Wednesday, December 20, 2006

Would you want to steal identities from people with bad credit?

http://www.zone-h.org/content/view/14448/31/

Russian Banks in the eye of the storm

Written by Roberto Preatoni (SyS64738) Tuesday, 19 December 2006

A huge attack against several major Russian banks ended up with the leak of a database containing the personal details of about 3 million individuals. The data is now being sold for between 2,000 - 4,000 roubles (around $76 - $150) on the Russian black market.

This case represents a further example of the low level of security that is supposed to protect people, but it wouldn’t be so worth noticing if it wasn’t for the outcry this news has caused: a media fuss that might have negative effects on data security as well.

The aspect of this story that most aroused journalists’ curiosity is the fact that this specific database contains information about clients of Russian banks who’ve been refused credit, and those who’ve defaulted, either partially or fully, on their payments.

Moreover, the archive includes personal details such as name, address, and passport numbers, since in Russia such details are required on credit applications.

Some journalists asked questions about the damages that a similar data leak could provoke, but this isn’t that difficult to guess: anyone could buy the database and call a creditor pretending to be calling from the bank to collect the debt… Can you imagine the number of swindles that might be carried out?

Data leaks, online frauds and scams do not usually provoke such an uproar in Russia, but now the media attention could represent a good moment to work on increasing public awareness about security issues.

But “public awareness” is not enough, and Russian people should hope for a review of Russian cyber crime legislation and for the introduction of standard security policies for banks.

The Russian black market is definitely well stocked, and this is not the first time that a database containing classified information has been available for sale: recently, it was highlighted how databases including data coming from customs and passport authorities are freely available.



http://www.clarionledger.com/apps/pbcs.dll/article?AID=/20061219/NEWS/61219032

December 19, 2006

Security breach affects about 2,400 MSU students, workers

By Richard Lake rlake@clarionledger.com

Social Security numbers and other private information from about 2,400 Mississippi State University students and employees were “inadvertently” posted on a publicly accessible Web site, the university said Tuesday.

Everyone who was affected has been sent a letter explaining the situation and will be offered free credit monitoring service for one year, the university said.

“We’ve taken this very seriously and we’ve worked hard to try to solve it,” said university spokeswoman Maridith Geuder.

The security breach was discovered last week, officials said. Geuder would not identify the department responsible for the slip up, but said the information was removed from the Web immediately.



Inside job?

http://www.azstarnet.com/sn/hourlyupdate/161119.php

ID theft ring targeted Raytheon employees, authorities say

By Alexis Huicochea, Arizona Daily Star, Tucson, Arizona | Published: 12.19.2006

An identity theft ring that was busted earlier this month targeted current and former Raytheon employees, the Pima County Sheriff’s Department said Tuesday.

Because the investigation is ongoing, the Sheriff’s Department warned that other Raytheon employees may still be at risk of being victimized.

The investigation began in August and culminated with the arrests of five people said to be heavy methamphetamine users, said Deputy Dawn Barkman, a Sheriff’s Department spokeswoman.

About 40 people had personal information stolen over a few months, which was then used to open fraudulent credit card accounts online, Barkman said.

“Obviously, there has been a compromise of employee information,” Barkman said. “It is unknown how the information on Raytheon employees is being obtained.”

Six search warrants have been served and a number of computers, fraud and identification documents, including personal IDs, Social Security cards and other documents, were seized, Barkman said.

The potential loss as a result of the identity theft is more than $100,000, she said.



Add this to what it has already cost Sony in reputation and sales...

http://www.businessweek.com/ap/financialnews/D8M446200.htm

Sony BMG settles suit over CDs

By ALEX VEIGA, The Associated Press, December 19, 2006, 2:52PM EST

LOS ANGELES -- Sony BMG Music Entertainment will pay $1.5 million and kick in thousands more in customer refunds to settle lawsuits brought by California and Texas over music CDs that installed a hidden anti-piracy program on consumers' computers.

Not only did the program surreptitiously monitor users' behavior, but the method Sony BMG originally recommended for removing the software also damaged computers.

