Friday, April 27, 2007

How accidental does this sound? (I can't find anything on their web site...)

http://twincities.bizjournals.com/twincities/stories/2007/04/23/daily36.html

Ceridian: Data from NY firm accidentally leaked

Minneapolis / St. Paul Business Journal - 1:00 PM CDT Thursday, April 26, 2007

by Carissa Wyant Staff Writer

Payroll processing firm Ceridian Corp. said employee data from a New York advertising firm had been accidentally leaked on a Web site, the company confirmed Thursday.

Bloomington-based Ceridian (NYSE: CEN) notified New York advertising company Innovation Interactive last week, after it learned that ID and bank-account data on 150 employees had been posted online, company spokesman Pete Stoddart said.

Ceridian said a former employee accidentally posted the information on a personal Web site. The employee took the data by accident after leaving the company in March 2006.



Web pages are often named following a scheme that makes it easy to follow the flow (Home-page, employee-access, public-access, Secret-data-1, Secret-data-2, etc.). After a breach, expect hackers to analyze that scheme and try accessing other pages by “guessing” the next page name...

http://rhetoricallyspeaking.blogspot.com/2007/04/nhs-data-breaches-worse-than-thought.html

Friday, April 27, 2007

nhs data breaches worse than thought

On Wednesday, Channel 4 discovered that anyone could access the personal information of doctors and students through the NHS Medical Training Application Service website. The BBC reported that the NHS claimed to have closed the breach by the end of the day.

Yesterday, Channel 4 discovered that the website was still wide open:

For the second day in a row there has been a breach in the security on the MTAS computer system - used by 32000 junior doctors to apply for training posts. [...]

All it took was a simple changing of a number on the URL. Personal messages and details could be found. Initially we thought it was just MTAS applicants who have their own registration number who could do this.

Now we have learned that if an email was sent with the URL to anyone - not just an applicant - they could access the private sites without even logging in.

And the "short period of time" of the breach wasn't so much a couple of hours as several days - most likely since Monday afternoon, right up until Channel 4 contacted the department of health.
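The comment above about guessable page names and the MTAS story (change one number in the URL, read someone else's record) are the same defect: the server trusts the identifier in the URL and checks nothing else. The following is an added example, not code from this blog, Channel 4 or the NHS site. It shows the weak lookup beside a hardened one (login plus server-side ownership check, and an unguessable handle instead of a counter), and a small scan over constructed access-log lines that flags a client walking sequential ids. All names, ids and log lines are made up for the example.

```python
"""Insecure direct object reference: a per-user record fetched by a guessable
sequential id, beside a hardened version, plus an access-log scan that flags
id enumeration. Data, names and log lines below are constructed for this
example and do not come from MTAS or any real site."""
import re
import secrets
from collections import defaultdict

# Constructed sample data: message id -> (owner, body)
MESSAGES = {
    1001: ("alice", "alice's private application notes"),
    1002: ("bob", "bob's private application notes"),
    1003: ("carol", "carol's private application notes"),
}


class Forbidden(Exception):
    pass


def fetch_message_vulnerable(msg_id, session_user=None):
    """'Before' pattern: the number in the URL is the only thing consulted.
    No login required and no ownership check, so changing the number reads
    anyone's record."""
    return MESSAGES[msg_id][1]


def fetch_message_hardened(msg_id, session_user):
    """'After' pattern: require an authenticated user and check ownership on
    the server before returning anything."""
    if session_user is None:
        raise Forbidden("login required")
    owner, body = MESSAGES.get(msg_id, (None, None))
    if owner != session_user:
        # Same answer for 'not yours' and 'does not exist', so the response
        # does not reveal which ids are valid.
        raise Forbidden("not found")
    return body


# Second mitigation: expose a random opaque handle instead of a counter, so
# there is no 'next' value to guess. Ownership is still checked.
HANDLE_TO_ID = {}


def issue_handle(msg_id):
    """Map a sequential id to a random 128-bit URL-safe token."""
    handle = secrets.token_urlsafe(16)
    HANDLE_TO_ID[handle] = msg_id
    return handle


def fetch_by_handle(handle, session_user):
    msg_id = HANDLE_TO_ID.get(handle)
    if msg_id is None:
        raise Forbidden("not found")
    return fetch_message_hardened(msg_id, session_user)


# Detection: a client requesting consecutive ids and being refused is the
# log signature of someone guessing the next number.
LOG_RE = re.compile(r'^(\S+) .* "GET /messages/(\d+) HTTP/1\.[01]" (\d{3})')

# Constructed log lines (RFC 5737 documentation addresses, invented timestamps).
SAMPLE_LOG = """\
198.51.100.7 - - [26/Apr/2007:14:02:01 +0100] "GET /messages/1001 HTTP/1.1" 200
198.51.100.7 - - [26/Apr/2007:14:02:02 +0100] "GET /messages/1002 HTTP/1.1" 403
198.51.100.7 - - [26/Apr/2007:14:02:02 +0100] "GET /messages/1003 HTTP/1.1" 403
198.51.100.7 - - [26/Apr/2007:14:02:03 +0100] "GET /messages/1004 HTTP/1.1" 403
198.51.100.7 - - [26/Apr/2007:14:02:03 +0100] "GET /messages/1005 HTTP/1.1" 403
203.0.113.9 - - [26/Apr/2007:14:05:10 +0100] "GET /messages/1002 HTTP/1.1" 200
"""


def find_enumerators(log_text, min_run=4):
    """Return clients that walked at least `min_run` consecutive ids with all
    but the first request refused."""
    per_client = defaultdict(list)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m:
            per_client[m.group(1)].append((int(m.group(2)), m.group(3)))
    flagged = []
    for client, hits in sorted(per_client.items()):
        hits.sort()
        run, denied = 1, 0
        for (prev_id, _), (cur_id, status) in zip(hits, hits[1:]):
            if cur_id == prev_id + 1:
                run += 1
                denied += status != "200"
            else:
                run, denied = 1, 0
            if run >= min_run and denied >= min_run - 1:
                flagged.append(client)
                break
    return flagged


if __name__ == "__main__":
    print(fetch_message_vulnerable(1002))           # no login, any id works
    print(fetch_message_hardened(1002, "bob"))      # owner only
    print(find_enumerators(SAMPLE_LOG))             # ['198.51.100.7']
```

The ownership check is the real fix; the random handle only removes the easy "add one to the number" path and must never replace the check. The log scan is deliberately simple (one client, one run of consecutive ids, refusals after the first hit) so it can be read in a minute; a production rule would also window by time and count distinct ids rather than sorted order.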


Speaking of hackers...

http://www.computerworlduk.com/management/security/cybercrime/news/index.cfm?newsid=2768

April 27, 2007

Teenager charged with hacking into AOL databases

Alleged acts cost AOL over $500,000

By Juan Carlos Perez, IDG News Service

A teenager broke into AOL networks and databases containing customer information and infected the servers with a malicious program to transfer confidential data to his computer, AOL and law enforcement officials have alleged.

In a complaint filed in the US courts, the Manhattan district attorney's office alleges that 17-year-old Mike Nieves committed offences including computer tampering, computer trespass and criminal possession of computer material between 24 December 2006 and 7 April 2007.

He is accused of:

  • accessing systems containing customer billing records, addresses and credit card information
  • infecting machines at an AOL customer support call centre in India with a program to funnel information back to his PC
  • logging in without permission into 49 AIM instant message accounts of AOL customer support employees
  • attempting to break into an AOL customer support system containing sensitive customer information
  • engaging in a phishing attack against AOL staff, through which he gained access to over 60 accounts from AOL employees and subcontractors

Nieves faces four criminal charges and one misdemeanour charge. He appeared in court earlier this week and has been remanded in custody, a spokesperson for the Manhattan district attorney's office said.

The complaint filed against Nieves claims that he admitted to investigators that he had committed the alleged acts, because AOL took away his accounts. "I accessed their internal accounts and their network and used it to try to get my accounts back," the defendant is quoted as saying in the complaint. The court papers also claim Nieves admitted to posting photos of his exploits in a photo web site. [Sometimes, evidence gathering is easy... Bob]

Nieves was arrested after AOL provided law enforcement authorities with information from an internal investigation into the alleged acts. AIM subscriber information and IP address data led AOL to Nieves, whose address and phone number AOL had on file, the court papers say.

The alleged acts cost AOL more than $500,000 (£250,000). It is not clear whether customer data was stolen. [Aren't they required to disclose in NY? Bob] AOL declined to comment.


...and sometimes the hacking is automated...

http://www.zdnet.com.au/blogs/securifythis/soa/Facebook-e-mail-notifications-breach-privacy/0,139033343,339275127,00.htm?feed=rss

Facebook e-mail notifications breach privacy

By Munir Kotadia, ZDNet Australia 27 April 2007 11:59 AM

Shortly after joining the social networking site Facebook, I received an e-mail telling me a friend had "written on my wall". Within two clicks I was logged-in and had full access to her account.

... I logged out (of her account) and then tried clicking on the link again to try and recreate the effect but it didn't work. However, when I opened the main Facebook page and typed the first letter of my friend's name, the browser had somehow remembered her username and password and allowed me to log into her account at will.

... As Facebook doesn't list a contact phone number, I haven't been able to get in touch with them yet. However, I will be sending them a copy of this blog as soon as it is published -- in the hope of finding out what is going on.
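The article does not say what the notification link carried, only that two clicks on it opened a friend's account. Whatever the cause, a notification link should never be able to resolve to anyone but the person it was sent to. The following is an added example, not Facebook's code or the article author's: each link carries an HMAC-signed, expiring, single-use token bound to the recipient, and the handler only confirms that the already-logged-in user is that recipient; it never logs anyone in. The key, host name and user names are placeholders.

```python
"""Notification links that cannot open someone else's account. Each link
carries a signed, expiring, single-use token bound to its recipient; the
handler checks that the currently logged-in user is that recipient and
never creates a session itself. Constructed example; SERVER_KEY and the
host name are placeholders."""
import base64
import hashlib
import hmac
import secrets
import time

SERVER_KEY = b"placeholder-server-secret"   # constructed; a real key is random and rotated
TOKEN_TTL = 3600                             # seconds a link stays valid
USED_NONCES = set()                          # in practice a store with expiry


def _b64(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _unb64(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_notification_link(recipient, notice_id, now=None):
    """Build a link for `recipient` about `notice_id`. The payload names the
    recipient and an expiry; the HMAC stops anyone editing either."""
    now = int(time.time() if now is None else now)
    nonce = secrets.token_hex(8)
    payload = f"{recipient}|{notice_id}|{now + TOKEN_TTL}|{nonce}".encode()
    sig = hmac.new(SERVER_KEY, payload, hashlib.sha256).digest()
    return f"https://example.invalid/n/{_b64(payload)}.{_b64(sig)}"


def open_notification_link(link, logged_in_user, now=None):
    """Return (recipient, notice_id) when the token is intact, unexpired,
    unused and belongs to `logged_in_user`; otherwise None."""
    now = int(time.time() if now is None else now)
    try:
        token = link.rsplit("/", 1)[1]
        p64, s64 = token.split(".")
        payload, sig = _unb64(p64), _unb64(s64)
    except (ValueError, IndexError):
        return None
    expected = hmac.new(SERVER_KEY, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        return None                       # tampered or forged
    recipient, notice_id, expiry, nonce = payload.decode().split("|")
    if now > int(expiry):
        return None                       # stale link
    if nonce in USED_NONCES:
        return None                       # replayed link
    if recipient != logged_in_user:
        return None                       # someone else's link
    USED_NONCES.add(nonce)
    return recipient, notice_id


if __name__ == "__main__":
    link = make_notification_link("alice", "wall-42")
    print(open_notification_link(link, "alice"))   # ('alice', 'wall-42')
    print(open_notification_link(link, "bob"))     # None: wrong user (and already used)
```

The important design choice is that the token proves nothing about who is holding it; it only says which account it was issued for. The handler therefore needs a normal login first and compares that identity with the one in the token, so a forwarded, leaked or autofilled link yields nothing from another user's browser.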


...or you could hire a hacker... (pretexting r us?)

http://techdirt.com/articles/20070426/001211.shtml

Suggestion: Don't Name Your Illegal Computer Spying Business 'Hackers Are Us'

from the just-a-tip dept

While everyone has different ways of going about marketing various businesses, you would think that if you're involved in something illegal, you wouldn't refer to your organization in a way that reveals the illegality of what you're doing. Apparently, a private detective firm in the UK had a separate group which they proudly named "Hackers Are Us," which was making quite a bit of money by helping people get info from the computers of others. There's no real mystery (and no real "hacking") in how they did so. They just sent an email and used some social engineering to convince people to click on the attachment, which loaded a keylogger. Pretty straightforward. Of course, the group is now in court trying to defend these actions -- but the use of the name probably doesn't help.



This is the second mention of this report...

http://www.mcafee.com/us/about/press/corporate/2007/20070424_000000_f.html

McAfee, Inc. Releases New Research Suggesting Data Loss Will Lead To Next Major Corporate Collapse

A Third of Enterprises Surveyed Believe a Major Breach Could Put Their Companies Out of Business

INFOSEC, LONDON, April 24, 2007 - McAfee, Inc., today announced it has released a report, Datagate: The Next Inevitable Corporate Disaster?, revealing a widespread belief that a major security breach, even an unintentional one, could lead to the collapse of a major corporation. The global research, conducted for McAfee® by Datamonitor, surveyed more than 1400 IT professionals at companies with at least 250 employees in the United States, the United Kingdom, France, Germany and Australia. Thirty-three percent of respondents said they believe a major data loss incident involving accidental or malicious distribution of confidential data could put them out of business.

The research also suggests that while awareness regarding the danger of breaches is high, the problem continues to grow. Sixty percent of respondents said they had experienced a data breach in the past year, and only six percent of respondents could say with certainty that they had not experienced one in the previous two years. However, despite the prevalence of breaches, enterprises are still devoting just a fraction of their IT budgets to the problem. On average respondents spend just one-half of one percent of their overall IT budgets on data security. [Would spending 1% make your security “better than average?” Bob]

... For more information and to download a copy of “Datagate: The Next Inevitable Corporate Disaster?” visit http://www.mcafee.com/us/enterprise/products/promos/data_loss_protection/default.html.



These all end with close-up pictures of politicians' pockets?

http://www.bespacific.com/mt/archives/014695.html

April 26, 2007

Web Mashups Help Citizens Track the Political Money Trail

From Wired, Web Mashups Turn Citizens Into Washington's Newest Watchdogs: "Sites like Maplight.org, Opensecrets.org and Follow the Money, along with wiki-based political reporting resources like Congresspedia, are increasingly giving ordinary citizens the ability to easily document the flow of special-interest money and how it influences the legislature. These new tools are providing an unprecedented level of transparency, exposing patterns of influence that otherwise would have remained invisible to ordinary citizens."

  • See also Citizen-mapped agency data - A quick guide to citizen-mapped agency data sites: "The Web is awash in citizen-run sites that map government-generated data. These sites use free services such as Google Maps and Microsoft Virtual Earth and public records from agencies such as the Environmental Protection Agency and the Geological Survey. With these sites, Web surfers can enter their addresses and see government data in their area, or browse a certain region to find items of interest."



I don't think this is a good idea, unless politicians are smarter than all of their constituents (and the rest of the world).

http://techdirt.com/articles/20070426/011631.shtml

Malaysia To Set Up Government Agency To Respond To Blogs

from the respond-in-kind dept

Over the last few weeks we've been following the hubbub in Malaysia, where some government officials were quite upset with some bloggers leading to at least two bloggers being sued and the possibility of forcing bloggers to register with the government -- a plan that was later rejected. However, now the government has come up with a new plan to deal with what it still calls "lies" being spread online: it will create a special government unit to monitor and respond to what various internet sites are saying. Assuming they identify themselves as working for the government, this sounds like a pretty good idea. Rather than trying to intimidate or force critics offline, take them on with facts. If sites are not telling the truth or even being misleading, respond and explain why. That's the great thing about the internet. You can always counter whatever is being said about you, and it doesn't require the use of any lawyers or lawsuits.



Shouldn't you assume any new technology comes with risks?

http://www.knoxnews.com/kns/local_news/article/0,1406,KNS_347_5507506,00.html

Judge: Cellular GPS data can be used as a tracking device

By JAMIE SATTERFIELD, satterfield@knews.com April 27, 2007

Expect a little privacy, cellular phone user?

Quit talking on it in public and turn it off.

That may seem like a simple concept, but the conclusion is actually plowing new legal ground in Knoxville's most high-profile pot-peddling case in recent times.

In a groundbreaking ruling, U.S. District Magistrate Judge Bruce Guyton on Thursday ruled that law enforcement can use global positioning satellite data from cellular phones as tracking devices.

"To say that case law is substantially undeveloped as to what rights are accorded a cell phone's user, particularly in these circumstances, would be an understatement," Guyton wrote.

The ruling comes in the case of a father and son accused of ferrying nearly 1,000 pounds of marijuana in an RV as part of the case of Market Square businessman Scott West, his brother, sister-in-law and wife.

In a move reminiscent of a James Bond flick, U.S. Drug Enforcement Administration agents Michael Davis and Dave Lewis had used real-time data from a GPS unit installed on a cellular phone to find accused couriers Melvin Skinner and Samuel Skinner at a Texas truck stop on the eve of a July raid of West's Market Square properties.

The agents didn't even know the alleged couriers' names. All they had was a pay-as-you-go cell-phone number issued in a fake name. A confessed Arizona drug dealer testified it was one of dozens he bought to use in his illegal trade.

It is the latest trend among dope peddlers trying to outsmart law enforcement.

Once nabbed, the Skinners, via attorneys Ralph Harwell, Tracy Jackson Smith and Mike McGovern, cried foul, arguing that federal prosecutors David Jennings and Hugh Ward themselves violated the rules in their zeal to take down West and his brother. The attorneys had tried at hearings earlier this year to convince Guyton that law enforcers should not be allowed to use GPS devices on cell phones as tracking devices without jumping through some serious legal hoops.

Faced with what he termed a "novel" issue, Guyton turned to all manner of research, ranging from case law on beepers to National Public Radio reports.

The judge's conclusion: Cellular phone users give up privacy rights every day.

"Generally, a defendant can claim little expectation of privacy in a cell phone that he utilizes in public," Guyton wrote. "As to cell-phone signals, a cell phone can only be used to locate a person if the phone is within the person's possession and the user has turned the phone on. Moreover, these signals are knowingly exposed to a third party, the cell-phone company, when a party uses the phone. [Would that automatically breach attorney-client privilege? Bob]

"This third-party exposure diminishes an expectation of privacy," the judge continued. "Therefore, if the cell-phone's possessor intended to keep the phone's location private, the possessor could turn off the phone, which would disallow signal transmission."

Besides, Guyton wrote, a wide range of people and businesses already use cell phone GPS data, so why should law enforcers be treated any differently? Police, after all, still have to get the court's permission to glean the data.

"If rescue operations, employers, and friends can all track the location of a person using the GPS capability in the cell phone, it is reasonable to allow law enforcement officers to do the same," the judge ruled.



This could be hard to interpret. At least I find it so...

http://www.computerworld.com/action/article.do?command=viewArticleBasic&taxonomyId=13&articleId=9017839&intsrc=hm_topic

California eyes stronger cyberstalking laws

Jaikumar Vijayan

April 25, 2007 (Computerworld) California legislators are considering a new bill that would extend the state's antistalking laws to the Internet.

The proposed bill (AB 919) is authored by Republican state Rep. Guy Houston and is designed to prevent individuals from using Web sites such as MySpace.com and Craigslist to deliberately incite harassment or abuse against an individual.

Such harassment can include the posting of digital images or messages on Web sites in an effort to cause fear, harassment or harm to an individual, according to an official description of the bill. The measure would allow California law enforcement officials to pursue stalking charges against people responsible for such messages.

More than 40 states already have some form of cyberstalking legislation in place. But most of these laws, including the one in California, deal with crimes involving intimidation and harassment of a person via, for instance, e-mail messages, pagers, phones and cell phones.

AB 919 is believed to be the first state law that extends the notion of stalking to messages and images posted on Web sites, a spokesman for Houston said.



Useful background!

http://www.govtech.net/magazine/story.php?id=105197

NIST Issues Guidelines for Ensuring RFID Security

April 26, 2007 News Report

Retailers, manufacturers, hospitals, federal agencies and other organizations planning to use radio frequency identification (RFID) technology to improve their operations should also systematically evaluate the possible security and privacy risks and use best practices to mitigate them, according to a report issued today by the National Institute of Standards and Technology (NIST).

... The new NIST report focuses on RFID applications for asset management, tracking, matching, and process and supply chain control. It lists recommended practices for ensuring the security and privacy of RFID systems, [Quite a lot actually. Is it enough? Bob] including firewalls that separate RFID databases from an organization's other databases and information technology (IT) systems, encryption of radio signals when feasible, shielding RFID tags or tag reading areas with metal screens or films to prevent unauthorized access, and other security measures.

Two case studies -- in health care and supply chain settings -- provide examples for identifying and minimizing security risks throughout the various stages of an RFID project.

Guidelines for Securing Radio Frequency Identification (RFID) Systems (Special Publication 800-98), 154 pages. Available on-line at http://csrc.nist.gov/publications/nistpubs/800-98/SP800-98_RFID-2007.pdf.



First you grab the video of President Bush dancing(?) to the beat of African drums, then you whip up some (in)appropriate lyrics, then you share it with the world on YouTube...

http://www.reuters.com/article/internetNews/idUSL2512381420070425

Rocker Townshend unveils song composing software

Wed Apr 25, 2007 6:45PM EDT By Sylvia Westall

LONDON (Reuters) - British rocker Pete Townshend on Wednesday unveiled an Internet-based software program that will help music fans compose personalized tracks at the click of a button.

The Who guitarist/songwriter said that with a voice recording, a digital image and a rhythm clapped into a microphone, his new "Method" software will create spontaneous digital music and allow anyone to be a composer, and possibly a rock star.

... From May 1, users will be able to get free access to the Web site (http://www.lifehouse-method.com) for three months, and will be able to compose instrumental tracks that they can e-mail or post on their Web sites. From August 1, it will become a subscription-based service.
