Friday, March 28, 2008

Another TJX victory!

http://www.pogowasright.org/article.php?story=20080327120519773

FTC settles charges against TJX, and Data Brokers Reed Elsevier and Seisint for security failures

Thursday, March 27 2008 @ 12:05 PM EDT Contributed by: PrivacyNews News Section: Breaches

In two unrelated Federal Trade Commission actions, discount retailer TJX and data brokers Reed Elsevier and Seisint have agreed to settle charges that each engaged in practices that, taken together, failed to provide reasonable and appropriate security for sensitive consumer information. The settlements will require that the companies implement comprehensive information security programs and obtain audits by independent third-party security professionals every other year for 20 years.

Source - FTC Press Release

Related - Agreement Containing Consent Order, TJX [pdf], other TJX files
Related - Agreement Containing Consent Order, Reed Elsevier Inc. and Seisint, Inc. [pdf], other Reed Elsevier and Seisint files



Well yes, we knew this... How about more details of what went wrong. (A fairly lucid article from someone who has done their homework)

http://www.pogowasright.org/article.php?story=20080327193959978

Hannaford may not have to pay banks' breach costs under PCI, says Gartner

Thursday, March 27 2008 @ 07:39 PM EDT Contributed by: PrivacyNews News Section: Breaches

If Hannaford Bros. Co. was compliant with the Payment Card Industry (PCI) Data Security Standard at the time it was breached, banks and credit unions will have a hard time getting the supermarket chain to pay their breach-related costs, according to a Gartner Inc. analyst.

Source - Computerworld

[From the article:

Hannaford spokeswoman Carol Eleazer today said the company was certified as being compliant with PCI as recently as this February. Hannaford had been similarly certified last year, Eleazer said.

... Under PCI rules, it is these acquiring banks that are directly responsible for ensuring that their merchants are PCI-compliant.



Apparently China wanted to know... Who else would want that information? The article does not suggest these files were on a computer, so someone had to enter the offices, locate the files (nothing else taken?) and carry them out.

http://www.pogowasright.org/article.php?story=20080327132942768

UK: Sue Barker's personal details stolen in Olympic security breach at BBC

Thursday, March 27 2008 @ 01:29 PM EDT Contributed by: PrivacyNews News Section: Breaches

Detectives have been called into the BBC after the personal files of the 440 staff - including household name presenters - being sent to the Beijing Olympics were stolen.

Two files, containing the accreditation details of presenters such as Sue Barker and Sharron Davies, the Olympic swimming medallist, disappeared from a sport production office.

Internal security is being reviewed after the theft was discovered at the beginning of the week at Television Centre. The police were called after an internal search failed to find them.

Source - Telegraph



You know, we could assemble a great “Don't do this” guide just from the stories on data breaches. I wonder if anyone learns from the failures of others?

http://www.pogowasright.org/article.php?story=20080327193247154

Thief steals records of former, current DHR employees

Thursday, March 27 2008 @ 07:32 PM EDT Contributed by: PrivacyNews News Section: Breaches

A thief has stolen computer records containing identifying information on current and former employees of the state Department of Human Resources, including names, Social Security numbers, birth dates and home contact information, officials said Thursday.

DHR officials say the theft occurred about March 19. An external hard drive that stored a database was removed "by an unauthorized person," according to a statement issued by the agency.

The statement did not say how many employees are affected, but the agency employs about 19,000 people. DHR officials didn't respond to a request for information on the number of employees involved.

Source - AJC

[From the article:

In the meantime, DHR is requiring employees to have password protection on jump and flash drives and portable computers that contain personnel information. [But no encryption? Worthless... Bob]

The agency also instructed workers to secure these items when away from their desks.



Here's a legislative suggestion. Let's fine organizations $10 per individual exposed, with the money going to pay for more “computer cops”.

http://www.pogowasright.org/article.php?story=20080328060113425

No sure bets in personal data security

Friday, March 28 2008 @ 06:01 AM EDT Contributed by: PrivacyNews News Section: Breaches

When a Maryland dental HMO acknowledged this week that it had accidentally posted the names, addresses and Social Security numbers of 75,000 members on its Web site, the revelation made news.

