I reported this yesterday. This article makes a few more points... The more I look at it, the less I like it. It looks like the information gathering arm of the reviled TIA. Can you say, “Big Brother?”
Want a Passport? Better Find Your Circumcision Records!
The State Department has proposed a new “Biographical Questionnaire” that, if approved, you might have to complete to receive a passport.
Sample entries on the proposed Form DS-5513 include:
Your mother’s residence one year before your birth
Your mother’s residence one year after your birth
Your mother’s place of employment at the time of your birth
Details of your mother’s pre-natal or post-natal medical care, if any
Details of the type of document, if any, your mother used to enter into the United States before your birth
The circumstances of your birth including the names (as well as address and phone number) of persons present or in attendance at your birth.
If there were any religious or institutional recording of your birth or event occurring around the time of birth (Example: baptism, circumcision, confirmation or other religious ceremony).
A list of every address at which you’ve ever resided since birth.
The name and telephone number of every supervisor you’ve had at every job in your life, including as a temporary worker.
The name, address, and telephone number of every school you’ve ever attended.
Stuff happens. You have to expect human error. But...
Sealed Records Exposed In Major Court Gaffe
April 22, 2011 by admin
In a shocking failure to protect sensitive details about dozens of ongoing criminal investigations, federal officials somehow allowed confidential information about sealed cases to be publicly accessible via the court system’s online lookup service, The Smoking Gun has learned.
Over the past nine months, details of 40 separate sealed court applications filed by federal prosecutors in Alabama were uploaded to PACER, the web-based records system that counts nearly one million users, including defense lawyers, prosecutors, journalists, researchers, private investigators, and government officials.
The court applications, made by ten separate prosecutors, included requests to install hidden surveillance cameras, examine Facebook records, obtain credit information on certain individuals, procure telephone records, and attach devices on phone lines that would allow agents to track incoming and outgoing calls. Remarkably, the U.S. District Court records–which covered filings as recent as April 11–included specific names, addresses, and phone numbers that should never have appeared on PACER.
Read more on The Smoking Gun.
[From the article:
It is likely impossible to determine if the sensitive information was viewed or disseminated by other PACER users, let alone gauge whether any cases were jeopardized by the posting of the sealed material. [Now this is a management failure. No logs of access were kept? Granted this system is intended to be accessible by the public, but how could you learn anything about patterns of access without records of that access? Bob]
… In a statement provided late yesterday to TSG, the Middle District’s chief judge, Mark Fuller, noted that, “The confidential information has been sealed. I regret the error was not identified earlier and have adopted procedures to ensure that it will not occur in the future.” [Referred to as “Locking the barn door after the horse has bolted” Bob] It remains unclear why U.S. District Court personnel believed that, while the documents themselves had to be kept in a safe in the clerk’s office, details from those records could be made available through PACER.
An interesting point for debate by my Computer Security students; however, the examples they chose seem to suggest a slap or two was required. Also, where are these fines “driving security policy?” If they drive improvements in security, isn't that a worthy strategic objective?
Data breach fines can risk more harm than good, experts say
April 22, 2011 by admin
George V. Hulme writes:
Are regulatory and security breach fines protecting the consumer, or beginning to unduly drive security policy? As penalties begin to be levied against organizations who have been attacked, or whose employees violated data policy, some experts now question whether the government is penalizing one of the victims in a crime, rather than helping to mitigate the risk of identity theft — as the laws were first intended.
Read more on NetworkWorld.
[From the article:
Consider the move by the Massachusetts Attorney General against restaurant chain owner the Briar Group LLC. A few weeks ago the attorney general announced that it reached an agreement with Briar Group to pay $110,000 in penalties. The settlement stems from allegations that the restaurant chain didn't adequately protect customer payment data after a malicious application was installed on its systems. The malware was on its network from April, 2009 through December, 2009. [Failure to detect Bob] The allegations against the chain say that the group didn't change employee login information and continued to take credit and debit cards after it discovered the breach, [“We know our customers are at risk, let's ignore it?” Bob] this statement from the Massachusetts Attorney General says. The complaint also alleges that the chain failed to properly secure its remote access utilities and wireless network.
