Wednesday, March 21, 2007

Another case of poor security planning?

http://cbs5.com/business/local_story_079213034.html

Private Tax Files Stolen From SoCo Accounting Firm

Thousands Of Records Stored On Stolen Computer

Jeffrey Schaub Mar 20, 2007 6:35 pm US/Pacific

(CBS 5) SANTA ROSA The private financial records of thousands of people are potentially at risk for identity theft after thieves stole three years' worth of tax returns from a Santa Rosa accounting firm.

Tax Service Plus has alerted up to 4,000 of its clients that all of their private financial records have been stolen. The records contained Social Security numbers, addresses, credit card information, and documents with signatures.

Authorities say the theft happened on March 7 when someone used a sledgehammer to break through the steel back door of the tax preparer's offices. Then thieves stole the company's backup computer, which contained financial data on thousands of tax returns dating back three years, police said.

"For a tax business, this is our worst nightmare," [If in fact it was a nightmare BEFORE the theft, why didn't you do something about it? Bob] said Tax Service Plus owner Terry Brown. "That the whole file is in the hands of someone who may want to use the information to use the wrong way is just a nightmare."

... Brown said his company takes precautions to protect its clients' information.

"We have all sorts of safeguards in place to make sure that the information from even one of our customers doesn't get to anybody that it's not supposed to get to," he said. [Perhaps a re-think is in order? Bob]

... Scott Gaidano, who heads data recovery giant Drive Savers in Novato, said companies can still safeguard data -- even if it ends up stolen -- by having it encrypted.

... Tax Service Plus' files were apparently not encrypted.



Small, but interesting....

http://www.computerworld.com.au/index.php/id;582756140

HSBC Australia exposes sensitive customer data

Privacy commissioner launches investigation

Sandra Rossi 21/03/2007 17:21:19

More than 100 HSBC Australia customers had their banking details, names and home addresses, as well as other personal financial information exposed today in a serious security breach by staff.

The extraordinary breach was exacerbated by the sheer volume of documents and sensitive nature of the information that was exposed.

The documents, which were found on an early morning peak hour train in Sydney, left HSBC customers dangerously exposed as the paperwork listed customer names and addresses along with their banking details such as branch and account numbers.

Computerworld sighted up to 50 letters of approval for mortgages which included property values, repayment information, even deposits with six digit cheques that had been photocopied.

In addition to personal customer information there was training material that featured customer black lists.

... An HSBC Australia spokeswoman confirmed the breach, adding that the "incident had already been addressed."

... The spokeswoman did not disclose the disciplinary action taken but did confirm there were no plans to notify customers affected by the breach.

"It was extremely limited data relating to 24 separate accounts," the HSBC spokeswoman said.

"It included no sensitive information as defined by the Privacy Act. All records have been retrieved and we're of the view no customers have been impacted.

... "Unfortunately this isolated incident is simply a case of human error."



Politics is as politics does

http://www.lockportjournal.com/local/local_story_080030706.html

IDENTITY DISCLOSURE: City unions angry over Social Security disclosure

By Paul Lane/lanep@gnnewspaper.com Greater Niagara Newspapers Published: March 21, 2007 03:07 am

Unionized municipal workers in the city are upset that a Freedom of Information request the city clerk recently fulfilled included employees’ Social Security numbers.

For a story that ran March 14 on city workers’ salaries, the Union-Sun & Journal received a list of city employee pay and benefits. Also accidentally included in the documents sent to the newspaper by City Clerk Richard Mullaney were the workers’ Social Security numbers.

... “Over the past week or so, a local newspaper chose a convenient target — the employees of the City of Lockport — upon which to lay blame for the taxes we all pay. In its zeal to assist the newspaper, the leadership of the city quickly provided the salary, pension, health care costs and ... the Social Security numbers for all city employees,” the unions’ release said. “The reporter who received the information and had it in her possession for an estimated three days failed ethically by not returning the information immediately.”

... “It was human error,” he said. “It’s an unfortunate thing. I don’t take it lightly ... We certainly apologize for that.”