But the security breach at The Dental Network is just one of more than three dozen filed so far this year with the Maryland attorney general's office[...]

Thirty-nine businesses or groups have reported losses of sensitive information involving about 87,500 Maryland residents in the three months since a state law took effect requiring that people be informed of such incidents, records show.

And though most of the security breaches are much smaller, they underscore how hard it is to completely protect computerized information. [I would say they show that many organizations still don't protect their data... Bob]

Source - Baltimore Sun



Implications of identity theft. (Something had to go right for this guy eventually)

http://www.pogowasright.org/article.php?story=20080327194123741

Credit bureau settles Los Gatos cancer survivor's suit

Thursday, March 27 2008 @ 07:41 PM EDT Contributed by: PrivacyNews News Section: Breaches

It's mind-numbing what Eric Drew has been through.

The former Los Gatos High School quarterback and runway model was diagnosed with leukemia seven years ago. A hospital lab technician stole his credit cards before he went into surgery. After that, credit card companies first blanketed him with cards he didn't want, then with threatening letters saying he owed them thousands of dollars. He thought his life was over, and even if he survived, he was afraid he was financially ruined because of identity theft.

But last week, the 40-year-old Drew announced he'd had a stroke of good fortune.

He settled with TransUnion, a credit reporting company in Chicago, one of six banks and credit card companies he sued under fair-credit and consumer-protection laws.

All Drew would say from his bed at O'Connor Hospital in San Jose - a small grin on his face - was that the money was "considerable" and "unprecedented."

Source - Mercury News

hat-tip, The Consumerist blog

[From the article:

The deal with TransUnion was reached in January. But Drew, who is temporarily living with his parents in Los Gatos because a redwood tree fell onto his San Jose condominium in January, didn't get around to announcing the news until Thursday. He's been undergoing severe joint replacement surgeries, first his hip, then his ankle, and last week, his knee.



Worth a look? Perhaps others could point to these resources?

http://googleblog.blogspot.com/2008/03/privacy-made-easier.html

Privacy made easier

3/28/2008 07:20:00 AM Posted by Jane Horvath, Senior Privacy Counsel

... With that in mind, today we're announcing a revamp of our Privacy Center. The new Center is a one-stop-shop for privacy resources, with various multi-media formats aimed to help you further understand how we store and use data, how to control who you share your data with, and how we protect your privacy.



They will sell this as a medical device (automatically dials 911 when the owner stops breathing) and a security device (works only for the “proper” user) but it could also “report” the DNA scans to insurance companies, governments, and other interested bystanders. Sometimes there is too much convergence...

http://www.infoworld.com/article/08/03/28/NTT-DoCoMo-steps-towards-bio-sensing-cell-phones_1.html?source=rss&url=http://www.infoworld.com/article/08/03/28/NTT-DoCoMo-steps-towards-bio-sensing-cell-phones_1.html

NTT DoCoMo steps towards bio-sensing cell phones

Researchers demonstrate technology that could eventually enable phones to monitor owner's health

By Martyn Williams, IDG News Service March 28, 2008



Ah... Another political solution to a technological problem.

http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9072438&source=rss_news10

Washington state passes RFID antispying law

Skimming personal data off an RFID card could lead to 10-year prison sentence

By Sharon Gaudin

March 27, 2008 (Computerworld) Washington Gov. Chris Gregoire this week signed a bill making it a Class C felony to use radio frequency identification (RFID) technology to spy on someone.

http://search.leg.wa.gov/pub/textsearch/ViewRoot.asp?Action=Html&Item=0&X=328081451&p=1 ??