The settlements, announced Tuesday, cover lawsuits over CDs loaded with one of two types of copy-protection software -- known as MediaMax or XCP.

Under the terms of the separate settlements, each state will receive $750,000 in civil penalties and costs.

In addition, Sony BMG agreed to reimburse consumers whose computers were damaged while trying to uninstall the XCP software. Customers in both states can file a claim with Sony BMG to receive between $25 and $175 in refunds.

The company had previously settled a class-action case over the episode.

"Companies that want to load their CDs with software that limits the ability to copy music should fully inform consumers about it, not hide it, and make sure it doesn't inflict security vulnerabilities on computers," California Attorney General Bill Lockyer said in a statement.

On the Net: Sony BMG information on settlement: http://www.sonybmgcdtechsettlement.com



Next on the Class Action hit list...

http://games.slashdot.org/article.pl?sid=06/12/19/1731210&from=rss

Wiimote Straps Result in Class Action Suit

Posted by Zonk on Tuesday December 19, @12:41PM from the sigh dept.

Kotaku reports the news that problems with breaking Wiimote straps have resulted in a class action lawsuit against Nintendo. From the press release about the suit: "Green Welling LLP filed a nationwide class action lawsuit on behalf of the owners of the Nintendo Wii against Nintendo of America, Inc., in the U.S. District Court for the Western District of Washington. The class action lawsuit arose as a result of the defective nature of the Nintendo Wii. In particular, the Nintendo Wii game console includes a remote and a wrist strap for the remote. Owners of the Nintendo Wii reported that when they used the Nintendo remote and wrist strap, as instructed by the material that accompanied the Wii console, the wrist strap broke and caused the remote to leave the user's hand. Nintendo's failure to include a remote that is free from defects is in breach of Nintendo's own product warranty."



Recognizing that the world has changed: This presents management with an interesting problem. How would you write a policy to control (not ban) use of consumer tools?

http://it.slashdot.org/article.pl?sid=06/12/20/0227259&from=rss

Consumer Technologies Driving IT

Posted by kdawson on Wednesday December 20, @07:46AM from the not-invented-here dept.

fiannaFailMan writes to point out The Economist's reporting on the way consumer-driven software products are increasingly making their presence felt in the corporate world. Some CIOs are embracing the influx while others continue to resist it.

From the article: "In the past, innovation was driven by the military or corporate markets. But now the consumer market, with its vast economies of scale and appetite for novelty, leads the way. Compared with the staid corporate-software industry, using these services is like 'receiving technology from an advanced civilization,' [Great quote! I'm gonna use that (in a non-plagiarizing kinda way...) Bob] says [one university CIO]... [M]ost IT bosses, especially at large organizations, tend to be skeptical of consumer technologies and often ban them outright. Employees, in return, tend to ignore their IT departments. Many young people... use services such as Skype to send instant messages or make free calls while in the office. FaceTime, a Californian firm that specializes in making such consumer applications safe for companies, found in a recent survey that more than half of employees in their 20s and 30s admitted to installing such software over the objections of IT staff."



Corporate Governance, basic management skills, and a recognition that these things do matter... (Also food for the e-discovery world)

http://hosted.ap.org/dynamic/stories/M/MORGAN_STANLEY_E_MAILS?SITE=VALYD&SECTION=HOME&TEMPLATE=DEFAULT

Dec 19, 5:39 PM EST

NASD Says Morgan Stanley Withheld Emails

WASHINGTON (AP) -- Securities regulators on Tuesday accused big investment firm Morgan Stanley Inc. of repeatedly withholding documents sought in connection with customer complaints and falsely claiming that millions of e-mails it had were lost in the Sept. 11, 2001 terror attack on the World Trade Center.

Morgan Stanley disputed the allegations by the National Association of Securities Dealers, the brokerage industry's self-policing organization, saying that it would contest them through NASD's administrative process.

It was not the first time that regulators alleged repeated withholding of e-mails by Morgan Stanley, the second-biggest investment house on Wall Street. In May, the firm agreed to pay a $15 million civil fine to settle charges by the Securities and Exchange Commission that it failed to provide tens of thousands of e-mails that the agency sought in major investigations over several years.

