Saturday, July 14, 2007

There seems to be some confusion on the total count. The last story I posted claimed about 860,000 total, or perhaps I didn't read it carefully enough.

http://www.ohio.com/mld/beaconjournal/17485407.htm

Ohio data theft deepens

Stolen device has information on 1.1 million people and businesses

By Dennis J. Willard Beacon Journal Columbus Bureau

... Strickland moved quickly to mail notices to taxpayers, former state employees dating back to 1999, vendors who had conducted business with the state and others as the seemingly minor crime continues to broaden and possibly threaten the financial security of an estimated 859,852 individuals and 258,529 businesses, vendors, school districts and others for a total of 1,118,381.

... “While the state continues to believe it is highly unlikely that the information contained in the stolen device has been accessed, individuals affected by this latest announcement will be offered service by Debix,'' Strickland said, referring to the firm hired to provide identity theft protection to anyone affected for up to a year.

About 58,400 people have signed up for Debix. The newly found names will cost the state an estimated $890,000 more.

Although Strickland continues to stress that the information would be difficult to decode without a high degree of technological finesse, a top official in the Ohio Department of Administrative Services (DAS) admitted that an outside vendor, Interhack Corp. of Columbus, hired to assist the state, has been able to access information contained within a similar database encrypted by the same software.

... State Rep. Kevin DeWine, R-Fairborn, who co-chairs the Ohio Republican Party, said each week brings surprises and more bad news about how badly the data theft has been managed.

... State Sen. Kevin Coughlin, R-Cuyahoga Falls, said the cost to taxpayers is $2.2 million and growing.

... A subgroup of 14,874 individuals has had some business dealings with the state, but state officials have yet to determine the exact source of the data. [That can't be true, can it? “We do business with these folks, but don't know what business we do?” Bob]

... State officials acknowledged three people whose information is on the tape have reported incidents of identity theft, but the patrol believes there is no connection between the crimes and the data.



...and another trickle of information.

http://techdirt.com/articles/20070712/204012.shtml

More People Busted With Credit-Card Numbers From TJX Breach

from the cha-ching dept

The Secret Service has busted four people in Florida, and recovered 200,000 credit cards from the TJX breach that was disclosed earlier this year. Recovering the credit-card numbers at this point does little more than link the fraudsters to the breach, but they're said to have been used to rack up more than $75 million in fraudulent charges. The people busted here didn't apparently participate in the theft of the credit-card data, but bought them from "known cybercriminals in Eastern Europe" and then used the numbers to make counterfeit cards. In any case, they're way more productive than another group of Florida scammers busted back in March, who only managed to rack up $8 million worth of goods at Sam's and Wal-Mart. Since banks get left holding the bag for this type of fraud, expect more lawsuits as they look to recover their losses from TJX's astounding level of incompetence. [Perhaps we could get them to adopt this as a new corporate motto? Bob]



He wasn't actually a disgruntled employee, but he expected to be in the near future. Looks like they would never have noticed this if the employee hadn't bragged to his peers...

http://www.pogowasright.org/article.php?story=20070713141038901

MSD worker fired in security breach

Friday, July 13 2007 @ 02:10 PM CDT Contributed by: PrivacyNews News Section: Breaches

The Metropolitan St. Louis Sewer District has fired an employee after executives learned the employee had downloaded Social Security numbers of about 1,600 current or former district employees to a home computer. The Social Security numbers were part of a computer file the district uses to make sure workers get the proper pay.

The employee had worked more than 10 years in the finance department. Lance LeComb, a district spokesman, said the employee had insinuated to fellow workers that the file could be used to retaliate against the district if that person was disciplined for poor performance. [“But fortunately we detected this and ‘pre-taliated’ before he could re-taliate.” Bob]

Source - STLtoday.com



At least some interesting quotes...

http://www.informationweek.com/security/showArticle.jhtml?articleID=201001203

IT Security: The Data Theft Time Bomb

While viruses and worms remain the most pesky security problems, data theft concerns simmer beneath the surface, according to InformationWeek's 10th annual Global Information Security survey.

