Friday, July 28, 2006

It's Friday, so here are the latest identity theft stories...

http://630ched.com/news/news_local.cfm?cat=7428654912&rem=43854&red=80165423aPBIny&wids=410&gi=1&gm=news_local.cfm

Laptop and Personal Data Stolen

Jul, 26 2006 - 6:30 AM

EDMONTON/630 CHED - The theft of a laptop from a financial services company containing thousands of personal files has hundreds of angry clients asking how it could have happened.

M-D Management president Guy Belanger (ghee beh-LAHN'-zhay) says the company is working to improve its information handling procedures.

The laptop containing information on eight-thousand clients was stolen from a parked car in an Edmonton shopping mall parking lot on June 19th.

The computer has not been recovered.



http://www.foxnews.com/wires/2006Jul26/0,4670,ArmstrongDataStolen,00.html

Laptop With Armstrong Worker Data Stolen

Wednesday, July 26, 2006

LANCASTER, Pa. — A laptop stolen from a payroll auditor contains personal information on 12,000 current and former Armstrong World Industries Inc. employees, the company said.

The data include home addresses and phone numbers, Social Security numbers and how much the people were paid. A two-page letter sent by Armstrong last week said the company was not aware of any misuse of the information, and that a password was required to access the information on the computer.

The laptop was stolen from a locked car belonging to a Deloitte & Touche LLP employee, Armstrong said. Deborah G. Harrington, a spokeswoman for the consulting firm, declined to comment.

Armstrong advised employees to watch their bank accounts, credit cards, bills and financial statements for signs of unusual transactions. It also suggested that for three months they place a fraud alert on their credit files.

Lancaster-based Armstrong makes flooring, ceilings and cabinets.

Armstrong spokeswoman Dorothy Brown Smith did not reply to a voice mail message seeking comment Wednesday.

There have been a number of incidents in recent months involving sensitive information stored on laptops that have been lost or stolen. Earlier this year, a notebook PC with information on 26.5 million veterans and active-duty troops was swiped from the home of a Veterans Affairs analyst in Maryland. The machine was later recovered.

On the Net: Armstrong: http://www.armstrong.com



http://www.latimes.com/news/local/politics/cal/la-me-email28jul28,1,6596448.story?coll=la-news-politics-california

Riverside City Workers' Personal Data Are Sent to 2,300 Employees

The computer operator who sent the e-mail, intended for payroll officials, is put on leave. There's been 'no indication' that the information has been misused, official says.

By Susannah Rosenblatt Times Staff Writer July 28, 2006

Personal and financial data of nearly 2,000 Riverside city employees were sent out across City Hall's e-mail system because of a computer operator's error, officials confirmed this week.

The message, intended for payroll department databases, reached the inboxes of about 2,300 city employees late last week, said Assistant City Manager Tom DeSantis.

City officials did not learn of the mistake until the following morning, when they shut down the city's internal e-mail system, blocking access to inboxes for about 12 hours while they deleted the messages, DeSantis said.

The correspondence contained workers' Social Security numbers and financial deduction information for 401(k) and other accounts, as well as "specific identification information," DeSantis said, without elaboration.

About 20 copies of the confidential e-mail were opened, [What action would you take? Bob] DeSantis said, although there was "no indication" that any personal data had been misused.

Preliminary investigations by local law enforcement suggested that the transmission was accidental; Riverside police and the Riverside County district attorney's office were continuing their inquiries, DeSantis said.

The computer operator who sent the e-mail was put on administrative leave during the investigation. That employee did not follow newly established city procedures to encrypt sensitive material, [If he had encrypted the data, would sending it be okay? (or is this just another non sequitur?) Bob] DeSantis said.

City Hall converted to a new e-mail system last week, [also irrelevant Bob] officials said.

"Trust is paramount," DeSantis said, adding that steps had been taken to ensure that employees were protected.

The Riverside employees union, which just wrapped up negotiations with city officials, complained that security safeguards should have been in place. [Ya think? Bob]

"It was just an accident waiting to happen," said Greg Hagans, a senior office specialist with the city parks department and president of the Riverside chapter of Service Employees International Union, Local 1997, which represents about 850 municipal employees.