Morgan Stanley neither admitted nor denied the allegations in that case but did consent to a permanent injunction against future violations of the securities laws and agreed to overhaul its system for handling e-mails.

In the new action, the NASD alleged that retail brokerage arm Morgan Stanley DW Inc. failed to provide e-mails sought by the industry regulators and by customers who had entered arbitration proceedings against the firm from October 2001 through March 2005. The organization also said Morgan Stanley falsely claimed in many instances that the e-mails in question had been destroyed in the attack on the World Trade Center, where its computer servers were located. [So if I presented my version... er... copy of that e-mail, it would be the only version of the evidence, right your honor? Bob]

In fact, the NASD said, Morgan Stanley had millions of e-mails that were restored to its computer system using backup tapes soon after Sept. 11, 2001. Many other e-mails were retained on individuals' computers and were never affected by the attack, yet the firm often failed to search those computers when e-mails were requested, according to the NASD.

Morgan Stanley later destroyed many of the e-mails by overwriting backup tapes and by allowing users of the e-mail system to permanently delete them, the NASD said.

In a statement Tuesday, Morgan Stanley said the 9/11 attack destroyed the e-mail servers and archives it had inherited from Dean Witter when it acquired the brokerage firm. When the previous management learned that there were still backup e-mails from the earlier time that might be relevant to investigations, it informed regulators and attorneys, built new databases, produced e-mails and cooperated fully, Morgan Stanley said.

It said its current management has tried to settle the matter, but NASD's "disproportionate and unprecedented demands leave us no choice but to litigate."

Morgan Stanley said it would request a hearing before an NASD disciplinary panel, which it is entitled to do under the organization's rules.

If the complaint is upheld, sanctions can include a civil fine, censure, payment of restitution and suspension from the securities industry.



This is very interesting. I see direct application to the “free music” issue. The RIAA is doomed, and here's the evidence.

http://hbswk.hbs.edu/item/5580.html

The Value of a "Free" Customer

Published: December 2006 Authors: Sunil Gupta, Carl F. Mela, and Jose M. Vidal-Sanz

Executive Summary:

Traditional models for calculating customer lifetime value (CLV) cannot assess the profitability of customers in networked settings such as job agencies, realtors, and auction houses, where the presence of one type of customer can affect the value of another. Monster.com, for example, is free to job-seekers and obtains revenue by charging fees to employers, but without job-seekers the employers will not sign up, and without these firms Monster would have no revenues or profits. An indirect network effect extends to any exchange with multiple buyers and sellers. This study computed the value of such customers by developing a joint model of buyer and seller growth using one data set. As a study of customer valuation it may be useful to firms that want to better manage their customer portfolio in a networked economy. Key concepts include:

* This study examined one data set.

* The network effects of buyers on sellers were nearly six times the effect of sellers on buyers, according to the data set used here. This effect may be quite different in another empirical application.

* Customer value increased over time as the network was built. The network may eventually reach a point at which an additional customer no longer enhances the effect of the network.

* Though there were 4.6 sellers for each buyer, buyers and sellers had roughly equal value.

* As the network effect becomes stronger, marketing plays less of a role in attracting buyers and sellers, according to this data set. [Suggesting the death of the RIAA? Bob]

* This new method offers a good approximation of firm value compared with traditional CLV methods that may capture only 2 percent of firm value.



I'll have to think about this one...

http://michaelzimmer.org/2006/12/19/entrenchment-of-non-privacy-norms-online/

Entrenchment of Non-Privacy Norms Online

Posted on Tuesday, December 19th, 2006 at 12:33 am

Gaia Bernstein, an Associate Professor at Seton Hall University School of Law (and guest blogger over at Law & Technology Theory) has a thoughtful post about how particular diffusion characteristics made the Internet vulnerable to the establishment of what she calls “non-privacy norms.” She writes:

I believe two diffusion characteristics made the Internet vulnerable to this paradox and may make other technologies that share these qualities susceptible to the same paradox. First, the Internet is characterized by a critical mass point quality. This characteristic is prevalent among interactive technologies. A critical mass of people needs to adopt them before they are of value. For example, the telephone was far less useful before there were many people to call. Once the critical mass point is reached the rate of diffusion accelerates. At that point a technology is less likely to be affected by a privacy threat. It is less likely to be abandoned because of the threat. When the critical mass point is reached and diffusion accelerates, social norms become quickly entrenched.