By Larry Greenemeier, InformationWeek July 14, 2007

... InformationWeek Research's 10th annual Global Information Security survey, conducted with consulting firm Accenture, shows that two-thirds of 1,101 survey respondents in the United States and 89% of 1,991 respondents in China are feeling just as vulnerable to security attacks as last year, or more so.

Contributing to this unease is the perception that security technology has grown overly complex, to the point where it's contributing to the problem. The No. 1 security challenge identified by almost half of U.S. respondents is "managing the complexity of security." So-called "defense-in-depth" is just another way of saying "you've got a bunch of technologies that overlap and that don't handle security in a straightforward manner," says Alastair MacWillson, global managing director of Accenture's security practice. "It's like putting 20 locks on your door because you're not comfortable that any of them works."

Yet a case can be made that respondents aren't worried enough, particularly about lost and stolen company and customer data. Only one-third of U.S. survey respondents and less than half of those in China cite "preventing breaches" as their biggest security challenge. Only one-quarter of U.S. respondents rank either unauthorized employee access to files and data or theft of customer data by outsiders in their top three security priorities, and even fewer put the loss or theft of mobile devices containing corporate data or the theft of intellectual property in that category.

... Instead, as with last year, the top three security priorities are viruses or worms (65% of U.S. respondents, 75% in China), spyware and malware (56% and 61%), and spam (40% in both countries).

... For example, the No. 1 reason for feeling more vulnerable to attack this year, according to 70% of U.S. respondents, is the increased sophistication of threats, including SQL injections.

... The next three reasons for feeling vulnerable: more ways for corporate networks to be attacked (including wireless access points); increased volume of attacks; and more malicious intent on the part of attackers (i.e., theft, data destruction, and extortion).

... Similarly, viruses, worms, and phishing are the top three types of security breaches reported by U.S. respondents. Seventh on the list: identity theft. But that doesn't mean that identity theft isn't a greater threat. Identity theft and fraud are worst-case scenarios for a company whose data has been compromised, but not having experienced them could be as much about luck as it is security.

... Perhaps the most surprising stat of the entire survey is that nearly a quarter of U.S. respondents don't measure the value of their security investments at all.

... Such intrusions, however, aren't the only concerns. Of the 804 U.S. respondents admitting to having experienced breaches or espionage in the past 12 months, 18% attribute the problem to unauthorized employees, and 16% suspect authorized users and employees.

... Some companies prefer the Big Brother approach. Of the U.S. respondents who say their companies monitor employee activities, 51% monitor e-mail use, 40% monitor Web use, and 35% monitor phone use, roughly consistent with last year's findings. However, other sources of data leakage are given less attention: Only 29% monitor instant messaging use, 22% the opening of e-mail attachments, and 20% the contents of outbound e-mail messages. And only a handful keep a close eye on the use of portable storage devices.

... A significant number of respondents want to put the responsibility for porous security on the companies selling them security technology. Forty-five percent of U.S. companies and 47% of companies in China think security vendors should be held legally and financially liable for security vulnerabilities in their products and services.

Some of the unease about corporate IT security may stem from the fact that most companies don't have a centralized security executive assessing risks and threats and then calling the shots to address these concerns. [see next... Bob]

... The number of chief information security officers has grown significantly in the last year. Roughly three-quarters of survey respondents say their companies have CISOs, [Yet they apparently are not responsible for security! See below. Bob] compared with 39% in 2006. CISOs predominantly report to the CEO or the CIO.

When it comes to the ultimate sign-off, however, half of U.S. companies say that the CEO determines security spending. In the United States, the greatest percentage of respondents, 37%, say their companies assess risks and threats without the input of a CISO, while an astounding 22% say they don't regularly assess security risks and threats at all.

... If it all sounds overwhelming, don't panic. While information security has gotten more complex--as attackers alter both their methods and their targets, and companies layer more and more security products on top of each other--the good news is that the measures required to plug most security holes often come down to common sense, an increasingly important quality to look for in any employee or manager handling sensitive data.