City officials notified workers of the situation with several faxes and mailed a letter to employees' homes Thursday. The city also offered $50,000 in identity-theft insurance to anyone whose information was in the e-mail.



http://blog.wired.com/27BStroke6/#1529043

27BStroke6

by Ryan Singel and Kevin Poulsen Thursday, 27 July 2006

Kaiser Joins Lost Laptop Crowd

Kaiser Permanente mailed letters this week to 160,000 of its Northern California-based HMO subscribers, informing them that a laptop containing their personal information, including their phone numbers and Kaiser numbers, had been stolen.

The data was being used to market Hearing Aid Services to 160,000 Health Plan members in Northern California, though the person who tipped Wired News to the story has no history of hearing problems.

No social security numbers were on the laptop, which was stolen sometime in late June from a "secure office" in the Permanente Medical Group Business Development Group, according to a Kaiser spokeswoman and a member representative answering a toll-free number for Kaiser members.

The letter suggested that the risk may be limited, as the laptop required a user name and password, but made no mention of encryption.

The Oakland Police Department is investigating, according to a written statement released Thursday night.

"We believe it was a random and isolated crime," the statement read, in part. "We apologize to all patients affected by this unfortunate incident and we regret that it occurred. We take protecting the privacy and security of our members' personal medical information seriously, and are taking appropriate actions to further guard against future such incidents."

A Kaiser spokesperson was unable to provide any more information immediately.

It's unclear whether the letters were required by California's disclosure law or federal medical privacy rules, known as HIPAA.

California's rule (.pdf) generally only requires disclosure when a person's financial information, such as a social security number, credit card number, or debit number-and-PIN are acquired by an unauthorized person.



Is this the future of class action suit “techniques?”

http://microisvjournal.wordpress.com/2006/07/28/googles-lawyers-admit-to-gmail-privacy-leak/

Google’s Lawyers Admit To gmail Privacy Leak

The background: Google was sued recently regarding their efforts to prevent click-fraud in AdWords. It was a class-action suit, which basically means that there are a large number of people who were “harmed” by the tortious action at issue and that some lawyer has taken it upon themselves to sue on behalf of all of the ones who don’t opt out. Class action suits are a huge scam but that is another matter altogether.

Google attempted to settle the suit. In the process, they would have to contact class members (the people who have theoretically lost money due to fraudulent clicks), and they hired a firm which specializes in this sort of work. So far so good. And that firm zealously tried to contact class members in a variety of ways, including through snail mail and email. So far so good.

Now, we all know the problems with getting mail to large numbers of people. Mail addresses changed, people go on vacation, challenge-response systems are engaged, what have you. The firm zealously tried to correct for all of these, by investigating new email addresses, tracking people down after vacation, clicking through the “I am a human” tests, etc. So far so good.

Now, what is the other main way for a mail delivery to fail? Spam filters. Now, remember, as a class member you haven’t opted-in to the lawsuit or the settlement. You might not even think you’ve been harmed by the action at issue, or you have no desire to waste your time for what is typically a sliver of a credit (the attorneys, of course, get 25%-33% of millions — in this case attorney fees will probably go above $20 million). So you might understandably not want to really talk to someone wanting to talk to you about the lawsuit. In this case, service from an agent of Google’s to tell you about your rights regarding the lawsuit is spam. You didn’t ask for it, you don’t want it, and it has a commercial purpose (they’re being paid to get the email to you, and the email is sent to divide up a pot of money — although unlike most spam it’s not your money).

So, as can be expected, lots of these advertisers have Gmail accounts. And what did Google do? It checked them. Google algorithmically [i.e. A program rather than a person “looked” Bob] peeked at all the accounts on the list their agent had developed which they had access to, to see if the mail was marked spam or not. There were 75,000 accounts in which it was marked spam, and an unknown (larger) amount of accounts must have been compromised to get that statistic.

