Wednesday, March 19, 2008

Perhaps not exactly TJX, but big, with the potential to be a great “Bad example” for the textbooks.

http://www.pogowasright.org/article.php?story=20080318175429785

Hannaford and the evolution of the data breach

Tuesday, March 18 2008 @ 05:54 PM EDT Contributed by: PrivacyNews News Section: Breaches

As the rash of large data breaches and thefts continues unabated, it’s important to resist the urge to lump them all together. Not all breaches are created equal, and the latest one, at Hannaford supermarkets, illustrates this point perfectly. A lot of people are comparing the incident to last year’s breach at TJX, but the two stories have far less in common than it appears at first blush.

Source - Security Bytes

[From the article:

The details of the Hannaford incident are still pretty murky, but the language in the statement from the company’s CEO and other bits of data that have emerged today suggest that the chain may have been the victim of a man-in-the-middle attack.


Related

http://www.pogowasright.org/article.php?story=20080318180218605

Hannaford Bros. Was in Compliance with PCI When Hacked

Tuesday, March 18 2008 @ 06:02 PM EDT Contributed by: PrivacyNews News Section: Breaches

Fraudsters obtained payment card data originating with Hannaford Bros. Co. while the regional supermarket chain was compliant with the Payment Card Industry data-security standard, or PCI. The disclosure may mark the first publicly known breach of a PCI-compliant merchant.

“We were certified [as PCI-compliant] last spring and we were recertified in February,” Hannaford vice president of marketing Carol Eleazer tells Digital Transactions News. She could not identify Scarborough, Maine-based Hannaford’s PCI assessor. Some 4.2 million credit and debit card numbers were exposed in a breach that happened between Dec. 7 and March 10 (Digital Transactions News, March 17). Some 1,800 cases of fraud are believed linked to the breach.

Hannaford’s president and chief executive, Ronald C. Hodge, indicated in a statement on Monday that the hacker or hackers obtained card numbers and expiration dates during the authorization process, implying possible illicit access as data moved between point of sale terminals, electronic cash registers, or servers. The PCI standards require encryption of data that are in transit. Older payment-processing technology can leave wireless data exposed to interception for a fraction of a second during authorizations.

Eleazer did not have further details on Tuesday about exactly how the fraud happened, saying it is under investigation by the U.S. Secret Service and experts inside and outside the company. But she does say that Hannaford had been using data encryption all of last year. In fact, she adds, “in 2007 we had just recently upgraded our wireless encryption.”

Source - Digital Transactions


Related only because they mention Hannaford, but it would be interesting to compare policies. Where do they see the risk?

http://www.pogowasright.org/article.php?story=20080319071900534

The pros and cons of data breach insurance

Wednesday, March 19 2008 @ 07:19 AM EDT Contributed by: PrivacyNews News Section: Breaches

Security incidents at the Hannaford Bros. Co. supermarket chain and elsewhere illustrate the importance of a good response plan, but industry experts are less than enthusiastic when asked if such a plan should include data breach insurance.

Some experts say it doesn't hurt to include the insurance as part of a larger data breach response program. But in general data breach insurance is an immature product that lacks uniformity from one provider to the next, others warn.

Source - SearchSecurity.com


Related? Scene of the next big data breach?

http://www.bespacific.com/mt/archives/017845.html

March 18, 2008

Study of Worldwide Airports Reveals Wireless Security Risks for Travelers and Airport Operations

Press release: "...AirTight® Networks, the global leader for wireless intrusion prevention systems...issued the findings from its study to assess information security risk exposure of laptop users at fourteen airports in the United States, Canada and Asia. The company set out to understand the risks to business travelers and their corporate networks of data leakage while those airline passengers are sending sensitive information using unsecured wireless access points while at the airports. It found surprising results, however, regarding the security posture of private Wi-Fi networks in these airports as well as the rapid spread of viral Wi-Fi networks.

One of the most surprising findings of this initial study was that some ticketing systems, baggage systems, shops and restaurants were using open or poorly secured wireless networks. Of the Wi-Fi networks detected by AirTight researchers, 77 percent were non-hotspot (i.e. private) networks and of those, 80 percent were unsecured or using legacy WEP encryption, a fatally flawed protocol. Based on detailed analysis of these access points, there is a high probability that some of these networks are used for critical airport logistics and operations. The consequences of this lack of security could result in disruption of baggage or passenger ticketing systems."