Related

http://it.slashdot.org/article.pl?sid=07/07/13/2018236&from=rss

How to Backup Your Smart Phone

Posted by Zonk on Friday July 13, @04:52PM from the smartness-of-user-not-guaranteed dept.

Lucas123 writes "According to a Computerworld story there will be 8 million cell phones/smart phones lost this year. The site describes how to easily back up data on handhelds. The piece also addresses the future of these technologies: 'In Dulaney's opinion, traditional USB syncing "will die." Gartner is telling its corporate customers they should hasten this process by not permitting their employees to sync to their PCs. He explains this by saying that individual end users can create distributed computing and security problems because they are poor data administrators. Moreover, he adds, PCs are not necessarily more reliable than cell phones. Drake gives a qualified endorsement of wireless e-mail as the master application for backing up and syncing data, saying the technology is fine for dedicated e-mail environments but insufficient for corporate environments that require a vast array of wireless applications.'"



This could never happen here... Oh, wait.

http://www.pogowasright.org/article.php?story=20070713133914849

U.S. is building database on Iraqis

Friday, July 13 2007 @ 01:39 PM CDT Contributed by: PrivacyNews News Section: Fed. Govt.

The U.S. military is taking fingerprints and eye scans from thousands of Iraqi men and building an unprecedented database that helps track suspected militants.

U.S. troops are stopping Iraqis at checkpoints, workplaces and sites where attacks have recently occurred, and inputting their personal data using handheld scanners or specially equipped laptops. In several neighborhoods in and around Baghdad, troops have gone door to door collecting data.

The rapidly expanding program has raised privacy concerns at the Pentagon, although it has met little resistance from Iraqis. U.S. commanders say the data help to keep suspected militants out of neighborhoods and to identify suspects in attacks against U.S. troops and Iraqi civilians. Iraq has no other reliable ID system.

Source - USA Today



Law as a business strategy (or compensation for not having a strategy that works)

http://techdirt.com/articles/20070713/090110.shtml

Another Telco Says Muni WiFi Is OK Only If It's Providing It

from the le-hypocrisy dept

Telcos' resistance to municipal WiFi broadband projects is pretty well documented, but it's been interesting to see how their position changes once they realize they can make some money from running the muni networks. Over in France, the country's incumbent operator, France Telecom, has filed a legal challenge to Paris' plan to roll out free hotspots (via MuniWireless), saying they will illegally compete with its network of 2,250 paid hotspots in the city. This argument has been made before in Europe, like in Barcelona, where the city was forced to shut down its hotspots after a similar complaint -- even though they blocked access to everything except 60 sites with city information and services. What makes France Telecom's suit even more ridiculous is that its mobile phone unit, Orange, bid on the tender to provide the service for the city. Now, after it's lost out, the company cries foul. [How can you lose the bid in a market where you are the monopoly and already have the infrastructure in place? Bob]



The young think differently (or not at all?)

http://politics.slashdot.org/article.pl?sid=07/07/14/0137239&from=rss

Japan Bans Use of Web Sites in Elections

Posted by Zonk on Friday July 13, @09:49PM from the defeats-the-point-a-bit dept.

couch_warrior writes with a BBC article about Japan's choice to restrain political speech in the 21st century. The nation of Japan bans the use of internet sites to solicit voters in its upper house elections. Based on election laws drawn up in the 50s, candidates are restricted in the ways they can reach their constituents. Candidates are even restrained from distributing leaflets that will reach more than 3% of the voters. What's more, people who are trying to change the laws are failing. Despite heavy internet usage and a strong installed base of high-speed connectivity, young people just don't feel involved in politics. "In Japan, 95% of people in their 20s surf the web, but only a third of them bother to vote. Some, though, do not seem keen on politicians using the web to try to win their support. 'I believe that internet resources are not very official,' says Kentaro Shimano, a student at Temple University in Tokyo. 'YouTube is more casual; you watch music videos or funny videos on it, but if the government or any politicians are on the web it doesn't feel right.' Haruka Konishi agrees. 'Japanese politics is something really serious,' she says. 'Young people shouldn't be involved, I guess because they're not serious enough or they don't have the education.' There cannot be many places in the world where students feel their views should not count. Perhaps it is really a reflection of the reality — that they do not."

