Tuesday, July 24, 2012

Why we never use the same UserID and password on multiple sites.
Gamigo breach exposed 8.24 million passwords, and now they’re public
July 24, 2012 by admin
JR Brookwalter reports:
Gamigo, an online game publisher based in Germany, was the subject of a security breach back in late February – but apparently, the worse was yet to come.
After notifying its customers about the security breach back on March 1 via email, the email addresses and encrypted passwords of all 8.24 million accounts have finally been made public this week.
Read more on TechRadar.

Note that this was found during a “Privacy Commissioner's investigation.” Does anyone in the US conduct such investigations? Might ensure that organizations checked their own security...
By Dissent, July 24, 2012
Here’s a follow-up on a breach originally reported last year. Michael Lee reports:
Following a leak of client information, the Australian Privacy Commissioner has determined that Medvet Laboratories breached the Privacy Act, despite there being no client bank account details, customer names or test results exposed online.
The privacy bungle was first reported by The Australian on 16 July 2011, which stated that the South Australia Health-owned organisation had compromised the privacy of customers who had ordered kits to test for illicit drugs and alcohol.
Read more on ZDNet.
[From the Australian:
An investigation by The Weekend Australian has revealed that the complete home and work addresses of customers and others who ordered paternity test kits, drug and alcohol test kits and other products this year and last year are published and accessible on Google.
[From ZDNet:
According to the Privacy Commissioner's report, the source of the leak of information was Medvet's online web store, which was developed by Canadian software development company Iciniti Corporation. The Commissioner found that the software did not include appropriate security and that the development and quality management practices associated with it were deficient. In the Commissioner's investigation, the software was found to have multiple security flaws, and the Commissioner believed that very little security testing had been performed.

The dangers of Facebook...
Another group of malicious people have started a new Facebook scam that will spam your poor unsuspecting friends with wall posts and constant annoyances. Chances are, you will stumble across this scam via a friend who themselves fell for it. You may see a wall post or message that “tells” you how many people viewed your Facebook profile today. It will also give you the number of male and female viewers.
Of course, it is impossible for the app to grant you this information as Facebook does not allow developers to get access to any data on visitors to a specific profile. This does not prevent people from being interested in such a feature, and when an app like this comes along promising to deliver, people are far too quick to install.
… If you already installed this app, you can lessen any damage by uninstalling it as soon as possible. Click the triangle on the top right of any Facebook page, click account settings and then apps. From here, you will be able to uninstall this app, which will be called “profile viewer,” from your profile.

There is nothing like a firm “Maybe.” Should they have said “legally OR technically possible?”
Skype refuses to confirm or deny eavesdropping rumours
July 23, 2012 by Dissent
Liat Clark reports:
Video chat provider Skype has refused to deny that wiretaps can now be used to infiltrate its hosted conversations, according to a news report.
After repeatedly putting the question to Skype representatives, a Slate reporter’s inquiries were met with the vague response: “[Skype] co-operates with law enforcement agencies as much as is legally and technically possible.” The problem is, it looks as though interception is now a legal and technical possiblity.
Skype’s latest statement has raised a few eyebrows because it is so markedly different from the company’s previous public declarations that because of its “peer-to-peer architecture and encryption techniques,” wiretapping would be impossible.
Read more on Wired.co.uk