Unhinged rantings of a conspiracy nut? Well, no. Google’s lawyers bragged about this in a recent document they filed to the court regarding the settlement (which is tied up in legal wrangling). In relevant part (page 13 of the pdf of the document which Matt Cutts provided on his blog while responding to concerns about click fraud):

Gilardi [ed: the firm Google was using to contact people] also re-sent 74,591 email notices to intended recipients whose addresses ended in “gmail.com” and “googlemail.com”, and for whom Google had information that the first email notice had been directed to the recipient’s spam folder. (italics mine)

Google is apparently hunky-dory [Legal term Bob] with this. It’s essential for the Google lawyers to demonstrate that their notices stand up to certain legal requirements regarding legitimately trying to notify class members (note that it’s completely non-essential to go peeking). Google brags on page twelve:

[T]here is no question that Google complied with the notice procedures ordered by this court. In fact, Google did more than was required to provide the best notice practicable. (italics mine)

I’m sorry Google, I just don’t remember telling you you could go peeking at the mail, even to “provide the best notice practicable”. As a matter of fact, given that I know you’ll be storing it for life I actually bothered to read that privacy policy of yours. Let’s see, where was it… aha.

Information sharing

Google only shares personal information with other companies or individuals outside of Google in the following limited circumstances:

* We have your consent. We require opt-in consent for the sharing of any sensitive personal information.

* We provide such information to our subsidiaries, affiliated companies or other trusted businesses or persons for the purpose of processing personal information on our behalf. We require that these parties agree to process such information based on our instructions and in compliance with this Policy and any other appropriate confidentiality and security measures.

* We have a good faith belief that access, use, preservation or disclosure of such information is reasonably necessary to (a) satisfy any applicable law, regulation, legal process or enforceable governmental request, (b) enforce applicable Terms of Service, including investigation of potential violations thereof, (c) detect, prevent, or otherwise address fraud, security or technical issues, or (d) protect against imminent harm to the rights, property or safety of Google, its users or the public as required or permitted by law.

Hmm, that’s what I remember: opt-in consent for all disclosures of private data. I think the contents of my inbox is pretty darn private. So that one’s out. You’ve already explained in your own words that the peeping was more than the court required, so excuse #3 is out. So what about #2: were you “processing information on [Google’s] behalf”? If you were, then this exemption swallows the entirety of the policy!

I’m less than happy, and now seriously wondering if all those business documents I’ve got floating around my Gmail inbox are going to end up in the hands of your lawyers without so much as a by-your-leave if your lawyers, in their sole discretion, think it’s for my own good strategically a good idea to get Google out of a lawsuit.

Do no evil, indeed.



Inventing new ways to violate privacy?

http://www.weau.com/home/headlines/3434901.html

Voter Privacy Becoming an Issue

With a revised policy on voting in Wisconsin, a government watchdog group now says allowing a unique voter identification number to be made public violates state privacy laws.

The Wisconsin Democracy Campaign is taking issue with a recent memo from the State Elections Board. In it, the board says voter I.D. numbers are public information. The Wisconsin Democracy Campaign is pointing to a Wisconsin law that certain information contained in the state database is not public.

The campaign's executive director says it's up to the elections board to decide which voter privacy protections should be upheld and which ones should be ignored.



So are emoticons “pictures?” :)

http://www.newsday.com/news/local/longisland/ny-liporn0728,0,2561855.story?coll=ny-leadhealthnews-headlines

Court rules sexually explicit e-mails are legal without pics

BY ANN GIVENS Newsday Staff Writer July 27, 2006, 9:11 PM EDT

One of the strongest tools local law enforcement officials use to prosecute pedophiles was snatched away from them this week when a state appeals court ruled that sending children sexually explicit e-mails is only illegal if the e-mails include photographs.



http://www.mondaq.com/article.asp?articleid=41482

United States: Navigating The Privacy Maze In The U.S. And Abroad

27 July 2006 Article by Demetrios Eleftheriou

We continue to see a growing number of reported data security breach incidents in the U.S. They involve such things as hacking, stolen or missing computers and backup tapes, inside jobs and stolen passwords. According to one source, approximately 85 million accounts have been compromised since the ChoicePoint incident in February 2005.



