Saturday, April 14, 2007

Would someone please write an Identity Theft guide for reporters! I'd like them to at least point out the unanswered questions if not the outright impossible statements.

http://www.sptimes.com/2007/04/13/Business/Port_of_Tampa_employe.shtml

Port of Tampa employees victimized by ID thief

By Steve Huettel, Times Staff Writer Published April 13, 2007

A contractor's employee took personal information on thousands of people with Port of Tampa access badges and applied for credit cards in the names of about 20 of them, law enforcement officials said Thursday.

Daniel E. Glenn, 29, was arrested near his Lakeland home Thursday and charged with an offense against intellectual property to defraud/obtain property.

A computer technician for Siemens Building Technologies, Glenn was working on a computer upgrade at the Tampa Port Authority on Feb. 28.

He told port authority employees he needed access to the security badge database to fix corrupted data, according to an arrest report. [...and no one questioned this? Bob] The agency has issued 39,000 badges for longshoremen, truckers and workers at port businesses to enter secure areas along the waterfront.

"He copied thousands of names but acted on only a very small number," said Mark Dubina, a supervisor with the Florida Department of Law Enforcement (FDLE) in Tampa. "He basically copied the database."

FDLE agents and local police recovered the copied data [and the copies of the copies? Bob] from Glenn's home Thursday, wrote port director Richard Wainio in a memo to agency employees.

Glenn used stolen data from about 20 people to make applications to at least four different credit card companies over the Internet, the FDLE said.

Investigators don't believe he got any cash or merchandise with cards issued in their names. Most of the victims are port authority personnel. They included a port authority governing board member and two managers, said Wainio, who declined to identify them.

Glenn was suspended with pay from Siemens Building Technologies, a subsidiary of German conglomerate Siemens AG, said spokesman Steve Kuehn. The company is investigating the allegations.

"In any instance like this, we take the issue very seriously," he said. "We want to assure customers of the integrity of our service and our relationship."

About 10 days ago, several port authority employees reported receiving calls from companies about credit card applications they'd never filled out, said Wainio. They asked if the port's computers had been hacked into. [How would they know to contact the Port? Bob]

Officials told the FDLE about the earlier computer work by Siemens and identified Glenn as the technician.

Investigators notified the three consumer credit agencies. They monitored Glenn's home mail and found correspondence from financial services companies addressed to people in the port database, according to the arrest warrant.



No worries, mate! We're the police, you can trust us to keep data secure!

http://www.theage.com.au/news/national/secret-police-files-infiltrated/2007/04/13/1175971353176.html

Secret police files infiltrated

Andrea Petrie April 14, 2007

THE girlfriend of a Melbourne crime figure has gained access to confidential police records in a serious security breach.

The woman, who was not a police officer, was working at the force's criminal records branch.

She was suspended from the force last month, resigned 14 days ago and has been interviewed by Purana taskforce detectives for inappropriately checking [Must be an Australian legal term Bob] the law enforcement assistance program (LEAP) and VicRoads databases.

Force command confirmed yesterday that an employee from the corporate support area had resigned because of "one occasion in which she inappropriately accessed" the database.

But senior police sources have told The Age she has been accused of wiping the records of possibly hundreds of criminals and selling information from the confidential files. The Age believes that a taskforce has been set up to check the records examined by the woman while she worked at the unit.

It is also believed to be checking records seen by all other staff in the unit, in case the woman had used their computers without their knowledge. [and you will prove that how? Bob]

The criminal records branch checks on about 1000 people a week to issue national police certificates for employment or voluntary duties.

All employees at the branch are civilians rather than sworn police.

The oversight is the latest of several embarrassing security breaches of the LEAP system, which last year forced the State Government to commit to a $59 million replacement system.

The upgrade is not expected to be introduced for several years.

One source said the woman's actions may have helped convicted criminals get clearance to work in prohibited areas such as the education system.

"The whole system has been compromised because no one bothered to check who this woman's boyfriend was," he said.

He said police had no idea until recently that the boyfriend was involved in organised crime.

"She was a senior officer who had a clearance check of the entire system so she could check anyone on LEAP and do anything she wanted to their file. [Security no-no! Bob] She's believed to have given a lot of people a clean bill of health and wiped their criminal records forever, which is absolutely astounding."

He said her alleged actions would make it easy for those with criminal convictions to get international visas.

"Wiping someone's criminal records could have also helped pedophiles, for instance, get work at child-care centres or in the education system, because employers can only go by what the police tell them about someone's criminal record. [Oh? Bob]

"There's also talk that a heap of bikies' records have been cleared and that crooks from interstate are coming down here and given Melbourne addresses and are cleared of everything they've been investigated or charged for in the past."

The LEAP database contains details of 4.42 million people, 1.22 million vehicles and 5.24 million incidents.

A police spokeswoman confirmed that the woman had resigned on March 30.

She said: "The ethical standards department has established a system of regular audits of the law enforcement assistance program in a pro-active strategy to identify instances of misuse.

"Victoria Police will not tolerate any misuse of LEAP. These regular audits clearly show that any inappropriate use of LEAP will be subject to discipline, including dismissal."

The woman's resignation took effect on the same day that Victoria's Commissioner for Law Enforcement Data Security, Laurie Bebbington, released new mandatory standards that police and authorised personnel must follow to protect the sensitive data available to them.

Under the standards, tighter controls and full security clearance are required for anyone with access to police files; police must maintain a formal disciplinary regime for those suspected of misusing law enforcement data, and police files may be disposed of only in an authorised and specified manner.



Where would you go if you wanted social security numbers?

http://www.informationweek.com/security/showArticle.jhtml?articleID=199000813&cid=RSSfeed_IWK_News

Social Security Administration Worker Charged In Identity Theft Scheme

A California woman is charged with conspiracy and fraud in connection with a scheme that racked up $2.5 million in credit card charges.

By Sharon Gaudin, InformationWeek April 13, 2007

A former Social Security Administration employee surrendered to federal authorities Wednesday to face charges of illegally disclosing personal information she took off a government computer that was then used in an identity theft scheme that racked up $2.5 million in credit card charges.

... Batiste is charged with conspiracy, accessing a protected computer to conduct fraud, and disclosure of a Social Security number. [I wonder if TJX could be charged with 45 million counts... Bob] If she is convicted of the three counts in the indictment, Batiste faces a maximum sentence of 15 years in federal prison.

The indictment alleges that Batiste conspired with her cohort Craig Harris and others by agreeing to access the Social Security Administration's computer system to run search queries for Harris.

Harris, a 50-year-old Los Angeles resident, pleaded guilty in September to conspiracy and unlawful possession of a means of identification. Harris, who faces a maximum sentence of 10 years in prison, is scheduled to be sentenced on July 17.

The government contends that Harris would give Batiste some identifying piece of information about someone -- either a name or Social Security number -- and Batiste would then query the government system to pull up enough other identifying information to put the person's identity at risk.

According to a government report, Batiste allegedly was paid $20 for every search query she ran on the government computer system to obtain information for Harris. The indictment goes on to allege that Harris and his co-conspirators used the information to make approximately $2.5 million worth of unauthorized charges to credit card accounts.



What hath TJX wrought? Companies are looking to replace credit cards?

http://www.financialexpress.com/fe_full_story.php?content_id=160928

Lightening your stuffed wallet

... Hackers are not the only ones making a killing from plastic. Every time a customer uses a card, retailers must pay an “interchange” fee. This levy is, in effect, a toll for using the payment networks of Visa, MasterCard and others, which is mostly paid to the banks that issue such cards.

According to Nilson Report, a trade magazine, American merchants shelled out $56 billion in payment-card fees last year (see chart), over twice the amount they paid five years earlier. Small retailers feel the pinch the most. Celent, a research outfit, estimates that a small grocer with $1m in sales has seen interchange costs jump by 16% a year on average since 2000.

Taking aim at both of these flaws is GratisCard, a new payments system backed by Steve Case, the founder of AOL, launched later this month. The card, which can function as a debit, credit or prepaid card, is entirely anonymous. A thief who steals one will not find a customer’s name or account number on it, nor will a hacker find anything to decode in the card’s magnetic strip. Instead, customer data are stored in GratisCard’s data centre [AKA “the target” Bob] in Florida and sent to the till only as needed.

GratisCard will be the first to use the internet to zip data among merchants and banks. This allows it to side-step the big payment networks and their stiff interchange fees. Merchants that accept GratisCard simply pay a processing fee capped at 0.5% of a transaction.

Others are also hoping to profit from undercutting interchange fees. A handful of companies have sprung up offering payment cards that pull money directly from a customer’s bank account through the “automated clearinghouse” network, which was originally set up to settle cheque payments and now also handles electronic ones. One such outfit, Tempo Payments, charges a fee of 15 cents or less per transaction. Another, Pay By Touch, lets a customer pay from his bank account with an imprint of his finger. Almost half the accounts at PayPal, the popular online payments service, are financed directly from customers’ bank accounts.



Another follow-up. I'm beginning to suspect there is more going on here than has been reported... (Perhaps something like the next article?)

http://www.nbc6.net/news/11862075/detail.html

ChildNet Agency's Stolen Laptop Issue Warrants FBI Coverage

POSTED: 6:23 pm EDT April 13, 2007 UPDATED: 7:02 pm EDT April 13, 2007

FORT LAUDERDALE, Fla. -- A Broward County child welfare agency is under fire, officials said, and workers were told Friday to stay home as Federal Bureau of Investigation agents moved in.




Have you always wanted to be an e-criminal?

http://www.f-secure.com/weblog/#00001168

Friday, April 13, 2007 Posted by Sean @ 13:42 GMT

Video - Rock Phish

We have another phishing related demo for you today. This time it's a Rock Phish Kit in action. Rock Phish allows nontechnical individuals to create and carry out phishing attacks.

Demo (AVI – 8201k) Demo (SWF – 2821k) The video is also available via our YouTube Channel.



Breathing? Here comes the IRS

http://news.com.com/2100-1028_3-6176041.html?part=rss&tag=2547-1_3-0-5&subj=news

Selling stuff online? Here comes the IRS

By Declan McCullagh Story last modified Fri Apr 13 18:44:00 PDT 2007

Americans who sell items through Internet auction sites could be in for an unpleasant surprise at tax time next year, thanks to an IRS proposal designed to identify taxpayers who don't report income from those sales.

The U.S. Treasury Department wants Congress to force auction sites like eBay, Amazon.com and uBid.com to turn over the identities and Social Security numbers of a large portion of their users to the IRS--so tax collectors know how much each person made through online selling.

The effort is part of a larger plan, which enjoys enthusiastic support from both Democrats and Republicans, to close what's known as the "tax gap." It's a broad term that covers Americans who don't file tax returns or those who underreport their income, and the IRS believes it to total around $345 billion for the 2001 tax year.

But the proposal is likely to encounter stiff opposition from Internet auction aficionados, free-market advocates and the auction Web sites themselves, not all of which are large enough to be able to comply with the rules without financial hardship.

"It's a total nightmare," said Matt Stinchcomb, vice president of marketing for Etsy.com, which allows people to sell handmade goods. "Our goal as a company is to allow people to make a living making things, and this is just another impediment to that."

Stinchcomb said Etsy would be uncomfortable asking its users to divulge their Social Security numbers, which are required on the IRS 1099 forms used to report untaxed income. "There are so few things now that are private and sacred," he said. "I feel like your SSN is one of them. Imagine, too, if every e-commerce site starts requiring this, the amount of times that data will be collected or falsely collected. There's a huge potential for fraud and identity theft."

But Washington politicians are looking around for any idea that will increase tax revenue without a formal vote to raise taxes.

... "What's happening is there's this assumption that people aren't reporting," she said. "There are a good number of people who are professional sellers on eBay. However, there's no evidence or any kind of statistic out there to indicate those folks aren't already accurately reporting to the IRS."

... "The IRS coveted this kind of data for years and they didn't have a chance of forcing you to collect it from garages, from flea markets," said Steve DelBianco, vice president for public policy at the Association for Competitive Technology, which represents thousands of technology companies. "But they have a chance in the online world. They're getting the data because they can, not because it'll generate significant amounts of income."



Show me a better tool and I'll use it. Tell me my tax dollars should support your research and I'll say “Pork!”

http://hardware.slashdot.org/article.pl?sid=07/04/13/2130206&from=rss

National Projects Aim to Reboot the Internet

Posted by Zonk on Friday April 13, @09:09PM from the do-it-right-this-time dept.

iron-kurton wrote with a link to an AP story about a national initiative to scrap the internet and start over. You may remember our discussion last month about Stanford's Clean Slate Design project; this article details similar projects across the country, all with the federal government's blessing and all with the end goal of revamping our current networking system. From the article: "No longer constrained by slow connections and computer processors and high costs for storage, researchers say the time has come to rethink the Internet's underlying architecture, a move that could mean replacing networking equipment and rewriting software on computers to better channel future traffic over the existing pipes. Even Vinton Cerf, one of the Internet's founding fathers as co-developer of the key communications techniques, said the exercise was 'generally healthy' because the current technology 'does not satisfy all needs.'"



What a shock! Perhaps they are learning about sex from other sources?

http://news.yahoo.com/s/ap/20070413/ap_on_go_ot/abstinence_study

Study: Abstinence classes don't stop sex

By KEVIN FREKING, Associated Press Writer Fri Apr 13, 5:37 PM ET

WASHINGTON - Students who took part in sexual abstinence programs were just as likely to have sex as those who did not, according to a study ordered by Congress.


Perhaps I should ask for a review copy... Purely for academic purposes. (Probably available on YouTube)

http://www.chicagotribune.com/news/local/chi-070413lynwoodapr13,1,1860377.story?coll=chi-news-hed&ctrack=3&cset=true

Principal, teacher resign after racy DVD made public

Tribune staff report April 13, 2007, 9:47 PM CDT

Cook County sheriff's police are trying to figure out who recorded a south suburban school principal engaging in sex acts with two school employees on separate occasions in his office.

The sounds and images, burned to DVD, were mailed this week to parents and news outlets.

Leroy Coleman, principal of Sandridge Elementary School, near Lynwood, resigned Thursday, citing health reasons, said John Izzo, an attorney for the district. A female teacher resigned the same day, citing family illness, and a teacher's aide quit Friday without explanation, he said.

John Palcu, first deputy chief with the Cook County sheriff's police, said investigators were working with the state's attorney's office to determine if charges could be brought against any or all of the adults caught on video or the person who recorded them. [Has the law been broken? Bob]

Palcu noted that parents of Sandridge students were concerned about the principal's lack of judgment and the fact that the sexual encounters could have happened while school was in session. [Clearly, this is an after-school activity! Bob] If that's true, Coleman could face official misconduct charges, Palcu said.

Izzo expressed concern about the incidents on many fronts.

"Somebody without permission gained access to confidential district office space and planted a surreptitious recording device, [What makes you think it was surreptitious? Bob] and that's frightening," Izzo said. "There are confidential records there—student records."

He said no one at the district level had seen the DVD, but he was told the images could be a few months old.

The principal and the women are also to blame, Izzo said.


All you need to attract your own personal “monitor” is an audience and a viewpoint they disagree with. (Pay attention politicians.)

http://politics.slashdot.org/article.pl?sid=07/04/14/0524206&from=rss

Blogger Spurs US Radio Host's Firing

Posted by Zonk on Saturday April 14, @06:26AM from the those-tubes-they-reach-everwhere dept.

jas_public writes "The Wall Street Journal reports on the controversial events which ultimately led to the firing of radio shock jock Don Imus. 'At 6:14 a.m. on Wednesday, April 4, relatively few people were tuned into the "Imus in the Morning Show" ... Ryan Chiachiere was. A 26-year-old researcher in Washington, D.C., for liberal watchdog organization Media Matters for America, he was assigned to monitor Mr. Imus's program. Mr. Chiachiere clipped the video, alerted his bosses and started working on a blog post for the organization's Web site.' The article breaks down how that viral video clip and word of mouth outrage reached the ears of the presidents of CBS and MSNBC, ultimately leading to Imus' dismissal."

Friday, April 13, 2007

Remember, this is the same TJX who assured us the breach was smaller than initially reported and certainly “not millions”

http://www.boston.com/business/personalfinance/articles/2007/04/12/analysts_tjx_case_may_cost_over_1b/?page=1

Analysts: TJX case may cost over $1b

Insurance, tax credits could trim expenses for Framingham firm

By Ross Kerber, Globe Staff April 12, 2007

If the loss of millions of customer credit- and debit-card records from TJX Cos. plays out like previous data-breach cases, the final cost of the theft could add up to more than $1 billion, some technology analysts say.

The exact cost to TJX itself is unclear and may be lower. Insurance and tax credits [the government encourages security breaches? Bob] may offset the Framingham retailer's expenses, which could be spread over several years. Banks that issue the credit cards may also have to pick up part of the costs.

Regardless, the liability would be among the highest associated with lost or stolen data, say analysts.

... Because TJX's breach was so extensive, they say, regulators and business partners will be looking for hefty penalties. "When you hit a million or more records, then you get much more scrutiny," said Jon Oltsik, senior analyst for Milford consulting company Enterprise Strategy Group, who is among those who estimates that the TJX breach could cost more than $1 billion.

TJX, which operates stores such as TJ Maxx, Marshalls, and HomeGoods, has said it spent $5 million through the end of January on costs such as technical and legal fees and customer communications related to the breach. The company believes that hackers tapped into its computer system and compromised more than 45 million customer records going back as far as 2003, the largest data breach to date.

In a recent securities filing, TJX said it may incur unspecified losses due to claims by banks, customers, and shareholders, and from costs like technical and legal expenses, all of which "could be material to our results of operation and financial condition."

TJX spokeswoman Sherry Lang called the $1 billion cost estimates "pure speculation by people who are outside the company." She said it is hard to compare the cost of TJX's breach with previous cases since every example has "many variables and no two situations are the same, and no two companies are the same."

So far, investors and Wall Street analysts haven't reacted strongly. TJX's shares closed at $27.82 yesterday, compared to $29.85 on Jan. 16 the day before TJX disclosed the matter. One reason is that most investors don't expect the final costs to be so significant.

"The worst case here is that there's some financial penalty to them, and I don't see how it could be major in relation to their business," said Richard Pzena of Pzena Investment Management LLC in New York, one of TJX's largest shareholders.

... Forrester study author Khalid Kark said in an interview that $1.35 billion is a realistic minimum estimate of TJX's costs over several years, though he acknowledged it could be lower because of insurance and other factors. But Kark added that regulators and business partners like banks are primed to seek big payouts from TJX amid increasing concerns about protecting customer data and will be "looking for a scapegoat, basically."

TJX already faces more than a dozen lawsuits seeking damages over the breach. One brought by AmeriFirst Bank of Alabama seeks to represent other institutions that will have to reissue credit cards at a cost of $20 each, money it seeks to recover from TJX.

... "They could handle it out of their cash flow over the next few years, if necessary, so it doesn't threaten their financial viability," Pzena said. For the 12 months ending Jan. 27, 2007, TJX reported a profit of $738 million on sales of $17.4 billion.

Pzena also noted TJX recently increased its dividend and authorized repurchasing more shares. "They don't seem to be worried that there is a significant cash drain coming in the near future," he said.


http://techdirt.com/articles/20070412/181810.shtml

Will TJ Maxx Lose 77% Of Its Customers Over Data Breach?

from the somehow,-we-doubt-it dept

It's easy to get people to say what you want them to say concerning how they would act in a specific situation, but try watching how they actually act and you'll realize that actions definitely do speak a lot louder than words. Some researchers are reporting that approximately 77% of people say they would stop shopping at stores that suffer data breaches. Interesting timing, given the huge data breach by TJX, owners of stores chains like TJ Maxx and Marshalls. While it is likely that the publicity around this story (including the fact that some of the data has already been used in various scams) will have some people thinking twice about shopping at TJX stores -- somehow we doubt they're going to lose anywhere near 77% of their business. It's easy to say you won't shop there, but when it comes time to buy the kids cheap clothes for the new school year, people will go right back to their old habits. Perhaps that's why companies don't seem to take these data breaches very seriously. Despite lots of anger, it doesn't seem like people actually follow through. Another study that came out today tries to quantify just how costly data breaches are, and finds that it tends to cost companies from $90 to $305 per lost record, suggesting TJX's breach will cost it $1.35 billion -- however, many people say that's probably a lot higher than what it will turn out to be in reality. TJX will get a slap on the wrist, people will keep shopping there and the company will probably be just as likely to lose your data in the future as it was in the past.


A good start, but you could adjust this as needed to reflect your environment.

http://www.bespacific.com/mt/archives/014534.html

April 11, 2007

Corporate Data Loss Cost Calculator

Tech//404® Data Loss Cost Calculator: "Data loss resulting from network security breaches and identity theft has become a regular occurrence. While the number of affected records can vary widely in any given data loss scenario, a recent study by the Ponemon Institute found that the average number was roughly 99,000. For recent examples and media reports, visit the data loss archive. Darwin created the Tech//404® data loss cost calculator as a tool to demonstrate the scope of negative financial impact an organization may face as a result of a data breach or identity theft data loss scenario. The calculator will automatically generate an average cost, and a plus/minus 20% range, for expenses associated with internal investigation, notification/crisis management and regulatory/compliance if the incident were to give rise to a class action claim."


Numbers to plug into the calculator above...

http://www.idtheftcenter.org/breaches.shtml

Identity Theft Resource Center

SECURITY BREACHES & FREEZES

Click here for ITRC's 2007 breach list. To date, it appears that there are more breaches than before but a trend to password protect or encrypt information is finally being seen. Please check regularly as this list will be updated at least twice a month.



Pretty good indication that the problem is systemic...

http://www.pittsburghlive.com/x/pittsburghtrib/news/cityregion/s_502354.html

UPMC apologizes for posting private patient information

By The Associated Press Thursday, April 12, 2007

The University of Pittsburgh Medical Center was trying to figure out how private information for about 80 patients, including names and Social Security numbers and even radiology images of their bodies, wound up on the Internet.

The information was first put on the Web inadvertently in 2005 then taken down. The information from a medical symposium held in 2002 was posted on an area of the Web site where the health system's faculty members are encouraged to share their work and other data, UPMC said in a statement Thursday.

Once the health network discovered patient names and other information were included, it was removed, but somehow it was posted again and remained on the Web site until UPMC was notified again on Tuesday, said Robert Cindrich, a former federal judge who now serves as UPMC's chief attorney.



If nobody cared (see last paragraph) why was the information online in the first place?

http://www.keloland.com/News/NewsDetail6374.cfm?Id=0,56215

BHSU Website Lists Personal Information

04/12/2007 7:32 AM

Several students at Black Hills State University in Spearfish were notified Wednesday that their Social Security numbers were mistakenly posted on the college's Web site.

A document announcing scholarship winners included the names and Social Security numbers for 56 students. It was placed online March 29th.

The document was immediately removed Tuesday after officials learned about the goof-up.

The affected students were also provided with information about identity theft and ways they could protect themselves if it should happen. There have been no reports so far of any problems, however.

Statistics indicate that the Black Hills State University scholarship document was accessed 12 times. [“Statistics” here probably means the network log... Bob]
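If "statistics" does mean the web server log, this is the kind of check an incident handler would run to quantify the exposure: parse the combined-format access log, keep only requests for the exposed document inside the window between posting and removal, and separate real downloads from crawler fetches, conditional (304) hits and HEAD probes. This is an added example, not code from BHSU or the article; the log lines, document path, timezone offset and crawler markers are constructed assumptions.

```python
import re
from collections import Counter
from datetime import datetime, timedelta, timezone

# Constructed sample lines in Apache/NCSA combined log format (not a real BHSU log).
SAMPLE_LOG = """\
203.0.113.7 - - [29/Mar/2007:09:14:03 -0600] "GET /scholarships/winners2007.pdf HTTP/1.1" 200 48213 "-" "Mozilla/5.0"
198.51.100.22 - - [30/Mar/2007:11:02:47 -0600] "GET /scholarships/winners2007.pdf HTTP/1.1" 200 48213 "http://www.example.edu/news" "Mozilla/4.0"
198.51.100.22 - - [30/Mar/2007:11:03:01 -0600] "GET /scholarships/ HTTP/1.1" 200 1034 "-" "Mozilla/4.0"
192.0.2.15 - - [02/Apr/2007:03:41:10 -0600] "GET /scholarships/winners2007.pdf HTTP/1.1" 200 48213 "-" "Googlebot/2.1 (+http://www.google.com/bot.html)"
203.0.113.7 - - [05/Apr/2007:16:20:55 -0600] "GET /scholarships/winners2007.pdf HTTP/1.1" 304 0 "-" "Mozilla/5.0"
192.0.2.88 - - [11/Apr/2007:08:00:12 -0600] "GET /scholarships/winners2007.pdf HTTP/1.1" 200 48213 "-" "curl/7.15.5"
192.0.2.88 - - [11/Apr/2007:08:00:13 -0600] "HEAD /scholarships/winners2007.pdf HTTP/1.1" 200 0 "-" "curl/7.15.5"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+) '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Assumption: the web server logs in US Central time (-0600) and the document went
# online March 29 and came down on Tuesday April 10, as the article states.
CENTRAL = timezone(timedelta(hours=-6))
EXPOSED_PATH = "/scholarships/winners2007.pdf"   # constructed path
POSTED = datetime(2007, 3, 29, 0, 0, 0, tzinfo=CENTRAL)
REMOVED = datetime(2007, 4, 10, 23, 59, 59, tzinfo=CENTRAL)

# Substrings that identify well-known crawlers (assumption; extend for your environment).
CRAWLER_MARKERS = ("bot", "spider", "crawl", "slurp")


def parse_line(line):
    """Return a dict for one combined-format log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    rec["status"] = int(rec["status"])
    rec["size"] = 0 if rec["size"] == "-" else int(rec["size"])
    return rec


def assess_exposure(log_text, path, posted, removed):
    """Summarise who actually fetched `path` while it was online.

    Only successful GETs inside the [posted, removed] window count as downloads.
    304 responses mean the client already held a copy; HEAD transfers no body;
    any hit outside the window means the file was still reachable and needs a look.
    """
    summary = {"downloads": 0, "crawler_downloads": 0, "conditional_hits": 0,
               "head_only": 0, "outside_window": 0, "unparsed": 0,
               "clients": Counter(), "first_seen": None, "last_seen": None}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            summary["unparsed"] += 1
            continue
        if rec["path"] != path:
            continue
        if not (posted <= rec["ts"] <= removed):
            summary["outside_window"] += 1
            continue
        if rec["method"] == "HEAD":
            summary["head_only"] += 1
            continue
        if rec["status"] == 304:
            summary["conditional_hits"] += 1
            continue
        if rec["status"] != 200:
            continue
        summary["downloads"] += 1
        summary["clients"][rec["ip"]] += 1
        if any(k in rec["ua"].lower() for k in CRAWLER_MARKERS):
            summary["crawler_downloads"] += 1
        if summary["first_seen"] is None or rec["ts"] < summary["first_seen"]:
            summary["first_seen"] = rec["ts"]
        if summary["last_seen"] is None or rec["ts"] > summary["last_seen"]:
            summary["last_seen"] = rec["ts"]
    return summary


if __name__ == "__main__":
    result = assess_exposure(SAMPLE_LOG, EXPOSED_PATH, POSTED, REMOVED)
    print(f"{result['downloads']} downloads from {len(result['clients'])} clients, "
          f"{result['crawler_downloads']} by crawlers, "
          f"{result['outside_window']} requests after removal")
```

A crawler download matters more than the raw hit count suggests: a search engine's cached copy can outlive the file on the site, so the cache should be checked and purged as part of the clean-up.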



Is the fact that they were dumped in someone else's dumpster an indication that someone other than the Elections Office had the cards?

http://www.theweekly.com/news/2007/April/11/voter_cards.html

Secretary of State Recovers Thousands of 'Active' Fulton County Voter Registration Cards

Voters' personal information exposed; investigation initiated immediately

Atlanta, GA (April 11, 2007) - Secretary of State Karen Handel today initiated an investigation regarding the disposal of approximately 75,000 voter registration application cards. The investigation will be led by the Georgia Bureau of Investigation (GBI), in conjunction with the Fulton County Solicitor General's Office and the Secretary of State's Inspector General.

The seized voter registration cards contain the voter's full name, address and complete Social Security Number. A preliminary review of a random sampling of the cards by investigators in the Secretary of State's office revealed that many of the discarded cards and forms are for active voters.

... "Additionally, because this breach also creates serious concerns about the overall operations of the Fulton County Elections Office, we will conduct an independent audit of the office to examine its policies and procedures, particularly the maintenance and security of records and information," Secretary Handel said.

The Secretary of State's Inspector General's office, acting on a call from a concerned citizen, recovered more than 30 boxes of voter registration application cards, voter precinct cards, and other forms and documents from a construction dumpster located in South Atlanta late Monday evening.

In a letter dated April 11, 2007, Secretary Handel asked Fulton County Chairman John Eaves and Fulton County to immediately begin contacting all Fulton County voters [Overreaction? Bob] about the potential exposure of their personal information.



This may be a follow-up

http://www.charlotteobserver.com/123/story/83747.html

Stolen laptop has BofA employee data

BofA notifies affected workers by letter, says no misuse detected

RICK ROTHACKER rrothacker@charlotteobserver.com Posted on Fri, Apr. 13, 2007

A stolen Bank of America Corp. laptop has resulted in lost personal information of current, former and retired employees, according to a letter sent this week to those affected.

The letter said a "limited" number of people were affected, but the Charlotte bank on Thursday would not provide a number. Employees at various levels of the company were affected, spokesman Scott Silvestri said.

... According to the letter, the laptop was stolen when an employee was a "victim of a recent break-in." Silvestri said he could not provide further information because the crime is under investigation.

... Bank of America's best known breach came in 2005 when it lost data tapes holding customer information for 1.2 million federal employees.

... In the letter, Bank of America said it was taking steps to "strengthen practices for the handling and storage of associate data to avoid future occurrences." Silvestri said the stolen laptop had "information protection features."



Interesting follow-up

http://www.sun-sentinel.com/news/local/southflorida/sfl-cchildnet12apr12,0,5437573.story?coll=sfla-home-headlines

Stolen ChildNet Laptop puts 12,000 at risk of ID theft

By Brian Haas and Bill Hirschman South Florida Sun-Sentinel April 12, 2007

FORT LAUDERDALE -- A laptop computer containing personal information on 12,000 ChildNet applicants has been stolen from the agency, the latest in a string of recent thefts at the nonprofit that runs Broward County's child welfare programs.

... Peter Balitsaris, president and CEO of ChildNet, acknowledged at a Wednesday afternoon press conference that the laptop contains financial and credit data, Social Security numbers, driver's license data and passport numbers for ChildNet program applicants. He said the computer doesn't have information about foster children and cannot be accessed without a password. He also said that there are no known full backups of the computer's hard drive, though his staff can work from paper copies of the information.

... Balitsaris said none of the 12,000 Broward residents affected had been notified of the theft as of Wednesday because ChildNet hadn't had time to mail letters out.

... Balitsaris said ChildNet has already corrected several problems. He said the agency's computer system will be backed up regularly and the laptop's contents will be deleted daily, the agency will hire a security consultant and at least 25 of the agency's first hires will have their criminal backgrounds re-examined.

... Police have named a 35-year-old Fort Lauderdale man who was employed as an assistant facility manager by ChildNet until Wednesday as a suspect in the laptop theft. They also said the man and his former ChildNet boss, a 47-year-old Coral Springs man who also had a criminal record, were suspects in the recent thefts of gift cards from the agency.

The agency fired both men Wednesday.



Debate all you want, this will happen.

http://www.pogowasright.org/article.php?story=20070412073847788

Biometrics in K-12: The Legal Conundrum

Thursday, April 12 2007 @ 07:38 AM CDT - Contributed by: PrivacyNews - Minors & Students

Biometrics are among the latest implementations for school security. There are many issues to consider, which have been voiced by parents, students, and civil liberties groups. It's an international issue. Just look at LeaveThemKidsAlone.com, and you will see the extent of the uproar raised in the United Kingdom regarding fingerprinting of children in schools. For the most part, questions are the same ones being posed in our own country. Blogs are in use to discuss the issue in the United States and abroad, such as Pippa King's Biometrics in Schools.

Source - The Journal via Biometrics in schools: Valid concerns from the USA



Who determines what speech can be free?

http://techdirt.com/articles/20070411/171341.shtml

MySpace Accused Of Trampling Man's Right To 'Use Site In Peace'

from the ooooooooooooookay... dept

MySpace is at the center of another free-speech case, only this time it's the one that's alleged to be doing the infringing. A Missouri man has sued MySpace (unsurprisingly, pro se) for infringing his freedom of speech by "arbitrarily deleting TWO profiles" established by the man and a host of other complaints, including violating his "freedom to use the social networking site in peace". We're still looking through our copy of the Constitution to find the part about the right to use social-networking services, but maybe we've got an old version. Never mind that we thought the part about freedom of speech really only applied to the government; we weren't aware that it also meant private companies had to provide anyone and everyone with a platform to speak, and ensure it conforms to that person's every wish. The guy's stolen a few pages out of MySpace founder Brad Greenspan's playbook, and his blog-comment threats to bankrupt MySpace, bulldoze its headquarters and turn the area into a housing estate -- and then to sway Fox News' coverage even further to the right -- would seem to suggest that this case will meet the same kind of response as Greenspan's.



What's that crime worth?

http://www.pogowasright.org/article.php?story=20070412064633116

UK: Jail for unlawful computer access

Thursday, April 12 2007 @ 06:46 AM CDT - Contributed by: PrivacyNews - Non-U.S. News

Police officers had to realise that accessing the police national computer for an improper purpose was an offence that required an immediate prison sentence.

The Court of Appeal, Criminal Division, so stated in allowing an application by the Attorney-General under section 36 of the Criminal Justice Act 1988 to refer as unduly lenient a prison sentence of 28 weeks, suspended for two years, and 300 hours of unpaid work imposed on James Andrew Hardy by Judge Pugsley at Derby Crown Court on December 8, 2006 following his plea of guilty to misfeasance in a public office. A prison sentence of nine months was substituted. [NOTE: Three months per person? Bob]

... The offender had used the police national computer system to download information on three people. He gave that information to Jolley, a known criminal whose record included offences of violence, in order to enable Jolley to take the law into his own hands by dealing with those who had, so he believed, committed offences against himself or a close friend.

Source - Times Online



A computer is a computer, and a hacker is a hacker. (Bob's words of wisdom for today.)

http://it.slashdot.org/article.pl?sid=07/04/13/068222&from=rss

Sri Lankan Terrorists Hack Satellite

Posted by CowboyNeal on Friday April 13, @05:52AM from the can't-make-this-stuff-up dept. Security Television Wireless Networking IT

SorryTomato writes "The Tamil Tigers Liberation Front, a separatist group in Sri Lanka which has been classified as a terrorist group in 32 countries, has moved up from routine sea piracy to a space-based one. They have been accused of illegally using Intelsat satellites to beam radio and television broadcasts internationally. Intelsat says that they will end the transmissions 'within days.' Intelsat has been accused of having business links with Hezbollah before, but claim that they are blameless this time and LTTE was using an empty transponder."



Is this how HP should have done it?

http://www.infoworld.com/article/07/04/12/HNmspressureonleak_1.html?source=rss&url=http://www.infoworld.com/article/07/04/12/HNmspressureonleak_1.html

Microsoft pressures testers after software leak

The company is cutting off a group of testers until it finds the identity of the one who leaked a preview of Windows Home Server

By Elizabeth Montalbano, IDG News Service April 12, 2007

Microsoft is taking tough measures to find out who leaked a CTP (Community Technology Preview) of Windows Home Server to The Hotfix.net blog after the software preview was posted on the site by a user named "Richard" soon after it was released to a small group of testers.

In an e-mail to testers obtained by the IDG News Service, Kevin Beares, the Windows Home Server community lead at Microsoft, wrote to MVPs (Most Valuable Professionals) whose names contain "Richard" [because no one could use an alias... Bob] that they will not have access to the beta until he finds out who leaked the software to The Hotfix.net site.



Google's plan to take over the world is starting to reveal itself. Note what you can offer when you have lots of cash laying around...

http://googleblog.blogspot.com/2007/04/google-checkout-open-in-uk.html

Google Checkout arrives in the UK!

Friday, April 13, 2007 at 12:36:00 AM Posted by Jerry Dischler, Senior Product Manager

We're excited to tell you that as of this morning the speed, security, and convenience of Google Checkout is available to online shops and shoppers in the United Kingdom. Here's Google Checkout UK.

From now until 2008, merchants that offer Checkout in the UK will receive free credit and debit card processing for all of their Checkout sales. And just so buyers don't feel left out, we're giving them £10 off all orders over £30.



Take a hike!

http://googleblog.blogspot.com/2007/04/hikes-on-fly.html

Hikes on the fly

Thursday, April 12, 2007 at 3:19:00 PM Posted by Larry Fox, Business Development, Trimble Outdoors

Many of you reading this may already know that Trimble Outdoors has partnered with Google to provide Google Earth viewers with GPS-based interactive hiking information. We’re very excited about being able to share all the great GPS content we’ve developed over the years and through partnerships with magazines including Backpacker, Bicycling and Mountain Bike. It’s an outstanding resource for outdoors enthusiasts, or really, anyone who wants to do a little research before setting out on a hike.

... you can click one button, and the exact trail route is exported to your GPS-enabled phone.

Thursday, April 12, 2007

Security costs now, breach costs later. That's what risk analysis is about!

http://www.informationweek.com/news/showArticle.jhtml?articleID=199000222

Security Breaches Cost $90 To $305 Per Lost Record

Forrester Research surveyed 28 companies that had some type of data breach and found it difficult to calculate the expenses that resulted.

By Sharon Gaudin, InformationWeek April 11, 2007

While security breaches can cost a company dearly when it comes to a marred public image and a loss in customer confidence, the actual financial costs can be staggering.

The average security breach can cost a company between $90 and $305 per lost record, according to a new study from Forrester Research. The research firm surveyed 28 companies that had some type of data breach.

"After calculating the expenses of legal fees, call centers, lost employee productivity, regulatory fines, stock plummets, and customer losses, it can be dizzying, if not impossible, to come up with a true number," wrote senior analyst Khalid Kark in the report. "Although studies may not be able to determine the exact cost of a security breach in your organization, the loss of sensitive data can have a crippling impact on an organization's bottom line, especially if it is ill-equipped, and it's important to be able to make an educated estimate of its cost."

Kark said calculating the cost of a breach is murky territory and he did the survey to shed some light on the costs associated with breaches, which seem to be reported with increasing frequency.

A recent Forrester survey found that 25% of respondents do not know, or do not know how to determine, the cost of data security breaches. Kark said the majority of organizations will incur a wide array of associated costs, sometimes significant enough to even put them out of business.

... He reported that discovery, response, and notification costs can be substantial. He averaged them out to be about $50 per lost record.

... Lost employee productivity also is a significant cost.

... The report also noted that managers need to plan ahead for possible regulatory fines, loss in the company's customer base, restitution fees, and additional security and audit requirements.



Looks like the first case study of the TJX breach, and it's only $1250.00

http://www.pogowasright.org/article.php?story=20070411123643776

Study: Data Breaches Break Consumer Trust

Wednesday, April 11 2007 @ 12:36 PM CDT - Contributed by: Lyger - Breaches

E-commerce sites that have not been diligent in protecting their consumer information from attacks may find their customer bases drop off as a result.

If you want to keep people visiting your site, you need to provide them with a secure environment and take steps to keep it that way. A study from Javelin Strategy showed that breached merchants will be hard-pressed to keep customers.

Source - SecurityProNews



Naked justice? (There are so many potential jokes I could make...)

http://www.pogowasright.org/article.php?story=20070411130750528

CO: See-through machine installed at courthouse

Wednesday, April 11 2007 @ 01:07 PM CDT - Contributed by: Lyger - State/Local Govt.

Technology normally used at the airport has made its way to the El Paso County Courthouse. Starting April 18, the Terry R. Harris Judicial Complex will begin using its new $140,000 body scanning machine to check for security threats. The ProVision Body Scanning Checkpoint Security System uses radio waves to see through clothing in search of weapons.

However, the nature of this technology raises privacy concerns. ProVision Vice President of International Sales John Marsala says the public should not be worried about exposing themselves to security screeners.

Source - KOAA



Why would anyone want to be an identity thief?

http://www.ajc.com/metro/content/metro/stories/2007/04/11/0411metmortgage.html

ID theft 'poster child' nets $7 million

By BILL TORPY The Atlanta Journal-Constitution Published on: 04/11/07

He drove sports cars, took European vacations, got hair plugs for himself and breast augmentation surgery for a girlfriend.

For nearly four years, Matthew Cox lived the high life by assuming other people's identities and committing mortgage fraud on a massive scale.

The former University of South Florida art student's spree was remarkable: He stole more than $7 million. He did it in at least four states, including Georgia. He assumed nearly 50 identities. His scams included 125 properties, some of which he took out several loans against.

... "The homeless are underutilized," he once told some friends, said Paula Hutchinson, a defense attorney for one of Cox's co-defendants.



This could be true. Consider that the RNC has a policy with a faster “time-to-delete” requirement than the White House. An e-Discovery consideration?

http://thinkprogress.org/2007/04/11/rnc-claims-it-lost-white-house-emails/

White House Claims It Lost RNC Emails

“The White House said Wednesday it had mishandled Republican Party-sponsored e-mail accounts used by nearly two dozen presidential aides, resulting in the loss of an undetermined number of e-mails concerning official White House business.”

White House spokesman Scott Stanzel “could not say what had been lost, and said the White House is working to recover as many as they can. The White House has now shut off employees’ ability to delete e-mails on the separate accounts, and is briefing staffers on how to better make determinations about when — and when not — to use them, Stanzel said.”

UPDATE: The Politico has more details:

This is a big problem for the White House, and Waxman said it raised ’serious legal and security concerns’ about the e-mail related activities of Bush administration aides.

Waxman’s staff are supposed to meet with RNC officials on Thursday about the “rnchq” and “gwb.43” e-mail accounts, which some White House officials, like Deputy Chief of Staff Karl Rove, use for authorized political work. Waxman suspects that White House aides were using the accounts to evade presidential record-keeping requirements.

The Politico also reports that the White House held a private briefing on the situation for some reporters, who relayed the message, “it’s really bad for the White House.”



Remember the exploding battery story?

http://www.eweek.com/article2/0,1759,2112974,00.asp?kc=EWRSS03119TX1K0000594

Sanyo Sees $17 Million Loss from Battery Recall

By Reuters April 11, 2007

TOKYO (Reuters)—Japan's Sanyo Electric Co. Ltd. said on Wednesday it is set to book a loss of 2.04 billion yen ($17 million) in its earnings for the year that just ended to cover part of the cost to recall mobile phone batteries.



The downside of success...

http://www.redorbit.com/news/technology/898498/google_faces_brain_drain_as_anniversaries_hit/index.html

Google Faces Brain Drain As Anniversaries Hit

SAN JOSE, Calif. -- Less than three years after going public, Google is confronting one of the more confounding consequences of its phenomenal success: a potential brain drain if its earliest -- and richest -- employees quit after earning the right to cash in the last of the stock options that made them millionaires.

Hundreds of the 2,300 Googlers hired before the Internet juggernaut's initial public offering in August 2004 are hitting their fourth anniversary. When they do, they'll be free to cash in the final portions of their pre-IPO options, collectively worth an estimated $2.6 billion before taxes.



Nothing in government can move this fast...

http://www.bespacific.com/mt/archives/014519.html

April 11, 2007

DNI Announces 100 Day Plan for Integration and Collaboration

Press release: "Today, as in the past, the United States and our allies face dangerous challenges to our security, freedom, and way of life. The current global environment, however, is more interconnected, complex, and dynamic than the bipolar world of the Cold War. The advance of globalization has enabled, amplified, and accelerated threats stemming from international terrorism, weapons of mass destruction (WMD) proliferation, failed states, and illegal drug trafficking. These threats, among others, move at increasing speeds due to technology and across geographic and organizational boundaries, blurring the distinction between foreign and domestic threats, and between strategic and tactical events."



How can you use data mining? (why would anyone want to do this? See next article...)

http://yro.slashdot.org/article.pl?sid=07/04/11/239243&from=rss

Xeroxing Personal Data From Your Browsing History

Posted by samzenpus on Wednesday April 11, @10:27PM from the xerox-knows dept.

grease_boy writes "Xerox has filed a patent covering a technique to recover demographic information like your age, sex and perhaps even your income by analysing the pattern of web pages you browse. They want to license the technique to online advertisers and shops. Read the full patent here."


There's gold in them thar clicks!

http://techdirt.com/articles/20070410/140020.shtml

ISPs On Selling Your Clickstream Data: No Comment

from the move-along-now-nothing-to-see-here dept

Last month there was a story floating around about how ISPs are making a lot of money selling off your clickstream data -- something they don't advertise, but which could have tremendous privacy implications. ISPs stayed pretty quiet following that and hoped the story would blow over -- but Broadband Reports points us to the news that the intrepid reporters over at Wired are calling up various ISPs to try to get a straight answer as to whether any of the big names are selling data on what you do online. So far, there seem to be an awful lot of "no comments" (or similar answers) on the list. While the ISPs seem to hope that this story will disappear, it has the makings of something that will come back to bite them in the future. Generally speaking, if ISPs are unwilling to admit to a reporter that they're selling customer data to third parties, that probably means they shouldn't be doing it...



New term?

http://techdirt.com/articles/20070411/101656.shtml

US Air Force Aims High With Bluespam

from the droppin-bombs dept

It seems that more and more brands and companies are trying to market themselves via Bluespamming -- sending out unsolicited messages and requests for connections to nearby mobile phones via Bluetooth. Marketers that use the practice, of course, don't call it Bluespam, and see it as a wonderful mechanism to use, even though the vast majority of people that receive the messages aren't interested in them. Now, it's the US Air Force that's turning to Bluespamming, as it plans to use the method to harass mobile phone users at a NASCAR race this weekend. A rep says Bluespamming will help prove the Air Force's high-tech chops to impressionable kids, while somebody from its ad agency says that it will help attract "tech savvy" recruits. Would they say the same things about email spam? Probably not. It's hard to see how annoying just about anybody with a Bluetooth phone in a particular area is a good way to market yourself, and never mind the horrific user experience of delivering content via mobile marketing. Needless to say, it's great to see the US government getting into the spamming business.



Using technology to get the word out...

http://www.pogowasright.org/article.php?story=20070411224745742

ANNOUNCE: New video on REAL ID

Wednesday, April 11 2007 @ 10:47 PM CDT - Contributed by: PrivacyNews - Fed. Govt.

Sent to us by the ACLU:

The ACLU has put out a new video short on the Real ID issue.

The piece (about 90 seconds long) stars Bill Cattorini, a retired Chicago fireman who's been caught in a bureaucratic limbo because of a discrepancy between the birth date listed on his driver's license and the date on his social security card. That was never an issue until Illinois began trying to comply with some parts of Real ID. Now Cattorini can't drive.

Cattorini is hardly unusual in having a quirk or discrepancy in his bureaucratic records. He represents the millions of others who will face similar problems, and worse, if Real ID goes into effect.

The ACLU has also set up an action center, where activists can see what's going on in their state - in states where legislation is moving, it lets activists shoot a message to their state legislators.



There are innocent people?

http://www.bespacific.com/mt/archives/014527.html

April 11, 2007

Tarlton Law Library Announces Actual Innocence Awareness Database

"The Tarlton Law Library has compiled an Actual Innocence awareness database which contains citations (and links, where possible) to current articles, scholarship, legislation and other materials in the dynamic world of wrongful convictions. The materials are classified into what are considered the primary causes of wrongful conviction: forensics/DNA; eyewitness identification; false confessions; jailhouse informants; police and/or prosecutorial misconduct; and ineffective representation. There is also a “general” category for those items which defy further categorization. The website will be updated as new resources become available. Please direct any questions or comments about this service to Melissa Bernstein."



Could it be that they have more money?

http://techdirt.com/articles/20070411/154713.shtml

Why Is It That Online Services Companies Need To Be Moral -- But Individuals Don't?

from the just-wondering dept

And here we go again. The latest politician to point the blame gun at the wrong target is the UK's education secretary, Alan Johnson. He was out complaining about cyberbullying and said that websites that host videos have a "moral obligation" to filter such content and take it down. There's been a lot of overreacting to cyberbullying lately, including things like banning YouTube in schools because it's been used for cyberbullying. However, again, the blame-placing is totally misguided. It's not YouTube or any other site's fault or "moral responsibility" to deal with the sophomoric actions of kids. It's the kids themselves and their parents. If YouTube has a "moral responsibility" to guard against this type of thing, then why don't the kids themselves have a much larger moral responsibility? Why isn't the education secretary focused on, I don't know, actually educating students about bullying, so they can learn how to better deal with it, rather than pretending he can hide it by asking online sites to deal with the problem. He also seems somewhat confused (someone should educate him) about how the internet actually works, and why it's really not reasonable or feasible for these sites to monitor and filter such content. Finally, the focus on the "cyber" part of the bullying is also misguided. Bullying is bullying -- and why should it matter if it's done online or done in person? The focus should be on bullying, period, without worrying about whether or not it involves the internet. Pretending that you've solved bullying just because you've taken it offline is a head-in-the-sand approach, where you pretend that just because you can no longer see it, it's gone away.



FUD as driver of law?

http://it.slashdot.org/article.pl?sid=07/04/11/1952247&from=rss

The Myth of the Superhacker

Posted by CowboyNeal on Wednesday April 11, @04:49PM from the scourge-of-the-internet dept. Security The Internet

mlimber writes "University of Colorado Law School professor Paul Ohm, a specialist in computer crime law, criminal procedure, intellectual property, and information privacy, writes about the excessive fretting over the Superhacker (or Superuser, as Ohm calls him), who steals identities, software, and media and sows chaos with viruses etc., and how the fear of these powerful users inordinately shapes laws and policy related to privacy and digital rights."



Dilbert on e-discovery...

http://www.unitedmedia.com/comics/dilbert/archive/images/dilbert2007458210412.gif