Related? Or just a “well, duh” article?

http://www.infoworld.com/article/08/03/28/Analyst-Money-will-fuel-mobile-spying-programs_1.html?source=rss&url=http://www.infoworld.com/article/08/03/28/Analyst-Money-will-fuel-mobile-spying-programs_1.html

Analyst: Money will fuel mobile spying programs

Programs could ultimately become harder to detect, speaker at Black Hat says

By Jeremy Kirk, IDG News Service March 28, 2008

... Some of the more well-known spy programs are Neo-call and FlexiSpy. Neo-call is capable of secretly forwarding SMS (Short Message Service) text messages to another phone, transmitting a list of phone numbers called, and logging keystrokes. FlexiSpy has a neat, Web-based interface that shows details of call times, numbers and SMSes, and it can even use a phone's GPS (Global Positioning System) receiver to pinpoint the victim's location.



Interesting method to improve a weak law.

http://www.pogowasright.org/article.php?story=20080327131317680

Ca: iOptOut: My Response to the Do-Not-Call Disappointment

Thursday, March 27 2008 @ 01:13 PM EDT Contributed by: PrivacyNews News Section: Non-U.S. News

Regular readers of my work will know that I have been frustrated by Canada's do-not-call list, which contains far too many exceptions and has taken an embarrassingly long time to become operational. In response, today I am launching iOptOut, a website that will allow Canadians to opt-out of further phone calls (and emails) from dozens of organizations with a single click.

I began to develop the site soon after the do-not-call bill became law. The premise is simple - under the law, exempted organizations (which include charities, political parties, polling companies, newspapers, and companies with a prior business relationship) are permitted to make unsolicited telephone calls despite the inclusion of a number in the do-not-call registry. However, organizations must remove numbers from their lists if specifically requested to do so.

Source - Michael Geist's Blog



This is interesting. By extension, I could be next (since I link to a link that links to the link the French don't like...) No doubt Napoleon would say, “I have no idea what you are talking about.”

http://www.pogowasright.org/article.php?story=20080327145631880

French court fines user-generated website for privacy breach

Thursday, March 27 2008 @ 02:56 PM EDT Contributed by: PrivacyNews News Section: In the Courts

A Paris court ruled on Thursday that a user-generated website had violated a film star's privacy by hosting a link to a report about him, in a potentially landmark ruling for the French Internet.

The court ruled that fuzz.fr made an "editorial" decision to link to a story on a gossip news site about French actor Olivier Martinez and his relationship with singer Kylie Minogue -- and was therefore responsible for its content.

The fuzz.fr website -- taken offline following the lawsuit -- allowed users to post links to their favourite stories elsewhere on the web, with the most popular ones automatically displayed at the top spot.

Its creator Eric Dupin was ordered to pay 1,000 euros (1,600 dollars) in damages to Martinez and 1,500 euros in legal costs.

Source - AFP



Could this be done correctly?

http://www.pogowasright.org/article.php?story=20080328071331660

Hagens Berman Sobol Shapiro: Heavily Promoted Identity-Theft Protection Company, LifeLock, Sued for Misleading Consumers

Friday, March 28 2008 @ 07:13 AM EDT Contributed by: PrivacyNews News Section: In the Courts

Today an Arizona consumer filed a proposed class-action lawsuit against LifeLock, a heavily promoted company that claims to protect consumers against identity theft. The lawsuit alleges that the three-year-old company defrauds customers by offering services it cannot legally perform, and by touting a $1 million guarantee that the suit alleges is wildly misleading.

Filed in United States District Court for the District of Arizona, the suit seeks to recover money consumers paid to LifeLock.

[...] According to the complaint.... LifeLock will not pay any losses directly to the consumer and does not cover consequential or incidental damages to identity theft. The guarantee is limited to fixing failures or defects in the LifeLock services and paying other professionals to attempt to restore losses.

"The fine print in this $1 million guarantee is so limiting, we think it is almost worthless," said Rob Carey, partner in the law firm Hagens Berman Sobol Shapiro, who is representing consumers. "LifeLock buries the truth beneath a pile of inconsistencies and disclaimers so deep that we believe the intent is to mislead consumers so they don't make claims."

[...] According to the suit, LifeLock's "proven solution" consists of illegally placing and renewing fraud alerts under consumers' names with credit bureaus. Under the federal Fair Credit Reporting Act, however, corporations such as LifeLock are not allowed to place fraud alerts on a consumer's behalf - in fact, according to the complaint, the law was written so as to specifically bar credit-repair companies from improperly using fraud alerts.

