Wednesday, June 20, 2007

Old Identity Theft cases never die...

http://www.infoworld.com/article/07/06/19/FTC-looks-for-more-victims-of-ChoicePoint-breach_1.html?source=rss&url=http://www.infoworld.com/article/07/06/19/FTC-looks-for-more-victims-of-ChoicePoint-breach_1.html

FTC looks for more victims of ChoicePoint breach

Breach victims have until August 18 to file claims with the FTC and get reimbursed from a fund ChoicePoint set up as part of its settlement

By Grant Gross, IDG News Service June 19, 2007

The U.S. Federal Trade Commission (FTC) is looking for victims of a data breach at ChoicePoint announced in early 2005.

Victims with out-of-pocket expenses due to the breach have until Aug. 18 to file claims and be eligible for payments from a $5 million fund that ChoicePoint agreed to pay in its January 2006 settlement with the FTC.

The FTC has now mailed reimbursement claim forms to 2,400 consumers who may have been victims of identity theft due to the breach, the agency said in a speech. The FTC has mailed claim forms to 1,000 consumers since December 2006, it said.

In addition, the FTC has created a Web site where consumers who do not receive a claim letter can download a claim form and get more information about the claims process.

Data broker ChoicePoint announced in early 2005 that identity thieves had set up fake businesses as a way to buy personal information from the company. The breach, affecting about 163,000 U.S. residents, set off a debate in the U.S. Congress about data breach protections, but Congress has yet to pass a data breach notification bill.

In its January 2006 settlement with the FTC, ChoicePoint agreed to pay a $10 million fine in addition to the $5 million victims fund. The company also agreed to third-party security audits every other year until 2026.

ChoicePoint also agreed in May to pay a $500,000 fine and change the way it screens new customers in a settlement with 43 states and the District of Columbia.



Tip on encryption, but interesting statistics...

http://news.com.com/Locking+down+laptops+before+its+too+late/2010-1029_3-6192001.html?part=rss&tag=2547-1_3-0-5&subj=news

Locking down laptops before it's too late

By Bill Watkins Story last modified Wed Jun 20 04:00:02 PDT 2007

... During 2005, 20 percent of all banks, 18 percent of credit card companies, 13 percent of government organizations and 9 percent of health care companies reported data breaches--and that number is growing.

... On a state by state basis, 29 states thus far have enacted data protection legislation and 28 of these laws have provisions calling for the encryption of digital content.

The flaw with current legislation is that it does not specify how to encrypt data--and that's critical. If agencies and companies encrypt their data using software, it's like locking individual car engine components--time-consuming, expensive and fraught with failure points. By contrast, hard drive full disc encryption is similar to a car key: it protects everything from the engine to the dashboard with a single mechanism and point of entry.



Wishing is not a very effective plan...

http://www.technewsworld.com/rsstory/57918.html

Massachusetts Far Behind on Open Document Format Adoption

By Eric Lai Computerworld 06/19/07 10:32 AM PT

Massachusetts' open formats policy is off to a slow start with only 250 of the government's 50,000 PCs outfitted with the necessary technology. Since the policy was publicly introduced last year, the plan has seen resistance from state employees and Microsoft, lobbying heavily against the format change.



Just an observation, but when the big boys start acquiring security companies it indicates (to me) that security is about to become a service differentiator.

http://www.securityfocus.com/brief/530?ref=rss

HP to acquire SPI Dynamics

Published: 2007-06-19

Hewlett-Packard announced on Tuesday that the technology giant has agreed to buy Web security assessment company SPI Dynamics for an undisclosed sum.

The Atlanta-based security firm develops technology to assess Web site and application risks from development to deployment. The number of vulnerabilities in Web applications has skyrocketed in recent years, making up the lion's share of software flaws disclosed each year.

"Today, HP Software provides solutions that ensure that business applications run well," Jonathan Rende, vice president of products for HP's Quality Management Software group, said in a statement. "Now with the addition of SPI Dynamics, we can make sure it is also secure."

The acquisition news comes two weeks after IBM revealed it had agreed to buy compliance and security firm Watchfire. IBM did not disclose the terms of that deal.



I wonder if they would be available for seminars?

http://www.securityfocus.com/news/11471?ref=rss

Amero case spawns effort to educate

Robert Lemos, SecurityFocus 2007-06-19

A group of security professionals, legal experts and educators who helped former Connecticut substitute teacher Julie Amero overturn a conviction on charges of exposing her students to pornographic pop-up ads has formed a permanent organization that aims to educate the courts and legislators about technology, crime and digital forensics.

Taking the name of the person who brought them together, the members of the Julie Group intend to teach lawyers and end users about issues of technology and criminal law, lobby policy makers for fairness in criminal codes and regulations, and bring to light unfair prosecutions. The group will likely again offer their computer-security expertise to prosecutors and defense attorneys in future cases.

"Our helping Julie Amero was about two things: Getting Julie out of jail and making sure that something like this doesn't happen to other people," said Alexander Eckelberry, president of security firm Sunbelt Software. "We learned with Julie that giving people a voice makes a big difference."

On January 5, a six-person jury found Amero, a former substitute teacher at Kelly Middle School in Norwich, Connecticut, guilty of four counts of risk of injury to a minor, a Connecticut law that includes endangering the morals of a minor. The charges stem from an incident on October 19, 2004, when Amero's classroom computer started displaying pornographic pop-up advertisements.

Prosecutors argued that the images appeared because Amero visited porn sites while in class, while the former teacher's defense attorney argued that spyware installed from a hairstyling Web site caused the deluge of digital smut. The four convictions could have resulted in a maximum of 40 years in prison for the former schoolteacher.

Following the conviction, Eckelberry and others formed a group to analyze the evidence, producing a digital-forensics report that refuted many of the statements made by the prosecution's cybercrime expert, Mark Lounsbury, a detective with the Norwich Police Department, Eckelberry said.

The analysis was not straightforward. Other people, including the middle school's information technology administrator, had accessed the hard drive of the classroom's computer -- a Windows 98 SE machine sporting Internet Explorer 5 and expired security software -- following the pop-up incident. ["Contaminating the e-Crime Scene" might be an interesting paper... Bob] Moreover, the investigators only gave the defense a copy of the files on the hard drive, not a bit-for-bit copy of the disk, said Joe Stewart, senior researcher for security firm SecureWorks and a member of the Julie Group's forensic analysis team.

"We had to go with what the prosecution gave to the defense," Stewart said. "You couldn't tell after the fact what had happened. You could tell that things were changed, but you couldn't tell how they were changed."

The security researcher hacked together a Web server that could use the browser cache and temporary files to recreate the last Web pages that appeared on the computer. The researchers used that and other digital forensics techniques to piece together some of what happened and refute the prosecution's interpretation of events.
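Stewart's point, that a copy of the files is not a copy of the disk, can be shown with a toy model. The Python below is an added example for this page, not code from SecurityFocus, SecureWorks or the Julie Group: the ToyDisk class, its 64-byte sectors, the file names and the example.invalid URL are all constructed for illustration. A logical copy captures only files the file system still lists; a bit-for-bit image also captures unallocated space, so a deleted record can still be carved from it, and the image's SHA-256 shows whether the evidence was altered afterwards.

```python
import hashlib
from dataclasses import dataclass, field

SECTOR = 64  # toy sector size, constructed for this example (not real disk geometry)


@dataclass
class ToyDisk:
    """Constructed toy block device: flat storage plus a minimal allocation table.
    Deleting a file only drops its table entry; the bytes stay in unallocated
    space until reused, which is what carving a bit-for-bit image relies on."""
    sectors: int
    data: bytearray = field(init=False)
    table: dict = field(default_factory=dict)   # name -> (first_sector, byte_length)
    free: list = field(default_factory=list)    # freed extents as (first_sector, count)
    next_free: int = 0

    def __post_init__(self):
        self.data = bytearray(self.sectors * SECTOR)

    def _alloc(self, need):
        # Reuse a freed extent first, exactly the way a real file system would
        # overwrite the remains of a deleted file.
        for i, (start, count) in enumerate(self.free):
            if count >= need:
                self.free[i] = (start + need, count - need)
                return start
        if self.next_free + need > self.sectors:
            raise OSError("toy disk full")
        start = self.next_free
        self.next_free += need
        return start

    def write_file(self, name, payload: bytes):
        need = -(-len(payload) // SECTOR)          # sectors needed, rounded up
        start = self._alloc(need)
        off = start * SECTOR
        self.data[off:off + len(payload)] = payload
        self.table[name] = (start, len(payload))

    def delete_file(self, name):
        start, length = self.table.pop(name)
        self.free.append((start, -(-length // SECTOR)))   # content is NOT wiped


def logical_copy(disk):
    """A copy of the files: only what the file system still lists."""
    return {name: bytes(disk.data[s * SECTOR: s * SECTOR + n])
            for name, (s, n) in disk.table.items()}


def forensic_image(disk):
    """A bit-for-bit copy of every sector, allocated or not, plus its SHA-256."""
    img = bytes(disk.data)
    return img, hashlib.sha256(img).hexdigest()


def carve(image, marker):
    """Keyword carving: recover NUL-terminated records around a marker anywhere
    in the image, including unallocated space."""
    hits, i = [], image.find(marker)
    while i != -1:
        end = image.find(b"\x00", i)
        hits.append(image[i:end if end != -1 else len(image)])
        i = image.find(marker, i + 1)
    return hits


def run_scenario():
    disk = ToyDisk(sectors=8)
    disk.write_file("lesson_plan.txt", b"Grade 7 history lesson")
    # Constructed browser-history record; the URL is a placeholder, not a real site.
    disk.write_file("history.dat", b"URL=http://example.invalid/hairstyles\x00")
    disk.delete_file("history.dat")  # deleted, but its bytes remain on the toy disk

    pre_image, pre_hash = forensic_image(disk)   # acquired before anyone touched the machine
    logical = logical_copy(disk)                 # what a file-level copy would contain

    # After-the-fact access: someone "has a look" at the machine, which writes a new
    # file into the freed sectors and overwrites the old record.
    disk.write_file("thumbs.db", b"X" * 40)
    post_image, post_hash = forensic_image(disk)

    return {
        "logical_has_history": "history.dat" in logical,
        "carved_from_pre_image": carve(pre_image, b"URL="),
        "carved_from_post_image": carve(post_image, b"URL="),
        "hash_changed": pre_hash != post_hash,
    }


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(f"{key}: {value!r}")
```

The hash mismatch between the two images is exactly the situation Stewart describes: you can tell that things were changed, but without the earlier image you cannot tell how. The logical copy never contained the deleted record at all, so the only way to recover it is to carve the bit-for-bit image taken before the machine was handled.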

The independent group's analysis of the classroom computer, and vocal criticism from technology professionals across the Internet, convinced the prosecution to request its own digital forensics report from the state's crime laboratory. Following that analysis -- and after delaying Amero's sentencing four times to allow any new evidence to be uncovered -- the judge granted on June 6 a motion by the defense to overturn the verdict and allow a new trial.

... The Amero case would not be the first time that confusion about technology has led to problematic prosecutions. In 2002, a 29-year-old network administrator was convicted under the Computer Fraud and Abuse Act for sending 5,600 e-mail messages to customers of his former employer -- the now-defunct e-mail provider Tornado Development -- warning about a security hole in Tornado's service that left private messages vulnerable to unauthorized access. The prosecutors in the case argued, and the judge agreed, that McDanel was guilty of unauthorized access and abused Tornado's e-mail servers to send the messages. The prosecutors have since admitted their mistake and the case was overturned on appeal, but not before McDanel served 16 months in prison.

While such cases appear to account for a small number of prosecutions, the increased sophistication employed by bot masters and fraudsters in compromising victims' computers could mean that more muddled cases might be ahead.

"Thinking about the implications -- that any teacher could get infected after going online, have porn show up on their computer and go to jail for 40 years -- that's bad," said SecureWorks' Stewart.



I haven't seen details of the presentations yet, but I'll check back...

http://blogs.zdnet.com/Howell/?p=132

Global legal challenges: General Counsel Forum, Stanford’s E-Commerce Best Practices conference

Posted by Denise Howell @ 5:34 pm June 18th, 2007

... The session focused on legal issues related to doing business globally. My notes follow.


Unrelated?

http://www.bespacific.com/mt/archives/015196.html

June 19, 2007

May 2007 Global Legal Monitor Now Online

Law Library of Congress Global Legal Monitor, May 2007, Issue 5 (58 pages, PDF)



Should we abandon “need to know?” Very “Internet”

http://www.bespacific.com/mt/archives/015192.html

June 19, 2007

DNI McConnell's Foreign Affairs Article

DNI McConnell's Foreign Affairs Article, "Overhauling Intelligence" (10 pages, PDF): "Before World War II, the United States' defense, intelligence, and foreign policy apparatus were fragmented, as befitted a country with a limited role on the world stage. With U.S. entry into the war, interagency collaboration developed out of crisis-driven necessity. Wartime arrangements, although successful, were ad hoc. And after the war, President Harry Truman and Congress realized that the United States could not meet its new responsibilities without a national security structure that rationalized decision-making and integrated the intelligence and military establishments."



I just love these lists. Always something new to check out...

http://www.webware.com/8301-1_109-9728770-2.html

Webware 100 winners announced!

By Rafe Needleman – June 18, 2007, 3:00 PM PDT



Dilbert's advice to drivers of gas guzzlers...

http://www.unitedmedia.com/comics/dilbert/archive/images/dilbert2004073470620.gif