I think this process is a disaster waiting to happen.

http://www.technewsworld.com/rsstory/52046.html

Microsoft to Distribute IE7 as Automatic Update

By Jennifer LeClaire TechNewsWorld 07/27/06 10:40 AM PT

Microsoft has announced that it will distribute its next-generation Internet Explorer 7 browser as a "high-priority" update through its Automatic Updates for Windows XP systems. The software giant's latest IE version includes a variety of safety and security enhancements, as well as a more streamlined look and more efficient printing features.



Typical – they don't know how many laptops they have or who has them, and they have no strategy for securing them.

http://www.bespacific.com/mt/archives/011961.html

July 27, 2006

DHS OIG Report on Enhancing Laptop Computer Security

Improved Administration Can Enhance Science and Technology Laptop Computer Security (Redacted), OIG-06-42 (PDF, 36 Pages), July 27, 2006.



If you have no other strategy, greed is good.

http://techdirt.com/articles/20060727/1420220.shtml

Utility Stalling Muni WiFi, But It's Not A Telco

from the be-a-shame-if-these-packets-were-to-get-dropped dept

We've seen plenty of cases before where incumbent utilities have done their best to stymie municipal broadband projects (unless they can profit from it, of course). Typically, it's a telco or cable company trying to put up the obstacles, but in southern California, it's the electric company. As Glenn Fleishman notes, just because a municipality might control an area's utility poles, it may not control who supplies power to them -- and in several cities around Los Angeles, that's Southern California Edison Co., which says it needs to "understand the technology better" before it starts providing the power to WiFi access points on utility poles. What's so difficult to understand about a piece of equipment that draws a consistent amount of power on par with a reading lamp? In one city, where a year of discussions have been fruitless, the company told officials they might be able to come to some sort of agreement if they paid rates on par with what cellular carriers pay to hang their antennas on utility poles, a quite reasonable $2,000 a month, compared to the $36 per year one WiFi provider cites as the average rate it pays. Other than the obvious greed, it's hard to figure out exactly why the company could be stalling: indifference, incompetence or perhaps some telco-style roadblocking in an attempt to boost some future broadband over power line offering?



http://techdirt.com/articles/20060728/0246239.shtml

How The FBI Tracks Down An Online Criminal

from the a-little-more-advanced-than-just-getting-an-IP-address dept

Yesterday, we noted how weak the RIAA's "evidence" is in the civil cases they bring against people for file sharing. In the comments, a few people tried to compare that to the way law enforcement officials go about tracking down online criminals. However, thanks to Steve Bryant we have at least one example of how much more thorough the FBI is. He details the process the FBI used to track down someone who made a threat online using a gmail account. They got a grand jury subpoena to get Google to hand over some info, including the IP address of the user and the alternate email he used, which happened to be from Yahoo. They then got info from Yahoo to link the email address to a person -- and got more IP info from Yahoo as well. Both IP addresses were linked to a law firm, which was interviewed. From the law firm, they discovered that there was an annex office attached to an apartment. The office had an open computer. The apartment, not surprisingly, had been rented to the guy earlier identified as the person who registered those email addresses. It certainly seems like they have a bit more proof concerning who was involved.



Another reason to bash McDonalds?

http://www.treehugger.com/files/2006/07/fast_food_cooki.php

Fast Food Cooking Worse for Air Than All the Trucks on the Road

July 27, 2006 07:41 AM - Lloyd Alter, Toronto

Here is a great statistic to bite into: Cooking four normal sized hamburgers in a fast food joint emits the same amount of VOC's (volatile organic compounds) as driving a current model car for 1,000 miles.



Good

http://biz.yahoo.com/prnews/060726/nyw073.html?.v=60

Downloadable Episodes of Favorite PBS Programs Make Their Debut on Google Video

Wednesday July 26, 1:00 pm ET

PASADENA, Calif., July 26 /PRNewswire/ -- PBS Press Tour -- PBS today announced the launch of PBS content on Google Video (http://www.video.google.com/pbs.html), making it possible for users to download and own a selection of PBS primetime and children's programming for the first time ever. The announcement was made by PBS President and CEO Paula Kerger at the Television Critics Association Press Tour.



Gooder? (Convergence?)

http://pulverblog.pulver.com/archives/005088.html

July 26, 2006

Jeff's Quick Guide to TV on the Net (TV/IP) - July, 2006