Source - PR Newswire



Whatever you do, don't fix the problem!

http://techdirt.com/articles/20080326/194543660.shtml

Can The DMCA Be Used To Stifle Speech?

from the we're-about-to-find-out dept

Last summer, we wrote about a very questionable DMCA lawsuit filed by Coupons.com. The company lets people download coupons using its own software. The software is designed to limit how many copies of a coupon people can make. The company accused John Stottlemire of violating the anti-circumvention part of the DMCA by offering up some software that would help people get around the copy limit. However, he didn't just offer up software to do it, elsewhere he explained how you could do it manually, just by deleting a couple of files on your computer. That's hardly a "hack." There was no encryption to defeat, just some files to delete. Basically, Coupons.com couldn't be bothered to come up with a system that was actually secure and put in only the weakest of "protections." [Sound familiar? Bob]

Yet, Coupons.com claims that telling people to delete some files is circumventing their copy protection. The EFF (along with the Samuelson Law, Technology & Public Policy Clinic at UC Berkeley) have now filed an amicus brief with the court pointing out the numerous problems with the charges. As the filing notes, the DMCA is focused on people providing a "technology, product, service, device, component, or part thereof," and comments on a website hardly seem to qualify. It also notes that even if the court interprets written comments to be included, the DMCA is specific that it does not diminish any free speech rights. The filing also looks at other problems with the Coupons.com filing, including the company mixing up the difference between access controls and rights controls. Hopefully the judge realizes that this is (yet another) abuse of the DMCA and tosses the case out quickly.



Interesting article

http://digg.com/political_opinion/Slate_Magazine_The_Education_of_a_9_11_Reporter

Slate Magazine - The Education of a 9/11 Reporter

slate.com — The inside drama behind the Times' warrantless wiretapping story.

http://www.slate.com/id/2187498/

[From the article:

For more than an hour, we told Bush's aides what we knew about the wiretapping program, and they in turn told us why it would do grave harm to national security to let anyone else in on the secret. Consider the financial damage to the phone carriers that took part in the program, one official implored.



Out of the mouths of babes...

http://techdirt.com/articles/20080327/152312670.shtml

Mainstream Press Finally Realizing That Kids Want To Share News, Not Read News

from the it-took-them-this-long? dept

In an interesting followup to our earlier post about the state of the news business, Robin writes in to point us to a NY Times article all about how a younger generation of news readers now focus on sharing the news, rather than just consuming it. Mathew Ingram highlights the key sentence in the article, from a college student: "If the news is that important, it will find me." Very few mainstream publications have grasped that concept, even if some folks have been saying the same thing for years. It's time for those in the newspaper business to stop thinking of readers as straight consumers. They're distributors, promoters, creators and analysts of the news as well. Once you recognize that, you start to change how you approach the news business. You certainly get rid of paywalls and registration walls, and you start enabling your users to do more, rather than less, with the news.



Is this an indication of where the Feds are heading? (Not enough details in the story)

http://www.pogowasright.org/article.php?story=20080327201017311

RI: Jury Rules Against City In Wiretapping Suit

Thursday, March 27 2008 @ 08:10 PM EDT Contributed by: PrivacyNews News Section: Workplace Privacy

A federal jury returned a verdict against city of Providence authorities for illegally recording the phone calls of their employees at a public safety complex.

City officials said the jury on Wednesday awarded compensatory and punitive damages of about $525,000 to be split among the more than 100 plaintiffs.

