Saturday, April 02, 2011

Another third party (Cloud Computing?) breach. I wonder if companies using such “outsourced services” gain any reduction in liability?

Kroger customer data stolen from Epsilon (updated)

April 1, 2011 by admin

Yet another email service provider has been compromised for customer names and email addresses.

Kroger Co. is letting customers know a breach of a database with its customers’ names and email addresses.

The breach occurred at Epsilon, a national third-party email fulfillment company headquartered in Dallas.


In the email Kroger sent to customers, the nation’s largest traditional grocer assured them the only information that was obtained was customers’ names and email addresses. Also, it relays the message that Kroger would never ask a customer to email personal information such as credit card numbers or Social Security numbers.

Read more in Business Courier.

No statement appears on Kroger’s web site at the time of this posting, but a brief notice on Epsilon’s web site says:

On March 30th, an incident was detected where a subset of Epsilon clients’ [More than one, less than all? Bob] customer data were exposed by an unauthorized entry into Epsilon’s email system. The information that was obtained was limited to email addresses and/or customer names only. A rigorous assessment determined that no other personal identifiable information associated with those names was at risk. A full investigation is currently underway.

Update: A reader kindly sent me a copy of the email Kroger sent to customers:

From: Kroger
Sent: Fri, April 1, 2011 4:16:23 PM
Subject: Important Information from the Kroger Family of Stores

To ensure receipt of your Kroger emails, please add to your address book.

If you are having trouble viewing this email, please click here ([redacted to protect reader's name] ).


Kroger wants you to know that the data base with our customers’ names and email addresses has been breached by someone outside of the company. This data base contains the names and email addresses of customers who voluntarily provided their names and email addresses to Kroger. We want to assure you that the only information that was obtained was your name and email address. As a result, it is possible you may receive some spam email messages. We apologize for any inconvenience.

Kroger wants to remind you not to open emails from senders you do not know. Also, Kroger would never ask you to email personal information such as credit card numbers or social security numbers. If you receive such a request, it did not come from Kroger and should be deleted.

If you have concerns, you are welcome to call Kroger’s customer service center at 1-800-Krogers (1-800-576-4377).


The Kroger Family of Stores

If you wish to create or edit your online Kroger profile, please click here
([redacted to protect reader's name]).

The Kroger Co.
1014 Vine Street
Cincinnati, OH 45202


Epsilon breach also affects JPMorgan Chase customers

April 1, 2011 by admin

The Epsilon hack reported earlier as affecting Kroger customers also affected JPMorgan Chase customers. From the financial firm’s web site, this press release:

JPMorgan Chase (NYSE: JPM) Chase announced today that we were informed by Epsilon, a marketing vendor we use to send e-mails, that an unauthorized person outside their company accessed files that included e-mail addresses of some Chase customers. We are advised by Epsilon that the files that were accessed did not include any customer financial information, but are actively investigating to confirm this. As always, we are advising our customers of everything we know as we know it.

Chase will never ask customers for personal information or credentials in an email.

Information for Chase customers is available on

They have your credit card and all they do is buy music?

Hackers compromising some iTunes accounts

April 1, 2011 by admin

Matt Liebowitz reports:

Hacked accounts and fraudulent purchases are leaving iTunes users singing a sad song — again.

Crafty computer criminals are compromising users’ iTunes accounts and purchasing hundreds of dollars worth of music, apps, gift cards, ringtones and games, the security firm Kaspersky Lab reported.

The hacks, discussed in detail in an Apple Discussions blog and an “iTunes Account Hacked!” Facebook page, all share similar characteristics: The assailants gain access to the victims’ credit card information, modify the billing address and use the stolen info to make the fraudulent purchases.

Read more on MSNBC.

Even Security firms are not immune...

RSA Says SecurID Hack Based On Phishing With Flash 0-Day

"RSA confirmed on Friday that the attack that compromised the company's high-value SecurID product was essentially a small, targeted phishing campaign that included a payload of a malicious Flash object embedded in an Excel file."

Is the RIAA crazy? Is Amazon 'crazy like a fox?'

Amazon’s Cloud Player Tests The Limits Of The Record Labels’ Patience

Amazon may have introduced its digital locker music service, the Cloud Player, before similar services from rivals Google and Apple (that are widely believed to be launching this year), but that doesn’t mean it will be an easy existence. Not long after the company published a note on its Web site inviting users to give Cloud Player a try did one of the major record labels offer a warning. “We are disappointed that the locker service that Amazon is proposing is unlicensed by Sony Music,” a Sony spokesman said. [Why would Amazon need a license from Sony for me to store my music on their servers? Bob]

… The idea of streaming music isn’t new. Services like Spotify in Europe and Rdio in the U.S. have long given users the ability to stream music using a variety of desktop and mobile applications. The key difference between these services and the Amazon Cloud Player is that Amazon’s allows you to upload your own music to its servers (“the cloud”), and then access those as you see fit.

… Sony Music has been the most vocal opponent thus far. It told Reuters that it didn’t think its licensing agreement with Amazon would permit streaming music. (The record labels differentiate between giving users the ability to download a song once versus being able to call upon that same song as you see fit. Think you own a song when you download it from iTunes? Think again, as you’ve only purchased a license to download the file once. Ownership of digital music is a thing of fiction.) More ominously for Amazon, it also said that it was “keeping its legal options open.” But what type of problems could Amazon run into?

Julie Samuels, a staff attorney at the Electronic Frontier Foundation, says that Amazon may model its defense on how Cablevision successful argued for its remote storage digital video recorder, or RS-DVR, in 2006TKTK.

(Related) Or, you could do it yourself...

DIY Cloud: Two Hard Drives That Let You Access Files Anywhere

Some other Cloud Computing tools for individuals...

4 Great Uses For Amazon’s S3 Web Services

Despite Amazon being most well known for their retail services, they actually also offer a host of web services for developers and home users that take advantage of Amazon’s experience and scalability with massive amounts of data warehousing.

[My pick: Storage

5GB free, then $0.15/GB per month (100GB = $15)

Backup Your Computer Files

The most obvious use is for cloud-backup of your important files. While I don’t suggest you spend the next 6 months uploading your entire 4TB video collection to S3, they do claim to achieve 99.999999999% file durability, which means anything you upload will most certainly not get destroyed. For critical files you couldn’t stand to lose, it is the most cost effective and secure way of ensuring you have a solid backup.

Ubiquitous surveillance. You might as well start subjecting them to 24/7 surveillance at birth... (It must be Okay, it's for the children!)

Evoz: Baby Monitoring 2.0 Comes Of Age

One of those unbearable things young parents need to purchase without further ado, is a baby monitoring system.

Me and my wife already bought one, but while we were evaluating existing systems I couldn’t help but notice that even the more advanced ones on the market today seem little more than glorified walkie-talkies.

A couple of weeks ago, knowing that I would soon become a dad, Jyri Engestrom nudged me and said he had stumbled upon a fledgling company, Evoz, that set out to build a baby monitoring system for the always-connected generation, and that I should check it out.

… Imagine if you had an iPhone or iPod touch to spare, and that you’d simply install it in a charger in your young child’s room like you would any baby monitor.

Now imagine that an always-on application installed on the device would let you call in from anywhere in the world to hear how your baby is sleeping (or exactly how hard he or she is crying, or if you’re lucky, laughing or playing). Imagine that you could also opt to receive ‘quiet’ alerts by SMS or email whenever your kid cries for longer than, say, 5 minutes, so you can give the babysitter a quick call to see what’s up after e.g. a meeting or dinner.

Imagine that the app also automatically collects data on the sleeping and crying behavior of your child, and that you could analyze that data to see if he or she matches the behavior of children of the same age. And that you could just as easily get in touch with a network of baby health experts or sleep consultants if you have any questions or concerns.

Evoz lets you do all that, and more. The company isn’t quite ready to launch yet, but intends to roll out its service more broadly in the next few months.

Video for my Computer Security students.

How to Remove Keyloggers


Personal Digital Disasters

Friday, April 01, 2011

A breach is a breach. Why should porn actors be treated any differently? Does their business model really lower the security of health records? Are they the only industry that shares medical test results?

AHF: Breach of Porn Actors’ Data Reveals Failure of AIM Clinic Testing Model

By Dissent, March 31, 2011

The following is a press release from AHF:

After over 12,000 current and former adult film performers who tested for HIV and other STDs at the Adult Industry Medical Healthcare Foundation’s (AIM) HIV Testing Clinic in Sherman Oaks had their privacy breached when their personal data collected from AIM was published illegally on a Wiki-leaks type website earlier this month, the AIDS Healthcare Foundation (AHF), which has separately been spearheading a workplace safety campaign to require the use of condoms in porn, harshly condemned the release of such personal patient data, yet also noted that the privacy breach underscores the vulnerability of AIM’s entire clinic business model. The industry-funded clinic serves 1,500 to 2,000 active adult film performers each year; however, over the past year it has faced mounting trouble. According to the LA Times (3/30/11), “The AIM clinic opened in 1998 but was shut down in December by Los Angeles County public health officials two days after state health officials denied its application to operate as a community clinic based on what regulators called “business-related issues.” The clinic was sold and allowed to reopen last month as AIM Medical Associates P.C., part of a doctor’s office regulated by the Medical Board of California, according to state officials.”

“Despite our differences with AIM and segments of the industry over condom use, we are indeed saddened by the news of this privacy breach of personal information of over 12,000 current and former AIM patients,” said Michael Weinstein, President of AIDS Healthcare Foundation. “However, this breach should not come as a surprise to any care provider who dutifully manages and cares for populations of patients. The entire business model of the AIM clinic has been flawed from the start, and as a result, its patients’ privacy has been violated. Performers—not producers—should be the ones to have password-protected access to their own testing results and health data from the AIM Testing Clinic. Performers should also be the ones who choose to share that information with producers they intend to work for. As it stands, AIM views the producers as their clients, not the performers walking through its doors each day to get tested.”

While AIM charges each patient (and potential adult film performer) for HIV and other testing (something that is illegal under California law), they also require patients to sign overly broad patient release forms allowing industry producers to view the test results and health data. Producers in turn pay a regular monthly subscription fee for unlimited access to AIM’s entire database of test results for current and previous performers.

It is unclear where or how the privacy breach occurred—from inside AIM, or from a subscriber to AIM’s testing results database.

AIDS Healthcare Foundation (AHF) is the largest global AIDS organization. AHF currently provides medical care and/or services to more than 156,000 individuals in 26 countries worldwide in the US, Africa, Latin America/Caribbean and the Asia Pacific Region.

A statement on AIM’s web site – dated today – says:

AIM Medical Associates, P.C. is investigating the possibility of a criminal breach of the medical record database. Substantial amounts of information posted on the site in question could not come from the AIM* database because we do not possess that information. Specifically, home addresses and identification documents are not within the AIM* database. Other testing businesses may or may not have such information on their databases.

AIM is utilizing every available resource to conduct a thorough forensic investigation to confirm if a breach of security occurred here. If such a breach occurred, we shall take all available steps to see that the felonious behavior is criminally prosecuted to the maximum extent under the law. Accessing a database for improper purposes, violating medical privacy and extortion are all crimes in California. There is preliminary information indicating that criminal behavior by persons or entities may have occurred.

In any case, the malicious nature of the site cannot be overstated. It is reprehensible that the site characterizes all adult actresses as “whores,” and refers to some women as “baby killers.” It is gratifying that the website has been largely unavailable at least over the past few days. We hope the hosting company removes this scurrilous site altogether.

Apparently, there was no procedure in place to check the data before release.

WA: Wenatchee Valley College notifies former students of data breach

March 31, 2011 by admin

Rachel Schleif reports on another breach that occurred in the context of responding to a public records request:

Wenatchee Valley College accidentally released Social Security numbers of students who attended classes there 10 years ago.

The college sent letters of apology to more than 3,800 former students Monday, and urged them to place fraud alerts on their credit files as a precautionary step.

The mistake happened as the college responded to a public records request from a local law firm asking for 10 years of financial records.

Until fall 2002, the college’s record system tracked students by their Social Security numbers instead of student identification numbers.

In December, the college sent 84,000 pages of data in the response to the request and inadvertently included the Social Security numbers. A student analyzing the data found the numbers and alerted the college on March 24, said Fiscal Services Director Jonah Nicholas.

Nicholas said it’s hard to say how many of those 3,800 former students were included in the records release, [“We have no idea what we did...” Bob] but he sent letters to students who attended WVC before 2002, just in case.

The student, Brent Magarrell, said the records also included legal names of students since 2000, along with their corresponding student identification numbers. With an identification number and a birthday, one could hack into students’ college email, registration and financial records, he said.

Magarrell said he filed a complaint about the security breach with the federal Department of Education for a violation of the Family Educational Rights and Privacy Act.

Source: Wenatchee World.

Well, Magarrell may be a cockeyed optimist, as the U.S. Education Department generally does nothing in response to breaches. Oh, maybe they’d say they do something, but when you consider how many breaches there have been by FERPA-covered entities and ask yourself, “Has USED ever once cut off funding or done anything significant to a breached entity?” the answer is “no.”

At least in this case, the risk of the data being misused does seem really low. But even so….

Another resource for Breach data is improved...

When it comes to compiling breaches, more is better

March 31, 2011 by admin

As announced by the good folks at today, I’ve agreed to work with them in terms of maintaining and developing their database. and will continue as they always have, but expect to see more breaches show up in DataLossDB in a timely fashion and expect to see more backfilling over time and more primary sources that I will be requesting under FOIA. We have some big plans, so do stay tuned.

Their announcement:

The Open Security Foundation is pleased to announce that Dissent, the publisher and maintainer of and has now joined DataLossDB as a curator for the project.

OSF has worked with Dissent over the years and she is already known to us as a DataLoss Archaeologist, as she took third place in our “Oldest Incident” contest. She found the 1984 TRW incident, where computer hackers gained access to a system holding credit histories of some 90 million people, which happens to be the 3rd largest breach of all time in DataLossDB. Her more active involvement with the project on a day-to-day basis will help us remain the most complete archive of dataloss incidents world-wide and will enhance our ability to keep current on more breaches in a timely manner. Dissent will continue to maintain her own web sites as a resource on breach news and issues.

For those who do not know Dissent, she’s a practicing health care professional with a special concern for health care sector breaches, and we expect to see increased coverage of medical sector breaches in the database in months to come. As Dissent notes, “With recent changes to federal laws making more information available to us about health care sector breaches, we are now beginning to get some sense of how common these breaches are and the common breach types. Including these incidents in the database will enable analyses that would not have been possible or meaningful just a few years ago.”

Open Security Foundation’s CEO, Jake Kouns says, “Dissent has been a supporter of DataLossDB from the very beginning and is an extremely dedicated and thorough researcher.” “We are extremely fortunate to have her as part of the DataLossDB team and look forward to working more closely with her.”

Welcome Dissent, our newest curator and resident research queen!

Note that Jake was being diplomatic/professional. Personally, I would have preferred the title of “resident research bitch,” which is reminiscent of how my grad students fondly nicknamed me “Stat Bitch” back in my days as an academic teaching research design and statistical analysis.

Well, I think it was fondly, anyway…

The electronic version of “Playing Doctor?”

The Sext Wars: Consent, Secrecy, and Privacy

April 1, 2011 by Dissent

Mary Anne Franks writes:

The sexting phenomenon reveals much about contemporary social attitudes towards sexual expression, consent, and privacy, especially with regard to minors. One of the most troubling aspects of the debate over what can and should be done about “sexting-gone-bad” scenarios is the tendency to treat the parties involved as more or less moral and legal equivalents. A typical “sexting-gone-bad” scenario is one in which a young person takes an intimate cellphone photograph of him- or herself, forwards it to an actual or potential romantic interest, and discovers that this photograph has been forwarded to many other individuals, including strangers, classmates, and family members. There are at least four distinct categories of individuals involved in such a scenario: the creator of the image, the intended recipient, the distributor, and the unintended recipient. The second and third categories are sometimes the same person, but not always, and the number of individuals in the fourth category is potentially enormous. The legal response in many of the first sexting cases was to bring child pornography charges (creation, distribution, or possession) against all the individuals involved; the social response has likewise treated the various players as roughly morally equivalent. In some sexting cases, the distributors of the images have not been charged at all, whereas the creators have been. The view that the creators of sexual cellphone images are as bad as or worse than the distributors of those images combines many troubling social attitudes about sexual expression and privacy.

Read more on Concurring Opinions.

Hey, It's a way to catch stupid people...

Ninth Circuit Decides Cotterman Case, Reversing District Court on Laptop Seizure at the Border

March 31, 2011 by Dissent

Orin Kerr writes:

Back in 2009, I blogged about United States v. Cotterman, a fascinating Fourth Amendment case from the District of Arizona involving a forensic search of a computer seized at the U.S./Mexico border. Ninth Circuit precedent holds that the government can search a computer at the border with no suspicion under the border search exception, just like it can search any other property. The question in Cotterman was whether the government could seize the computer, bring it to a forensic specialist 170 miles away, and have the forensic specialist search the computer there two days later. Is that still a border search? Or does the delay in time, or the change in location, mean that the border search exception doesn’t apply (or applies differently)? The District Court held that the delay in time and the moving of the computer required applying the ‘extended’ border search doctrine, which requires reasonable suspicion, instead of the traditional border search exception, which does not. As I noted here, the Government appealed but has not argued that the search was justified by reasonable suspicion. As a result, the case presents a pure legal question: Does the Fourth Amendment require reasonable suspicion in these circumstances, or is the seizure and subsequent search permitted without any cause?

In a decision released this morning, United States v. Cotterman, a divided Ninth Circuit reversed and held that the seizure and search were permitted without cause.

Read more on The Volokh Conspiracy.

“We can, but Trust US, we won't.” I wonder which 3-letter agencies already use this?

Google rebukes CNN over facial recognition story (updated with CNN’s response)

March 31, 2011 by Dissent

Yesterday it was a report about Samsung causing a privacy scare. Today it’s a story about Google.

While I was working, it seems that CNN published a story claiming that Google was developing an application that would do facial recognition and provide corresponding contact information. The CNN story, by Mark Milian, quoted Google’s Hartmut Neven, engineering director for image-recognition development for Google for some of its statements.

Google reacted strongly. In a statement to Android Community, they wrote:

We are NOT “introducing a mobile application” (as the CNN piece claims) and as we’ve said for over a year, we would NOT add face recognition to any app like Goggles unless there was a strong privacy model in place. A number of items “reported” in the story, such as a potential app connecting phone numbers, email addresses and other information with a person’s face, are purely speculative and are inventions of the reporter.

CNN does not seem to have updated its story to reflect Google’s response.

So let’s see: if I just work longer hours each day, can I miss having to post a story and then its refutation or correction?

Update: Greg Sterling of Search Engine Land provides the next round:

Here’s where it gets strange and interesting. I just got a statement from CNN saying that Google that was full of it:

Google’s claims do not fit the facts of the situation. This interview was prearranged – on the record – and staffed by a Google PR rep, who raised no objections at the time and did not deny what the engineer said. Additionally, we have an audio recording of the interview, as does Google. We stand firmly behind Mark’s reporting.

Recorded interview. On the record. Google PR person in the room.

Clearly the technology exists; Google’s not denying that. The question is whether the app or update to Goggles is about to be released.

He said/she said: where’s the truth? I guess we’ll find out if Google does release such a capability in the near future.

h/t, @PrivacyMemes

(Related) Another trivial application of technology...

“Creepy,” a New Locator App, Is Creepy

March 31, 2011 by Dissent

Nick Greene writes:

26-year-old Yiannis Kakavas has invented Creepy, an application that he describes as a “geolocation information aggregator,” reports. What that means: Type in someone’s Flickr or Twitter account into Creepy, and it will cultivate all the information available from the user’s photos or tweets and draw a map of their locations at the time of posting. If you feel that this is an invasion of privacy, keep in mind that all the information used is already public. Scary, huh?

Read more on Village Voice.

One of the risks of over-reliance on Cloud Computing... I'll bet the contract they signed makes them responsible for backups.

'Zodiac Island' Makers Say ISP Worker Wiped an Entire Season

"The creators of 'Zodiac Island' say they lost an entire season of their syndicated children's television show after a former employee at their Internet service provider wiped out more than 300GB of video files. eR1 World Network, the show's creator, is suing the ISP, CyberLynk of Franklin, Wisconsin, and its former employee, Michael Jewson, for damages, saying CyberLynk should have done a better job of protecting its data."

(Related) I'm a day late, but it is still worth mentioning...

It's World Backup Day

"Today is World Backup Day, an occasion to back up your personal data and financial information and check your restores. For those needing motivation — a group that apparently includes 15 percent of data centers — the Slashdot archives bear witness to date disasters at providers small (Ma.gnolia) and large (Microsoft). The World Backup Day initiative grew out of a thread at Reddit, and invites online backup services to observe the occasion by offering discounts."

Legal extortion?

How Mass BitTorrent Lawsuits Turn Low-Budget Movies Into Big Bucks

On March 7, Camelot Distribution Group, an obscure film company in Los Angeles, unveiled its latest and potentially most profitable release: a federal lawsuit against BitTorrent users who allegedly downloaded the company’s 2010 B-movie revenge flick Nude Nuns With Big Guns between January and March of this year. The single lawsuit targets 5,865 downloaders, making it theoretically worth as much as $879,750,000 — more money than the U.S. box-office gross for Avatar.

At the moment, the targets of the litigation are unknown, even to Camelot. The mass lawsuit lists the internet IP addresses of the downloaders (.pdf), and asks a federal judge to order ISPs around the country to dig into their records for each customer’s name.

Sound very much like my RSS feed reader. If they send the user to the originating site, how does this hurt the publishers?

Publishing Heavyweights Target iPad Media App ‘Zite’

An unusually large group of media companies (including Advance Publications, the parent company of the company that publishes Wired) have issued a strongly-worded legal warning to Zite, a relatively new iPad media app which aggregates news stories based on your Twitter and Google Reader activity.

… Zite calls itself a magazine, but is more of an enhanced news reader, very much in the mold of Pulse and Flipboard. Zite doesn’t provide original content but rather leverages the link economy to display the content behind URLs in an eye-pleasing way reminiscent of newspapers and, yes, print magazines. It excerpts the first few dozen words of each story and displays a thumbnail picture (if any). The reader can click on a story and see either a faithfully-produced webpage on the app’s internal browser, ads and all — or an undesigned text-only distillation, a la Instapaper and Read It Later.

For my “Global Security” students and our continuing debate “are low level terrorists stupid or ignorant”

Convicted Terrorist Relied On Single-Letter Cipher

"The Register reports that the majority of the communications between convicted terrorist Rajib Karim and Bangladeshi Islamic activists were encrypted with a system which used Excel transposition tables which they invented themselves. It used a single-letter substitution cipher invented by the ancient Greeks that had been used and described by Julius Caesar in 55BC. Despite urging by the Yemen-based al Qaida leader Anwar al-Awlaki, Karim rejected the use of a sophisticated code program called 'Mujhaddin Secrets' which implements all the AES candidate cyphers, 'because "kaffirs," or non-believers, know about it so it must be less secure.'"

Nothing unusual in a politician misspeaking. The downside would be a search for “John Kerry” that returned “No Results.” (or worse?)

Kerry: I misspoke regarding Google privacy commitment

March 31, 2011 by Dissent

Mark Arsenault reports:

US Senator John Kerry misspoke yesterday in saying that the Internet giant Google was on-board with the senator’s efforts to craft an Internet privacy bill, his office said this morning.

The Massachusetts Democrat has discussed the bill with Google officials but those talks are still ongoing, according to Kerry’s office.


(Related) Some politicians have never heard of the Streisand Effect. Actually, this suggests that the Congressman does not have other sources of income – probably proving that he is new rather than honest...)

Congressman Wants YouTube Video Covered Up

"Wisconsin Republicans claim that no one else can republish a video of United States Representative Sean Duffy (R-WI) complaining about how he is 'struggling' to get by on his $174,000 salary without their permission, even though they originally released the video on YouTube for the whole world to see. Now the GOP is trying to take legal action to stop anyone else from republishing the video. The tape caused a stir for Duffy, a first-term conservative best known for his past as a reality TV show star on MTV's The Real World after Democrats flagged the comments about his taxpayer-funded salary, which is nearly three times the median income in Wisconsin, and criticisms began to flow Duffy's way. Here's a one-minute clip, excerpted from roughly 45 minutes of video of the public Duffy townhall, that the Polk County GOP doesn't want anyone to see."

April First means.... (

Thursday, March 31, 2011


Failure to encrypt portable devices inexcusable, say analysts

March 31, 2011 by admin

Following the report earlier this week that a laptop containing 13,000 BP claimants’ personal data was missing, Jaikumar Vijayan reports that data breaches involving unencrypted laptops and portable drives continue at inexcusably high rates:

The company is only the latest in a long list of organizations that have made similar announcements over the past several years. In fact, data compromises involving lost or stolen laptops, unencrypted storage disks, and other mobile devices account for a substantial portion of breaches these days…. a distressingly large number of companies have continued to ignore the advice — some because they are unwilling to spend the money and others because of the perceived complexity involved with encryption.

“There really is no excuse for not encrypting laptops,” said Avivah Litan, an analyst with Gartner.

Read more on Network World.

Clearly, as my occasionally snarky comments on this blog suggest, I agree with the analysts quoted in the news story. For how many years will we continue to read that entities were “in the process of encrypting” at the time of a breach, or now that they’ve had a breach, the entity is “speeding up” its efforts to harden its security and to use encryption. Encryption meeting NIST standards offers safe harbor for HIPAA-covered entities and can save time and money in terms of the costs of a breach. Would entities really rather spend $10-$15 per person offering free credit monitoring after a breach, or should they invest much less in preventing the breach? And how much is brand harm or bad press worth? Isn’t it worth the cost of encrypting your laptops and thumb drives?

Entities that collect information need to protect it. Anything else is just playing fast and loose with our information and our privacy and should incur fines or penalties. The “grace period” should be over.

[From the article:

"Enterprises that are not putting in laptop encryption are just being lazy," she said.

The growing cost of data breaches in particular should be pushing companies to adopt portable encryption more aggressively, say analysts. The Ponemon Group released a report last month showing how companies that experience data breaches these days can end up paying close to $214 per compromised record on average .

"I think laptop encryption is one of the few slam-dunks in security for any company of reasonable size because the risks are fairly well known and the solutions are mature," said Pete Lindstrom, an analyst with Spire Security.

… That lack of adoption is a problem not just in the private sector, but also within the federal government.

In 2006, when an employee at the U.S. Department of Veterans Affairs lost a laptop and several storage disks containing personal data on over 26 million veterans, the Office of Management and Budget (OMB) issued a memorandum requiring all agencies to encrypt sensitive data (PDF document) on portable devices.

Close to five years later, several federal agencies are not even close to compliance, according to an OMB report to Congress released earlier this month.

What is “insider information” worth?

U.S. Spy Agency Is Said to Investigate Nasdaq Hacker Attack

The National Security Agency, the top U.S. electronic intelligence service, has joined a probe of the October cyber attack on Nasdaq OMX Group Inc. amid evidence the intrusion by hackers was more severe than first disclosed, according to people familiar with the investigation.

The involvement of the NSA, which uses some of the world’s most powerful computers for electronic surveillance and decryption, may help the initial investigators -- Nasdaq and the FBI -- determine more easily who attacked and what was taken. It may also show the attack endangered the security of the nation’s financial infrastructure.

“By bringing in the NSA, that means they think they’re either dealing with a state-sponsored attack or it’s an extraordinarily capable criminal organization,” said Joel Brenner, former head of U.S. counterintelligence in the Bush and Obama administrations, now at the Washington offices of the law firm Cooley LLP.

Investigators have yet to determine which Nasdaq systems were breached and why, and it may take months for them to finish their work, two of the people familiar with the matter said.

Czech court bans telephone data retention

March 31, 2011 by Dissent

Associated Press reports:

The Czech Republic’s Constitutional Court has overturned parts of a law that force telephone operators to retain data on telephone calls and Internet traffic.

The court said Thursday the practice is unconstitutional. It says the provisions ordering data on all calls, faxes, text messages and e-mail exchanges to be retained for six months enabled a “massive” invasion into citizens’ rights and were not in line with the rule of law.


Read more on SeattlePI.

[Czech constitution:

AdChoices? Compliance with Online Behavioral Advertising Notice and Choice Requirements

March 30, 2011 by Dissent

A new research report from CMU’s CyLab:

Online behavioral advertisers track users across websites, often without users’ knowledge. Over the last twelve years, the online behavioral advertising industry has responded to the resulting privacy concerns and pressure from the FTC by creating private self-regulatory bodies. These include the Network Advertising Initiative (NAI) and an umbrella organization known as the Digital Advertising Alliance (DAA). In this paper, we enumerate the notice and choice requirements the DAA and NAI place on their members and check for compliance with those requirements by examining members’ privacy policies and reviewing ads on the top 100 websites. We also test DAA and NAI opt-out mechanisms and categorize how their members define opting out. Our results show that most members are in compliance with some of the notice and choice requirements, but there are numerous instances of non-compliance. Most examples of non-compliance are related to the “enhanced notice” requirement, which requires advertisers to mark behavioral ads with a link to further information and a means of opting out.

Read the full report by Saranga Komanduri, Richard Shay, Greg Norcie, and Lorrie Faith Cranor on CyLab (pdf).

A lab experiment for my Computer Forensics students: recover all the data, determine who was alerted. Extra credit: Activate this app remotely.

U.S. Gov't to thank for panic button app to wipe phones

There's a new app being developed by the U.S. Government and it seems like everyone should want to add it to their phone for all kinds of different reasons. If a cell phone is confiscated by police or government agency, the panic button app will wipe the cell phone's address book, history, text messages and broadcast the arrest as an emergency alert to fellow activists.

If we don't like an article, do we have a responsibility to “correct” it?

Wikipedia Wants More Contributions From Academics

"University professors don't feel their role as intellectuals working for the public good extends to contributing to the world's largest encyclopedia, the Guardian reports. Wikimedia foundation is currently surveying academics as part of a search for ways to encourage them to pitch in alongside anonymous civilians and raise quality. The main problem seems to be the academic ego: papers, talks and grant proposals build reputation but Wikipedia edits do not."

For my geeky friends...

FCC Giving Away Wi-fi Routers For Broadband Tests

"The Federal Communications Commission (FCC) will be giving away 10,000 Wireless-N routers as part of their program to perform a number of broadband tests, for the benefit of a better connection in the future. They are striving to work on improving a number of issues including latency, packet loss, connection speeds and much more."

[From the article:

They have extended their research efforts to the public, but there are some minor requirements which need to be met. For example, your connection must be consistent (suffer very few disconnections), users must be considered average Internet browsers and not heavy downloaders, and you must currently use a standalone device to connect to the web.

Most users may be eligible for one of 10,000 Netgear WNR3500L wireless routers, for use during the trial, and they will get to keep it once the test period is over, obviously for the time and effort invested.

You can find out more about the offer at the FCC Test My ISP website.

[You will also need to know your Service Tier (advertised connection speeds). You can measure your actual speeds at: Bob]

Because not all my students have subscriptions...

5 Ways To Get Around The New York Times Paywall

Did you know that the New York Times spent an incredible $40 million on their recent paywall solution? Did you also know that it can be circumvented with all but a few clicks? There are in fact a surprising number of methods that currently allow you to browse the NY Times for free, despite the small fortune involved in protecting this content. As newspapers take slow, unsure steps in a bid to generate revenue online, clearly there are still lessons to be learned.

If you’re interested in how the Internet has rendered $40 million worth of effort redundant, then read on.

Wednesday, March 30, 2011

A CyberWar technique. Allows the government to offer protestors communications that are “safe from government spies.”

FBI probes Comodo Web security breach

The FBI is investigating how a hacker tricked a New Jersey company into issuing fraudulent digital certificates for Google, Yahoo, Microsoft, and other major Web sites, the firm's chief executive said today.

Comodo CEO Melih Abdulhayoglu told CNET this afternoon that "it is an ongoing investigation" that has drawn in both the FBI and Italian law enforcement.

Abdulhayoglu confirmed that a reseller in Italy called GlobalTrust had its network compromised by a hacker traced to Iran. That person, or multiple people, obtained fake digital certificates for nine Web sites that also included Skype and Mozilla. Those certificates, which have since been revoked, allowed someone to impersonate the secure versions of those Web sites--the ones that are used when encrypted connections are enabled.
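The security-relevant point in the Comodo story is easy to miss: a certificate obtained by fooling a trusted CA (or a reseller that can drive its issuance) is not "fake" in any way a browser can see. It carries a valid signature from a trusted chain, so ordinary path validation accepts it exactly as it accepts the real site's certificate. Only two things distinguish the two: the CA revoking the fraudulent serial (as the article says happened), and a client that already knows which key the site is supposed to use. The following Go program is an added example written for this post, not code from Comodo, GlobalTrust or the CNET article. It builds a hypothetical root CA, a sub-CA standing in for the compromised issuance path, a legitimate certificate for an assumed host name `login.example.com`, and a second certificate for the same name under an attacker-held key; it then shows that both pass chain validation, that an SPKI pin accepts only the legitimate key, and that a revocation check (modelled here as an in-memory set of issuer/serial pairs in place of a real CRL or OCSP response) catches the rogue certificate once it is listed.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"fmt"
	"math/big"
	"time"
)

// Assumed host and CA names for the demonstration; not the real parties' names.
const host = "login.example.com"

// issue creates a certificate for cn/dns signed by parent (self-signed root when parent is nil).
func issue(cn string, dns []string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	serial, _ := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 64))
	tmpl := &x509.Certificate{
		SerialNumber:          serial,
		Subject:               pkix.Name{CommonName: cn},
		DNSNames:              dns,
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true,
		IsCA:                  isCA,
		KeyUsage:              x509.KeyUsageDigitalSignature,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	} else {
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	signer, signerKey := tmpl, key
	if parent != nil {
		signer, signerKey = parent, parentKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signerKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key
}

// chainValid is ordinary path validation for host, as a 2011 browser performed it.
func chainValid(leaf, sub, root *x509.Certificate) bool {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(root)
	inters.AddCert(sub)
	_, err := leaf.Verify(x509.VerifyOptions{DNSName: host, Roots: roots, Intermediates: inters})
	return err == nil
}

// spkiPin is the SHA-256 of the SubjectPublicKeyInfo, the value a client would pin.
func spkiPin(c *x509.Certificate) string {
	sum := sha256.Sum256(c.RawSubjectPublicKeyInfo)
	return hex.EncodeToString(sum[:])
}

// pinValid accepts the leaf only if its key hash is in the pin set for host.
func pinValid(leaf *x509.Certificate, pins map[string][]string) bool {
	for _, p := range pins[host] {
		if p == spkiPin(leaf) {
			return true
		}
	}
	return false
}

// revocationKey identifies a certificate the way a CRL entry does: issuer plus serial.
func revocationKey(c *x509.Certificate) string {
	return c.Issuer.String() + "/" + c.SerialNumber.Text(16)
}

// Demo runs the scenario. It returns, in order: legitimate cert chains, rogue cert chains,
// legitimate cert passes the pin, rogue cert passes the pin, rogue cert is revoked.
func Demo() (bool, bool, bool, bool, bool) {
	root, rootKey := issue("Example Root CA", nil, true, nil, nil)
	sub, subKey := issue("Example Reseller Sub-CA", nil, true, root, rootKey)
	legit, _ := issue(host, []string{host}, false, sub, subKey)
	// The attacker drives the same issuance path to sign a certificate for the same
	// name, but over a key the attacker holds.
	rogue, _ := issue(host, []string{host}, false, sub, subKey)

	pins := map[string][]string{host: {spkiPin(legit)}}
	revoked := map[string]bool{revocationKey(rogue): true} // stand-in for CRL/OCSP data

	return chainValid(legit, sub, root), chainValid(rogue, sub, root),
		pinValid(legit, pins), pinValid(rogue, pins), revoked[revocationKey(rogue)]
}

func main() {
	lc, rc, lp, rp, rr := Demo()
	fmt.Printf("chain: legit=%v rogue=%v | pin: legit=%v rogue=%v | rogue revoked=%v\n", lc, rc, lp, rp, rr)
}
```

The practical caveat is that the revocation check only helps if the client actually performs it and fails closed when the CRL or OCSP responder is unreachable; browsers of the period generally soft-failed, which is why the pinning approach (the client refusing any key other than the one it expects) was the more reliable defence against exactly this kind of mis-issuance.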

(Related) Forewarned is forearmed.

Australian Prime Minister Hacked

Computers belonging to the Australian prime minister and at least nine other federal ministers were recently hacked, according to a news report.

Besides Prime Minister Julia Gillard, Foreign Minister Kevin Rudd and Defense Minister Stephen Smith were also targeted.

Several thousand e-mails were accessed by the intruders beginning in February, before Australian authorities were tipped off to the breach by U.S. intelligence officials at the CIA and FBI, according to the Daily Telegraph.

The attack reportedly targeted the e-mail system for Australia’s Parliament House, which is used for nonsensitive communications among parliament members. Ministers use a more secure departmental network for more sensitive communications, according to the paper.

Hackers also recently struck Canadian government computers. That attack reportedly involved more-sensitive systems, allowing the attackers to access highly classified information, according to the CBC News. The hackers breached systems belonging to the Finance Department and Treasury Board as well as Defence Research and Development Canada, which conducts scientific and technological research for the Department of National Defence.

Just another laptop.

Missing BP laptop had personal data of claimants (updated)

March 29, 2011 by admin

Associated Press reports that a BP employee lost a laptop containing unencrypted personal information on approximately 13,000 people who had filed compensation claims prior to August 2010 stemming from the Gulf oil spill.

Read more on Quad-Cities Online. BP did not provide any details on the types of information for each claimant or any gap between the loss of the laptop and their discovery that it was lost. I’ve sent an inquiry to BP to try to get additional details as there is no press release on their web site, either.

Thanks to @jslarve for the heads-up on this one.

Update: NPR has a more complete version of the AP report that indicates that the laptop, which was lost on March 1, contained a spreadsheet of claimants’ names, Social Security numbers, phone numbers and addresses.

The employee lost the laptop on March 1 during “routine business travel,” said Thomas, who declined to elaborate on the circumstances.

“If it was stolen, we think it was a crime of opportunity, but it was initially lost,” Thomas said.

BP is offering to pay for claimants to have their credit monitored by Equifax, an Atlanta-based credit bureau.

"Ontogeny recapitulates phylogeny" Every new technology (or old technology given a new name by the Marketing Dept.) starts from 'square one' – without security, privacy, backups or any other “Best Practice” learned through bitter experience by earlier technology generations.

No Privacy on Amazon’s Cloud Drive

March 30, 2011 by Dissent

Steven J. Vaughan-Nichols writes:

Who couldn’t love the idea of the new Amazon Cloud Drive? You get at least 5GBs of free cloud-based storage, and it’s trivial to get 20GBs of free storage on Amazon Cloud Drive. Used in concert with the Amazon Cloud Player you get a fine cloud-based music player that can be used either from a Web browser or on Android tablets with the Amazon MP3 App. The new Amazon consumer cloud service also works well. It’s just too bad that you have to give up all privacy to use it.

Don’t believe me? Read the Amazon Cloud Drive Terms of Use for yourself.

Read more on Networking (ZDNet)

I thought everything was fair in Divorce Court...

Lewton v. Divingnzzo: Hidden Audio Recorder in Teddy Bear Violates Federal Privacy Law

March 29, 2011 by Dissent

Gary Juskowiak discusses a court decision reported here last month:

Parents who are concerned about their child’s well being might use hidden electronic monitoring devices such as hidden audio recording devices and nanny cams. Unfortunately, parents who use these devices may unwittingly violate federal and state law. In Lewton v. Divingnzzo (PDF), a mother was convicted of violating the Wiretap Act of The Electronic Communications Privacy Act (ECPA) 18 U.S.C. §§ 2510-2522 after she concealed an audio recording device in her daughter’s teddy bear (“Little Bear”) for the purpose of gathering evidence to sabotage the child custody rights of her ex-husband. Over five months she downloaded the recorded conversations from the audio recording device to her computer, burned CDs of the conversations, and ultimately had transcripts made of the conversations.

Read his analysis of the case and relevant federal law on Berkeley Technology Law Journal.

h/t, @TheCyberLawyer.

Still not sure what happened. If it was a bug, why were Middle Eastern countries impacted and no others? Improbable, at least.

Microsoft Denies HTTPS Shutdown Was Intentional

"Microsoft acknowledged that Hotmail's HTTPS encryption service was shut off for users in some countries, but denied that it was because of an intentional ploy to limit email security in countries that have experienced anti-government protests and limits on freedom of expression. 'We do not intentionally limit support by region or geography and this issue was not restricted to any specific region of the world,' Microsoft said. Syria, Morocco, Bahrain, Iran, Lebanon, Jordan and Algeria were among the affected countries, but the problem is now resolved."

Why would the FTC parrot what the lobbyists tell them?

A Response to Commissioner Rosch on Do Not Track

March 29, 2011 by Dissent

Jonathan Mayer writes:

Late last week FTC Commissioner Rosch penned a column in which he repeated a number of hackneyed criticisms of Do Not Track. Senators McCaskill and Pryor articulated similar concerns at a recent hearing. This piece sequentially deconstructs Rosch’s column and replies to each of his substantive critiques.

Read Jonathan’s counterpoint on CIS. Here’s a snippet:


Consumers may also lose the free content they have taken for granted. Not only could consumers potentially lose access to free content on specific websites, I fear that the aggregate effect of widespread adoption by consumers of overly broad do-not-track mechanisms might be the reduction of free content, free applications and innovation across the entire internet economy.


On the contrary, there is substantial reason to believe Do Not Track is no threat to ad-supported businesses. This conclusion is bolstered by the news that thirty online advertising firms are willing to implement Do Not Track.

Well of course they are...

NASA Vulnerable To Crippling Cyber Attacks

"The computer network NASA relies upon to carry out its billion dollar missions is just like your Mac or PC at home: vulnerable to cyber attacks. NASA's servers contain vulnerabilities that could enable a cyberattack to cripple the entire agency, according to a recent audit report from The Office of the Inspector General. The report was an unflattering look at NASA's internal computer security operations, as the Inspector General recommended the agency expedite the implementation of a new agency-wide program to oversee the network security problem."

Fluff or is DHS preparing to mandate security?

March 28, 2011

DHS - Enabling Distributed Security in Cyberspace

Enabling Distributed Security in Cyberspace - Building a Healthy and Resilient Cyber Ecosystem with Automated Collective Action, March 23, 2011

  • "Like natural ecosystems, the cyber ecosystem comprises a variety of diverse participants – private firms, non‐profits, governments, individuals, processes, and cyber devices (computers, software, and communications technologies) – that interact for multiple purposes. Today in cyberspace, intelligent adversaries exploit vulnerabilities and create incidents that propagate at machine speeds to steal identities, resources, and advantage. The rising volume and virulence of these attacks have the potential to degrade our economic capacity and threaten basic services that underpin our modern way of life. This discussion paper explores the idea of a healthy, resilient – and fundamentally more secure – cyber ecosystem of the future, in which cyber participants, including cyber devices, are able to work together in near‐real time to anticipate and prevent cyber attacks, limit the spread of attacks across participating devices, minimize the consequences of attacks, and recover to a trusted state. In this future cyber ecosystem, security capabilities are built into cyber devices in a way that allows preventive and defensive courses of action to be coordinated within and among communities of devices. Power is distributed among participants, and near‐real time coordination is enabled by combining the innate and interoperable capabilities of individual devices with trusted information exchanges and shared, configurable policies."

[From the report:

We know today that users are not routinely complying with cyber best practices and configuration guidelines. Adoption of security standards is decidedly slow, and early indications are that cybersecurity continuous monitoring will face impediments to adoption.

A persistent challenge in today’s ecosystem is the inability to establish level of harm as a result of a cyber incident – be it loss of intellectual property, privacy, consumer confidence, business opportunity, or essential services.

Virtual Court? Might as well sentence them too...

Florida Detectives Use Skype to Obtain Warrants

The Palm Bay Police Department is using Skype -- an online service that allows video conferencing and phone calls -- to help officers in the field obtain warrants to draw blood from suspects in DUI cases. Police spokesman Darin Morgan said Monday that time is of the essence when it comes to impaired driving cases.

Morgan says the system is "like a virtual office and courtroom." He worked with Judge David Silverman and prosecutors to develop the system.

Field officers email documents to the judge, then hold conference calls via Skype to obtain the necessary warrants.

They say the technology can be expanded to other types of crime.

Evidence in the IBM antitrust lawsuit arrived in semi-trailers. Can you get your head around a discovery request for “all the raw data and all post-algorithmic results delivered for the past 10 years...”

Has Google learned Microsoft's antitrust lessons?

For anyone who followed Microsoft's testy battles with competition regulators 10 years ago, Google's current antitrust problems may provoke more than a little sense of deja vu.

Google dominates the Internet search advertising business and has allegedly used that hegemony to thwart rivals in adjacent markets. Regulators in the United States and Europe are looking into claims by smaller niche search companies, such as 1plusV, which runs the site in France and in Columbus, Ohio, that Google is manually altering search results, [Trillions of them every day? Bob] demoting where rivals show up in its ranking, making it harder for customers to find their services. Google points out that its algorithms naturally push those sites down in rankings because those search engines offer little more than links to other sites, created solely to generate revenue as a middleman.

(Related) Of course we read everyone's mail...

Gmail To Roll Out Ads That Learn From Your Inbox

Gmail is in the process of rolling out a new ad system that could prove to be quite powerful: ads that learn what you’re interested in based on your email habits. The feature first showed up in my Gmail account earlier this afternoon (there’s a prompt informing users about the new ads), and a Google spokesperson has confirmed that they are indeed in the process of rolling this out worldwide. Here’s the full information page describing the feature, found by clicking the ‘Learn More’ button.

Google says that while this notification will be rolling out to users gradually over the coming days, the personalized ads won’t actually go live for around a month. In the mean time, users can opt-out of the new system through Gmail’s settings panel (the default is that you’re opted-in).

[From the Information Page:

For example, if you’ve recently received a lot of messages about photography or cameras, a deal from a local camera store might be interesting. On the other hand if you’ve reported these messages as spam, you probably don’t want to see that deal.

This may be redundant, but I think it's worth a read.

Wall St. J. Covers Tragedy of the Data Commons

March 30, 2011 by Dissent

Derek Bambauer writes:

Today’s Wall Street Journal has an article discussing data privacy that draws on Jane Yakowitz’s great new paper, Tragedy of the Data Commons, which is presently making the rounds of the law reviews in the spring submission cycle. The article examines contemporary attitudes towards privacy and, as Jane’s paper describes, the tradeoffs between enhanced (and perhaps unnecessary) privacy measures and the loss of valuable data for research and innovation.

Read more on Info/Law.

This is news? I have to admit it makes writing articles easier.

Newspaper Plagiarizes Blog, Taunts Real Author

"I've been keeping an eye on this viral marketing campaign called Petite Lap Giraffe — it's the DirecTV ads with the Russian guy and the tiny giraffe. I was pretty quick to debunk the existence of the giraffes, so a lot of people have been visiting my blog as a result. Today, I noticed a New-York area newspaper that represented my research as its own, so I asked them to link to my blog (i.e. provide attribution). What ended up happening perfectly illustrates that newspapers just don't understand how the Internet works ..."

Poor Facebook

Is there really 'Facebook depression?' (podcast)

Clinical Report: The Impact of Social Media on Children (PDF) starts out with data showing that teen and pre-teen use of social media has "increased dramatically" over the last five years, as has use of cell phones and texting. It also points out that "because of their limited capacity for self-regulation and susceptibility to peer pressure, children and adolescents are at some risk as they navigate and experiment with social media."

For my Computer Security class

Ralph Langner: Cracking Stuxnet, a 21st-century cyber weapon

When first discovered in 2010, the Stuxnet computer worm posed a baffling puzzle. Beyond its unusually high level of sophistication loomed a more troubling mystery: its purpose. Ralph Langner and team helped crack the code that revealed this digital warhead's final target -- and its covert origins. In a fascinating look inside cyber-forensics, he explains how.

Geeky stuff

Report: Microsoft sending Windows 8 to PC vendors