Tuesday, October 02, 2007

Ohio data spill just keeps on growing...

http://www.pogowasright.org/article.php?story=20071002070822995

(update) More Ramsey County workers told personal data was stolen

Tuesday, October 02 2007 @ 07:08 AM EDT Contributed by: PrivacyNews News Section: Breaches

Another 380 Ramsey County employees and retirees have been told that their names and Social Security numbers were stolen this past summer in Ohio, bringing the total to more than 900.

The data were on a computer storage device that was stolen from the car of an intern for the state of Ohio who had worked with Accenture, a consulting firm that had worked on a 2001 Ramsey County payroll project.

Source - Star Tribune


So does this one...

http://www.pogowasright.org/article.php?story=20071002071059771

(update) Hackers open data of group’s workers

Tuesday, October 02 2007 @ 07:10 AM EDT Contributed by: PrivacyNews News Section: Breaches

PogoWasRight.org Editor's note: This incident seems to have involved more people than what the Nature Conservancy reported to NH on Sept. 12.

A hacker illegally gained access to a computer of The Nature Conservancy containing personal information on about 14,000 people, including current and former Nature Conservancy employees and their dependents, the nonprofit organization confirmed Monday.

According to an e-mail the Arlington, Va., organization sent its employees, the hacker used a Web site to gain access to a Nature Conservancy computer Sept. 12.

Nature Conservancy spokesman Jim Petterson said when employees accessed a particular Web site, the site planted a program on the employees’ computers that copied the contents of the hard drives and sent the information to the hacker.

Source - Arkansas Democrat Gazette




I can't wait for this to happen in the next presidential election... We are still certifying machines for Colorado elections.

http://techdirt.com/articles/20070930/001319.shtml

Judge Voids Election Results Over E-Voting Results That Couldn't Be Audited

from the nice-work dept

Apparently a judge in Alameda County, California, has voided some election results after the e-voting tallies from Diebold machines couldn't be audited. The vote was on a controversial ballot measure, where the end result was quite close. Some activists went to court to demand a recount, but elections officials had already sent the machines back to Diebold, who had conveniently erased 96% of the necessary audit information. The issue will return to the ballot in the next election. Either way, this highlights one of the problems of e-voting machines that have no verifiable audit trail, and it's nice to see a judge actually recognizing that. Of course, this time it was for a ballot measure that can wait until the next election. What about cases where these machines were used for electing officials?



What is privacy worth? (Also, note the confusion about proper procedure...)

http://www.pogowasright.org/article.php?story=20071001144203551

Court Imposes Punitive Damages For Disclosing Abortion To Woman's Family

Monday, October 01 2007 @ 02:42 PM EDT Contributed by: PrivacyNews News Section: In the Courts

New York's Public Health Law § 2803-c[1], [3][f] protects every individual's right to keep medical treatment private and personal and medical records confidential. What are the consequences if a medical provider wrongfully discloses such private medical records? Last Tuesday, in Randi A. J. v Long Is. Surgi-Center, 2007 NY Slip Op 06953 the Second Department held that punitive damages were properly imposed against a medical provider which revealed information sufficient to allow a woman's mother to conclude that she had had an abortion.

Source - New York Legal Update



Risk Analysis: Do you see the trade offs this way?

http://www.infoworld.com/article/07/10/01/PCI-experts-say-deadline-is-just-the-beginning_1.html?source=rss&url=http://www.infoworld.com/article/07/10/01/PCI-experts-say-deadline-is-just-the-beginning_1.html

PCI experts say deadline is just the beginning

The Payment Card Industry Security Standard compliance deadline has passed, but few large firms have completed compliance work

By Matt Hines October 01, 2007

... At midnight on Monday, the PCI DSS version 1.1 guideline officially went into effect, requiring that all credit and debit card handlers adhere to a stricter set of data protection rules implemented by the PCI Security Standards Council -- which is backed by prominent card issuers including AMEX, MasterCard, and Visa.

... Despite having over a year to examine the PCI DSS requirements -- which include stipulations for businesses to encrypt any sensitive customer account information they store -- those people most familiar with the individual elements of the standard and the methods being employed by businesses to meet them claim that most organizations still have a long road ahead.

... Other firms, emboldened by the fact that peers like TJX Companies have been able to experience major data exposure events without any apparent impact on their core business, have begun pushing back on their IT departments and asking why they need to sink so much time and money into the process of meeting the regulation at all, the expert said.

... "Most large companies at least have PCI initiatives in place if they're not already compliant, but because the TJX incident has not had the impact on sales that some have predicted, we are hearing about some CIOs who are pushing back and saying it's not as big of a deal," Pironti said. "Because the only real consequences are financial and, unlike some of the other regulations, no one is going to jail for not following PCI, some companies aren't rushing to get prepared like they might have been in the past."