Source - turnto10.com



Ignorance or intent?

http://techdirt.com/articles/20080326/170300659.shtml

California Reviews... And Decertifies... More ES&S E-Voting Machines

from the a-lesson-in-weak-security dept

Remember how e-voting firm ES&S was so against letting California's Secretary of State have an independent security team review their e-voting machines? Well, now we know why. The state had already released one damning security report and sued ES&S for giving the state uncertified machines. Now the state has come out with another report on more ES&S machines and the story gets worse and worse and worse. The good news is that California won't certify any of them. The bad news is that ES&S appears to not only be belligerent in not wanting to let California review its machines, but it also seems to be incompetent as well. As Dan Wallach notes in reviewing the report, ES&S appears to have outright ignored issues that the state asked them to address. As for the machines themselves? There seem to be all sorts of problems, including an awful lot of data stored in cleartext rather than encrypted, easily accessible and easily changed or corrupted data, and seldom-used and easily-broken password protection. Physical locks were all easily picked (some within 5 seconds, the rest within a minute). In other words, the security is a near total joke. This, despite the fact that people have been pointing out these kinds of security concerns for over five years. I wonder if the guy from ES&S who showed up a year ago and told us all we had no clue what we were talking about and swearing up and down that the machines were safe will come back and explain these latest results.



This is interesting. I wonder what scared them? (We know it wasn't their customers.)

http://www.pogowasright.org/article.php?story=20080328062048823

Comcast agrees not to interfere with file-sharing

Friday, March 28 2008 @ 06:20 AM EDT Contributed by: PrivacyNews News Section: Internet & Computers

Comcast Corp., an Internet service provider under investigation for hampering online file-sharing by its subscribers, announced Thursday an about-face in its stance and said it will treat all types of Internet traffic equally.

Source - CNN

[From the article:

On Thursday, Comcast said that by the end of the year, it will move to a system that manages capacity without favoring one type of traffic over another. [I bet they still sell “unlimited” service, and will still impact the same (high volume) people. Bob]



This seems strategically backward to me. Volunteers will report more “incidents” that the cops must investigate, but the cops are overloaded with paperwork today – why generate more?

http://www.pogowasright.org/article.php?story=20080327201201695

AU: Surveillance volunteers need training, says MP

Thursday, March 27 2008 @ 08:12 PM EDT Contributed by: PrivacyNews News Section: Non-U.S. News

The South Australian Opposition says it wants an assurance that volunteers recruited for a new surveillance program will get proper police training.

Police are expected to launch a number of programs for volunteers to carry out surveillance in public areas.

Opposition police spokesman David Ridgway says the plan is good in theory but must be done carefully.

Source - ABC (AU)



I think my hackers would like to try this?

http://www.pogowasright.org/article.php?story=20080328062826706

Next time you go to the loo, bring your locked laptop with you

Friday, March 28 2008 @ 06:28 AM EDT Contributed by: PrivacyNews News Section: Internet & Computers

Building off recent research that showed how to extract encryption keys from a computer's memory, a penetration testing company has unveiled a tool that sniffs out passwords, documents, and other sensitive data in a matter of minutes.

DaisyDukes is a memory sniffer that resides on a USB device. A researcher can plug it into an unattended machine that is turned on but has been locked and reboot the machine off a compact operating system contained on the drive. Depending on the user's needs, it can be configured to capture the entire contents of a computer's memory, or sniff out only certain types of data - say a password to access the company network or unlock a user's private encryption key.

Source - The Register



My hacker students need heroes...

http://www.infoworld.com/article/08/03/27/Gone-in-2-minutes-Mac-gets-hacked-first-in-contest_1.html

Gone in 2 minutes: Mac gets hacked first in contest

CanSecWest's PWN 2 OWN contest was won in 2 minutes -- after the rules were relaxed a bit -- as Charlie Miller hacked a MacBook Air

By Robert McMillan, IDG News Service March 27, 2008

It may be the quickest $10,000 Charlie Miller ever earned.

... Nobody was able to hack into the systems on the first day of the contest when contestants were only allowed to attack the computers over the network, but on Thursday the rules were relaxed so that attackers could direct contest organizers using the computers to do things like visit Web sites or open e-mail messages.

... Miller, a former National Security Agency employee best known as one of the researchers who first hacked Apple's iPhone last year, didn't take much time. Within 2 minutes, he directed the contest's organizers to visit a Web site that contained his exploit code, which then allowed him to seize control of the computer, as about 20 onlookers cheered him on.

He was the first contestant to attempt an attack on any of the systems.