... The city’s health care provider is also removing employees’ Social Security numbers from all documentation, Tucker said. [Is this where the data came from? Much more serious if so... Bob]

... He’s glad that action was taken, but Chenez disagrees with any people who have said that the matter is incidental.

“If it’s not that big a deal, give me your name, your address and your Social Security number, and I’ll put it on a desk and I’ll leave it there for a few days,” he said.



Like identity theft, but with immediate consequences.

http://blogs.zdnet.com/security/?p=131

Xbox Live hacked, accounts stolen

Posted by Ryan Naraine @ 2:01 pm March 20th, 2007

Online gaming forums are buzzing with reports that Xbox Live accounts linked to Microsoft's Windows Live ID service are being hijacked by malicious hackers.

Kevin Finisterre, a security researcher at Digital Munition, raised the issue on the Full Disclosure mailing list over the weekend, calling attention to rumors that Microsoft's Bungie.net was the victim of a breach that exposed a portion of Xbox Live.

"Some folks are having their Microsoft points stolen and or points purchased via their stolen gamer tag," Finisterre said.

A quick search of user forums at xbox.com and other gaming sites turned up multiple messages from Xbox Live users complaining about hijacked accounts, which typically link gamer tags to Windows Live ID (formerly .NET Passport).

According to Finisterre, there is a group online called "Infamous Clan" brazenly offering to "jack" Xbox Live accounts and boasting about successful account theft.

Several Xbox Live users contacted me to confirm the rumors and make it clear that the stolen accounts are being used for nefarious purposes.

One reader writes:

"I have been involved with Microsoft Support for days on this exact issue and have spent many hours on the phone trying to prove to them that, first, my Windows Live ID was stolen and, second, the ID and password associated with my ID were changed; two actions that Microsoft swears can NEVER happen; and third that the thief was able then to use my credit card information associated with one of my Windows Live ID accounts to purchase over $800 of Microsoft products.

Thank goodness for other websites that still contained my old Windows Live ID information and also the fact that, in order to gain access to those other websites, you NEED a Windows Live ID. After spending over 20+ hours on the phone with support and finally getting them to realize that I did indeed have a Windows Live ID, after pointing them to the other websites, I was told by a supervisor that "Yes, in fact, we have heard of some instances where a user's Windows Live ID had been compromised!"

After finally getting this confirmation and having a case number assigned and forwarded to Microsoft Security Investigations, they, also, confirmed it as a breach, issued me another Windows Live ID and then reinitialized the stolen Microsoft Products that were associated with the old ID over to the new ID."



AT LAST! Someone is trying to find out what TJX has to hide!

http://www.businessweek.com/ap/financialnews/D8O00IVG0.htm

TJX sued by shareholder over records

BW Exclusives The Associated Press March 20, 2007, 12:18PM EST

WILMINGTON, Del. A big shareholder of TJX Cos. has filed a lawsuit to obtain records showing how the retailer handled computer problems that exposed customer information to hackers.

Arkansas Carpenters Pension Fund, which owns 4,500 shares of TJX stock, said the company rebuffed its request to see documents detailing the safeguards on the company's computer systems and how the company responded to the theft of customer data.

The suit was filed Monday afternoon in Delaware's Court of Chancery, under a law that allows shareholders to sue to get access to corporate documents for certain purposes.

Court papers state the Arkansas pension fund wants the records to see whether TJX's board has been doing its job properly in overseeing the company's handling of customer data.

... Shares of TJX rose 31 cents, or 1.2 percent, to $26.54 in midday trading Tuesday on the New York Stock Exchange. [Closed at $29.56 on January 17th (day the breach was announced) I make that a 10.22% decline. Bob]


Related (Article includes mug shots of the suspects. None appear to be on the TJX board.)

http://www.gainesville.com/apps/pbcs.dll/article?AID=/20070320/LOCAL/703200338/-1/news

Officials bust statewide theft ring

LISE FISHER Sun staff writer Article published Mar 20, 2007

Two theft cases reported in Gainesville launched an investigation leading to the arrest of six Miami area residents.