The Internet reached its critical mass point in 1990 with 4 million users worldwide. The privacy threats appeared around the mid-1990s at a time of rapid diffusion, and non-privacy norms became quickly entrenched.

The second relevant diffusion characteristic is decentralization. The entrenchment of non-privacy norms is also enhanced where a technology is decentralized. Where a technology is decentrally diffused all users can re-invent it. In the case of the Internet, many users could act to develop privacy threatening tools, such as cookies. This exacerbated the entrenchment of non-privacy norms.

I suggest that where a technology is characterized by a critical mass point and decentralized diffusion the window of opportunity for intervention is much narrower. Privacy protection, whether through technological design or legal rules, is likely to be effective earlier before social norms are entrenched.

This is important work, and Gaia has two papers that develop these ideas further: The Paradoxes of Technological Diffusion: Genetic Discrimination and Internet Privacy and When New Technologies are Still New: Windows of Opportunity for Privacy Protection.



Consider the source...

http://www.insurancetech.com/feed/showArticle.jhtml?articleID=196700953

Keep Your Guard Up: Privacy & Information Management Trends for 2007

Given the ease and speed with which information flows globally, privacy and information security must remain at the top of the legislative and corporate agenda for 2007. Attorney Lisa Sotto, privacy and information management leader at New York-based law firm Hunton & Williams, discusses trends and offers predictions for the new year.

By Lisa J. Sotto, Insurance & Technology, December 19, 2006

Information security is one of the most pressing concerns for businesses today. The high level of criminal activity involving personal information (sometimes leading to ID theft or account fraud) affects every company that maintains personal information, whether customer or employee data. In addition, the publicity surrounding the many high-profile data breaches during the past year has focused CEOs and boards of directors on this topic. Information security is no longer an issue that is relegated to the dusty basement.

1. Security Breach Notification

In the U.S., when there is a security breach that involves unencrypted, computerized sensitive personal information (such as Social Security or credit card numbers), the company that maintains the information must notify all the individuals whose data was reasonably likely to have been compromised. There currently are over 30 state security breach notification laws. While they are similar, they are not harmonized. This lack of uniformity makes compliance in the event of a security breach a logistical nightmare.

How do the state laws differ? First, the type of information covered by the laws varies from state to state. In addition, in some states, there is a harm threshold for notification -- that is, an entity that experiences a data breach does not need to provide notification in certain states unless there is a "substantial" or "reasonable" risk of harm. In other states, there is a private right of action so that individuals can sue if an entity does not provide the required notice. In yet other states, an entity that experiences a data breach must notify the state attorney general. These are just a few examples of the legal nuances that make compliance with over 30 state security breach laws daunting.

The federal government is likely to step in to resolve the lack of consistency among the states. In 2007, with a Democratic Congress at the helm, we are likely to see a federal breach notification law that preempts state law. In addition to U.S. initiatives, officials in the E.U. and Canada have taken up the issue of breach notification. In the E.U. in particular, there is a proposed directive that would require certain entities to provide notification to individuals if their data were compromised.

2. Information Security Requirements

In the U.S., most businesses are not subject to any federal requirement to safeguard personal information. There is no federal law that requires entities other than those in the financial and health care sectors to keep data safe. In 2007, Congress is likely to pass a federal law requiring all entities that maintain sensitive personal information to implement a comprehensive information security program. Such a law probably will resemble the security standards currently in place for financial institutions, requiring businesses that handle sensitive data to develop administrative, technical and physical safeguards to protect the data.

