Tuesday, March 27, 2007

Why would this information be taken off the base?

http://www.wavy.com/Global/story.asp?S=6282161&nav=23ii

Laptop computer containing info on 16,000 Fort Monroe employees stolen

FORT MONROE, Va. (AP) -- A laptop computer containing the names, Social Security numbers and payroll information for as many as 16,000 civilian employees at Fort Monroe was stolen from one employee's personal vehicle, officials said Monday.

The computer was password protected, [see next article Bob] Army officials said, and did not contain bank account or bank routing information. The potentially affected employees all work at the U.S. Army Training and Doctrine Command, which has Fort Monroe as its headquarters.

Officials said the Army Criminal Investigation Command and local law enforcement were investigating, and TRADOC was looking into whether some policies need to be changed.

Lt. Gen. Thomas Metz, in a letter to each of the potentially affected employees, said the Army is committed to preventing similar incidents from occurring, and gave each of them tips on how they can guard against unauthorized use of their personal information.


This is a fairly simple article that illustrates why “password protected” is often an oxymoron.

http://onemansblog.com/2007/03/26/how-id-hack-your-weak-passwords/

Monday, March 26th, 2007 at 2:17 am

How I’d Hack Your Weak Passwords



How many reasons does Wal-mart have to sue TJX? (Plus a few other questions...)

http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=286966&source=rss_topic17

8 Million Reasons

Frank Hayes

March 26, 2007 (Computerworld) Wal-Mart is now out $8 million because of TJX’s security problems. You remember TJX, the big retailer that in January reported a series of data security breaches. Those breaches, involving credit card transactions that date back to 2003, let thieves walk off with an unknown quantity of credit and debit card numbers.

No, we don’t know how many. But there were enough. Last week, Florida police arrested members of a ring that used some of those numbers to steal at least $8 million from Wal-Mart stores.

That’s twice in a row that IT didn’t help protect the business.

The first time, of course, was when intruders stole TJX’s customer data. That probably wasn’t the Florida gang, according to police. But once the Florida thieves got the stolen credit card numbers, the gang allegedly used them to buy Wal-Mart gift cards, then redeemed them at different Wal-Mart stores for items that included computers, electronic game consoles and big-screen TVs — $8 million worth.

There’s nothing new about that scam; thieves have used it for years at Wal-Mart, Target, Sears and other retailers. Sometimes thieves even bring the merchandise back for a cash refund. What the thieves depend on is the fact that they’re repeatedly laundering their transactions — from stolen credit card numbers to gift cards, then to merchandise, then to cash.

And that’s the second place that IT could be providing protection. At every step in that gift card scam, IT could help spot the fraud. But that mostly doesn’t happen.

Yes, when a credit card is reported stolen, it’s quickly deactivated and transactions using the card are no longer authorized. That’s IT at work protecting the business.

But there’s a lot more IT could do. What if Wal-Mart used the list of stolen card numbers to automatically search its own recent transactions [How would Wal-mart get that list? Bob] for suspicious activity — such as sales of gift cards? Then those gift cards could be deactivated and Wal-Mart could actually recover some of the money lost to thieves.

And even if the gift cards had already been used, those transactions could be flagged so that if the thieves brought the merchandise back for cash refunds, they could automatically be spotted at that point. That translates to merchandise recovered and cash back in the bank.

That’s two extra chances to catch the thieves and reverse the loss. Sure, Wal-Mart probably did something like that after it discovered it was losing millions of dollars. That kind of forensic database work is likely how the gang in Florida was eventually caught.

But IT should be making all that possible automatically and continuously. And at most retailers, that just doesn’t happen.

Why not? Those transaction systems aren’t set up to aggressively watch for the gift card scam. The data is all there, but the software isn’t, and neither is the database performance.

Isn’t it time they should be?

These thieves have figured out how to work the system. They count on the fact that retailers could spot fraud in near real time but don’t bother to, once the initial fraudulent credit card transaction goes through. [Is that the credit card industry's fault? Bob] And now that the fraudsters have the system pegged, they’ll keep ramping it up. Remember, that $8 million Wal-Mart loss is from a single gang. It’s just the tip of the iceberg, and it’s likely to get a lot worse unless IT changes the game.

Yes, beefing up transaction systems so they can handle constant hammering to watch for fraud will cost real money. But for once, there’s real money to be saved — not in fictional return-on-investment guesstimates, but from fraud blocked and cash recovered.

Better still, for once, IT can step up to the job of actively protecting the business, not just sitting in the back room waiting for bad news.

Best of all, for once, every retail CEO is ready to listen to a proposal for a project like this. With Wal-Mart $8 million in the hole from just one fraud ring, there are 8 million very good reasons to start solving the problem.
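The three intervention points the column describes (match recent gift-card sales against the list of stolen card numbers, deactivate those gift cards, then flag any refund of goods bought with them) written as a small stream processor. This is an added example, not code from Wal-Mart, TJX or the article; the transaction records, card identifiers and action names are all constructed placeholders, and the late-arriving stolen-card report shows why the look-back over earlier transactions matters.

```python
"""Gift-card laundering linkage as a stream processor (added example; not the
retailers' code). All records and card identifiers below are constructed."""
from collections import defaultdict


class GiftCardFraudLinker:
    """Follows the chain stolen card -> gift card -> merchandise -> cash refund
    and raises an action at each step where the transaction system could act."""

    def __init__(self):
        self.stolen_cards = set()
        self.gift_cards_bought_with = defaultdict(set)  # card -> gift card ids
        self.tainted_gift_cards = set()
        self.sale_tender = {}                           # sale id -> tender used
        self.alerts = []                                # (action, subject, reason)

    def report_stolen(self, card):
        """A card is reported stolen: look back at gift cards it already bought."""
        self.stolen_cards.add(card)
        for gc in self.gift_cards_bought_with.get(card, ()):
            self._taint(gc, f"bought earlier with stolen card {card}")

    def _taint(self, gc, reason):
        if gc not in self.tainted_gift_cards:
            self.tainted_gift_cards.add(gc)
            self.alerts.append(("deactivate_gift_card", gc, reason))

    def observe(self, tx):
        """Process one transaction as it happens, not in a later batch."""
        kind = tx["type"]
        if kind == "gift_card_sale":
            self.gift_cards_bought_with[tx["tender"]].add(tx["gift_card"])
            if tx["tender"] in self.stolen_cards:
                self._taint(tx["gift_card"], f"bought with stolen card {tx['tender']}")
        elif kind == "merchandise_sale":
            self.sale_tender[tx["id"]] = tx["tender"]
            if tx["tender"] in self.tainted_gift_cards:
                self.alerts.append(("hold_merchandise", tx["id"],
                                    f"paid with tainted gift card {tx['tender']}"))
        elif kind == "refund":
            # Taint is checked at refund time, so a gift card that was only
            # tainted after the merchandise sale still gets caught here.
            tender = self.sale_tender.get(tx["original_sale"])
            if tender in self.tainted_gift_cards:
                self.alerts.append(("flag_refund", tx["id"],
                                    f"returns goods bought with tainted gift card {tender}"))
        else:
            raise ValueError(f"unknown transaction type {kind!r}")


# Constructed event stream: CARD-A is stolen, CARD-C is a legitimate customer.
EVENTS = [
    {"type": "gift_card_sale", "id": 1, "tender": "CARD-A", "gift_card": "GC-100"},
    {"type": "merchandise_sale", "id": 2, "tender": "GC-100", "item": "big-screen TV"},
    {"type": "gift_card_sale", "id": 3, "tender": "CARD-C", "gift_card": "GC-101"},
    {"type": "stolen_report", "card": "CARD-A"},          # issuer's list arrives late
    {"type": "gift_card_sale", "id": 4, "tender": "CARD-A", "gift_card": "GC-102"},
    {"type": "merchandise_sale", "id": 5, "tender": "GC-102", "item": "game console"},
    {"type": "refund", "id": 6, "original_sale": 2},      # the TV comes back for cash
    {"type": "merchandise_sale", "id": 7, "tender": "GC-101", "item": "headphones"},
    {"type": "refund", "id": 8, "original_sale": 7},      # legitimate return
]


def run(events):
    """Feed the stream through the linker and return the alerts it raised."""
    linker = GiftCardFraudLinker()
    for ev in events:
        if ev["type"] == "stolen_report":
            linker.report_stolen(ev["card"])
        else:
            linker.observe(ev)
    return linker.alerts


if __name__ == "__main__":
    for action, subject, reason in run(EVENTS):
        print(f"{action:22} {subject!s:8} {reason}")
```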



SEC is also considering removal of that hitching post out front... Seems they noticed there are fewer horses these days

http://www.investmentnews.com/apps/pbcs.dll/article?AID=/20070326/FREE/70326006

SEC soon may file its first privacy case

By Dan Jamieson March 26, 2007

... The SEC last month told NEXT Financial Group Inc. of Houston that it intends to file charges related to the firm’s practice of instructing broker recruits to provide customer information to the firm in anticipation of a move.

... The case has been in the works for more than a year and is causing consternation among the broker-dealer community (InvestmentNews, Nov. 27).

... Under Reg S-P, even such basic client information as an address or phone number — unless it is clearly public information — cannot be shared with outside entities without consent or notice. As a result, NEXT has changed its privacy policy statements to say that brokers leaving the firm may take some information.



Does this make you feel insecure? Good!

http://www.infoworld.com/article/07/03/26/HNieattackcodeposted_1.html?source=rss&url=http://www.infoworld.com/article/07/03/26/HNieattackcodeposted_1.html

Code posted for Internet Explorer attack

Malicious code exploits a known vulnerability in Internet Explorer 6; Microsoft had already released a patch for IE6, and the code does not work on IE7

By Robert McMillan, IDG News Service March 26, 2007

New software has been published on the Internet that could be used to exploit a known flaw in Internet Explorer.

The code, which was posted Monday to the Milw0rm.com Web site, exploits a recently patched flaw in Microsoft's browser. It could be used to run unauthorized software on a computer that was not updated with the latest Microsoft patches, security experts warn.

... Protas said that more reliable exploit code likely will be published in the future.



How to open another e-discovery can of worms... If the RNC knew (and they should have) they should have stopped it immediately.

http://www.bespacific.com/mt/archives/014388.html

March 26, 2007

Oversight Committee Directs RNC to Preserve White House Emails

"Citing evidence that senior White House officials are using RNC and other political email accounts to avoid leaving a record of official communications, Chairman Waxman directs the Republican National Committee and the Bush-Cheney ’04 Campaign to preserve the emails of White House officials and to meet with Committee staff to explain how the accounts are managed and what steps are being taken to protect the emails from destruction and tampering."



This is what poor control of your email can buy you...

http://ralphlosey.wordpress.com/2007/03/25/morgan-stanley-wins-two-this-week/
Morgan Stanley Wins Two This Week

Posted: 25 Mar 2007 10:04 PM CDT

Morgan Stanley received two favorable rulings this week: one the well known reversal of the $1.5 Billion Dollar Coleman Judgment; and the other an order in an employment case by Arthur Riel, the former head of Morgan Stanley's Legal IT department. Riel claims that he was made the scapegoat for the loss in Coleman and fired under pretext. The facts alleged in Riel, especially as they pertain to discovery of the 1600 backup tapes that so disturbed the trial judge in Coleman, are especially interesting.

The big win for Morgan Stanley was the reversal by Third District Court of Appeals in Florida. Coleman (Parent) Holdings, Inc. v. Morgan Stanley & Co. Inc., 2005 Extra LEXIS 94 (Fla. Cir. Ct. Mar. 23, 2005). The decision said nothing at all about e-discovery, and only reversed because two out of three members of the panel felt that Coleman failed to prove damages. There was a strong dissent and so Coleman will now almost certainly move for rehearing and en banc consideration. Then whoever loses that will likely go to the Florida Supreme Court. Although Morgan Stanley is no doubt greatly relieved by this reversal, the story is far from over. Moreover, so far at least, the e-discovery aspects of the lower court's rulings have not been reversed, or even commented on.

The other new Morgan Stanley decision comes from the suit by Arthur Riel, the former Executive Director of its "Law IT Department." Riel v. Morgan Stanley, 2007 U.S. Dist. LEXIS 11153 (S.D.N.Y. Feb. 16, 2007). The facts of this case are what make it interesting, and will bear watching as the pared down suit continues. Arthur Riel and his IT team developed a searchable email archive to capture all emails to and from Morgan Stanley from January 1, 2003, forward. He was also asked to add all of Morgan Stanley's earlier emails to this archive by restoring emails from 39,000 backup tapes. The harvesting of the emails from the tapes was performed by an outside vendor, not Riel's IT team.

During the course of Riel's work he and his team noticed some suspicious emails to and from a few management personnel wherein gifts, including sporting tickets, were offered by company vendors. Although this was not part of his assigned task, Riel pursued an investigation of these email strings, and concluded that they revealed illegal misconduct, including the rigging of a technology contest. In January 2004, Riel anonymously sent copies of the e-mails to Morgan Stanley's Chief Financial Officer via interoffice mail with a post-it note that read: "Needs investigation." Apparently Riel was not too adept at maintaining his anonymity because his supervisor later learned that these tips came from him.

A few months later, in April 2004, the Florida court in Coleman (Parent) Holdings, Inc. v. Morgan Stanley & Co., Inc., No. CA 03-5045 AI (Fla. Cir. Ct.), ordered Morgan Stanley to conduct a search of its e-mails dating back to 1988, to produce materials by May 16, 2004, [Probably only through 2002, so it was only 14 years of emails... Bob] and to certify, in writing, its compliance with the order. In April 2004 the outside vendor harvesting emails from the 39,000 backup tapes became aware of still more backup tapes: a set of 1,423 "DLT" backup tapes found in a warehouse in Brooklyn, and another set of 177 old style 8-millimeter backup tapes. On June 7, 2004, Riel alleges that he sent an email to two Morgan Stanley in-house lawyers notifying them that these additional 1,600 backup tapes had been discovered, and that they could contain pre-2000 emails.

At the direction of the Morgan Stanley in-house counsel the Riel team performed searches of the email archive. The search did not include the newly discovered 1600 backup tapes as they had not yet been added to the archive. Riel was then called upon to sign a written certification prepared by Morgan Stanley's in-house attorneys, which certified compliance with the court order to search and produce emails. Riel's complaint alleges the following concerning this certification:

73. Mr. Riel had no specific information concerning the Coleman Litigation and only general information concerning the search that his Law IT team conducted on the Archive. Nor did Mr. Riel, a non-lawyer, have any understanding of Morgan Stanley's discovery obligations in the Coleman Litigation. Mr. Riel believed that the Certification operated as a confirmation that Morgan Stanley conducted a search of its Archive and that the responsive materials from that search were forwarded to Morgan Stanley's lawyers for production.

74. At the time, Mr. Riel had no understanding that he was certifying, in any sense, that all responsive e-mail from any Morgan Stanley source, including older back-up tapes, had been produced.

Still, Riel signed the erroneous court certification on June 23, 2004, and the rest, as they say, is history, leading to the $1.5 Billion Dollar Judgment which was just reversed.

After this certification Riel's prior action to try and anonymously tip off the illegal conduct came back to bite him. On August 18, 2004, Riel was placed on paid administrative leave while his supervisors investigated the propriety of his reading the content of emails of Morgan Stanley executives while performing his IT tasks. There is no mention of an investigation into the alleged illegal activities the emails supposedly revealed.

Two months later, in October 2004, SEC investigators contacted Riel at home to question him regarding Morgan Stanley's email retention practices. Riel advised the SEC of the newly discovered 1600 backup tapes. The SEC then provided Morgan Stanley with a "Wells Notice" advising that an action was imminent. Carlson v. Xerox Corp., 392 F. Supp. 2d 267, 279 (D. Conn. 2005). Morgan Stanley responded by blaming Riel and claiming that he never told them about these 1600 tapes. Apparently they never received the emails Riel claims he sent about the newly discovered tapes.

Later that year, on May 16, 2005, the Wall Street Journal published an article entitled, "How Morgan Stanley Botched a Big Case by Fumbling Emails." This was about the Florida case. Riel claims that Morgan Stanley attempted, in what it said to the Journal, to lay the blame on Riel for problems with the Florida court arising from the handling of e-mails in the document production.

Finally, on September 27, 2005, Morgan Stanley sent Riel a termination letter stating that he was terminated for cause for reading other employees' e-mails. Riel claims that this deprived him of 1,600 stock units and 5,000 vested stock options worth several hundred thousand dollars.

Riel sued alleging eight counts, including breach of contract, defamation in connection with the Wall Street Journal article, fraud and negligence. Morgan Stanley moved to dismiss all counts except for Count three. It alleges that Morgan Stanley breached its Executive Incentive Compensation Plan by firing Riel for cause, in bad faith, with the effect of depriving him of stock and options. Morgan Stanley's motion was granted, and thus this action will continue solely on the breach of contract claim in Count three. Like the much larger Coleman case, this is a victory for Morgan Stanley, but the saga continues.

Apparently one of the key elements of Riel's case going forward will be whether Riel in fact sent an email to Morgan Stanley's attorneys advising them of the 1600 tapes. This should be easily discoverable by the mail archive system that Riel himself established. The metadata of these emails, if in fact they exist, should reveal the truth.



What strategy are these guys following?

http://techdirt.com/articles/20070326/132725.shtml

Diebold Insists Its E-Voting Machines Are So Good, It Must Be Illegal To Use Any Other Voting Machine

from the vote-here dept

E-voting machine provider Diebold has made some crazy statements over the years trying to defend its e-voting machines, but the company may have set a new level of craziness. ScaredOfTheMan writes in to let us know that Diebold is suing the state of Massachusetts after the Secretary of State chose e-voting machines supplied by a Diebold competitor. Diebold doesn't seem to have any evidence that anything was done wrong -- but it insists that it has the best machines, and therefore, it wants the court to award the contract to Diebold instead. Diebold's statement on the matter is bizarre, saying that since the company competes across the country it knows it has the best machines and that it's "worth the time and money" to go to court to find out why it lost. It's nice to see that Diebold doesn't mind wasting taxpayer money in forcing Massachusetts to defend its vendor picking decisions when the company doesn't appear to have any evidence at all that something illegal actually happened. In fact, they're not even claiming anything illegal happened at all. They just think the state made the wrong choice. Given the long and well-documented history of problems with Diebold and its e-voting machines, including Diebold's repeated attempts to brush off all of the damning evidence against it, it seems perfectly reasonable that a state might think twice about awarding a multi-million dollar e-voting contract to Diebold. In fact, the state is saying that security was an important point in making the decision over which vendor to select -- and the overall consensus vote was in favor of AutoMark, rather than Diebold. Apparently, though, Diebold feels someone cooked the vote against it -- which seems a bit ironic.



I think the court got this one wrong. How is this service different from an in home video recorder?

http://www.law.com/jsp/article.jsp?id=1174640632758

Federal Judge Rules Cablevision's Remote Storage DVR System Violates Copyright Laws

By Beth Bar New York Law Journal 03-26-2007

... The Bethpage, N.Y.-based cable company had argued that it was not required to receive a license from the networks because its customers, not Cablevision, choose content and record programs for personal viewing. It cited to Sony Corp. v. Universal Studios, Inc., 464 U.S. 417 (1984), in which the U.S. Supreme Court held that Sony could not be held liable for infringement because it supplied Betamax recorders, video cassette recorders or DVRs to consumers for recording TV programs for in-home personal viewing.

Cablevision said its RS-DVR was no different from those devices, and argued it could not be held liable for copyright infringement for merely providing customers with the machinery to make copies.

"The RS-DVR is clearly a service, and I hold that, in providing this service, it is Cablevision that does the copying," Chin wrote.

He noted that, at most, Cablevision contended that "its role with respect to the RS-DVR establishes indirect infringement, but plaintiffs have waived such a claim."

But the entertainment companies argued the RS-DVR technology was unique and unauthorized because a complete copy of a program selected for recording would be stored indefinitely on a customer's allotted hard drive space on the company's facility. [How long do consumers store their video tapes or DVDs? Is that germane? Bob] It also said the fact that portions of the programs are stored temporarily in "buffer memory" on the company's servers was problematic.

The networks also said Cablevision was directly infringing on their copyright because it was the one "doing" the copying. Chin accepted the plaintiffs' arguments.

... He said the RS-DVR may have the look and feel of an STS-DVR, but "under the hood" the two types are vastly different. The judge said the RS-DVR is more akin to video-on-demand (VOD) than to a VCR, STS-DVR, or other time-shifting devices. [Only if I can get a copy of the program after it airs. If I specify I want a recording before it airs, I'm using it like a recorder... N'est-ce pas? Bob]

"In fact, the RS-DVR is based on a modified VOD platform," the judge concluded. "In its architecture and delivery method, the RS-DVR bears striking resemblance to VOD."

Cable companies have been eager to experiment with network DVRs because the technology could greatly increase their ability to add DVR customers, who pay a monthly fee, without having to provide new set-top boxes for each one.



Useful quotes?

http://news.bbc.co.uk/2/hi/technology/6472723.stm

Many net users 'not safety-aware'

Fewer than half of the UK's 29m adult internet users believe they are responsible for protecting personal information online, a survey suggests.

One in six of the 2,441 people surveyed felt responsibility rested with banks.

The research, for a government-backed online safety campaign, found 12% had suffered online fraud in the last year - at an average loss of £875.

The same number (5%) had experienced fraud while shopping online as had had their bag, wallet or mobile stolen.

... Get Safe Online [ http://www.getsafeonline.org/ ] managing director Tony Neate said: "The internet now is the real world.

... One in six thought it was their bank which was wholly responsible, while 13% thought it was up to their internet service provider.

With 93% of web users going online daily, it is no longer good enough to assume technology will work for itself, Mr Neate said.

... Other key findings of the survey include the discovery that 18% had responded to spam messages.

A further 10% had clicked on a link in a spam message.

Almost 50% do not have anti-spyware, while 13% of broadband users do not have a firewall on their PC.

[Key findings: http://news.bbc.co.uk/2/hi/technology/6482543.stm ]



And how will you prove this was the cause of an accident? Another reason to subpoena ISPs?

http://www.eweek.com/article2/0,1759,2107863,00.asp?kc=EWRSS03119TX1K0000594

New Jersey Lawmakers May Ban Texting While Driving

March 26, 2007 By Jon Hurdle, Reuters

PHILADELPHIA (Reuters)—New Jersey drivers who insist on sending text messages on their cell phones or personal digital assistants may find themselves on the wrong side of the law if legislators approve a new bill.

The plan is in response to a recent Nationwide Insurance survey finding that one in five drivers are texting while driving, a figure that rises to about one in three among people aged 18 to 34, said Democratic Assemblyman Paul Moriarty.

... The measure would allow police to pull over any driver found texting [and if they were only selecting songs on their iPods, that's okay? Or using their portable GPS? Bob] while driving, a tougher approach than currently allowed under the state's ban on drivers using a mobile phone on the highway.

... Critics have asked why the bill does not also seek to outlaw other sources of driver-distraction such as coffee or food, but Moriarty said such a bill would never pass the state legislature.



Tools & Techniques

http://googleblog.blogspot.com/2007/03/flying-high-with-google-sms.html

Flying High with Google SMS

Monday, March 26, 2007 at 7:58:00 PM Posted by Deepak Sethi, Software Engineer, Mobile Team

Ever spent 15 minutes on the phone shouting answers at the automated airline attendant while rushing to the airport? How cool would it be to get real-time flight info just by sending a quick text message? Well, now you can using Google SMS. [This (and many other queries) also works with an old fashioned computer... Bob]

Simply text your flight number to 466453 (‘GOOGLE’ on most mobile devices), and the status information will be sent back to you. Or text a specific airline name, and Google will send back the main phone number to call.

This is available for flights departing or arriving in the U.S., and all of the information is provided by flightstats.com. And as always, it’s free.



It's about time!

http://hosted.ap.org/dynamic/stories/T/THE_ONION_VIDEO?SITE=VALYD&SECTION=HOME&TEMPLATE=DEFAULT

The Onion Brings Fake News to Web Video

By SETH SUTEL AP Business Writer Mar 26, 10:32 PM EDT

http://www.theonion.com