Stolen consumer data, taken from computers of the company that owns stores including T.J. Maxx and Marshalls, ended up in the hands of thieves who then launched a multimillion-dollar credit card scam throughout Florida, including Alachua County, officers reported Monday.

... Officers now hope those arrested will lead investigators to others who may have purchased stolen information or pilfered data from TJX Companies Inc.

... Gainesville Police contacted FDLE late last year after receiving reports in November [Two months before TJX announced the breach. Bob] of thefts valued at about $42,000 from Wal-Mart stores on Archer Road and NW 13th Street.

Officers learned stolen credit card numbers had been placed on encrypted magnetic strips, which were put on the back of fake credit cards. The cards then were used to purchase large amounts of gift cards.

... Usually these kinds of cases are committed for less money and involve individuals whose personal or credit card information has been stolen, not a corporation and millions of dollars, Pape said.

"The kicker is the dollar amount," Pape said. Officers estimate at least $8 million in losses to the banks that issued the credit cards. That figure could grow, he said. The suspects traveled to about 50 counties throughout the state to use the gift cards and stolen credit card numbers.

... Employees can check the name on the credit card against the user's photo ID [I think the credit card companies forbid that. Bob] and should verify that the number on the transaction receipt matches the number shown on the card. People should never carry too many cards and shred all account-related information before throwing it away.



Well that clears things up...

http://searchsecurity.techtarget.com/tip/0,289483,sid14_gci1248216,00.html

The cost of data breaches: Looking at the hard numbers

Khalid Kark 03.21.2007

As the frequency and gravity of security breaches has increased over the past few years, there have been several attempts to estimate their cost.

The estimates, however, have churned out vastly different figures, further adding to the confusion. For example, a U.S. Department of Justice study, published in August 2006, determined that the average loss per incident was $1.5 million. These calculations conflicted with a 2005 CSI/FBI survey that estimated the cost to be $167,000. Meanwhile, a 2006 Ponemon Institute survey figured expenses at $4.8 million per breach, while some CISOs put the cost to recover from a security incident at $1,000 per hour.

And if that dizzying array of estimates wasn't bewildering enough, a recent Forrester survey found that 25% of respondents do not know, or do not know how to determine, the cost of data security breaches. Puzzlingly, of companies that confirmed a personal data loss, 11% said that they did not incur any additional costs. But let me tell you, if you have a data breach, you will incur additional costs, significant enough to even put you out of business.

Tangible costs

Tangible costs are the unbudgeted expenses resulting from a security breach. These costs typically include legal fees, mail notification letters, calls to individual customers, increased call center costs and discounted product offers. Surprisingly, most estimates agree on this cost to be around $50 per record. This cost has increased slightly over previous years, but will continue to be somewhere around this number.

Regulations and lost employee productivity

When employees and contractors are diverted from their normal duties in order to address data breach controls, a company loses money. According to a Ponemon Institute survey, this cost had increased 100% in 2006 from $15 per record in 2005, to $30/record in 2006. The primary reason for this increase has been the growing number of entities and regulations that must be satisfied. Previously, if a company had a data breach, a security team fixed the problem, tested the mitigation and then the company resumed normal activities. Now, the threat of a data breach forces companies to satisfy the industry regulators, like the Payment Card Industry (PCI) Security Standards Council for credit card breaches, or the HIPAA auditors for healthcare regulations.

As the ChoicePoint data breach has shown, where the personal financial records of more than 163,000 consumers had been compromised, the Federal Trade Commission and other judiciary committees may also get involved and impose their own requirements and restrictions. This cost is bound to increase in the future, as well.

Stock price

In the long run, a security breach does not have a significant effect on a company's stock price, but it could. A stock typically dips immediately after a data breach, but the price rebounds quickly, and after one year there is very little evidence of the breach affecting the stock.

The aftermath of the ChoicePoint data breach was an exception: its stock price fell 3.1% on the day the breach was reported, and then continued to fall. Five days after the story made the papers, its stock plummeted by nearly 10%. Now, almost two years after the data debacle, the stock is about 20% lower. The reason for its unique long-term loss can be linked to a change in its top-line offerings. ChoicePoint reacted to the breach by dropping some of its information products. So even though a company's stock may recover soon after a security blunder, a lengthy recovery period is certainly a possibility.

