized personal information may be disclosed under the UK’s Freedom of Information legislation. The UK’s FOIA was introduced and applicable to most of the UK in 2000, with equivalent law following for Scotland in 2002.
[...]
In short, the High Court’s current position appears to be that if a data controller removes enough identifiers from a copy set of personal data to ensure the controller itself is unable to translate the anonymized copy back into personal data, then the anonymized copy can be disclosed to a third party pursuant to a FOIA request.
Read more on Hunton & Williams Privacy and Information Security Law Blog.
[From the blog:
For years, this personal data exception has befuddled UK courts. The first case on anonymization and disclosure reached the House of Lords in 2008, with three members of the House issuing judgments. Baroness Hale delivered a robust minority view that the test should be whether disclosing the information would allow the recipient to identify individuals, but the majority followed Lord Hope’s lengthy opinion suggesting that the data must be sufficiently altered so as to be anonymous to the controller before it can be disclosed.]


Don't ya just love that dry British humor?
“How private is private?” – a speech by Mr Justice Eady
October 14, 2011 by Dissent
On 8 October 2011, Mr Justice Eady gave a speech entitled “How private is private?” to the “2011 Young Bar Conference”. The speech is a characteristically entertaining and informative tour of the privacy landscape, with a little gentle teasing of press and politicians along the way and a firm message about the relationship between parliament and the judiciary.
Read more on Inforrm’s Blog.


We're looking for a new HTML5 textbook. My search returned 127 hits!
PDFSb: Online Database Of Free Ebooks
PDFSb is a free-for-all website, and may be called a hub of free PDF books. The website serves as a link to the millions of free PDF books online. The good thing is, it gives you all of those in one place. Not only that, but the ability to search for a book makes things a lot easier. Currently, the database holds 6,500,000+ books and is ever growing!