3. Privacy Litigation and Enforcement

To date, there have been surprisingly few lawsuits brought in connection with information security breaches and other privacy events. But plaintiffs are becoming more creative in pursuing new grounds for lawsuits and bolder in bringing actions against major global entities. We are likely to see a rise in litigation and more willingness on the part of courts to grant relief to plaintiffs.

Recently, the Federal Trade Commission formed a new division to handle privacy and data security matters (called the Division of Privacy and Identity Protection). This indicates a new focus by the FTC on privacy and data security matters. Indeed, the FTC considers privacy and data protection to be a central part of its consumer protection mission. We will likely see more FTC privacy investigations and enforcement actions against companies that have suffered serious security lapses or data breaches.

4. New Privacy Laws Overseas

While many countries have extant privacy regimes, a number of high-profile countries do not yet have comprehensive data protection laws in place. In 2007, we are likely to see serious discussions about a new privacy law in China. In addition, reacting to a number of significant data breaches, India will likely amend its existing rules to enhance security requirements and penalties for data compromises.

5. Data Sharing to Combat Terrorism

There has been significant confusion surrounding the sharing of information both among governments and between the private sector and governments for use in anti-terrorism activities. There are inadequate guidelines globally to assist companies in determining to which jurisdiction they are subject and whether sharing data with one nation will violate the laws of another nation. There will likely be extensive dialogue about this issue on a global level. Given the global nature of information, this issue cannot be governed by individual countries' laws but instead must be managed through agreement among the nations.

Conclusion

Privacy and data protection laws are evolving rapidly. The number of regulatory enforcement and individual privacy actions is increasing. Individuals are growing more aware of and concerned with protecting their privacy. We can anticipate more high-profile privacy events, putting this area even higher on the corporate compliance agenda. Companies would be well advised to prepare for the onslaught.

Lisa J. Sotto is a partner in the New York office of Hunton & Williams and heads the firm's Privacy and Information Management practice. She also serves as Vice Chair of the U.S. Department of Homeland Security's Data Privacy and Integrity Advisory Committee. Ms. Sotto has testified before Congress and an executive branch agency on privacy and data security issues. She writes and speaks extensively on these topics. Ms. Sotto can be reached at lsotto@hunton.com.



http://www.bespacific.com/mt/archives/013323.html

December 19, 2006

FBI's Semiannual Uniform Crime Report, January - June 2006

FBI press release: "Preliminary figures indicate that, as a whole, law enforcement agencies throughout the Nation reported an increase of 3.7 percent in the number of violent crimes brought to their attention in the first half of 2006 when compared to figures reported for the first six months of 2005."

  • The data presented in Tables 1 and 2 indicate the percent change in offenses known to law enforcement for 2005 and 2006 by population group and geographic region, respectively. Table 3 reflects the percent change within the Nation for consecutive years (each year compared to the prior year). Table 4 presents the number of offenses known to law enforcement for agencies having a resident population of 100,000 and over and providing 6 months of complete data for 2006. In addition, Table 4 presents 2005 data for the first half of the year, where available, as a point of comparison. All data in this report are preliminary. [Download Spreadsheets]




http://www.bespacific.com/mt/archives/013322.html

December 19, 2006

New on LLRX.com

The following articles are available in the December 2006 issue of LLRX.com:

  • Bloggers Beware: Debunking Nine Copyright Myths of the Online World - Updated, by Kathy Biehl

  • Criminal Justice Resources - Criminal Justice Blogs, by Ken Strutin

  • A Compilation of State Lawyer Licensing Databases, by Trevor Rosen and Andrew Zimmerman

  • Deep Web Research 2007, by Marcus P. Zillman

  • Librarianship - Promoting Public Service and Philanthropy, by Kara Phillips

  • CongressLine by GalleryWatch.com: Voting in Congress, by Paul Jenks

  • E-Discovery Update - by Fios Inc.: Choosing An E-Discovery Vendor, by Conrad J. Jacoby

  • Reference from Coast to Coast: An Overview of Selected SEC Resources on the Web, by Jan Bissett and Margi Heinen

  • Faulkner's Practical Web Strategies for Attorneys: Planning Your 2007 Web Strategy, by Frederick L. Faulkner IV