Opportunity cost

Companies also typically experience customer losses after a breach, but the severity varies significantly as well. Typically, banks and hospitals have had the lowest churn rates, and retail outlets have had the highest.

A more significant issue at hand is the difficulty in acquiring new customers after a security breach. This number is hard to quantify, but most estimates compare these expenses to tangible costs. A Ponemon study, for example, puts opportunity cost at $98 per record, a 31% increase from 2005. This number is expected to grow as customers' security expectations increase and businesses compete on data protection technology.

Regulatory requirements and fines

When a breach occurs, both customers and regulators need to be satisfied. Regulators may impose additional security requirements or fines. For example, Visa levied $4.6 million in fines, penalizing companies that mismanaged sensitive customer data; the company levied $3.4 million in 2005. Similarly, ChoicePoint paid $10 million in civil penalties and $5 million in consumer redress to settle the Federal Trade Commission's demands. As laws and regulations increase, this cost will become much more significant.

Conclusion

All things considered, a security breach can cost you anywhere between $50 and $250 per record. Depending on how many records are at stake, individual breach costs may run into millions or even billions of dollars -- and organizations still aren't prepared to protect their environments. Although studies may not be able to determine the exact cost of a security breach in your organization, the loss of sensitive data can have a crippling impact on an organization's bottom line, especially if it is ill-equipped.



First speeding cameras, then red light cameras, now littering cameras? (I think I translated that correctly)

http://www.timesonline.co.uk/tol/news/uk/article1546268.ece

Cameras in cans to spill the beans on fly-tippers

Jack Malvern March 21, 2007

Householders who flout strict rules on putting out their rubbish face the prospect of being caught by spy cameras mounted in baked bean tins and household bricks.

Ealing council, in West London, is using hidden surveillance cameras to catch troublesome residents who fly-tip rubbish on main roads or spray graffiti.

Councillors said that anyone who broke rules on rubbish disposal would be regarded as an “enviro-criminal”. The cameras, which cost £200 each, are activated by movement and can e-mail images to the council’s CCTV control centre. The Tory-controlled council said that the devices were designed to catch vandals, graffiti artists and large scale fly-tippers.

... The council said that the cameras were unlikely to be used on householders, but would not rule it out.



As if we needed proof that porn is big business...

http://www.informationweek.com/news/showArticle.jhtml?articleID=198100250

Spam Scam Can Swamp Blogs With Porn Links

Spammers use blogs' trackback technology to post thousands of links to porn sites.

By Sharon Gaudin, InformationWeek March 20, 2007

Security experts are warning bloggers and Web site administrators that trackback spam is flooding legitimate sites with links to pornography.

Sophos, an antivirus and anti-spam company, reports that Newsbreak, a Filipino online news service, found more than 27,000 links to pornographic Web sites posted on its own Web site. According to an advisory posted by Sophos, Newsbreak was hit by a flood of spammers posting the links to the illicit Web sites. The Web site has since suspended the trackback feature, and users are being asked to log on before posting any comments.

The trackback technology is used to let blog authors know who has seen and linked to their postings. It also enables readers to easily locate Web postings related to the subject matter. The problem is that it's also easy to abuse, allowing spammers to connect themselves automatically via trackbacks to postings on legitimate blogs, in the hope of directing surfers to their own sites.


Speaking of porn...

http://www.law.com/jsp/article.jsp?id=1174307783120

Before You Blog, Check With Your Insurance Carrier

By Lisa Brennan New Jersey Law Journal 03-20-2007

Law firms of all sizes have turned to blogs to showcase their expertise, but at least one New Jersey firm has put the plan on hold out of liability concerns.

The reason: Its malpractice carrier said blogging would make the firm uninsurable.

... The Freehold, N.J., firm's experience may be an aberration, since blogging has become epidemic among lawyers over the past three years as a way of informing existing clients and demonstrating intellectual prowess to potential ones.

