Saturday, June 11, 2011

Are these the right guys or are they being truthful when they claim not to be the first hackers? (Just started after Sony when it became apparent Sony had lousy security...)

(In)security update: Arrests in Sony hacking, plus Acer breach

June 10, 2011 by admin

Levi Sumagaysay writes:

Spain has arrested three people in connection with hacking Sony’s PlayStation Network. According to the Wall Street Journal, Spanish police say the three are members of hacker group Anonymous, which has recently claimed responsibility for various attacks on companies such as MasterCard and Visa, as well as Sony. (Although Anonymous has said it was not responsible for the theft of credit-card information of more than 100 million Sony customers. See Sony said, Anonymous said: No real answers yet in outage and data breach.) The New York Times reports today that according to police, the same computer server, found in one of the suspects’ homes, that was used to attack the PSN online gaming store was also used to attack banks and various government websites, from Spain to Egypt to New Zealand. The three suspects, all 30-somethings from Spain, have been released but are facing charges including disruption of a computer system.

Read more on Good Morning Silicon Valley.

I'm sure the wise and honorable legislature in Connecticut was aware that Amazon had promised to do this (and had done it before) so they must be going after some other Internet based company. I just can't figure out who that would be...

Amazon Shuts Down Associates Affiliate Program In Connecticut Over Online Sales Tax

Similar to a move made in Illinois a few months ago, Amazon has shut down its Associates program in Connecticut after the state imposed a sales tax measure that would tax any purchases made online starting July 1. We’ve embedded the note sent to participants in the Amazon Associates Program below.

As you may know, the program allows website owners to earn money from advertising and linking to Amazon products on their sites. Connecticut has not been able to collect local sales tax on online purchases because these online retailers don’t have an actual brick and mortar presence in the state. But states like Illinois and Connecticut are maintaining that large e-commerce sites like Amazon and, who both run affiliate programs, have a presence because of these local affiliates.

… Amazon has shown in the past that it’s not afraid to shut down Associates programs in States that impose an online sales tax. The e-commerce giant has made similar moves in Hawaii, Colorado, North Carolina and most recently, Illinois. In fact, Overstock exited Connecticut in late May for the same reason.

This will attract lawyers like ants to a picnic...

Clothing Designer Tory Burch Wins $164M In Lawsuit Against Online Counterfeiters

Women’s clothing designer Tory Burch has been awarded $164 million in damages from online counterfeiters that have been selling copies of her shoes, bags and clothing on the web. According to Women’s Wear Daily, this is the largest amount of money awarded to a fashion designer for damages from online counterfeiters. For background, in 2008, eBay was forced to pay Louis Vuitton $61 million over the sale of counterfeit bags and accessories on the auction marketplace.

… In addition to monetary damages, the court ordered that 232 domain names that were being used to sell counterfeit Tory Burch products be permanently disabled and turned over to Tory Burch. The financial accounts used to sell the counterfeit goods were restrained as well. And the court has also allowed for Tory Burch to disable additional rogue websites that the counterfeiters set up in the future without needing a new lawsuit.

… Isen says that so far, Tory Burch has collected hundreds of thousands of dollars from PayPal, which many of the online counterfeiters used to collect funds for goods from customers.

What’s interesting about the ruling is how the massive amount in damages will affect future rulings against online counterfeiters. And that online payments companies like PayPal are also held accountable. Clearly, the precedent is set and I wouldn’t be surprised if we see similar lawsuits (and judgements) in the future.

How could this possibly happen? “Bad research is easier than good research.” “Find something that supports your argument, then stop.” “You can find anything on the Internet.”

Canadian IP Lobbyists Caught Faking Counterfeit Data

"The Canadian IP Council, the Canadian Chamber of Commerce's IP lobby arm, has been caught floating false claims about the scope of counterfeiting in Canada. Recent claims include citing a figure based on numbers the FBI rejects ($22.5 billion), a figure the Canadian police won't support ($30 billion), and when pressed on the issue, it now points to yet another source that upon review indicates it fabricated its claims."

Now here is reliance on technology... How long before this is in the US?

Russian Lie Detector ATM

"Apparently the Russians are starting to add lie detectors to their ATMs in an attempt to prevent identity theft and bad withdrawals. 'Consumers with no previous relationship with the bank could talk to the machine to apply for a credit card, with no human intervention required on the bank’s end. The machine scans a passport, records fingerprints and takes a three-dimensional scan for facial recognition. And it uses voice-analysis software to help assess whether the person is truthfully answering questions that include “Are you employed?” and “At this moment, do you have any other outstanding loans?”'"

I see Business Opportunities here... Consider a highly customizable, “What you need to know” newsfeed.

Information Needs of Communities: The Changing Media Landscape in a Broadband Age

...because it amuses me.

NSA Declassifies 200-Year-Old Book

Earlier this week, the National Security Agency announced that it had declassified and released to the National Archives “over 50,000 pages of historic records,” according to an agency statement. The document dump was “the first in a series of releases planned over the next two years” as part of NSA’s “commitment” to comply with President Obama’s January, 2009 memo demanding more transparency from federal agencies. Last month, the CIA released a trove of allegedly-explosive information from World War I, including the 90 year-old German formula for invisible ink.

For my Geeky friends...

DOWNLOAD Go Google: Free Email & More On Your Domain

The Geek’s Guide to Getting Almost Anything for Free

1. Craigslist’s Free Section

2. Freecycle


4. Yes All 4 Free

Friday, June 10, 2011

I still don't understand what's going on here. Why so few lawsuits? Are Lower Merion's lawyers that good?

Lower Merion School officials fight back against latest webcam suit

June 9, 2011 by Dissent

Richard Ilgenfritz reports:

Lower Merion school officials are fighting back against the latest webcam suit that was filed this week by a former Harriton student.

Monday, Joshua Levin, a 2009 graduate of Harriton High School, filed a new lawsuit in connection with Lower Merion’s use of a technology that allowed certain school officials to activate the webcams on the laptop computers the schools issued to high-school students. Levin listed his address as Spruce Street in Philadelphia in court documents.

In a response to the suit, school officials say Levin is motivated by cash.

“The district views this lawsuit by a 2009 graduate as solely motivated by monetary interests and a complete waste of tax dollars,” district spokesman Doug Young wrote in an e-mail to Main Line Media News. “The former student’s computer was one of six that were stolen from school property in 2008 and eventually recovered by the Lower Merion police. No Lower Merion School District employee ever viewed the images recorded on the stolen laptop.” [Yet they installed the software so they could trace stolen computers. Are they claiming they never used it? (other than to turn it on and forget to turn it off?) Bob]

Read more in The Times Herald.

Apple said much the same thing yesterday. I'm sure they wish this was true, but I suspect this view is unlikely to be adopted by the courts.

Google Asks 'Who Cares Where Your Data Is?'

"The chief security officer for Google Apps, Eran Feigenbaum, said popular concerns over data sovereignty in outsourced environments are unwarranted. He said businesses should worry about security and privacy of data, rather than where it is stored. The comments clash with those made by IT pros including Gartner, who said cloud providers like Google can't be trusted with sensitive data."

Start with completely outrageous, negotiate it down to merely rude and obnoxious.

Facebook may have privacy battle on two fronts

June 9, 2011 by Dissent

Sharon Gaudin reports:

Facebook said it’s working with European Union regulators to resolve criticism of its new facial recognition feature, but trouble may also be brewing for the social network here in the U.S.

On Wednesday, Facebook’s move to enable facial recognition across its entire social networking site raised complaints from privacy advocates and some users over the feature’s privacy implications.

The EU’s data protection regulators were quick to jump on the issue, telling the Bloomberg news service that they will launch an investigation into it. Bloomberg also reported that authorities in the U.K. and Ireland are looking into the matter.

Read more on Computerworld.


500,000 Danish Facebook users visible to “Big Brother”

June 10, 2011 by Dissent

Do you know who’s watching you on Facebook? Despite the raft of security measures put in place to restrict who can see the information you post, many people are oblivious to how to alter their privacy settings.

So says a new survey from Statistics Denmark that showed that 22 percent of the 2.2 million Danish Facebook users didn’t know how to change their privacy settings.

Facebook profiles are fully public until the privacy settings are changed, meaning the information on accounts of almost 500,000 Danes is publicly available.

Read more in The Copenhagen Post.


Los Angeles To Turn Off Traffic-Light Cameras

"The LA Times reports that the Los Angeles Police Commission has voted to kill the city's controversial red-light camera program, rejecting claims that the system makes streets safer while costing the city nothing. The police department says the cameras help reduce accidents, largely by deterring drivers looking to run red lights or make illegal turns while critics of the technology question officials' accident data, saying the cameras instead cause rear-end collisions as drivers slam on their brakes and liken the cameras to Big Brother tactics designed to generate revenues. More than 180,000 motorists have received camera-issued tickets since the program started in 2004 but the commission estimates that the program costs between $4 million and $5 million each year while bringing in only about $3.5 million annually. Members of the public who attended the meeting urged the commission to do away with the cameras, which trigger seemingly boundless frustration and anger among drivers in traffic-obsessed LA. 'It's something that angers me every time I get in my car,' says Hollywood resident Christina Heller. 'These cameras remove our fundamental right in this country to confront our accuser. And they do not do anything to improve safety.'"

Don't see how this will work...

Tennessee Bans Posting 'Offensive' Images Online

"Last Monday, Tennessee's Governor Bill Haslam signed a law prohibiting the transmission or display of an image that is likely to 'frighten, intimidate or cause emotional distress to' anyone who sees it. In Tennessee, it is already illegal to use other methods of communication, such as telephones or e-mail, to offend someone; the new law updates legislation to include images sent or posted online. However, the scope of this law is broader, in that anyone who sees the image is a potential victim. If a court finds that a violator should have known that someone would be offended by the image in question, they face up to a year in prison or up to $2,500 in fines."

Thursday, June 09, 2011

I couldn't ask for a better summary for my Intro to Computer Security class.

Check Point and Ponemon Survey Reveals 77% of Businesses Experienced Data Loss Last Year

June 8, 2011 by admin

Check Point and the Ponemon Institute released the results of a new survey today. From their press release:

77 percent of organizations surveyed have experienced data loss in the last year. Key findings from the report, “Understanding Security Complexity in 21st Century IT Environments,” show respondents cited customer information (52%) as the most common type of information compromised — in addition to intellectual property (33%), employee information (31%) and corporate plans (16%). With the adoption of Web 2.0 applications and more mobile devices connecting to the network, organizations are challenged with enforcing better data security and IT Governance, Risk and Compliance (GRC) requirements.

According to the survey of over 2,400 IT security administrators, the primary cause for data loss resulted from lost or stolen equipment, followed by network attacks, insecure mobile devices, Web 2.0 and file-sharing applications and accidentally sending emails to the wrong recipient. In addition, approximately 49 percent of all respondents believe their employees have little or no awareness about data security, compliance and policies — encouraging business to integrate more user awareness into their data protection strategies, as people are often the first line of defense.


The survey, “Understanding Security Complexity in 21st Century IT Environments,” was independently conducted by the Ponemon Institute in February 2011, surveying IT security administrators located in the U.S., U.K., France, Germany and Japan. The survey sample represents organizations of all sizes and across 14 different industries. For more information about Check Point DLP or access to the full report, visit:

Okay, let’s do the math. 77% of 2400 organizations = 1848 organizations that had data loss from their sample. If half of those losses involved customer data, that’s 924. Did we have 924 data breach disclosures last year from their sample? And that’s without counting the ones where employee data were compromised. It would appear that the media or sites that track breaches did not find out about most of these breaches. And that’s just from one sample. Hmmmm….

How valuable are accurate logs? Notice that two out of three students didn't report the problem.

VA: University of Mary Washington notifies students of data breach (update1 with memo to students)

June 8, 2011 by admin

Jeff Branscome reports UMW sent the following e-mail to all employees to remind them of security policies in the wake of a breach involving student information:

To All Faculty/Staff:

This is to advise you that UMW experienced an information security incident, which you may read about in the news media. The attached letter was sent to all students whose personal information was subject to unauthorized exposure. The exposure was very limited and we have no reason to believe that there will be further harm to the privacy of the individuals involved. In compliance with the policies and procedures of UMW and the Commonwealth of Virginia, the incident was brought to the attention of all affected students. In brief, a UMW student who was searching the EagleNet portal for his own information found student data files on a departmental EagleNet site. The data files included personal information for a large number of UMW students. The student proactively and responsibly reported this fact to university officials and immediate steps were taken to prevent further access to this information and to remove the files from the departmental EagleNet site. Based upon our review of the situation, we have determined that a total of three currently enrolled students opened these files. [That's why you keep logs! Bob] We have spoken with all three students and have no reason to suspect there was any malicious intent involved or that any student data will be targeted for identity theft.

Earlier this year, all faculty and staff were notified of the requirement to complete Information Security Awareness training. This training reviewed various information security related policies, including the Electronic Storage of Highly Sensitive Data Policy. These policies require all of us to diligently safeguard and protect the university’s data, and to take extra precautions to ensure the protection of highly sensitive, personally identifiable information involving members of the UMW community. All university employees should review these policies, found at:

So far, I don’t see any notice on UMW’s web site or in the media, but have e-mailed the university to request more information and I imagine we’ll see more details revealed soon.

Update 1: The university kindly sent me a copy of the notice sent to students, which indicates that Social Security numbers were involved. In a separate email, a university spokesperson informs that 7,566 students were notified of the problem.
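Bob's aside in the memo above ("That's why you keep logs!") is the whole lesson of this item: the university could say exactly how many students opened the exposed files only because the portal recorded who fetched what. The script below is an added example written for this post, not UMW's code or anything from the notice. It assumes the portal's web server wrote an NCSA combined log with the authenticated user in the remote-user field; the log lines, user names, hosts and the /portal/deptA/docs/ path are all constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines in NCSA combined log format. The users, hosts, paths and
# timestamps are invented for this example; none of it comes from UMW.
SAMPLE_LOG = """\
10.0.0.12 - jdoe [03/Jun/2011:14:02:11 -0400] "GET /portal/deptA/docs/roster_2011.xls HTTP/1.1" 200 48213 "-" "Mozilla/5.0"
10.0.0.12 - jdoe [03/Jun/2011:14:03:40 -0400] "GET /portal/deptA/docs/roster_2010.xls HTTP/1.1" 200 47190 "-" "Mozilla/5.0"
10.0.0.31 - asmith [03/Jun/2011:15:11:02 -0400] "GET /portal/deptA/docs/roster_2011.xls?dl=1 HTTP/1.1" 200 48213 "-" "Mozilla/5.0"
10.0.0.44 - - [03/Jun/2011:15:12:57 -0400] "GET /portal/deptA/docs/roster_2011.xls HTTP/1.1" 401 512 "-" "curl/7.21"
10.0.0.52 - bwong [03/Jun/2011:16:40:19 -0400] "GET /portal/deptA/docs/ HTTP/1.1" 200 2201 "-" "Mozilla/5.0"
10.0.0.60 - cgreen [04/Jun/2011:09:05:33 -0400] "GET /portal/deptA/docs/roster_2011.xls HTTP/1.1" 403 298 "-" "Mozilla/5.0"
10.0.0.12 - jdoe [04/Jun/2011:10:15:00 -0400] "GET /portal/deptB/news.html HTTP/1.1" 200 1100 "-" "Mozilla/5.0"
this line is corrupt and will not parse
"""

# host ident user [timestamp] "METHOD path protocol" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)(?: [^"]*)?" (?P<status>\d{3}) (?P<size>\S+)'
)


def parse_line(line):
    """Parse one combined-log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["path"] = rec["path"].split("?", 1)[0]  # drop the query string before matching
    return rec


def who_opened(log_text, sensitive_prefix, extensions=(".xls", ".xlsx", ".csv")):
    """Map each principal to the sensitive files it actually received.

    Only 2xx responses count as "opened": a 401 or 403 means the server refused, and a
    directory listing is not the file itself. Unauthenticated hits are keyed by client
    IP so they are not silently dropped; they need follow-up, just not as "a student".
    Returns (opened, unparsed_line_count).
    """
    opened = defaultdict(list)
    unparsed = 0
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            unparsed += 1
            continue
        path = rec["path"]
        if not (path.startswith(sensitive_prefix) and path.lower().endswith(extensions)):
            continue
        if not 200 <= rec["status"] < 300:
            continue
        who = rec["user"] if rec["user"] != "-" else "anonymous@" + rec["ip"]
        opened[who].append((rec["ts"].isoformat(), path))
    return dict(opened), unparsed


def summarize(log_text, sensitive_prefix):
    """The numbers a breach notice needs: who, how many fetches, and how much log
    could not be read (a nonzero unparsed count means the who-list may be incomplete)."""
    opened, unparsed = who_opened(log_text, sensitive_prefix)
    return {
        "distinct_viewers": sorted(opened),
        "file_fetches": sum(len(v) for v in opened.values()),
        "unparsed_lines": unparsed,
    }


if __name__ == "__main__":
    print(summarize(SAMPLE_LOG, "/portal/deptA/docs/"))
```

On the constructed sample this reports two distinct viewers and three fetches: the denied curl request, the refused 403 and the directory listing are excluded, and the one unreadable line is counted separately so nobody mistakes "we found three" for "there were three" when part of the log is damaged.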

Another rash of card skimmers on their ATMs?

Citibank confirms hacking attack

June 9, 2011 by admin

Hackers have stolen data from thousands of Citibank customers in the US, the bank has confirmed.

The breach exposed the names of customers, account numbers and contact information.

But other key data, such as date of birth and card security codes were not compromised, the bank said in a statement.

Citigroup is the latest in a string of high profile companies to be targeted by cyber criminals.

It has been criticised for not telling customers about the breach when it happened in May.


Around 200,000 customers were affected, the statement said, although earlier the bank had said it could affect up to 1% of its 21 million users.

It did not detail how the breach had occurred.

Read more on BBC or any of the hundreds of news sources that are covering this breach this morning. I expect we’ll have more to add to this one. I don’t see any statement linked from at the time of this posting.

Huge (and wrong)

Court Rules Passwords+Secret Questions=Secure eBanking

"A closely-watched court battle over how far commercial banks need to go to protect their customers from cyber theft is nearing an end. Experts said the decision recommended by a magistrate last week — if adopted by a U.S. district court in Maine — will make it more difficult for other victim businesses to challenge the effectiveness of security measures employed by their banks. This case would be the first to add legal precedent to banking industry guidelines about what constitutes "reasonable" security. The tentative decision is that a series of passwords + some device fingerprinting is enough to meet the definition of "something you know" + "something you have". The case has generated enormous discussion over whether the industry's "recommended" practices are anywhere near relevant to today's attacks, in which crooks usually have complete control over the victim's PC"

[From the article:

The magistrate was unswayed by evidence presented by Patco’s lawyers that modern malware threats like ZeuS can modify content in the victim’s browser (and thus prompt users for the answers to all of their secret questions). ZeuS also allows attackers to tunnel their communications through a victim’s own PC and browser, an attack method that can negate the value of a device ID as a second factor. Navetta said Patco’s main theory concerning the weakness of the bank’s security was that the lower dollar threshold set by the bank made customers easier prey for predators like the ZeuS Trojan, but that the magistrate was unconvinced by that argument because Patco did not have actual forensic evidence that a keystroke logger was the culprit. The magistrate said Patco erred by “having irreparably altered the evidence on its hard drives by running scans on its computers and continuing to use them prior to making proper forensic copies.”

… The FFIEC was on the verge of releasing updated guidance at the end of last year to clarify the new and stronger types of multi-layered defenses required in 2011. Litan said those updates were expected to explain that the examples of strong online banking security measures which they listed in 2005 have been rendered useless and obsolete by next-generation cybercrime techniques.

“It’s truly disappointing that the much-needed update was never issued, no doubt because of internal politics and disagreements among the regulatory agencies,” she said. “The regulators should not leave these matters in judges’ hands to decide and should protect U.S. businesses from bank shortcomings that compromise the safety and security of their accounts, just as consumers are protected under Regulation E. In my opinion, this judge did not correctly interpret the 2005 FFIEC authentication guidance.”

… “The one thing the judge mentioned in his decision is that there is basically zero case law on [question of what constitutes reasonable security] for the banks,” Patterson said. “Not anymore. That’s why we’re concerned this could have national implications. Tons of small businesses continue to be at a huge risk for this type of thing happening to them.”

… A copy of the recommended decision is available here (PDF).
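The article's two technical points are that a device ID is no second factor once the attacker relays traffic through the victim's own PC, and that the bank's lower dollar threshold made customers easier prey because the challenge questions were prompted, and therefore harvested, more often. The simulation below is an added example written for this post; it is not code from the Krebs article, the court record or any bank. The bank logic is a deliberately simplified model, and the questions, answers, amounts and addresses are all constructed.

```python
import hashlib
from dataclasses import dataclass
from typing import Callable, Dict, Optional

# Everything below is constructed for the example: the questions, answers, amounts,
# addresses and the simplified authorization logic. It models no real bank.
QUESTIONS = ("mother's maiden name", "first pet", "city of birth")


def device_fingerprint(ip: str, user_agent: str, device_cookie: str) -> str:
    """The 'something you have' factor as litigated: a hash over attributes of the
    machine a request arrives from. Whatever the victim's PC sends will match, so a
    request relayed through that PC matches too."""
    return hashlib.sha256(f"{ip}|{user_agent}|{device_cookie}".encode()).hexdigest()


@dataclass
class Enrollment:
    password: str
    answers: Dict[str, str]
    fingerprint: str


@dataclass
class TransferRequest:
    ip: str
    user_agent: str
    device_cookie: str
    password: str
    amount: int
    answer_for: Callable[[str], Optional[str]]  # browser-side prompt for a challenge


class Bank:
    """Password, then device fingerprint, then one rotating challenge question for
    any transfer above challenge_threshold."""

    def __init__(self, enrollment: Enrollment, challenge_threshold: int):
        self.enrollment = enrollment
        self.threshold = challenge_threshold
        self.logins = 0

    def authorize(self, req: TransferRequest):
        e = self.enrollment
        if req.password != e.password:
            return False, "bad password"
        if device_fingerprint(req.ip, req.user_agent, req.device_cookie) != e.fingerprint:
            return False, "unrecognized device"
        self.logins += 1
        if req.amount <= self.threshold:
            return True, "below challenge threshold"
        question = QUESTIONS[self.logins % len(QUESTIONS)]
        if req.answer_for(question) != e.answers[question]:
            return False, f"wrong answer to '{question}'"
        return True, "challenge passed"


class ManInTheBrowser:
    """ZeuS-style malware on the victim's PC: it sees each challenge the page shows and
    the answer typed into it, and can relay the attacker's later requests through the
    same PC, browser and cookies."""

    def __init__(self, victim_answers: Dict[str, str]):
        self.victim_answers = victim_answers
        self.harvested: Dict[str, str] = {}

    def victim_prompt(self, question: str) -> str:
        answer = self.victim_answers[question]  # the real user answers honestly...
        self.harvested[question] = answer       # ...and the malware keeps a copy
        return answer

    def attacker_prompt(self, question: str) -> Optional[str]:
        return self.harvested.get(question)     # None if that question was never harvested


def run_scenario(challenge_threshold: int, legit_amounts, attacker_amount: int = 25000):
    """Replay the victim's normal transfers under a given challenge threshold, then try
    the attacker's transfer from the attacker's own machine and tunnelled through the PC."""
    victim_answers = {"mother's maiden name": "Garcia", "first pet": "Rex", "city of birth": "Boston"}
    victim = dict(ip="203.0.113.7", user_agent="Mozilla/5.0 (Windows NT 6.1)",
                  device_cookie="dev-8f3a", password="hunter2")
    enrollment = Enrollment(victim["password"], victim_answers,
                            device_fingerprint(victim["ip"], victim["user_agent"], victim["device_cookie"]))
    bank = Bank(enrollment, challenge_threshold)
    mitb = ManInTheBrowser(victim_answers)

    for amount in legit_amounts:
        bank.authorize(TransferRequest(**victim, amount=amount, answer_for=mitb.victim_prompt))

    # Attacker's own machine with the keylogged password: the device check still holds.
    direct = bank.authorize(TransferRequest(
        ip="198.51.100.9", user_agent="Mozilla/5.0 (X11; Linux x86_64)", device_cookie="",
        password=victim["password"], amount=attacker_amount, answer_for=mitb.attacker_prompt))

    # Same transfer relayed through the infected PC: identical fingerprint, harvested answers.
    tunneled = bank.authorize(TransferRequest(**victim, amount=attacker_amount,
                                              answer_for=mitb.attacker_prompt))

    return {"harvested_answers": len(mitb.harvested), "direct": direct, "tunneled": tunneled}


if __name__ == "__main__":
    for threshold in (1, 1000):
        print(threshold, run_scenario(threshold, [120, 450, 980, 2500]))
```

With the threshold at $1 every one of the four legitimate transfers is challenged, the malware collects all three answers, and the tunnelled $25,000 transfer is approved; with the threshold at $1,000 only one transfer is challenged and the attacker is stopped only because the bank happens to ask a question that was not yet harvested. In both runs the device check rejects the attacker's own machine and accepts the relayed request, which is the sense in which the fingerprint decided nothing.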


June 08, 2011

Commerce Department Proposes New Policy Framework to Strengthen Cybersecurity Protections for Businesses Online

News release: "The U.S. Department of Commerce today released a report that proposes voluntary codes of conduct to strengthen the cybersecurity of companies that increasingly rely on the Internet to do business, but are not part of the critical infrastructure sector. The report, Cybersecurity, Innovation and the Internet Economy, focuses on the “Internet and Information Innovation Sector” (I3S) – these are businesses that range from small and medium enterprises and bricks-and-mortar firms with online services, to social networking sites and Internet-only business, to cloud computing firms that are increasingly subject to cyber attacks."

Welcome to the Cloud... Not just a jurisdictional question – how do you shut down users who are breaking the country's law?

Google Redirects Traffic To Avoid Kazakh Demands

"Google has rejected attempts by the Kazakh government 'to create borders on the web' and has refused a demand to house servers in the country after an official decree that all Internet domains ending with the domain suffix for Kazakhstan be domestically based. Bill Coughran, Google senior vice president, said in his blog that from now on, Google will redirect users that visit to in Kazakh: 'We find ourselves in a difficult situation: creating borders on the web raises important questions for us not only about network efficiency but also about user privacy and free expression. If we were to operate only via servers located inside Kazakhstan, we would be helping to create a fractured Internet.' Mr. Coughran said that unfortunately, it would mean that Kazakh users would have a poorer experience as results would no longer be customized for the former Soviet republic."

(Related) Apple's vision for the Cloud... Out of sight, out of mind, out of control?

“It Just Works.”

With iCloud, Apple is transforming the cloud from an almost tangible place that you visit to find your stuff, to a place that only exists in the background. It’s never seen. You never interact with it, your apps do — and you never realize it. It’s magic.

“Why should we follow our own Privacy guidelines?”

June 08, 2011

EPIC: to Track Users for Two Years

EPIC: "The White House modified its privacy policy for on June 3, 2011. The new policy is more than twice as long as the old policy. The new policy states the White House web site now uses persistent Google Analytics cookies that track users for up to two years. Previously the site employed only single-session cookies, which were automatically deleted when users closed their browsers. The site does not provide a means for visitors to opt out of receiving cookies. The present policy reflects changes the administration made last year to allow for use of tracking cookies by federal websites. For more information, see EPIC: White House Adopts Weird Opt-Out Privacy Policy for Public Access to Government Web Sites."

…, no doubt there will be more incidents like Weiner's...

Adult sexting tied to power, 'unlimited partners'

Embattled Rep. Anthony Weiner, D.-N.Y., may have been the only person in the past week to gain national media attention for sending suggestive pictures of himself via social media, but his behavior follows a common pattern.

Though research exists into so-called "sexting" by teens, including a widely publicized study by the Pew Internet & American Life Project in 2009, studies on the sexting and online flirtation habits of adults are much more sparse.

Some information does exist, albeit with widely varying estimates on how widespread the behavior is. Findings from Pew in October suggest 6% of adults have sent sexually explicit messages over the Internet.

But some other recent surveys point to higher numbers.

A 2009 survey of more than 1,200 respondents by the Cranfield School of Management in the U.K. showed that more than half of participants have used the Internet for flirting, affairs and sexual advances.

And a 2009 online survey of 323 people ages 13 to 72 by psychologist Susan Lipkins of Port Washington, N.Y., found 66% of the sample had sent sexually explicit messages.

(Related) Attention Congressman Weiner!

Twitter Has Begun Rolling Out New Photo Service To Users

For your personal toolkit.

3 Free Real-Time Malware Protection & Removal Tools



Spyware Terminator

Malware protection and removal tools are only one level of security. In addition, you should use a firewall and a traditional anti-virus program. Please check out these MakeUseOf articles for more advice on how to keep your system protected:

Wednesday, June 08, 2011

Kick that sleeping dog! I thought they got off too easily. Let's see if this lawyer can provoke a more adequate response.

Another family sues Lower Merion School District over “webcamgate”

June 7, 2011 by Dissent

If you thought the soap opera involving Lower Merion School District’s “webcamgate” was over, guess again. Reuben Kramer reports that another lawsuit has been filed by another student whose images were captured when the webcam on his district-provided laptop was remotely activated:

Plaintiff Joshua Levin’s suit describes an ominous night when he and his family discovered the surveillance.


Levin says his parents subsequently received a letter from the district around June 2010, advising them that “4,404 webcam photographs and 3,978 screenshots” were remotely captured by the district from the laptop he was issued.

The letter then instructed Levin that if he wanted to view the fruits of the district’s surveillance, he’d have a one-hour window on a specific day in June to do so at a federal courthouse, according to the suit.

Levin says he accepted the offer, “and was shocked, humiliated and severely emotionally distressed at what he saw.”

His attorney, Norman Perlberger of Bala Cynwyd, Pa., did not immediately respond to a call requesting clarification, although the suit claims that many images captured by the laptops may have depicted minors and their parents “in compromising or embarrassing positions,” including in “various stages of dress or undress.”

Read more on Courthouse News, where they have also uploaded the complaint filed Monday in District Court for Eastern District in Pennsylvania. The lawsuit alleges violations of ECPA, SCA, CFAA, and violations of privacy under the Fourth Amendment.

Didn't his lawyers have a duty to ensure this information was protected?

The Worst Example of Executive Data Security Ever?

June 7, 2011 by admin

Daniel Nolte writes:

Fabrice Tourre of Goldman Sachs has the distinction of being the only person sued by the Securities and Exchange Commission for fraud in selling mortgage backed securities. While that may remain his primary claim to fame (thanks to a front-page article in the New York Times), there may be a secondary distinction added: the worst handling of computer security ever.

The Times article contains numerous e-mails between Tourre and his co-workers and legal counsel as they prepared for the case. How did the reporters get access to private Goldman Sachs e-mails including attorney-client discussions?

Read more about the gaffe that led to the emails being exposed in public.

[From the article:

These legal replies, which are not public, were provided to The New York Times by Nancy Cohen, an artist and filmmaker in New York also known as Nancy Koan, who says she found the materials in a laptop she had been given by a friend in 2006.

The friend told her he had happened upon the laptop discarded in a garbage area in a downtown apartment building. E-mail messages for Mr. Tourre continued streaming into the device, but Ms. Cohen said she had ignored them until she heard Mr. Tourre’s name in news reports about the S.E.C. case. She then provided the material to The Times.

What does it take to motivate politicians to pass Privacy laws?

CO: Prostitution-ring records stolen in reported break-in

June 8, 2011 by admin

Another low-tech data theft could have embarrassing consequences. Chuck Plunkett of the Denver Post reports:

Hundreds of documents kept by the former owner of a high-profile prostitution ring in Denver were reportedly stolen Monday in a home break-in.

Scottie J. Ewing, who once owned Denver Players and Denver Sugar escort services — identified by federal agents as a prostitution ring — told Denver police that thieves broke into his home Monday between 6 and 8 p.m., entered an upstairs office and took off with his computer and a large container of files.

Read more in The Denver Post.

In related coverage, Marshall Zelinger of 7News reports:

7NEWS had seen the list from the “Denver Players” in the last week. It contains the names and numbers for high end clientele. For hundreds of dollars, the service matched escorts with clients for sex.


7NEWS was allowed to record video of the documents on Friday, on the condition they would not be recognizable on camera. The documents piled in front of our camera included the black book phone list, appointment logs, schedule books and credit card slips from the escort service.

And Deborah Sherman of 9News reports:

9Wants to Know has learned that secret documents that belonged to a former prostitution business were stolen on Monday night. The documents included a list of clients’ real and fake names, phone numbers, credit card and cash receipts, according to a Denver Police report.

So clearly there is a lot of sensitive, personal and financial information involved, much of which is already in the hands of prosecutors who had initiated legal action against the operation in the past.

But no, I don’t expect we’ll see data breach notifications sent out on this one.

For my Computer Security students. Points out some failures in Security management and is quite amusing too...

Lieberman CEO goes on the warpath - accuses RSA of greed and neglect

Philip Lieberman, the President and CEO of Lieberman Software, issued a press statement on Wednesday that ripped RSA and their senior management to shreds. There is simply no other way to describe his opinions.

… Like RSA, Lieberman Software is also in the privileged identity management space. They offer an alternative to SecurID called Random Password Manager. Their CEO’s comments come in reaction to the news that data taken during the security breach against RSA’s networks, led to an attempt on Lockheed Martin. As a result, RSA announced on Monday that they would be replacing 40 million SecurID tokens.

… “By my estimates this breach is going to cost RSA a minimum of $400M to replace 40 million tokens. This is not just bad news for RSA Security – it paints the rest of the IT security industry in a bad light,” he said.

Placing the fault squarely on the senior management of EMC, the parent company of RSA, the lack of investment in SecurID is viewed as one of the root causes for the breach.

“A quick review of the SecurID products show that the SecurID product line has languished in innovation and development investment since the takeover. EMC is guilty of milking the RSA cow dry, neglecting it, getting it sick, and then selling the tainted beef.

Another way to track individual preferences?

Facebook quietly switches on facial recognition tech by default

June 7, 2011 by Dissent

Kelly Fiveash reports:

Facebook has rolled out its facial recognition technology to countries outside of the US, but has switched the feature on by default without telling its users first.

UK-based security expert Graham Cluely noted earlier today that Facebook had slotted the tech into the social network.

The Mark Zuckerberg-run company started using its facial recognition software in December last year for its Stateside users in a move to automatically provide tags for the photos uploaded by Facebook users.

The tech works by scanning newly uploaded pics and then identifies faces from previously tagged photos already stored in Zuckerberg’s internet silo.

Read more in The Register.

Shame on Facebook. Again.

(Related) Not surprising we see articles like this one...

How to get around Facebook's new face recognition

FACEBOOK wants to know what you look like, and it wants you to like it.

The social networking website has been rolling out a facial recognition feature called Tag Suggestions since late last year.

Now the feature has become available for Australian users, and by default, it's turned on.

… Professor Brian Lovell of the University of Queensland said Tag Suggestions posed serious privacy risks for some users.

"The software might actually be labelling people who don’t want to have their faces known," Dr Lovell told

"You put these things up in innocent way and they can be used against you."

Dr Lovell, who heads the university's Advanced Surveillance team, said users with assumed or suppressed identities were particularly at risk.

"If your photo was taken before you enter witness protection, it's very hard to remove those photos," he said.

Tuesday, June 07, 2011

Sony... Again...

Daily Sony Hacking Occurs On Schedule

"LulzSec was compromised and a member of the group, Robert Cavanaugh, was arrested by the FBI on June 6. Meanwhile, LulzSec hacked Sony again, this time leaking the Sony Developer Network source code through file sharing websites."

(Related) Sony users may be as bad at security as Sony!

A brief Sony password analysis

June 6, 2011 by Dissent

I usually post security breach analyses and commentaries over on, but an analysis by Troy Hunt of the hacked passwords used by millions of people on Sony and Gawker sites is worth a complete read if you’re concerned about your privacy. Read his analysis of the patterns of passwords and see if you fall into any of the problems he describes. Then start generating better passwords that are unique for each site or service you register for.

This is no surprise. Real loss of face for RSA as well as an expensive fix.

RSA to replace SecurID tokens following breaches

Following recent cyberattacks against several defense contractors, in which hackers breached security using stolen SecurID keys, SecurID maker RSA is promising to replace the tokens for customers concerned about the vulnerability of their network data.

In an open letter to all SecurID customers, RSA Executive Chairman Art Coviello acknowledged that the likely motive behind the March theft of SecurID token information was to obtain defense secrets and related intellectual property. RSA specifically warned customers at the time that the theft could breach their security.

The next “Big Thing?” Personal information required for the charges, but not released? Apple's billing systems unreliable?

Has iTunes Been Hacked?

"Betanews has a series of articles talking about an apparent hack in iTunes that has resulted in fraudulent charges for some users involving Sega's Kingdom Conquest game. The reports start with a personal account from reporter Ed Oswald, who was a victim of the hack itself. The next story adds reports from readers, and the most recent story adds additional reports, with Oswald saying the number of reports received are in the 'dozens.' Apple has yet to confirm the existence of a hack, although reports have appeared on Sega's own support forums, Apple discussion boards, and through other news outlets."

“We're a bank. What do we know about protecting financial data?” Apparently they can't read regulations either.

Scotiabank loses CDs with customer bank accounts, social insurance numbers

June 6, 2011 by admin

Mary Gazze of The Canadian Press reports:

Scotiabank says it will use digital locks [Interesting choice of words. Google 'digital locks' and you don't get encryption... Bob] on data discs after three CDs containing unencrypted information, such as customer social insurance and account numbers, were lost in its internal mail system.

The bank said a “small percentage” of customers are affected, but it is warning clients as a precaution so they can monitor accounts for any fraudulent activity.


The information on the discs was not encrypted, and was set to be transferred to the Canada Revenue Agency as part of the bank’s requirements to report the information.

The data included names, mailing addresses, social insurance numbers, account types, and numbers for registered accounts such as RRSPs, RESPs and RRIFs. It does not include savings or chequing account numbers, any account balances or employment information.

“It is clear that there was non-compliance with the bank’s policy of encrypting portable storage devices that contain confidential personal information,” the bank said.

“This appears to have been due to a belief that Canada Revenue Agency (CRA) would not accept encrypted files that, upon further examination, appears to be inaccurate.”


Okay, so the bank misunderstood. Not good, obviously. But assuming that this would not be the first time the bank was transferring required information to Canadian Revenue, why didn’t Canadian Revenue ever contact them and say, “Hey, you’re supposed to be sending this stuff encrypted?”

On the other hand...

Important Information about a Ravelry Security Breach

June 6, 2011 by admin


From: “Ravelry”
Date: Jun 6, 2011 2:41 AM
Subject: Important information about a security breach at

(Wondering if this email is real? You can also see a similar notice by logging in to

*Important Information about a Ravelry Security Breach*

Dear Ravelry member,

An attacker recently managed to break in to one of Ravelry’s secondary servers. Once inside, they were able to access user names, *encrypted* passwords, and possibly email addresses. Your passwords could not be seen and no financial or other sensitive information was accessed as we do not collect or store this type of data.

We think that it is important to be overly cautious and we need you to change your password on Ravelry and on any other sites where you’ve used the same or similar password, even if you used different usernames. Because passwords were encrypted, we do not think that your password has been exposed but it is important to change your passwords just to be safe. There is a chance that some passwords could be decrypted given enough time and computer power and we don’t want to put anyone at risk.


*More information regarding the security breach,* including the steps we are taking to make Ravelry more secure, can be found in our full notice at Additionally, we are listing answers to Frequently Asked Questions and fielding further questions in our forums . You are also welcome to reply to this message if you have any questions or concerns.

We are deeply sorry that this has happened. We care very much about everyone on Ravelry and we’re taking steps to make sure that we are all more safe from this sort of attack.

We are also very sorry that some people who are not active members may have been affected. If you’d like to delete your Ravelry account, please use the information above to do so.

Casey, Jess, Mary-Heather and Sarah

Nice. A bunch of knitters and crocheters knew to encrypt passwords when Sony didn’t?

Even volunteer organizations aren't safe. creates public domain audio books...

LibriVox Forum Hacked

June 6, 2011 by admin

Via DataLoss-Discuss mail list:

From: Date: May 26, 2011 11:37:21 PM CDT

To: undisclosed-recipients:;

Subject: URGENT: LibriVox Forum Hacked

The following is an e-mail sent to you by an administrator of “Librivox Forum”. If this message is spam, contains abusive or other comments you find offensive please contact the webmaster of the board at the following address:

Message sent to you follows:
Dear Librivoxer,

This is Hugh, the founder of LibriVox, writing to let you know that, unfortunately, a hacker broke into the LibriVox forum, caused a bit of damage (now fixed), but more worryingly, got access to our complete database including emails and encrypted passwords. We have locked them out of the system, and we’ve fixed the vandalism, but they still have our database.

So, in order to protect our users & the LibriVox accounts:

* we have RESET ALL USER PASSWORDS (including yours)
* the next time you login your password will be invalid
* you will have to reset your password, using this link:



In the interests of full disclosure, here is some extra information:
(1) The database contained every piece of communications sent through the forum, including all private messages. This information is now in the possession of the hacker.

(2) All forum passwords in the database are encrypted. However, if your password was very simple, it will be trivial for the hacker to break the encryption using “brute-force” techniques. They will likely attempt exactly this, so if you use the same password on any other Internet service, you should immediately change your password at those services.

We are very sorry that this happened, and once this is sorted out as best as it can be, we’ll be doing a more thorough security review.

If you have questions, please don’t hesitate to contact me.


Hugh McGuire Founder, Librivox
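Both notices above rest on the same idea: stored passwords are hashed with a salt and a work factor, so a stolen database still costs the attacker real time per guess, and a simple password is the only thing that makes that guess cheap. The following is an added example of that storage scheme; it is not Ravelry's or LibriVox's code, and the PBKDF2 parameters and sample passwords are assumptions.

```python
"""Salted, iterated password storage (added example; parameters assumed)."""
import hashlib
import hmac
import os
import time
from typing import Optional

# Assumed parameters for this example, not any real site's configuration.
ITERATIONS = 100_000   # PBKDF2 work factor: hashes per guess
SALT_BYTES = 16        # random salt per stored password


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> str:
    """Return a self-describing record: scheme$iterations$salt_hex$hash_hex.

    A fresh random salt per user means two users with the same password
    get different records, so cracking one record says nothing about the
    other and precomputed tables are useless.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the hash from the stored salt and compare in constant time."""
    scheme, iterations, salt_hex, hash_hex = record.split("$")
    if scheme != "pbkdf2_sha256":
        raise ValueError(f"unsupported scheme {scheme!r}")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest, bytes.fromhex(hash_hex))


def cost_ratio(samples: int = 20) -> float:
    """How many plain SHA-256 guesses fit in the time of one PBKDF2 guess.

    This is the 'enough time and computer power' factor from the notices:
    a fast unsalted hash lets an attacker test a guess for the price of
    one hash; an iterated hash makes every guess cost ITERATIONS hashes.
    The result depends on the machine, so treat it as an order of magnitude.
    """
    salt = os.urandom(SALT_BYTES)
    pw = b"constructed-sample-password"   # constructed input
    start = time.perf_counter()
    for _ in range(samples):
        hashlib.pbkdf2_hmac("sha256", pw, salt, ITERATIONS)
    slow = (time.perf_counter() - start) / samples
    n_fast = 200_000
    start = time.perf_counter()
    for _ in range(n_fast):
        hashlib.sha256(salt + pw).digest()
    fast = (time.perf_counter() - start) / n_fast
    return slow / fast


if __name__ == "__main__":
    record = hash_password("correct horse")          # constructed sample
    print(record)
    print("right password:", verify_password("correct horse", record))
    print("wrong password:", verify_password("Correct horse", record))
    print(f"one PBKDF2 guess costs about {cost_ratio():,.0f} plain hashes")
```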

Broader application. Well worth a read.

12 Steps for Surviving an HHS/OCR Privacy Breach Investigation

Implications for Cloud computing and off-shoring in general?

American Express’s call centers put customer data at risk of warrantless search and seizure – complaint

June 7, 2011 by Dissent

Seen at Courthouse News:

A federal class action claims that American Express routes customers’ calls to foreign call centers without their permission or knowledge, subjecting them to intrusive, warrantless snooping by the U.S. government.

The case is Pickman v. American Express Travel Services and was filed in Superior Court of California in Alameda on June 3.

If I understand the complaint, Pickman argues that on “information and belief,” the federal government is scooping up all data transferred to American Express’s non-U.S. call center personnel during customer interactions, that under U.S. law, there is nothing to stop this widespread surveillance, and that customers are not notified that their data are being sent outside of the U.S., that the data are seized and searched by the federal government or at the very least, are at risk of being searched without Fourth Amendment or constitutional protections. The complaint alleges various violations of California state law.

Is our government scooping up all of our data as it is transferred to outsourced call centers?

I'd look for people who want political power – like MPs. Clearly they have that “Big Brother is Good” attitude...

UK: Doctors asked to identify potential terrorists under government plans

By Dissent, June 6, 2011

Alan Travis reports:

Doctors and other health professionals will be asked to identify people who are “vulnerable to being drawn into terrorism” as part of the government’s redrawn counter-terrorism programme to be detailed on Tuesday.


One “key message” of the document is that it is not a programme to spy on Muslim communities, but doctors will be asked to identify people who may be “vulnerable” to recruitment by terrorist groups.

The British Medical Association said doctors were allowed to breach patient confidentiality in the public interest – for example, if they thought someone was going to blow up a bus.

But a spokeswoman said the plan “goes a lot further and we would have an issue with that”.

She said: “Doctors cannot look into the future and say how someone might behave. This would threaten the trust of the doctor and patient relationship. A doctor’s role is to treat the patient in front of them, not predict how the patient will behave in future.”

Read more in The Guardian.

I’ve blogged in the past on Chronicles of Dissent about not putting tin stars on doctors. Not only does the plan put doctors in the position of breaching confidentiality, but it asks them to make forensic predictions when there is no clear empirical basis to think that general practitioners or others who are not specially trained in this specialized area can make accurate predictions like this.

It will be interesting to see where this goes...

Google remedial measures address privacy deficiencies, Privacy Commissioner says (updated)

June 6, 2011 by Dissent

Privacy Commissioner satisfied with Google’s response to her Office’s investigation into the company’s inappropriate collection of personal information from unsecured wireless networks across Canada, but plans further follow-up.

OTTAWA, June 6, 2011 – An investigation that revealed Google Inc. lacked proper controls to protect personal information has led to a commitment by the company to implement remedial measures that will reduce the risk of future privacy violations, says Privacy Commissioner of Canada Jennifer Stoddart.

“Google appears to be well on the way to resolving serious shortcomings in the way in which it addresses privacy issues,” says Commissioner Stoddart. “However, given the significance of the problems we found during our investigation, we will continue to monitor how Google implements our recommendations.”

The Privacy Commissioner has requested that Google undergo an independent, third-party audit of its privacy programs within a year and share the results with her Office. An audit will help measure the effectiveness of Google’s proposed measures vis-à-vis its overall privacy compliance regime.

This is the first time the Commissioner has asked a company to undergo an independent audit. In order to strengthen accountability going forward, organizations may, in appropriate cases, be asked to file independent, third-party reports attesting to the fact that they have lived up to their commitments and have complied with the Commissioner’s recommendations.

“Google is a world leader in innovation and, by its own admission, it pursues ideas which push the limits of social norms and technologies. As such, the company has an added responsibility to ensure that privacy protection gets the attention it deserves. Unfortunately, past history suggests that has not been the case until now,” she says.

The Privacy Commissioner initiated an investigation under the federal private-sector privacy law, the Personal Information Protection and Electronic Documents Act, or PIPEDA, after Google admitted that its cars – which were photographing neighbourhoods for its Street View map service – had collected data transmitted over unprotected wireless networks installed in homes and businesses around the globe. It’s likely that thousands of Canadians were affected.

The personal information collected included complete e-mails, e-mail addresses, usernames and passwords, names, home telephone numbers and addresses, and even the names of people suffering from certain medical conditions.

The investigation concluded that the incident was largely a result of Google’s lack of proper privacy policies and procedures.

The Office of the Privacy Commissioner issued its findings and recommendations in October 2010 and asked for a response by February 2011. Google responded and subsequently provided clarification of certain issues at the request of the Office of the Privacy Commissioner.

The Privacy Commissioner is now satisfied with the measures that Google has agreed to implement, including:

  • Significantly augmenting privacy and security training provided to all employees;

  • Implementing a system for tracking all projects that collect, use or store personal information and for holding the engineers and managers responsible for those projects accountable for privacy;

  • Requiring engineering project leaders to draft, maintain, submit and update Privacy Design Documents for all projects in order to help ensure engineering and product teams assess the privacy impact of their products and services from inception through launch;

  • Assigning an internal audit team to conduct periodic audits to verify the completion of selected Privacy Design Documents and their review by the appropriate managers; and

  • Piloting a review process whereby members of Google’s Privacy Engineering, Product Counsel and Privacy Counsel teams review proposals involving location-based data, as well as the software programs that are to be used for the collection of data.

Additionally, Google has advised that it has begun to delete the data it collected in Canada. This process has been complicated by various rules and regulations that the company is subject to under Canadian and U.S. Laws. The company has stated that, until such time as the data can be fully destroyed, it will remain secured and will not be used.

The Office of the Privacy Commissioner will follow up with Google next year to gauge full implementation of its recommendations. At that time, the Privacy Commissioner will determine whether and how best to pursue the matter in accordance with her authorities under the Act.

The Report of Findings and a Backgrounder on the Google investigation is available on the Privacy Commissioner’s website,

The Privacy Commissioner of Canada is mandated by Parliament to act as an ombudsman and guardian of privacy in Canada. The Commissioner enforces two pieces of federal legislation: the Privacy Act, which applies to the federal public sector; and the Personal Information Protection and Electronic Documents Act (PIPEDA), which applies to commercial activities in all provinces, except British Columbia, Alberta and Quebec, which have enacted substantially similar legislation.

Source: Office of the Privacy Commissioner of Canada.

I’m trying to find out if Google has actually agreed to undergo the independent third-party audit. Will update this post when I find out.

Update 1: The Privacy Commissioner’s Office didn’t give me a yes or no and referred me to one of Google’s attorneys. I’ve emailed her to ask. More when I have it….

Update 2: I received a response from a Google spokesperson:

As we have said before, we are sorry for having mistakenly collected payload data from unencrypted networks. We have worked with the Office of the Privacy Commissioner throughout their investigation. We are pleased that the OPC has determined that our proposed measures will meet their requirements.

We have received the recommendation for third party assessment and look forward to discussing with the Office of the Privacy Commissioner.

So it appears that they haven’t agreed to the request – at least, not yet.

Non-combatants held hostage in Cyber war?

Chinese Paper Warns Google May Pay Price For Hacking Claims

"Google has become a 'political tool' vilifying the Chinese government, an official Beijing newspaper said on Monday, warning that the US internet giant's statements about hacking attacks traced to China could hurt its business. The tough warning appeared in the overseas edition of the People's Daily, the leading newspaper of China's ruling Communist Party, indicating that political tensions between the United States and China over Internet security could linger. Last week, Google said it had broken up an effort to steal the passwords of hundreds of Google email account holders, including US government officials, Chinese human rights advocates and journalists. It said the attacks appeared to come from China."

A tricky legal area? Somewhat like a “sting” but with the potential to send real information to criminals... Could be amusing, if true.

25% of US Hackers Are FBI/CIA Informers

"The Guardian reports that the FBI and CIA have 'persuaded' up to 25% of US hackers to 'work' for them. 'In some cases, popular illegal forums used by cyber criminals as marketplaces for stolen identities and credit card numbers have been run by hacker turncoats acting as FBI moles. In others, undercover FBI agents posing as "carders" – hackers specialising in ID theft – have themselves taken over the management of crime forums, using the intelligence gathered to put dozens of people behind bars. ... The best-known example of the phenomenon is Adrian Lamo, a convicted hacker who turned informant on Bradley Manning, who is suspected of passing secret documents to WikiLeaks.' What implications does this hold for privacy? Or is it just good work by the authorities?"

As you may have guessed, the estimate appears to be based only on the number of black hats, rather than all hackers.

Would this extend to cell phones?

Sixth Circuit agrees with the Third, Seventh, and Tenth Circuits: a computer is not a file cabinet under the Fourth Amendment

June 7, 2011 by Dissent

Alain Leibman comments:

An earlier post considered the wide array of analyses employed by the courts of appeal in assessing under the Fourth Amendment the constitutionality of searches of computers and other electronic storage devices. (An article by the author, expanding substantially on the short-form blog entry, may be found at “Computer Search and Seizure Under the Fourth Amendment: The Dilemma of Applying Old-Age Principles to New-Age Technology,” Criminal Law Reporter (March 2, 2011)). The differences among the courts turn on the degree to which they view the search of an electronic storage medium as like, or as unlike, a traditional search of a file drawer or other container of papers. A plurality of circuit courts have required law enforcement agents to proceed cautiously in searching through computers, cognizant both of the quantity of private data housed in a computer and the potentially corrosive effect on expectations of privacy when the “plain view” doctrine is used to justify a close review of data far afield from the original object of the search.

Read more on Lexology.

[Full article here:


Do GPS Tracking Devices Violate the Fourth Amendment?

June 7, 2011 by Dissent

Law professor Laurie L. Levenson writes:

…Now it appears that the issue may be headed to the U.S. Supreme Court. On April 15, acting Solicitor General Neal Katyal petitioned the Supreme Court for review of U.S. v. Maynard, 615 F.3d 544 (D.C. Cir. 2010), petition sub nom, U.S. v. Jones, No. 1259 (April 15, 2011), a landmark decision striking down the warrantless use of GPS devices to conduct round-the-clock surveillance of suspects’ vehicles.

Read her summary of the history of judicial decisions and analysis of cases that have led to this point in The National Law Journal. Via

This should amuse the IP Lawyers...

Russian President: Time To Reform Copyright

"While most of the rest of the world keeps ratcheting up copyright laws by increasing enforcement and terms, Russian President Dmitry Medvedev appears to be going in the other direction. He's now proposing that Russia build Creative Commons-style open and free licenses directly into Russian copyright law. This comes just a few days after he also chided other G8 leaders for their antiquated views on copyright."

How the (I won't call it) Extortion works...

The Anatomy of a BitTorrent Piracy Settlement

Don't read too much into this. It looks more like budget cuts than a position on TSA searches.

June 06, 2011

EPIC: House Passes Budget for TSA, Cuts Funding for Body Scanners

Follow up to previous postings on government implementation of whole body scanning technology at airports, via EPIC: "The House has approved the 2012 budget for the Transportation Security Administration, cutting $270 million from the amount originally requested by the Agency. The cuts include $76 million that had been designated for the purchase of 275 airport body scanners. Leading lawmakers and activists have called attention to the health risks associated with the scanners, as well as their invasiveness. Representative Jason Chaffetz (R-UT) criticized the machines as “slow” and “ineffective.”"