[From the article:

... it is now illegal for candidates to create new websites or update existing web pages between now and election day, 29 July.]



Another symptom of youth? (When Alzheimer's hits this generation, they'll forget where they left their iPods...)

http://hardware.slashdot.org/article.pl?sid=07/07/14/0651241&from=rss

Gadgets Have Taken Over For Our Brains

Posted by Zonk on Saturday July 14, @04:38AM from the let's-get-started-with-the-implants dept.

skotte writes "According to a Trinity College survey released Friday, the boom in mobiles and portable devices that store reams of personal information has created a generation incapable of memorizing simple things. In effect, the study argues, these devices have replaced our long-term memory capabilities. 'As many as a third of those surveyed under the age of 30 were unable to recall their home telephone number without resorting to their mobile phones or to notes. When it came to remembering important dates such as the birthdays of close family relatives, 87 per cent of those over the age of 50 could remember the details, compared with 40 per cent of those under the age of 30.'"



Alice laughed: "There's no use trying," she said; "one can't believe impossible things."

"I daresay you haven't had much practice," said the Queen. "When I was younger, I always did it for half an hour a day. Why, sometimes I've believed as many as six impossible things before breakfast."

http://www.treehugger.com/files/2007/07/vandals_vs_veri.php

Verizon Gets Out of The Copper Business

by Mark Ontkush, Boston, Massachusetts, USA on 07.12.07


Copper hit $3.66 a pound today on the COMEX exchange - that's a lot. Copper is heavier than iron, and the weight really adds up quickly. For example, it only takes 146 pre-1982 pennies to make a pound. Yes, that means you can make $2.20/lb. by melting down your pennies. Except, of course, it is explicitly illegal to do so. At current rates, a cubic inch of copper is worth a little over a dollar; a cubic foot is (get this) worth over $2000.

It's not just copper; aluminum, zinc, bronze and stainless steel are all commanding high prices these days. These may seem like novel facts until one more novel fact is added; that is, a lot of public infrastructure is made out of these metals. Enterprising folks are literally ripping off anything that isn't nailed down - bleachers for example. Beer kegs aren't being returned, and some police departments can't get ammunition. Fortune, for all its glory, printed a veritable how-to guide on how to pick and choose the Choice items in publo-sphere. And some big companies, like Verizon, are taking big hits.

Verizon, the telecom provider, is bleeding from every pore; vandals stole over $300,000 in copper from their cell phone towers last year, and that was just in California! In addition, their copper cable network is collapsing, because subscribers are abandoning it in favor of their faster FIOS (fiber optic) network. Maybe that's why Verizon made the decision to kill off their copper infrastructure.



Report from the license war...

http://linux.slashdot.org/article.pl?sid=07/07/13/2123235&from=rss

Linux Creator Calls GPLv3 Authors 'Hypocrites'

Posted by Zonk on Friday July 13, @06:34PM from the family-fued dept.

AlexGr writes "We've heard conflicting tales regarding Linus Torvalds' acceptance of GPLv3. InformationWeek reports on comments by Mr. Torvalds that would seem to decide the issue: 'Torvalds said the authors of a new software license expected to be used by thousands of open source programmers are a bunch of hypocrites ... For Torvalds' part, it appears unlikely he'll ever adopt GPLv3 for the Linux kernel. He accused the Free Software Foundation leadership, which includes eccentric, MIT-trained computing whiz Richard Stallman, of injecting their personal morality into the laws governing open source software with the release of GPLv3. "Only religious fanatics and totalitarian states equate morality with legality," Torvalds wrote.'"



e-Discovery: I'm sure Microsoft planned to do this... (But be careful of “subversive” bots that someone will certainly write to diddle the data and befuddle the lawyers.)

http://it.slashdot.org/article.pl?sid=07/07/14/071237&from=rss

Vista Makes Forensic PC Exam Easier for Lawyers

Posted by Zonk on Saturday July 14, @07:07AM from the can-i-introduce-you-to-some-nice-encryption dept.