... Many companies are taking a "fail the first audit" approach to find out exactly what is expected of them in the future, he said, and the expert contends that it might be one of the most practical ways for smaller firms to approach the standard. [Not uncommon to 'use the auditors' this way... Bob]



It's not only retailers who don't get security...

http://blog.wired.com/27bstroke6/2007/10/boeing-employee.html

Boeing Employee Fired for Discussing Computer Security Problems at Company

By Kim Zetter, October 01, 2007 | 12:38:16 PM

Boeing has fired an employee for speaking to the Seattle Post-Intelligencer after the newspaper published a story in July saying that Boeing couldn't properly protect data in its computer systems from theft, manipulation and fraud. The story also suggested that the company may have misrepresented the security of its data in filings to the Securities and Exchange Commission.

The fired employee says he was trying to save the company but was treated badly after he raised ethical concerns internally about how the company was conducting security audits of its systems. He then spoke with a reporter as well as the SEC about his concerns. Now he says the company is retaliating against him, instead of trying to fix its problems. An anonymous e-mail sent to the Seattle P-I also disclosed that Boeing is spying on other employees to ferret out whistleblowers by videotaping workers and reading their e-mail.

The Seattle P-I's July story about Boeing's alleged security problems revealed that the company had failed repeatedly to comply with the Sarbanes-Oxley Act -- a law that requires companies to prove that they have internal control of their data to prevent anyone from manipulating financial numbers and deceiving stockholders. The law requires companies to, among many other things, implement controls that restrict access to data and computer systems to only those people who need it, and that access and changes to systems -- including code changes -- are well documented.

Companies have complained that the SOX Act is poorly written and places vague and expensive burdens on them to implement -- especially for companies the size of Boeing. Documents that the Seattle P-I obtained discussing internal and external audits of Boeing show that the company struggled to meet the law's requirements but could never quite get it together, and that the IT division had failed year after year to demonstrate that it had "a robust control environment."

Among the problems the Seattle paper found were:

Boeing's internal audit findings were so poor -- meaning that so many computer system controls were failing or evidence was missing -- that external auditor Deloitte & Touche decided not to rely on the results for three consecutive years.

Boeing exposed sensitive information about computer systems' holes to employees who did not need access to all of the data, according to e-mails and interviews.

An internal complaint was filed with the company's ethics board that audit results had been manipulated. The company decided last September that the allegation was unsubstantiated.

Some employees involved in the compliance process perceived a threatening culture. A late 2006 internal report said that employees felt they were being told that their jobs and salaries were "on the line," and they were being pressured to produce evidence for audits "ahead of events occurring normally."

In July this year, another Boeing whistleblower was charged with 16 counts of computer trespass for allegedly stealing 320,000 company files and giving some of them to the Seattle Times to document flaws in the company's inspection process for one of its new planes. Police say they discovered password-cracking tools on the employee's computer. The company estimated that the stolen data could have cost the company between $5 billion and $15 billion if the information got into the wrong hands -- presumably meaning the hands of competitors.

Boeing also recently suffered three separate cases of data theft in which the personal information of more than 400,000 employees was stolen by thieves who made off with company laptops containing unencrypted data.



More for my Business Continuity class...

http://www.technewsworld.com/rsstory/59579.html

Web 2.0 Is Security Soft Spot for Enterprises, Report Says

By Jack M. Germain TechNewsWorld 10/01/07 9:23 AM PT

A recent Forrester study, which surveyed 153 IT professionals and security decision makers, found that organizations spend up to $13 billion globally for direct malware remediation costs. Based in part on that spending, 97 percent of all enterprise IT staff consider themselves prepared to deal with Web 2.0 security issues. However, 79 percent reported frequent attacks from malware.

... IT professionals also largely lack risk awareness, user training and consistent policies related to Web 2.0 threats, according to a security report by Forrester Research commissioned by enterprise gateway security firm Secure Computing.



We are a global economy. Search locally, buy globally?

http://techdirt.com/articles/20071001/002223.shtml

Looking For A Travel Deal? Have Your Browser Do The Walking... Out Of The Country

from the go-local dept

With the Internet, we now have a whole range of options when we need to book travel, ranging from online travel services to "name your own price" services. Whether or not we are better off still is up for debate, but now a new angle has emerged in the quest for lower prices. Booking travel through non-US websites may yield travelers a better deal -- even for the same exact offering. In one example, the rental car price quoted was 58 percent lower when booked through the foreign site. Travel companies defend this practice, claiming that they need to be able to set different prices in different markets in order to compete. But, this is merely the economic principle of price discrimination at work -- if you're able to get a higher price for any reason, then it technically is exactly what the market will bear. The mere fact that American customers visit different websites than Spanish customers naturally segments the market. So, by being able to increase their utilization by lowering prices in the appropriate markets, the price of the goods is driven down in the long run by this practice. That said, people will still be pissed off by this practice because buying from a different website does not seem like a "reasonable" explanation for that price difference. At least companies have not implemented higher prices for the wealthy -- that would definitely raise some eyebrows.



Well, I find it interesting...

http://techdirt.com/articles/20070930/202500.shtml

NHL Sued For Trying To Take Over Team's Website

from the fight!-fight!-fight! dept

A few years back, Major League Baseball demanded that all MLB baseball teams hand over their websites to the league as part of their effort to create MLB Advanced Media, a division devoted to managing the online presence of Major League Baseball. While MLB may go way overboard in claiming control over certain content, its online efforts have been quite a success. There was a rumored (and later scrapped) IPO plan -- but the company is apparently still doing amazingly well, with talk of it being valued somewhere around $5 billion. Already, MLBAM has tried to expand its coverage by running websites for other sports and even musicians.

All of that success apparently caught the attention of the National Hockey League, who had apparently let teams run their own damn sites for a while. However, it recently decided to bring them all in house -- but teams aren't thrilled with the idea. In fact, the NY Rangers are now suing the NHL for antitrust violations in trying to take over their site. The Rangers claim that the site is an important part of their team's marketing efforts and it acts as a competitive differentiator. They're also not happy that they've spent all this time building up traffic only to turn it over to the NHL. There are a few important differences with the NHL's plan compared to the MLB's. First, MLB took over all team sites years ago, before web sites were so important. These days, most teams recognize how valuable those sites are and have already built up a ton of traffic. Much more importantly, Major League Baseball has a special antitrust exemption that no other sports have. So, even if a baseball team had wanted to charge MLB with antitrust violations, it would have been difficult given the exemption. Since the NHL doesn't have that exemption, it's going to have to put up a fight to get the Rangers to hand over their website.



Ubiquitous surveillance: When license plates are not enough...

http://www.newschannel8.net/news/stories/1007/459879.html

Highway People-Scanners Raise Privacy Concerns

Monday October 01, 2007 5:08pm

Washington (AP) - A proposed new technology to scan the insides of vehicles driving on future carpool lanes on the Capital Beltway is raising privacy concerns.

Private companies building a network of new high-occupancy and toll lanes as part of a beltway expansion are planning to use scanners that flash a vehicle and its occupants with infrared light to detect human skin - and track whether an individual should pay his or her way around congestion, or ride for free as a carpooler.

... People are uneasy about being scanned, but also fear the images could be used in divorce proceedings or by insurance companies.

One expert says that people who can't handle the idea can just not use the lanes. [Obviously not a PR expert... Bob]



More ubiquitous? (Ubiquitouser?) Some of the quotes in the article are almost unbelievable...

http://www.pogowasright.org/article.php?story=20071001143117713

NYC Mayor: Surveillance a City Necessity

Monday, October 01 2007 @ 02:31 PM EDT Contributed by: PrivacyNews News Section: Surveillance

Residents of big cities like New York and London must accept [or else? Bob] that they are under constant watch by video cameras, New York Mayor Michael Bloomberg said Monday.

Bloomberg, holding talks with his London counterpart Ken Livingstone, said such measures as London's "ring of steel" -- a network of closed-circuit cameras that monitors the city center -- were a necessary protection in a dangerous world.

Source - Newsday

[From the article:

... Bloomberg, holding talks with his London counterpart Ken Livingstone, said such measures as London's "ring of steel" -- a network of closed-circuit cameras that monitors the city center -- were a necessary protection in a dangerous world. [How do they protect? Bob]

... We live in a dangerous world, and people want to have security cameras."

... The mayor said New York lagged behind London in the number of cameras on trains and buses.

"We are way behind, and we really do have to catch up," Bloomberg said.

"There are some people who don't like cameras," he acknowledged. "But the alternative is so much worse." [for example? Bob]



Won't this be a fun hack! Schedule a call at 2AM to someone you “love”

http://www.killerstartups.com/Mobile/wakerupper--Your-Personal-Reminder/

Wakerupper.com - Your Personal Reminder

Can’t seem to drag yourself out of bed in the morning? Or do you have an important business meeting that you absolutely can’t forget about? If you need to be reminded about certain events you should visit Wakerupper.com. Wakerupper.com is available for the United States and Canada. At Wakerupper.com you can schedule a telephone reminder for anytime. Simply visit the site, enter the date and time you want to be called at (remember to pick the correct time zone), then enter your phone number, email address, and any short message that you would like to receive. It is that simple. The service is free and works with any type of phone. All of your personal information remains private, so you don’t need to worry. Don’t forget your anniversary, or to pick up the kids at soccer practice. Let Wakerupper.com remind you of what you should be doing.

http://www.wakerupper.com/



One worse than the other...

http://ralphlosey.wordpress.com/2007/10/01/update-of-two-prior-sanctions-blogs-qualcomm-and-morgan-stanley/

Update of Two Prior Sanctions Blogs: Qualcomm and Morgan Stanley

This entry provides an update to two prior blogs concerning e-discovery sanctions: the Qualcomm attorney sanctions case, and the Morgan Stanley 9/11 disaster email case.



Free money!

http://www.researchbuzz.org/wp/2007/10/01/noza-announces-free-grant-search/

NOZA Announces Free Grant Search

1st October 2007

NOZA, a database for nonprofit fundraisers, announced today free access to its database of foundation grants. There are over 825,000 foundation grant records at its site and you can search ‘em at https://www.nozasearch.com/.