I post these on occasion so we don't forget that many breaches go unreported in the “real” media. Also because my threshold is now somewhere north of a few hundred thousand.
By Dissent, July 23, 2012
HHS added another batch of reports to its breach tool last week. Here are the ones I hadn’t known about already from either the media or reports to state attorneys general:
Upper Valley Medical Center,OH,,”15,000″,10/01/2010-03/21/2012,Unauthorized Access/Disclosure,Other,7/3/2012,,
The breach went on for over one year? There doesn’t seem to be any media coverage of this breach, so I’ emailed UVMC last week to inquire and will update this entry when I get a response.
In researching this entry, though, I discovered that UVMC had a second, and more recent, breach involving a missing hard drive.
“Luz Colon, DPM Podiatry”,FL,,”1,137″,3/20/2012,”Theft, Loss”,Laptop,7/3/2012,,
Another one where there was no media coverage that I can find.
Independence Physical Therapy,CT,,925,8/1/2011,Theft,Desktop Computer,7/3/2012,,
The computer was stolen in August 2011 and we’re first learning of this now? I cannot find any archived news coverage of this one and there is nothing on IPT’s web site.
Titus Regional Medical Center,TX,,500, 3/29/2012, Theft,Other,7/3/2012,,
This appears to be TRMC’s second reported breach this year. On May 24th, they posted a notice on their web site that says, in part:
Public Notice 5/24/12 – EMS Laptop and X-Ray Storage Breach
In compliance with ARRA/HITECH provisions of HIPAA, the following is a public notification of lost and/or stolen patient information in two separate unrelated incidents:
On March 28, 2012, a laptop computer owned by Titus Regional Medical Center’s Emergency Medical Services was confirmed lost during a routine patient transportation. The laptop is not believed to have been stolen, rather inadvertently left on the fender of ambulance with subsequent fall and loss during route. The data was encrypted and password protected and the computer may have been damaged and rendered inoperable. There is a possibility that personal data, including name, address and social security number, as well as a limited amount of medical data related to the services provided by the EMS department could have been accessed in the unlikely event the computer was opened, running and undamaged.
Lutheran Community Services Northwest,WA,,756,03/29/2012-03/30/2012,Theft,”Desktop Computer, Other Portable Electronic Device”,7/3/2012,,
In an undated notice on their web site, they explain, in part:
On March 30, 2012, we became aware that there had been a break-in at our Bremerton office. Computers and electronic devices were taken, some of which contained sensitive information. A police report was immediately filed and every effort made to recover the information.
A thorough assessment was conducted to determine what sensitive information may have been compromised. Every effort has been made to contact people whose information may have been affected. A total of 3,040 LCSNW clients, volunteers and staff were sent letters notifying them of the situation.
The kinds of sensitive information involved differed a lot by program, but could include:
  • Name, Address, Phone Number or Email
  • Date of Birth
  • Social Security Number
  • Driver’s License or Washington ID Number
  • Income or payment information about services received
  • Information about client conditions, treatment and/or service information or diagnosis
West Dermatology,CA,,”1,900″,04/21/2012 – 04/22/2012,Theft,Other,7/3/2012,,
I could find no media coverage on this one nor any statement on their web site. Since they’re in California and the breach affected over 500, it’s not clear to me why this isn’t on California’s site.
Physician’s Automated Laboratory,CA,,745,03/23/2012 – 03/26/2012,Theft,Paper,7/3/2012,,
A notice dated May 23rd on their web site says, in part:
On March 26, 2012, we discovered that our Patient Service Center located at 2012 17th Street, Bakersfield California 93301 had been broken into and that, among other things, lab requisition forms which were kept in a locked cabinet were missing from the center. We were able to determine that the missing forms are related to certain laboratory services provided between February 1, 2012 and March 23, 2012. So, if you received services at this location during that timeframe, the confidential information taken may have contained your name, address, phone number, date of birth, insurance information, ordering practitioner’s name and laboratory tests ordered.
The Bakersfield Police Department was notified of the break-in for investigation and possible prosecution of the person(s) responsible. Since then, PAL has taken additional steps to ensure this type of information is more secure, as these documents are no longer kept at PAL patient service centers.
Volunteer State Health Plan, Inc.“,TN,,”1,102″,03/16/2012-04/20/2012,Loss,Paper,7/3/2012,,
VSHP posted a notice on their site that says, in part:
Damaged Mail Leads to VSHP Information Disclosure
CHATTANOOGA, Tenn. — Volunteer State Health Plan (VSHP) has notified approximately 1,100 of its BlueCare members that some of their protected health information was lost last month when envelopes mailed to a West Tennessee clinic were damaged in shipping through the U.S. Postal Service. No patient addresses or Social Security numbers were among the data.
VSHP, a Medicaid managed care organization, investigated the report immediately and discovered that the damaged mail had been sent to Comprehensive Counseling Network. Each envelope contained a check to pay for medical visits and a list of claims for those visits. The checks were not damaged, but the lists of claims were lost at the post office. The postal service has not found them.
The data contained on the missing lists includes:
* First and last name of member
* BlueCare ID number
* Date of service
* Procedure code
* Claim number
* Total charged
* Amount paid
* Provider name and address
In addition to notifying BlueCare members about the incident, VSHP has implemented a new procedure of sending payments and claims lists in reinforced envelopes. This process will continue until clinics are transitioned to electronic fund transfer, eliminating the need to mail checks.
So there you have it: the HHS breach tool serves a valuable function in alerting us to the occurrence of incidents, but it generally fails to provide us with sufficient information to understand the incidents. I continue to think that HHS should be posting more details about incidents.