Interesting if true. I have stated (too many times, some say) that each generation of technology fails to learn governance techniques earlier generations learned the hard way...
Weaponizing GPS Tracking Devices
Those low-cost embedded tracking devices in your smartphone or those personal GPS devices that track the whereabouts of your children, car, pet, or shipment can easily be intercepted by hackers, who can then pinpoint their whereabouts, impersonate them, and spoof their physical location, a researcher has discovered.
… Bailey also released tools today for each of the three attacks he demonstrated at SOURCE Boston.
"Embedded devices are low-cost, easy to use, and easy to debug. And the security landscape is very small," Bailey says. "There is very little capability for integrating secure communications on the devices and ensuring that it's your code executing on there."
The underlying issue is that the low-cost and rapid commoditization of these embedded systems precludes their being properly secured. "There's a low entry point for people to develop them, so you have a serious problem because new developers and new startups don't have an understanding of security. It's an insecure product by default," he says.
… In the first attack, Bailey forced the device to send him its physical location using techniques to grab the GPS coordinates and local cell tower information. "I can force those devices to bypass the manufacturer's controls and give me their information and they have no idea that I've intercepted their location," he says.
… "If it's a truck on I-70, I can take the device and force it to send false location to the server and meantime, could hijack the truck," he explains. Zoombak's command and control channel is in the clear, unencrypted.
… Another protection would be to ensure that a device on a 3G network cannot interact with other 3G devices: it should only be able to speak with the manufacturer's server, he says.
(Related) Let that be a lesson to you. Don't drive a “classic.”
Seattle police say 'wardrivers' are hitting small businesses
Seattle police are investigating a group of criminals who they say have been cruising around town in a black Mercedes stealing credit card data by tapping into wireless networks belonging to area businesses.
The group has been at it for about five years, according to an affidavit signed by Detective Chris Hansen, a fraud investigator with the Seattle Police Department.
… Hansen believes the group has been "wardriving" the Seattle area in a customized 1988 Mercedes Benz, looking for companies using an unsecure Wi-Fi standard called Wired Equivalent Privacy (WEP). WEP has well-documented security flaws and has been considered for years to be unsecure, but was widely used in routers built between about 2000 and 2005. Many consumers and small businesses still use it.
Because WEP's encryption can be cracked using easy-to-find tools, even unsophisticated hackers can break into WEP networks and mine them for data.
… Police impounded the Mercedes last October after arresting its owner for allegedly using stolen gift cards at a local wine bar. In the car they found a range-boosting antenna and a Wi-Fi-enabled laptop with a passenger-seat mount, so that it could be used while driving.
Something for the Mobile Stalker?
Free Reverse Phone Lookup
Look up a cell, land line or unlisted phone number in the USA and Canada. Free directory search. Results include name, address, age and more. NOTE: Free results available ONLY for land line numbers. For mobile numbers full results are not free.
(Related) and something to protect jailbroken phones
Tools wipe location data from (some) iPhones
Want to wipe location-tracking data that's being stored on your iPhone without your permission? There's an app for that, but you've got to jailbreak your iPhone first.
Didn't we used to have the best communications network in the world?
AT&T Admits Network Can't Handle iPhone, iPad Traffic
"AT&T has admitted that the rise of tablets and smartphones like the iPad and iPhone has taken a major toll on its network. In its public filing to the Federal Communications Commission yesterday, the company admitted that its network has been under increasing strain as more and more high-bandwidth devices have been connected. This not only includes smartphones like the iPhone, but tablets like the iPad as well. AT&T says that in many cases tablets put a greater stress on their network (PDF) than smartphones do."
For my Intro to Computer Security class.
A Glimpse Inside Google's South Carolina Data Center
"Google today released a video showcasing the security and data protection practices in its data centers. Filmed at the company's South Carolina data center, it provides a look at Google's wiping of data and (literal) shredding of hard drives."