... "The key here is for law firms to have a strong disclaimer," says Ariel Hessing, executive vice president of Walnut Advisory Group, which arranges malpractice coverage for law firms.



Could this be the end?

http://yro.slashdot.org/article.pl?sid=07/03/20/2158241&from=rss

IBM Asks Court To Declare Linux Non-Infringing

Posted by kdawson on Tuesday March 20, @06:56PM from the decisive dept.

The Courts Caldera IBM Linux

A Cyclic Graph writes "We finally have a redacted version of IBM's Reply Memorandum in Support of Summary Judgment on Counterclaim 10 in SCO v. IBM. In short, IBM is asking the Court to declare that Linux doesn't infringe upon any of SCO's purported intellectual property. This document is the last word on that matter until the Court either declares there to be no doubt that Linux is free of infringement, or decides that that issue has to be decided by the jury. In their brief, IBM points out that SCO puts forth a convoluted set of non-answers referencing each other to disguise its inability to answer IBM. Their set of cross-references is so complex that Groklaw readers graphed the claims to make what little sense of them they could." [Is this a common legal technique? Bob]



Another step on the lemming-like suicide run of the scientific journals?

http://yro.slashdot.org/article.pl?sid=07/03/20/2135201&from=rss

MIT Drops DRM-Laden Journal Subscription

Posted by kdawson on Tuesday March 20, @05:54PM from the whose-intellectual-property? dept.

Gibbs-Duhem writes with news that MIT has dropped its subscription to the Society of Automotive Engineers' web-based database of technical papers over the issue of DRM. The SAE refuses to allow any online access except through an Adobe DRM plugin that limits use and does not run on Linux or Unix. Also, the SAE refuses to let its papers even be indexed on any site but their own. SAE's use of DRM is peculiar to say the least, as they get their content for free from the researchers who actually do the work. And those researchers have choices as to where they send their work, and some of the MIT faculty are pretty vocal about it. From the MIT Library News: "'It's a step backwards,' says Professor Wai Cheng, SAE fellow and Professor of Mechanical Engineering at MIT, who feels strongly enough about the implications of DRM that he has asked to be added to the agenda of the upcoming SAE Publication Board meeting in April, when he will address this topic."



The first time was legal strategy. This time it's legal stupidity. Perhaps their lawyers are brain damaged former players?

http://yro.slashdot.org/article.pl?sid=07/03/21/014232&from=rss

NFL Caught Abusing the DMCA

Posted by kdawson on Wednesday March 21, @12:14AM from the poorly-chosen-victim dept. Censorship

Implied Oral Consent writes "You know how the NFL puts up those notices before every game saying 'This telecast is copyrighted by the NFL for the private use of our audience, and any other use of this telecast or of any pictures, descriptions or accounts of the game without the NFL's consent is prohibited?' Well, Ars Technica is reporting that Wendy Seltzer thought that that was over-reaching and posted a video of the notice on YouTube. Predictably, the NFL filed a DMCA Take Down notice on the clip. But Ms. Seltzer knows her rights, so she filed a DMCA Counter Notice. This is when the NFL violated the DMCA, by filing another Take Down notice instead of taking the issue to court — their only legitimate option, according to the DMCA. Unfortunately for the NFL, Ms. Seltzer is a law professor, an EFF lawyer, and the founder of Chilling Effects. Oops!"



Perhaps a joint Computer Science/JD program?

http://ralphlosey.wordpress.com/2007/03/20/national-e-discovery-counsel-are-key-to-98-of-all-cases/

National e-Discovery Counsel are Key to 98% of All Cases

Posted: 20 Mar 2007 06:30 AM CDT

The faculty of Judges, in-house counsel and attorneys at the BNA conference yesterday observed a new trend in legal practice, national e-discovery counsel. Here one attorney or law firm serves as a corporation's national counsel to handle or supervise the electronic discovery aspects of all of its cases around the country. The corporation's various local counsel handle all other aspects of the case. They said they are seeing this new model now more and more. All agreed that it makes good sense, especially in view of the tremendous time and effort it takes for an attorney to learn the complexities of today's typical IT environment. It is far too expensive to try and educate all of a corporation's various outside counsel. Besides, most of them would not be up to the task. [Think the lawyers would agree? Bob] The panelists noted that there are not that many lawyers with an IT background capable of learning these complex systems. Most of the lawyers like that have already formed their own speciality IT firms, or have been hired by e-discovery vendors, which is now a Two Billion Dollar a year industry.

