Tuesday, September 25, 2007

Since TJX announced on Friday, the comments are just starting to appear. (No damages, no foul!)

http://www.pogowasright.org/article.php?story=20070924125609442

What Was Behind the TJX Settlement? (opinion)

Monday, September 24 2007 @ 12:56 PM EDT Contributed by: PrivacyNews News Section: Breaches

When TJX announced Sept. 21 that it had worked out a settlement for all of the consumer lawsuits that had been filed against it, it provided an anticlimactic ending to much of this data breach saga.

But in many ways, this resolution—with a settlement offer that will cause TJX very little material pain—was inevitable. Despite the background of the most massive data breach in retail history, where credit card data of some 46 million consumers fell into unauthorized hands, TJX had virtually nothing to fear from the U.S. judicial system.

The area of data breaches with the goal of identity theft is a relatively unexplored one for both federal legislation and U.S. courts, with little legal precedent to help. With no help there, attorneys representing the consumers whose data was stolen had very little to work with.

Source - eWeek


http://www.digitaltransactions.net/newsstory.cfm?newsid=1525

TJX Settlement Leaves the Bigger Card-Security Issues Unsettled

(September 24, 2007) Off-price retailer TJX Cos. Inc. late Friday announced it had settled the consumer class-action lawsuits it faced in the wake of a security breach that compromised nearly 46 million payment card records in its computers, but big-picture issues facing card networks, processors, and merchants about the best ways to enhance card security and who should be responsible for it are far from settled.

The tentative settlement, which includes Fifth Third Bancorp, TJX’s U.S. merchant acquirer, includes free credit-report monitoring and identity-theft insurance for some customers, $30 vouchers for others, and a three-day “customer-appreciation” event featuring 15% price cuts at an unspecified future date. Those provisions drew fire from two analysts contacted by Digital Transactions News. “They’re getting off pretty easy,” says Larry Ponemon, chairman of the Ponemon Institute LLC, an Elk Rapids, Mich.-based privacy and security think tank. “It seems ludicrous to me. The cost of someone’s privacy can be reduced to a voucher for $30?”

Avivah Litan, a vice president at Stamford, Conn.-based research firm Gartner Inc. who has followed the breach since it was announced in early January, calls credit-report monitoring a “knee-jerk reaction” other companies have taken in the wake of computer breaches. It does nothing to solve the source of the problem or prevent some types of potential fraud, she argues. “Basically the winner in this case is the credit bureaus,” says Litan, who has long advocated that the card networks’ Payment Card Industry (PCI) standards place too much of the security burden and expense on merchants. Financial institutions should consider wider use of one-time PINs and other technologies to enhance security, she says.

... TJX denied the lawsuits’ claims, but said defending itself would be time-consuming and expensive. The company didn’t disclose the settlement’s cost, but said estimated expenses were reflected in a $107 million after-tax reserve for potential losses recorded in its fiscal 2008 second quarter and previously reported, estimated non-cash, after-tax charges of $21 million to be taken in fiscal 2009. In all, TJX had spent $215.9 million in the 26 weeks ended July 28 on the breach, according to its latest quarterly report, and its expected future charges mean total costs will exceed $236 million. Gartner’s Litan estimates TJX has spent about $125 million before taxes on enhanced computer security.

Curiously, even though a TJX filing with the Securities and Exchange Commission says Fifth Third also entered into the settlement agreement, the bank is not making a financial contribution to any settlement fund.

... The settlement, which is subject to court approval and other conditions, affects class-action lawsuits in the U.S., Canada, and Puerto Rico that had been filed on behalf of consumers and consolidated in U.S. District Court in Boston. It doesn’t cover lawsuits filed by others such as financial institutions that reissued cards.

... The settlement is contingent on completion of an evaluation by the plaintiffs’ independent security expert of TJX’s computer-security enhancements, and that expert’s acceptance of the enhancements. [First mention of 'acceptance' I've seen. Bob]

... In an August survey of TJX customers, Gartner estimated that 2.4% of TJX customers actually had account information stolen, resulting in estimated losses—including reissuance costs by their banks or credit unions—of $23.5 million.


Some details?

http://www.pogowasright.org/article.php?story=20070924124857276

Ca: Privacy Commissioners to release report on Winners/HomeSense breach

Monday, September 24 2007 @ 12:48 PM EDT Contributed by: PrivacyNews News Section: Breaches

The results of a joint investigation into a major privacy breach affecting the personal information of millions of shoppers, including Canadians who shopped at Winners and HomeSense stores, will be released tomorrow.

Jennifer Stoddart, the Privacy Commissioner of Canada, and Frank Work, the Information and Privacy Commissioner of Alberta, will summarize their findings into how intruders breached the computer system at TJX Companies Inc., the US-based owner of Winners and HomeSense stores, at a news conference in Montreal.

Source - PRNewswire

[Want to listen in? Bob]

Press conference details are as follows:
WHEN: 10:30 a.m., Tuesday, September 25th, 2007.
WHERE: Sheraton Montreal; 1201 Boulevard Rene-Levesque West. Frechette Room, Level A.
PHONE-IN: Out-of-town media can join by teleconference; journalists can call in to 1-888-265-0903 or 1-613-954-9003 and quote Conference ID # 17628241.
The press conference is being held on the opening day of the 29th International Conference of Data Protection and Privacy Commissioners, which runs through September 28th. Information about the conference, a gathering of the world's top privacy experts, is available at http://www.privacyconference2007.gc.ca.



This one is easy to fix. Delete all employees! Or at least the managers who say, “We don't know/care/bother looking at what our employees are doing.”

http://www.pogowasright.org/article.php?story=20070924124606912

(update) Loans.co.uk finds source of data leak

Monday, September 24 2007 @ 12:46 PM EDT Contributed by: PrivacyNews News Section: Breaches

Loans.co.uk has identified the source of a database breach which led to the personal details of customers being passed on to rival companies.

The company said this week that an audit of its IT systems had shown an employee had accessed the company database without authorisation.

"Loans.co.uk has controls and systems in place to protect individuals' information, and this is evidenced by the fact that these systems detected unauthorised activity on the database," said a spokeswoman.

... A spokesman for the [Information Commissioner's Office] said it would help Loans.co.uk to ensure that this does not happen again. He added that individuals within companies can be prosecuted for breaching the Data Protection Act.

Source - ComputerWeekly.com


Related.

http://www.pogowasright.org/article.php?story=20070924133033411

Prying eyes: Protecting patient records

Monday, September 24 2007 @ 01:30 PM EDT Contributed by: PrivacyNews News Section: Medical Privacy

Electronic access to patient data has made it easier to look up information -- sometimes too easy.

You've probably heard stories about employees or others tapping patient information systems for identity theft. But the more frequent problem is snooping -- curious staff or others with system access who look at information they're not authorized to see.

It sounds innocent, but HIPAA and an increasing number of state laws that cover disclosure of information breaches don't make distinctions based on intent. An information breach is an information breach, which means physician practices not only have to find ways to keep gawkers away but also must be ready to carry out consequences -- or face them -- if a breach occurs.

Source - American Medical News (sub. req. for full access)
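Both the Loans.co.uk item above (an audit showed an employee reading the customer database without authorisation) and this one (staff snooping in patient records, where intent makes no difference under HIPAA) come down to the same control: review of access logs against who actually had a reason to look. The following is an added example, not code from either article or from any vendor; it assumes a hypothetical pipe-delimited log format, a hypothetical care-team roster, and a `BREAK_GLASS:` reason tag, all constructed inline.

```python
"""
Access-log audit for record snooping (added example; the log format, roster
and reason tag are assumptions, and every sample value is constructed).
"""
from collections import defaultdict
from dataclasses import dataclass

# Constructed roster: users with a documented care relationship per patient.
CARE_TEAM = {
    "P1001": {"dr.ng", "rn.patel"},
    "P1002": {"dr.ng", "rn.ortiz"},
    "P1003": {"dr.kim", "rn.patel"},
    "P1004": {"dr.kim", "rn.ortiz"},
}

# Constructed sample log: timestamp|user|patient|action|reason
SAMPLE_LOG = """\
2007-09-24T09:01:12|dr.ng|P1001|VIEW_CHART|
2007-09-24T09:03:40|rn.patel|P1001|VIEW_MEDS|
2007-09-24T09:10:05|rn.ortiz|P1003|VIEW_CHART|
2007-09-24T09:11:30|rn.ortiz|P1001|VIEW_CHART|
2007-09-24T09:12:02|rn.ortiz|P1002|VIEW_CHART|
2007-09-24T12:45:00|dr.kim|P1002|VIEW_CHART|BREAK_GLASS:ER consult
2007-09-24T13:20:19|clerk.ray|P1004|VIEW_DEMOGRAPHICS|
"""


@dataclass(frozen=True)
class Finding:
    timestamp: str
    user: str
    patient: str
    action: str
    rule: str


def parse_log(text):
    """Split the hypothetical log format into (ts, user, patient, action, reason) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, patient, action, reason = line.split("|", 4)
        events.append((ts, user, patient, action, reason))
    return events


def audit(text, care_team, max_unrelated_patients=1):
    """Two checks, both indifferent to the reader's intent:
    1. every access by a user outside the patient's care team is reported
       (flagged for review if a break-the-glass reason was recorded, flagged
       as 'no_care_relationship' otherwise);
    2. a user who touches more than max_unrelated_patients such patients is
       additionally reported as 'volume_snooping', the gawker pattern.
    Role-based allowances (e.g. clerks and demographics) are deliberately not
    modelled here; a real system layers them on top of the relationship check."""
    findings = []
    unrelated_by_user = defaultdict(set)
    for ts, user, patient, action, reason in parse_log(text):
        if user in care_team.get(patient, set()):
            continue  # documented care relationship: nothing to report
        if reason.startswith("BREAK_GLASS:"):
            findings.append(Finding(ts, user, patient, action, "break_glass_review"))
            continue
        findings.append(Finding(ts, user, patient, action, "no_care_relationship"))
        unrelated_by_user[user].add(patient)
    for user, patients in sorted(unrelated_by_user.items()):
        if len(patients) > max_unrelated_patients:
            findings.append(Finding("-", user, ",".join(sorted(patients)), "-", "volume_snooping"))
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_LOG, CARE_TEAM):
        print(f"{f.rule:22} {f.timestamp:20} {f.user:10} {f.patient:12} {f.action}")
```

On the constructed log this reports rn.ortiz twice for patients outside her care team and once more for volume, dr.kim once for a break-the-glass access that a supervisor should confirm, and clerk.ray once; dr.ng and rn.patel, who only opened their own patients' records, do not appear. The same shape of review, with a roster of who is assigned to which customer accounts, is what "these systems detected unauthorised activity on the database" amounts to in the Loans.co.uk case.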



More...

http://www.pogowasright.org/article.php?story=20070923205548368

Data “Dysprotection:” breaches reported last week

Monday, September 24 2007 @ 07:59 AM EDT Contributed by: PrivacyNews News Section: Breaches

A recap of incidents or privacy breaches reported last week for those who enjoy shaking their head and muttering to themselves with their morning coffee.

Source - Chronicles of Dissent



How does one enforce this rule?

http://www.pogowasright.org/article.php?story=20070924172306905

Official: DRS worker could use laptop out of state, but not data

Monday, September 24 2007 @ 05:23 PM EDT Contributed by: PrivacyNews News Section: Breaches

Officials say a state employee whose stolen laptop contained the names and Social Security numbers of more than 100,000 Connecticut taxpayers had permission to take the computer out-of-state, but not the data.

The laptop was stolen from the worker's car last month in Long Island, New York.

Source - Boston Globe

Related - Stolen state laptop has income information


Also related.

http://www.pogowasright.org/article.php?story=20070925072046737

(update) Former Pfizer Worker Could Face Charges

Tuesday, September 25 2007 @ 07:20 AM EDT Contributed by: PrivacyNews News Section: Breaches

Pfizer Inc. has contacted federal authorities in hopes they will prosecute a former employee responsible for a data breach that affected 34,000 people, according to information released Monday by the Connecticut attorney general's office.

Pfizer attorney Bernard Nash, in a five-page response to questions posed earlier this month by state Attorney General Richard Blumenthal, said the company last month contacted “a management-level federal prosecutor” and now hopes the former employee will be prosecuted “to the fullest extent of the law.”

Nash, in his letter dated Sept. 21, said Pfizer learned of the data breach after the suspect had left the New York-based pharmaceutical company. The suspect's new employer sent Pfizer a DVD containing the missing data that had been discovered on his new computer.

Source - The Day



Probably not a “feature”

http://it.slashdot.org/article.pl?sid=07/09/24/2339203&from=rss

Excel 2007 Multiplication Bug

Posted by kdawson on Monday September 24, @10:37PM from the be-fruitful-and-all-that dept.

tibbar66 writes with news of a serious multiplication bug in Excel 2007, which has been reported to the company. The first example that came to light is =850*77.1 — which gives a result of 100,000 instead of the correct 65,535. It seems that any formula that should evaluate to 65,535 will act strangely. One poster in the forum noted these behaviors:

"Suppose the formula is in A1. =A1+1 returns 100,001, which appears to show the formula is in fact 100,000... =A1*2 returns 131,070, as if A1 had 65,535 (which it should have been). =A1*1 keeps it at 100,000. =A1-1 returns 65,534. =A1/1 is still 100,000. =A1/2 returns 32767.5."
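The poster's own observation that =A1*2 returns 131,070 "as if A1 had 65,535" is the useful clue: the stored value is fine and only what is shown is wrong. The added illustration below (mine, not Excel's code and not from the Slashdot post) works the same formulas in plain IEEE-754 double arithmetic to show what any spreadsheet engine actually holds for =850*77.1: 77.1 is not representable exactly, so the product lands one unit in the last place (ulp) below 65,535, and a correct display routine has to round that gap away. `math.ulp` is a Python 3.9+ call.

```python
"""
What =850*77.1 looks like in IEEE-754 doubles (added example, not Excel's
internals). Shows that the arithmetic is right and that the result is one
ulp short of 65535, the value a display routine must round to.
"""
from fractions import Fraction
import math  # math.ulp requires Python 3.9 or later


def product_report(a, b, expected):
    """Compare a*b in double arithmetic with the mathematically expected value."""
    product = a * b
    exact = Fraction(product)            # exact rational value of the double
    gap = Fraction(expected) - exact     # how far below `expected` it landed
    return {
        "repr": repr(product),           # shortest round-trip decimal form
        "equals_expected": product == expected,
        "ulps_below_expected": gap / Fraction(math.ulp(float(expected))),
        # what a 10-significant-digit display should show once rounded
        "display_10_sig": format(product, ".10g"),
    }


def follow_on_formulas(a1):
    """The =A1... formulas quoted in the post, evaluated in double arithmetic
    and rendered as a 10-significant-digit display would show them."""
    results = {
        "A1+1": a1 + 1,
        "A1*2": a1 * 2,
        "A1*1": a1 * 1,
        "A1-1": a1 - 1,
        "A1/1": a1 / 1,
        "A1/2": a1 / 2,
    }
    return {name: format(value, ".10g") for name, value in results.items()}


if __name__ == "__main__":
    report = product_report(850, 77.1, 65535)
    for key, value in report.items():
        print(f"{key:22} {value}")
    for name, shown in follow_on_formulas(850 * 77.1).items():
        print(f"{name:6} -> {shown}")
```

The run shows `repr` as `65534.99999999999`, exactly one ulp below 65,535, while the 10-significant-digit rendering is `65535`, and the follow-on formulas render as 65536, 131070, 65535, 65534, 65535 and 32767.5. In other words, every arithmetic result here is the one the poster expected; a 100,000 can only come from the step that turns the binary value into digits, which is consistent with =A1*2 being correct while =A1*1 is not.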



Probably not something marketing will tout.

http://www.technewsworld.com/rsstory/59484.html

Microsoft Lets Vista Users Trade Down to XP

By Erika Morphy TechNewsWorld 09/24/07 2:37 PM PT

Microsoft has buckled under pressure from enterprises and computer manufacturers who aren't ready to put all of their eggs into the Vista basket. The software giant is offering users of the Business and Ultimate versions of the operating system the option to return to XP.



Why would you need a database to track earmarks?

http://www.bespacific.com/mt/archives/016068.html

September 24, 2007

Citizen Group Launches Online Tool to Investigate and Evaluate Earmarks

"Today, Sunlight and Taxpayers for Common Sense launched EarmarkWatch.org, a user-friendly, online investigative tool that lets citizens connect the dots between lawmakers, lobbyists, campaign contributors and earmarks, plus share info and comments on whether earmarks meet pressing needs, pay off political contributors, or are simply pure pork. Currently, the site includes nearly 3,800 earmarks from three bills: the House Defense Appropriations bill and both the House and Senate versions of the Labor, Health and Human Services, and Education Appropriations bill. We will continue to insert more bills for citizen scrutiny, and will continuously publish the results of ongoing investigation."

[The 109th Congress (from 2005-2006) introduced 6,436 bills and passed 316. You do the math. Bob]



This is a far wiser use of the subpoenas than what the RIAA pulls...

http://www.denverpost.com/business/ci_6966387

Video Professor wants the book thrown at anonymous critics

By Al Lewis Denver Post Business Columnist Article Last Updated: 09/23/2007 10:49:01 PM MDT

There's one computer skill that the Video Professor, John Scherer, does not want anybody to learn: how to anonymously post disparaging remarks about his company on the Internet.

Scherer - a national infomercial sensation for two decades - has filed a lawsuit in Denver's federal court against 100 "John and Jane Does" who've trashed his computer tutorial products and sales practices online.

His lawsuit claims some of these writers may be competitors and seeks damages for false advertising and defamation.

"I have a right to find out who those people are," Scherer said Friday, "and I fully intend to exercise my right."

Scherer has been granted a subpoena that asks the owner of two websites - infomercialratings.com and infomercialscams.com - to cough up the identities of people who've posted messages.

... John Soma, a University of Denver law professor and the executive director of the Privacy Foundation, said that if Scherer can prove that his competitors are posing as anonymous consumers and flaming him, he may have a case.

"The First Amendment does not protect you from fraud," he said.



Win some, lose some.

http://www.privacydigest.com/2007/09/24/man+wins+partial+victory+circuit+city+arrest

September 24, 2007 - 11:11am — MacRonin

Man Wins Partial Victory In Circuit City Arrest: "JeremyDuffy writes 'Michael Righi, the man who was arrested at Circuit City for failing to show his receipt/driver's license, has fought a moral battle against the city for almost a month now. The case has already been settled and he emerged victorious... sort of. It turns out that he's already spent almost $7500 and would have kept fighting them too, but because his family would have been dragged into it, he was forced to take a deal. They've expunged his record and dropped all charges, but he had to give up his right to sue the city to do it.'"



Tools & Techniques

http://www.privacydigest.com/2007/09/24/source+code+mediadefender+anti+piracy+tools+leaked

Source Code for MediaDefender Anti-Piracy Tools Leaked

September 24, 2007 - 5:10pm — MacRonin

Source Code for MediaDefender Anti-Piracy Tools Leaked: Hackers who seized more than 6,000 internal company e-mails from anti-piracy company MediaDefender have made good on their promise to release additional material from the company. Today's trove includes source code for dozens of tools MediaDefender uses (or, perhaps, used to use) to thwart the trading of copyrighted content on file-sharing networks. These include tools like BTSeedInflator and BTDecoyClient that target the BitTorrent network.

The code is a boon to admins on the targeted file-sharing networks since it exposes MediaDefender's methods for seeding the networks with decoy files and, therefore, will help the admins combat those strategies.


Tools & Techniques: An attack by any other name...

http://www.infoworld.com/article/07/09/24/New-activist-tool-cyber-sit-ins_1.html?source=rss&url=http://www.infoworld.com/article/07/09/24/New-activist-tool-cyber-sit-ins_1.html

New activist tool: Cyber sit-ins

Civil disobedience gets an update, as protestors stage DoS-like attacks on Web sites to gain attention for their causes

By Robert McMillan, IDG News Service September 24, 2007

Dan Lohrmann, Michigan's chief information security officer, found out about the cyber sit-in from a reporter. It was Tuesday, May 15, 2007, and a group calling itself the Electronic Disturbance Theater asked Michigan residents to voice their opposition to proposed cuts in state health care programs by targeting the Michigan.gov Web site. Over the next two days, participants accessed the group's Web site and downloaded a small browser plug-in that repeatedly hit Michigan.gov.

Though Electronic Disturbance Theater sees its actions as a mixture of performance art and civil disobedience, to Lohrmann, it looked very much like a DoS attack. "Had a million people joined in, it would have been interesting," says Lohrmann. "Not in a good way."

To Lohrmann's relief, far fewer than 1 million people hit the Michigan.gov site on the day of the sit-in. Web counters reported a jump of several hundred thousand page views -- about a 10 percent bump in traffic. Cyber sit-ins came of age nearly a decade ago, but recently, these disruptions have been cropping up again.

There was a "sit-in element" to the attacks on Estonia's online infrastructure, according to Jose Nazario, senior security engineer at Arbor Networks. Though many of these attacks were conducted via networks of hacked, botnet computers, the attackers also created code that anybody could download to voluntarily turn their PC into part of the protest.

Lohrmann was struck by the type of people who were drawn into the Michigan protest. "This was parents working with bad guys," he says.

Unlike DoS attacks, cyber sit-ins do not really have to disrupt service to be effective, says Dorothy Denning, professor of defense analysis at the Naval Postgraduate School in Monterey, Calif. Like the sit-in protests of the 1960s, these actions are effective whenever they bring publicity to a particular cause. "That's mostly what they do," she says. Electronic Disturbance Theater may not have taken down Michigan.gov last May, but the Michigan press and this magazine covered the cyber sit-in, Denning points out. "Obviously they're getting a little publicity," she says. And that may just be enough for the activists.
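What Lohrmann saw in his web logs was a particular shape of traffic: a bump of a few hundred thousand page views made up of many ordinary client addresses, each re-requesting the same URL at a steady rate for hours. That shape is what distinguishes a sit-in from a botnet flood and from a genuine news spike, and it is easy to pick out after the fact. The code below is an added example from the defender's side, not from the InfoWorld article, the Electronic Disturbance Theater plug-in or anything Michigan runs; it assumes Apache-style combined access logs, a baseline request rate supplied by the operator, and constructed log lines covering a single minute.

```python
"""
Sit-in pattern over web access logs (added example; the log lines and the
baseline figure are constructed, the thresholds are assumptions).
"""
from collections import Counter
import re

# Apache/NCSA-style line: ip ident user [ts] "METHOD path proto" status bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)


def build_sample_log():
    """Construct one minute of traffic: 40 ordinary visitors, one request each
    on assorted pages, plus three clients re-requesting the front page once a
    second, which is the plug-in behaviour described in the article."""
    lines = []
    for i in range(40):
        lines.append(
            f'10.0.0.{i + 1} - - [15/May/2007:14:00:{i % 60:02d} -0400] '
            f'"GET /page{i % 7}.html HTTP/1.1" 200 512'
        )
    for ip in ("198.51.100.10", "198.51.100.11", "198.51.100.12"):
        for s in range(30):
            lines.append(
                f'{ip} - - [15/May/2007:14:00:{s:02d} -0400] "GET / HTTP/1.1" 200 9000'
            )
    return "\n".join(lines)


def analyze(log_text, baseline_per_minute, per_client_threshold=20, surge_ratio=1.10):
    """Summarise one minute of log lines.
    - surge: total requests exceed the operator's baseline by surge_ratio
      (1.10 mirrors the roughly 10 percent bump Michigan reported);
    - repeat_clients: addresses that hit one path at least
      per_client_threshold times in the window;
    - paths_with_repeaters: how many such clients each path attracted, so a
      sit-in shows up as many clients converging on one URL."""
    per_client_path = Counter()
    total = 0
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than fail the whole window
        total += 1
        per_client_path[(m["ip"], m["path"])] += 1

    repeaters = {}
    paths_with_repeaters = Counter()
    for (ip, path), n in per_client_path.items():
        if n >= per_client_threshold:
            repeaters[ip] = n
            paths_with_repeaters[path] += 1

    return {
        "total_requests": total,
        "surge": total >= baseline_per_minute * surge_ratio,
        "repeat_clients": repeaters,
        "paths_with_repeaters": dict(paths_with_repeaters),
        "share_from_repeaters": sum(repeaters.values()) / total if total else 0.0,
    }


if __name__ == "__main__":
    summary = analyze(build_sample_log(), baseline_per_minute=100)
    for key, value in summary.items():
        print(f"{key:22} {value}")
```

Against the constructed minute the summary shows a surge over a baseline of 100 requests, three repeat clients all aimed at `/`, and those three accounting for roughly 69 percent of the traffic. The operational answer this points to is the boring one, caching the hammered page and rate-limiting per client, rather than blocking the participants: as Denning notes, the publicity is the goal, and blocking parents who installed a plug-in is its own news story.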



You can't protect it if you don't know it's there!

http://www.computerweekly.com/Articles/2007/09/24/226959/law-firm-maps-infrastructure-to-net-savings.htm

Law firm maps infrastructure to net savings

Posted: 16:22 24 Sep 2007

Global law firm Linklaters has implemented a network discovery and application-dependency mapping tool across 30 offices in 23 countries to gain a clear and accurate view of its IT infrastructure.

"We spent considerable time doing manual checks as we did not have a clear view of existing servers and relationships between the hardware, the applications on them, and the network infrastructure," said Simon Gilhooly, head of global technical systems at Linklaters.

The firm said it chose Tideway Foundation from Tideway Systems because, unlike competing products, it did not require any existing server monitoring and network management systems to be replaced or the installation of software agents throughout the network.

"Agentless tools do not install anything on servers and clients, making them easier and faster to implement. It also enables them to cover more of the infrastructure, including previously unknown servers, because you cannot install an agent on a server you do not know you have," said Gilhooly.

Linklaters had relied on spreadsheets filled in manually by IT teams [The shoemaker's children... Bob] to get an overview of the infrastructure. The mapping tool allows it to see exactly what hardware is deployed and pinpoint the cause of incidents quickly, said Gilhooly.



I've suggested this technique to many of my “subscribers.” Here is a specific example of how to translate your expertise for a broader audience. Any takers?

http://ralphlosey.wordpress.com/2007/09/23/this-blog-to-become-a-book-and-you-are-invited-to-contribute-to-it/

This Blog to Become a Book! AND You Are Invited to Contribute to It

I am very pleased to announce that the American Bar Association will soon publish a book based on this blog. It will be called e-Discovery: Current Trends and Cases. This will be, to my knowledge, the first time a legal blog has become a book, now sometimes called a “blook.” Although the book will not be exactly the same as the blog, it will be derived from and based on it.

... The ABA is rushing the book to print so that it will be available by December. That is extraordinarily quick for a book publisher, far faster than any of the other major legal publishers who also expressed an interest in the project.

... So how can you be a part of this blog-to-book project? Leave a good, substantive comment on any of the blogs I have ever written, and it may be included in the book. One of the unique things about the new book is that it will include select comments by blog readers, and occasionally, my responses to these comments.