  • The Government Domain: 2007 Calendars and Schedules, by Peggy Garvin

  • After Hours: But Wait! There's More, by Kathy Biehl

  • FOIA Facts: Rapid Response Team for FOIA, by Scott A. Hodes

  • The Tao of Law Librarianship: Reaching Across the Generations in the Profession, by Connie Crosby

  • Commentary: The Military Commissions Act and The Habeas Corpus Act, by Beth Wellington



Cultures differ...

http://techdirt.com/articles/20061219/232949.shtml

YouTube's Solution To Unauthorized Japanese Videos: A Warning Written In Japanese

from the well-that-will-solve-everything dept

Earlier this month, the Japanese Society for Rights of Authors, Composers and Publishers sent a nastygram to YouTube demanding they cease allowing copyrighted materials to be uploaded to their site. This came soon after the same group demanded the removal of approximately 30,000 videos from the site, and was disappointed to find that many were put back on the site some time later. Of course, since YouTube just provides the platform, it's pretty much impossible to completely prevent such uploads. However, YouTube has responded by promising to put up a warning in Japanese about copyright violations and to send a delegation to Japan to meet with JASRAC over these concerns. So far, it seems like JASRAC is satisfied by the response, but at some point they're going to have to realize that there is no real way to prevent the content from being uploaded. Should some sort of magic bullet ever actually show up that YouTube could use to block uploads, the content would simply migrate to sites that just don't care as much about copyright violations. In other words, it's a time-consuming and totally ineffective game of whack-a-mole. One of these days, they'll have to realize that there are ways to benefit from letting people upload shows -- and the whole "problem" goes away.



This could be a valuable resource for accessing old files.

http://digg.com/software/How_old_can_you_go_Oldversion_com_because_newer_isn_t_always_better

How old can you go? Oldversion.com "because newer isn't always better!"

A great site that archives older versions of software. Maybe you're looking for a pre-bloatware favorite application, or maybe you haven't been able to get AIM to work right on granny's Pentium II. This is the place for you.

http://www.oldversion.com/



Just because we are nerds doesn't mean we can't cook!

http://digg.com/offbeat_news/So_you_can_t_cook_well_can_you_count_Make_meals_the_nerd_way

So you can't cook, well can you count. Make meals the nerd way!

Simply click on what you've got in the fridge (it's assigned a number) and they'll show you what you can cook. Their catchphrase: "Don't worry, Skills By Numbers will make you look great in the kitchen..... Can't make up your mind about what to cook? Click I feel lucky as well....." You gotta love it.

http://www.cookingbynumbers.com/frames.html



Now this is new... (Bugmenot.com works here...)

http://www.pogowasright.org/article.php?story=20061219075200135

N.D. patrol probes WSI privacy law

Tuesday, December 19 2006 @ 07:52 AM CST - Contributed by: lyger - State/Local Govt.

BISMARCK – The North Dakota Highway Patrol is investigating whether criminal acts took place when Workforce Safety and Insurance used state-held driver’s license photos to identify current or former employees it suspected of sending e-mails to the agency. [How would your drivers license photo help you ask? See below... Bob]

Source - The Forum

[From the article: When investigators determined the e-mail had come from a public library computer, they used their access to driver’s license records to get images of four current or former employees suspected of sending the e-mail. Investigators showed the photos to library workers in their attempt to identify who sent the e-mails.]



We should be seeing lots more of this!

http://www.pogowasright.org/article.php?story=20061219083403793

New Policy On Use of Student SSNs Adopted

Tuesday, December 19 2006 @ 08:34 AM CST - Contributed by: PrivacyNews - Minors & Students

The provost and Council of Deans recently approved, and the university has adopted, a more formal policy on the protection and use of student Social Security numbers. The detailed and specific measures were passed in an effort to reduce reliance on the SSN for identification purposes and to increase student confidence involving the handling of the numbers. Johns Hopkins considers the student SSN, or any part thereof, to be "personally identifiable information" under the Family Educational Rights and Privacy Act of 1974.

Source - Johns Hopkins University