The panelists all agreed that there appears to be a sea shift going on in the litigation world, where the importance of discovery is coming to be recognized. Merrill Lynch's Jonathan Eisenberg noted that for all practical purposes discovery today means electronic discovery. This is consistent with his experience, and is also consistent with recent studies of business practices indicating that 98% of all records today are ESI.

The 98% statistic comes up again in the world of federal litigation. The panel of Judges noted that only 2% of their cases ever go to trial. An astounding 98% of all cases in federal court settle. The settlements occur after sufficient discovery has been conducted to allow the parties to assess their relative positions, and evaluate the strengths and weaknesses of their case. Therefore most all of the attorney fees and costs of litigation today are for discovery to evaluate and narrow the issues, and only a small amount to actually try the issues. Litigators are, like it or not, not really trial lawyers at all; they are discovery lawyers, negotiators and mediators. This means that the task of discovery, which used to be assigned to new associates, and was considered unimportant, is in reality the key task of litigation. It is also the task that consumes the bulk of the attorney fees and costs.



http://ralphlosey.wordpress.com/2007/03/19/practice-under-the-new-rules-an-e-discovery-cle-by-bna/

Practice Under the New Rules: an e-Discovery CLE by BNA

Posted: 19 Mar 2007 08:53 PM CDT

... Under Jonathan Eisenberg's guidance Merrill Lynch has done the same in its field, providing a sharp contrast to their competitors such as UBS Warburg and Morgan Stanley. Jon's promotion and development of an internal e-discovery team arose out of his observation that in-house counsel without expertise in this area were rendered ineffective in modern securities cases. Now under his leadership Merrill Lynch carries out what he described as an eight step process:

1) litigation hold procedures; 2) custom search software; 3) filtration before export to vendors; 4) document destruction policy; 5) dedicated in-house electronic discovery team; 6) Encase type software tools to search for non-email ESI; 7) pool of reliable contract lawyers to review pre-productions; 8) in-house forensic experts.

Jonathan then went on to provide detail on the litigation hold procedures his team has developed. This is a seven step process:

1) ID the custodians; 2) map the data sources; 3) send written notices and reminders; 4) monitor and enforce compliance; 5) interview key players; 6) collect information; 7) export data for production to outside counsel.



Background

http://www.f-secure.com/weblog/#00001146

Anti-Spyware Coalition

Posted by Kamil @ 17:41 GMT

On March 15th, the Anti-Spyware Coalition released the finalized versions of two documents. One is titled Best Practices Suggestions and the other is on the topic of Conflicts Resolution. F-Secure is a member of the coalition and one of our security researchers was involved with the drafting process.

So, if you want to read a detailed description of what spyware is, then visit the coalition's document page.



Where does security research cross the line?

http://news.com.com/2100-1002_3-6169034.html

Tool turns unsuspecting surfers into hacking help

By Joris Evers Story last modified Tue Mar 20 17:29:58 PDT 2007

A security researcher has found a way hackers can make PCs of unsuspecting Web surfers do their dirty work, without having to actually commandeer the systems.

That's possible with a new security tool called Jikto. The tool is written in JavaScript and can make PCs of unknowing Web surfers hunt for flaws in Web sites, said Jikto creator Billy Hoffman, a researcher at Web security firm SPI Dynamics. Hoffman, who developed the tool as a way to advance Web security, plans to release Jikto publicly later this week at the ShmooCon hacker event in Washington, D.C.

"This is going to drastically change the scope of evil things you can do with JavaScript," Hoffman said. "Jikto turns any PC into my little drone. Your PC will start attacking Web sites on my behalf, and you're going to give me all the results."