Katharine writes "Jason Krause, a legal affairs writer for the American Bar Association's 'ABA Journal' reports in the July issue that Windows Vista will be a boon for those looking for forensic evidence of wrongdoing on defendants' PC's and a nightmare for defendants who hoped their past computer activities would not be revealed. Krause quotes attorney R. Lee Barrett, 'From a [legal] defense perspective, [Vista] scares me to death. One of the things I have a hard time educating my clients on is the volume of data that's now discoverable.' This is primarily attributable to Shadow Copy, TxF and Instant Search."



Another forensic tool. The dot pattern the printers use has been decoded. (It's Braille?)

http://blog.wired.com/27bstroke6/2007/07/mit-group-start.html

MIT Group Starts Campaign to Stop Printer Companies From Spying On You

By Ryan Singel, July 13, 2007 | 12:02:56 PM

Manufacturers of color laser printers quietly cooperated with the Secret Service to print nearly invisible tracking codes on every color page printed through laser printers individuals buy, ostensibly as a way to track down forgeries.

The Computing Counter Culture Group at MIT Media Labs now wants laser printer owners to start asking hard questions of the manufacturers. And they say that one person who contacted his printer manufacturer got a visit a few days later from Secret Service agents who wanted to know why that person hated freedom.

All the info is on their site, Seeing Yellow.



Interesting question... Next thing you know, they'll try to make us into a democracy! (You know, this would be so easy to do it could be a student project...)

http://www.technewsworld.com/rsstory/58298.html

Open Legislation, Part 1: What If Everybody Got to Write Laws?

By Katherine Noyes, LinuxInsider, 07/13/07 4:00 AM PT

Wikis and other online tools make possible a level of collaboration that couldn't have been imagined a few decades ago, noted Peter Leyden, director of the New Politics Institute. "Wikis are still a new technology that many people don't fully understand, but they're just useful tools to help collaboration, which ultimately is what much legislation comes down to," Leyden said.



Some areas were dropped because Congress changed the definition – not because DHS is keeping secrets!

http://www.bespacific.com/mt/archives/015443.html

July 13, 2007

DHS Privacy Office 2007 Data Mining Report to Congress

2007 Data Mining Report (PDF, 42 pages) - DHS Privacy Office Response to House Report 109-699, July 6, 2007: "This is the second report by the Privacy Office to Congress on data mining. This report describes data mining activities deployed or under development within the Department that meet the definition of data mining as mandated in House Report No. 109-699 - Making Appropriations for the Department of Homeland Security for the Fiscal Year Ending September 30, 2007, and for Other Purposes."



This is sure to spread... (Of course it also raises the barrier to entry...)

http://www.dmeurope.com/default.asp?ArticleID=6655

ISP sues Dutch government for wiretapping costs

11/03/2005 by Joe Figueiredo

XS4ALL, the internet service provider and subsidiary of Dutch telecom concern KPN, is suing the Dutch government for the cost of enabling its network to handle wiretaps.

The handling of wiretaps is required by the Dutch Telecommunication Act of 1998, which was further expanded in 2004 to include European Union requirements.

XS4ALL says it has invested some €500,000 - a significant slice of its profits - since the end of 2001 in order to comply with the wiretapping requirements of the law, something the service provider finds unreasonable as such investments do not profit the company and are not reimbursable (as they are made in the public interest).

... Currently, the EU is proposing legislation that would oblige telecom providers to save all traffic data on internet and telephony usage for a period of one to three years. This data retention requirement could financially affect Dutch ISPs and telecom operators still further.