I always try to relate technical capabilities back to their “pre Information Age” equivalents. Would that be possible here?
Notice and Opportunity to Challenge Evidence Collection Under ECPA: What’s the Best Rule?
July 24, 2012 by Dissent
Orin Kerr writes:
… As a matter of policy, when should targets of digital evidence investigations receive notice of the court orders? And when and how should they be allowed to challenge the orders as unlawful? In a traditional criminal case, suspects don’t receive notice that they are subjects of monitoring. When the government decides to “tail” a suspect around town, they don’t send them a letter letting them know. Suspects receive notice only in specific contexts, such as if their home is searched pursuant to a warrant. And they have to wait to bring challenges until late in the game. In the case of a warrant, for example, the defendant challenge the warrant until after it has been executed. [Should all warrants eventually be disclosed? Bob] The question is, if you were writing the statutory network surveillance laws, when would you impose a statutory notice requirement and when would you allow challenges to be brought? Would you try to match overall amount of notice in digital investigations to that of traditional physical investigations? Or would you aim for more or less notice in the electronic setting than in the physical setting? Would you allow challenges to surveillance practices as they were ongoing, or would you require challenges to wait until the order had been executed?
Read more on The Volokh Conspiracy.

How to make my Ethical Hackers jealous...
Stalkbook: Stalk anyone, even if you're not Facebook friends
MIT graduate Oliver Yeh recently built a service called Stalkbook that he claims allows you to stalk people on Facebook even if you're not friends with them on the social network. Yeh has a simple but malicious trick: he uses other Facebook users' credentials to view whichever profile you want to stalk.
When I went to the site, typed in "Mark Zuckerberg" and clicked "Stalk," I was greeted with the following message: "Stalking is considered to be morally wrong. Why don't you try talking to the person instead." Stalkbook hasn't been released publicly, but Yeh has demoed it to select individuals.
In an interview with IEEE, Yeh explained in further detail how Stalkbook works:

Ethical Hackers: I know your are saying, “Well, Duh!” But, not everything we teach is common knowledge. Use your skills for good, Grasshopper.
Hotel cardkey locks said to be vulnerable to bypass hack
Brocious, who is expected to present his findings at the Black Hat security conference tomorrow, showed Forbes how he is able to open hotel doors with a gadget he built with materials costing less than $50.

For my “Geeks with ideas” I wonder how many teachers have had this experience?
Noodlecrumbs Is A Crowd-Funding Platform For Thinkers, Not Doers
With successes like the Pebble smart watch, crowd-funding is becoming more and more attractive to startups. But maybe you aren’t even at the startup stage in your idea. Maybe all you have is an idea and a computer. That’s where Noodlecrumbs comes into the picture.
It’s a new type of crowd-funding for those of who don’t quite know how much we need to make the dream a reality. In fact, Noodecrumbs could be used by someone who doesn’t even want to build the actual product, but just wants it to be built. I have friends who pitch me ideas all the time, and I say, “sounds good, build it.” Most of the time, they say they don’t have time or don’t know how, but they’d love to use the product. That’s the perfect situation for Noodlecrumbs.

No comments: