Why carry a heavy laptop? It probably isn't even running Linux!
http://www.pogowasright.org/article.php?story=20071017174737939
Thief Walks Off With ID Data On Former UC Students
Wednesday, October 17 2007 @ 05:47 PM EDT Contributed by: PrivacyNews News Section: Breaches
Sensitive information about more than 7,000 former University of Cincinnati students was stolen, officials said.
The data, which included Social Security numbers, was encoded onto a Flash drive taken from an employee’s desk.
Source - WLWT
Follow-up. “Our procedure is to sign for all four packages, put all three on our truck, then remove them both at the storage site, and put that package securely under lock and key!”
http://www.pogowasright.org/article.php?story=20071017100549536
(update) Contractor loses La. scholarship account data dating back to 1998
Wednesday, October 17 2007 @ 10:05 AM EDT Contributed by: PrivacyNews News Section: Breaches
Backup data for the Louisiana Office of Student Financial Assistance, dating back to dating back to 1998, were reportedly not loaded properly onto an Iron Mountain truck on Sept. 19 during a move.
Information about this incident can be found at http://www.osfa.state.la.us/notice.htm. To determine if your data were among those lost, there is a secure web site set up at https://osfantweb.osfa.state.la.us/Notice.nsf/.
Source - Associated Press
Interesting (but obviously flawed) defense. “When we started keeping credit card data, these rules didn't exist.” The flaw is, that when the data was spilled, the rules did exist. Maybe this time we will get a good look at what happened?
http://www.eweek.com/article2/0,1895,2200254,00.asp
Court Zeros In on What TJX Didn't Say
October 17, 2007 By Evan Schuman
TJX knew how "antiquated and deficient" its security efforts were and yet never told MasterCard or Visa, resulting in negligent misrepresentations. That's how U.S. District Judge William Young summed up what the banks are going to have to prove to win at trial in his courtroom.
In an hourlong federal court hearing Oct. 16 in Boston, Young peppered attorneys from TJX, TJX processor Fifth Third Bank and banks suing TJX, providing a good sense of where a TJX bank trial might go.
TJX has reached a settlement with a class-action consumer lawsuit, and Young is preparing to approve that settlement. That case went relatively easy on TJX because there were minimal—and often no—monetary damages suffered by consumers, thanks to zero-liability credit card programs.
But the banks are the ones that had to reissue credit cards and handle fraud losses, so TJX is in for a more fierce fight in that arena.
The court hearing involved whether Young would certify many of the banks to sue together as a class—making this another class-action lawsuit—or have them proceed individually. Unlike the consumer case, the banks involved could indeed sue on their own, so the question of class certification isn't likely to kill the case, regardless of how the judge ultimately rules.
The core accusation against TJX is that it was not truthful with the banks—and with Visa and MasterCard specifically—as to the state of its data security operations for its credit cards.
In what is widely considered the worst-ever data breach reported, the Framingham, Mass., retail chain in January disclosed that the credit card data of some 46 million consumers fell into unauthorized hands in a series of penetrations from July 2005 to December 2006. TJX filings have raised questions about its encryption practices, its wireless security choices, and whether intruders successfully planted Trojan horses into the system and whether they had the company's encryption key.
In summarizing the plaintiff's claim, Young said the fraud accusations seem to come down to what TJX did not say, rather than what it did.
... TJX attorney Richard Batchelder argued that the complicated nature of the relationships between banks and the credit card companies and the processors and TJX—coupled with the long duration of these data breaches—makes a class certification inappropriate.
"You described it as an implied security assurance. That means when some customer goes into a store and their card is swiped, that there's some implied security assurance that in some way, through this complex web, [the assurance] gets back to these member banks and they somehow relied upon that," Batchelder said. "When you look at that as their basis for the negligent misrepresentation case, you can see how class certification isn't appropriate. Think about it. They're talking about transactions in 2003, '04, '05, '06, '07. They're talking about operating regulations that weren't even in existence in '03 and '04 that then came into effect in '05 and then changed in '06. They're talking about a security system that in '03, '04, '05, '06, '07 is developing and evolving, as every merchant's security systems was. So what exactly is the representation being made every single time? How are we possibly going to try that on a class basis? It would be impossible."
... One important theme that has underscored much of the TJX data breach saga has been secrecy, starting with TJX having learned of the breach in mid-December 2006 but not reporting it publicly until mid-January 2007. With so much of the law on its side in the consumer lawsuit, the most pressing matter for TJX was the fear of having to reveal embarrassing internal security details in open court.
... The judge then ordered all attorneys to halt sending documents directly to his chambers labeled confidential.
"You will not in the future file any document other than electronically, pursuant to the rules of this court," he said. "And the documents you file will be public. Entirely public. You will not file a document under seal and some [cleaned up] document that the public can't look at. You will file a public document. If you think anything needs to be filed under seal, you will file a public document, supported by public affidavits, detailing why the specifics, and I am extraordinary skeptical of your view of what's confidential. I've told you what's confidential: Things that bear on the actual operation of the computers, the actual security standards for the computers, and the like."
Young also said he wants attorneys to reveal much more to the public. "Given the nature of this case, I don't see why any of this case, any of it, should be conducted out of the public's spotlight, and it will not be, unless there is a specific reason, persuasive to me, made in public documents," he said.
Related...
Cafe Latte attack steals data from Wi-Fi PCs
Security researcher uncovers technique that exploits holes in WEP encryption to log onto supposedly secure wireless networks
By Robert McMillan, IDG News Service October 17, 2007
If you use a secure wireless network, hackers may be able to steal data from your computer in the time it takes to have a cup of coffee.
At the Toorcon hacking conference in San Diego this coming weekend, security researcher Vivek Ramachandran, will demonstrate a technique he's developed to attack laptops that use the WEP encryption system to log on to secure wireless networks.
Developed in the late 1990s, WEP was the default method of securing Wi-Fi networks. Though the WPA (Wi-Fi Protected Access) system replaced it, about 41 percent of businesses continue to use WEP. [Hey! It was good enough for Dad! Bob] That percentage is even higher among home users, security experts say.
That's unfortunate because WEP has been riddled with security problems. In fact, WEP was blamed for the recent TJX Companies data breach in which thieves were able to access 45 million credit- and debit-card numbers.
To date, however, researchers have tended to focus on exploiting WEP flaws in order to break into wireless networks. That generally meant that the attacker would roll up near the WEP-encrypted router, crack the WEP key used to encrypt network traffic, and then log on to the network.
Ramachandran, a senior wireless security researcher with AirTight Networks, has taken a look at the client side of things and developed a way of tricking a WEP-enabled client into thinking that it is logging on to a network that it already knows.
His technique, which he calls the Cafe Latte attack, allows an attacker to circumvent firewall protection and attack the laptop or to set up a "man in the middle" attack and snoop on the victim's online activity. "Until now, the conventional belief was that in order to crack WEP, the attacker had to show up at the parking lot," he said. "With the discovery of our attack, every employee of an organization is the target of an attack." [Oh, joy. Bob]
Related. Wouldn't you fix any problem you encountered? Apparently not! (When did Forrest Gump become our philosopher of choice?)
http://www.pogowasright.org/article.php?story=20071017183535140
No Breach, No Foul
Wednesday, October 17 2007 @ 06:35 PM EDT Contributed by: PrivacyNews News Section: Breaches
If you find a new security vulnerability on your Website, do you have to fix it? Not necessarily.
As long as the vulnerability isn't detected in a compliance audit scan, or doesn't get exploited by an attacker, a business could theoretically just sit on a Website bug -- either for cost reasons, a lack of resources, or ignorance of its implications, security experts said this week.
Source - Dark Reading
...and now, from our “Well, DUH!” department:
http://www.pogowasright.org/article.php?story=20071017130139964
NSA may be Reading Windows Software in your Computer
Wednesday, October 17 2007 @ 01:01 PM EDT Contributed by: PrivacyNews News Section: Surveillance
... European investigative reporter Duncan Campbell claimed NSA had arranged with Microsoft to insert special "keys" in Windows software starting with versions from 95-OSR2 onwards.
And the intelligence arm of the French Defense Ministry also asserted NSA helped to install secret programs in Microsoft software.
Source - Scoop
Welcome to the Forrest Gump law firm! (“You can't look at our ads, either. Or our phone number in the Yellow Pages. Or our office building...”)
http://techdirt.com/articles/20071017/092927.shtml
Law Firm Uses Copyright Claim To Say You Can't View Its Website's HTML Source
from the that's-a-new-one dept
Greg Beck writes in to let us know that the law firm that was recently challenged for claiming that it was a copyright violation to post its cease-and-desist letter also has some other interesting ideas about copyright, including banning people from looking at the firm's source code. You can view the entire user agreement, but the amusing part is:
"We also own all of the code, including the HTML code, and all content. As you may know, you can view the HTML code with a standard browser. We do not permit you to view such code since we consider it to be our intellectual property protected by the copyright laws. You are therefore not authorized to do so."
As Beck says, "That's kind of like a puppet show invoking copyright to prohibit the audience from looking at the strings. The user agreements of the law firm and one of its clients also contain a bunch of terrible terms that have become all too common: a prohibition on linking to the site, copying anything from the site (even if its fair use), and even referring to the website owner by name. The law firm doesn't even allow its own clients to say they're represented by the firm without permission." He also notes that the law firm in question is demanding that another website remove criticism of one of their clients because it did not receive permission to use the client's name or link to the website -- two things that the laws and the courts have been pretty clear in saying is perfectly legal over the years.
E-Disaster. If we keep irritating everyone (China, Turkey, etc.) this is inevitable... Isn't it?
http://www.news.com/8301-10784_3-9799403-7.html?part=rss&subj=news&tag=2547-1_3-0-5
Will cyberintrusions crash U.S. electrical grid?
Posted by Anne Broache October 17, 2007 4:10 PM PDT
WASHINGTON--Some critics of the U.S. government's cybersecurity efforts might argue that nothing short of a bomb going off--or, well, purported Chinese cyberattacks on feds' machines--will land the issue more notice.
This time around, the wake-up call for politicians was, indeed, an explosion: In September, U.S. Homeland Security officials revealed that researchers at the Idaho National Laboratory had managed to destroy a small electrical generator through a simulated cyberattack. A few weeks ago, CNN aired a gloom-and-doom segment featuring snips from the once-classified video showing the device going up in smoke.
Although the prospect of that sort of incident causing massive disruption to the U.S. electrical grid has been around for years, the success of the experimental hack is drawing new calls from Congress for tougher federal security standards on the computer systems that control the nation's power systems.
... It's widely agreed that the threats to so-called "control" systems--sometimes known by the acronym SCADA, short for "Supervisory Control And Data Acquisition"--have grown in recent years. That's because more and more of them are being hooked up to "open" networks, including corporate intranets and the Internet, in an effort by their owners and operators to improve efficiency and lower costs.
But there was never much focus on the idea of building security features into those systems when they were first created, and that trend, unfortunately, continues today, [See TJX article, above Bob] said Joseph Weiss, a consultant and nuclear engineer who spent more than 30 years designing, implementing and analyzing control systems.
Feds: We're on it
Government regulators, for their part, say they are growing increasingly aware of those shortcomings and working valiantly to address the problem.
... The proposed rules are written in such a way that they would not even require electric grid operators and owners to install comprehensive security measures on all critical pieces of their systems that, if compromised, could cause significant disruptions, they argued. Instead, they'd have some latitude to focus only on certain components and neglect others.
... After all, the first prominent recorded incident of such an act came in 2000, when a software developer in Australia, apparently miffed after being turned down for a government job, used stolen radio equipment to hack into a system controlling a sewage plant. On nearly 50 occasions, he sent malicious code that opened control valves, causing refuse to ooze into nearby rivers and parks.
Related? Imagine sending SWAT to the local gun club on swap night...
http://it.slashdot.org/article.pl?sid=07/10/17/197221&from=rss
Man Hacks 911 System, Sends SWAT on Bogus Raid
Posted by Zonk on Wednesday October 17, @03:33PM from the word-dumb-doesn't-cover-it dept. Security The Courts
An anonymous reader writes "The Orange County Register reports that a 19 year old from Washington state broke into the Orange County California 911 emergency system. He randomly selected the name and address of a Lake Forest, California couple and electronically transferred false information into the 911 system. The Orange County California Sheriff's Department's Special Weapons and Tactics Team was immediately sent to the home of a couple with two sleeping toddlers. The SWAT team handcuffed the husband and wife before deciding it was a prank. Says the article, 'Other law enforcement agencies have seen similar breaches into their 911 systems as part of a trend picked up by computer hackers in the nation called "SWATting"'"
Related. Sometimes extremes point out where trends are heading. (Think of it as “lowering the common denominator”)
http://techdirt.com/articles/20071011/225126.shtml
When Your Backup Brain (i.e., Technology) Takes On Primary Memory Functions
from the i'd-say-it's-bad,-but-my-computer-disagrees... dept
For years, we've talked about the idea that computers and the internet are becoming something of a backup or second brain. The more we use these technologies, the more we allow them to remember stuff for us -- knowing we can always track down that information. In fact, Clive Thompson's latest column is about how the generation of kids growing up online tend not to remember little things that older generations definitely remember, like phone numbers and birthdays. Why remember those things when they're easily stored away and easily accessed thanks to technology? While Thompson talks about how nice it is that he can feel much smarter while he's connected, he also worries that it makes him "mentally crippled" when not connected. There may be something to that idea. After all, a few years ago there was a story about Steve Mann, a professor who had been living his life with a wearable computing system for 20 years. At an airport, he was forced to take the apparatus off and immediately had trouble functioning normally. He had become so reliant on the technological enhancements, that being without them left him somewhat crippled. While few people will have reached that point, it's certainly suggestive of what happens if we become too reliant on those external backup brains. That's not to say we shouldn't be using technology for this purpose -- or even that it's not a good thing. However, we should be aware of what it means and potentially the impact should it go away (temporarily or permanently).
Is this too related? Can some 12-year-old in Bolivia choose our next President?
Ohio brings in experts to review troubled e-voting systems
Review by a testing lab and experts from three universities is aimed at finding and fixing potential problems with Ohio's e-voting hardware, software, and processes
By Todd R. Weiss, Computerworld, IDG News Service October 17, 2007
A Denver-based e-voting testing laboratory and experts from three universities have been hired by the state of Ohio to undertake independent evaluations of the states' e-voting hardware, software, and processes. The move is aimed at finding and fixing potential problems before the 2008 presidential election.
The work is being done under a $1.7 million contract awarded earlier this summer by the state to get an in-depth picture of how the e-voting system is working. Since the 2000 presidential election, critics of e-voting systems have voiced concerns about the accuracy, integrity, and security of e-voting results and have pushed for tougher means of ensuring that every vote cast is properly counted.
Ohio has faced e-voting problems in several elections in which electronic machines were used, including a May 2006 primary election, when a host of accuracy problems were reported.
Hey! I know how to generate random numbers – give me a grant! I'll call it the Center for Improbable Events! (Is this a precursor to Asimov's Psycho-history?)
http://slashdot.org/article.pl?sid=07/10/17/2227238&from=rss
Computer Software to Predict the Unpredictable
Posted by samzenpus on Wednesday October 17, @07:13PM from the zombo-com dept. Software Technology
Amigan writes "Professor Jerzy Rozenblit at the University of Arizona was awarded $2.2Million to develop software to predict the unpredictable — specifically relating to volatile political and military situations."
From the article: "The software will predict the actions of paramilitary groups, ethnic factions, terrorists and criminal groups, while aiding commanders in devising strategies for stabilizing areas before, during and after conflicts. It also will have many civilian applications in finance, law enforcement, epidemiology and the aftermath of natural disasters, such as hurricane Katrina."
Politics decrypted! Video well worth watching.
http://www.theonion.com/content/video/poll_bullshit_is_most_important
The Onion: Bullshit Is Most Important Issue For 2008 Voters watch!
theonion.com — For a majority of likely voters, meaningless bullshit will be the most important factor in deciding who they will vote for in 2008.
http://www.theonion.com/content/video/poll_bullshit_is_most_important
It's not just humor, it's true politics!
http://www.killerstartups.com/Video-Music-Photo/barelypolitical--Home-of-Obama-Girl/
Attention fellow teachers! Since I already have CDs full of multiple choice questions, I should be able to use this site for most of my classes. (Trivial Statistics, Trivial Math, Trivial Computing... Okay, maybe not.) Perhaps this will help some of those who hate homework?
http://www.killerstartups.com/Web20/qtoro--Create-Your-Own-Trivia-Game/
Qtoro.com - Create Your Own Trivia Game
Qtoro.com is a site where you can create your own trivia questions, then play your own game online. Create a profile at Qtoro.com and start to make your own game. You can make trivia questions on whatever subject you would like, history, science, pop culture, etc…. Write your questions, write four answers, three which are false one which is correct, and then include an explanation for the correct answer. When you create the game you can include an image, such as a photograph, map or diagram. Once you are finished you are able to play your game and so are other Qtoro users. Other users can vote on your questions, whether or not they think they are good, they can add comments and email the questions to a friend. The way the game works is the question appears on screen and you have 20 seconds to answer the question. The timer starts out green and as time goes by it starts turning red. After 10 seconds it crosses out one of the incorrect choices, and after another 5 seconds it crosses out a second incorrect choice. You get 10 points for every correct answer and the game keeps track of your score. Visit Qtoro.com to crate your own trivial game and have fun playing the games other users have created.
Another student tool?
http://www.killerstartups.com/Web20/toluna--A-Community-For-Creating-Polls/
Toluna.com - A Community For Creating Polls
Once known as dpolls, Toluna.com, is a community that focuses on the creation of polls and surveys. Do you want to know what the popular opinion is on a certain topic, get answers from the 400,000 Toluna.com users. Register at Toluna.com and become a user so you can create your own polls and surveys. Your polls can be on any topic, you can have as many answer options as you like, although t is recommended only to have a few, and you can upload images for your poll as well. You can choose the category and sub-category for your poll along with tagging it so other users can easily find it. Toluna.com has a points system where you can earn virtual money that you can spend on vouchers and prize draw tickets. You earn points by being an active user, creating polls and opinions and participating in surveys. Your points are saved in your account for 2 years, if they haven’t been spent after that long they will expire. You can easily export polls and opinions to your blog. Make new friends in the Toluna.com community or browse through the site by category or list of polls, such as, most recent and most popular. You can also browse through surveys and opinions. Toluna.com is an active and fun community where you can express your opinion and discover the opinions of others.
No comments:
Post a Comment