Another hack! Perhaps they should take my Computer Security class?

http://www.pogowasright.org/article.php?story=20080319072437119

UK: Credit details stolen in Carshalton internet fraud

Wednesday, March 19 2008 @ 07:24 AM EDT Contributed by: PrivacyNews News Section: Breaches

Hundreds of customers have had their credit card details stolen after a Carshalton homeopathic store was hit by internet fraudsters.

Naturally Thinking in Carshalton High Street was targeted by hackers in October 2007 who gained access to customer details via the store's 24 hour online shopping website.

....hackers were able to get hold of customers' credit card numbers and personal details, including addresses.

One customer found a £4000 watch on his credit card bill which he had not bought and several other customers reported between £600 and £800 worth of unaccounted expenditure on their cards.

Source - Wimbledon Guardian



Another interesting (double-secret-probation type) business model.

http://www.pogowasright.org/article.php?story=20080319074029652

Don't Want A Debit Card? Key Bank Will Charge You $1 A Month

Wednesday, March 19 2008 @ 07:40 AM EDT Contributed by: PrivacyNews News Section: Businesses & Privacy

After hearing about Hannaford's giant customer data breach yesterday, Brian decided to cancel the debit card he'd used there. That's when he found out that Key Bank really wants you to have a debit card. In fact, they'll charge you a small monthly fee to not have one linked to your "free checking" account. We figure that this means Key Bank makes about $12 a year more off of customers who have linked debit cards—and that if you want greater security on your account, it's going to cost you.

Source - The Consumerist



This falls into the category I call “Don't let 'em gather no evidence!”

http://www.pogowasright.org/article.php?story=20080318170855308

UCLA hospital bans cellphones, laptops

Tuesday, March 18 2008 @ 05:08 PM EDT Contributed by: PrivacyNews News Section: Breaches

UCLA’s neuropsychiatric hospital has banned all cellphones and laptop computers after a patient posted group photos of other patients on a social networking website, officials confirmed Monday.

Dr. Thomas Strouse, medical director of the Resnick Neuropsychiatric Hospital, said in a statement that the decision was part of “UCLA Health System’s ongoing efforts to enhance patient privacy and confidentiality in compliance with California’s patient rights law.”

[…] UCLA spokeswoman Dale Tate said the hospital became aware of the posted photos coincidentally from a nurse’s family member. The patients apparently all gave their consent to be photographed, Tate said.

“I was concerned about the potential covert use of such cameras, without the consent of those being photographed, or under circumstances where someone’s agreement to be photographed might not be well-reasoned or fully competent,” Strouse said in the statement.

[…] Other hospitals have banned cellphone cameras as well. Rady Children’s Hospital in San Diego forbade employees from carrying cellphones in patient-care areas after investigators found images of children, taken at the hospital, on a respiratory therapist’s computer and cellphone. The therapist later pleaded guilty to child molestation and exhibiting a minor in pornography.

Source - Los Angeles Times



Another first for New Jersey?

http://hosted.ap.org/dynamic/stories/C/CAMPUS_GOSSIP?SITE=VALYD&SECTION=HOME&TEMPLATE=DEFAULT

College Gossip Site Under Scrutiny

By BRAD HAYNES Associated Press Writer Mar 18, 8:36 PM EDT

TRENTON, N.J. (AP) -- New Jersey prosecutors have subpoenaed records of JuicyCampus.com, a Web site that publishes anonymous, often malicious gossip about college students.

Language on the site ranges from catty to hateful and offensive. One thread, for example, on the "most overrated Princeton student" quickly dissolves into name-calling, homophobia and anti-Semitism.

JuicyCampus may be violating the state's Consumer Fraud Act by suggesting that it doesn't allow offensive material but providing no enforcement of that rule - and no way for users to report or dispute the material, New Jersey Attorney General Anne Milgram said Tuesday.



I frequently rant about reliance on passwords. Here is a site (one of many) where you can determine how difficult your passwords would be to guess (using password cracking software) and why...

http://www.killerstartups.com/Web-App-Tools/PasswordMetercom---Test-Your-Password-Strength/

PasswordMeter.com - Test Your Password Strength

The Password Meter is a free program that will assess the general strength of any password you enter, so you can get an idea of how secure your password really is.

http://www.passwordmeter.com/



No doubt this will solve everything!

http://www.pogowasright.org/article.php?story=20080319064300233

Facebook adds privacy features

Wednesday, March 19 2008 @ 06:43 AM EDT Contributed by: PrivacyNews News Section: Internet & Computers

Facebook Inc. is tweaking the privacy settings on its popular online hangout to let users exert greater control over which of their friends are allowed to see personal details they post.

The Palo Alto-based company said it would add features Tuesday night that will give its 67 million active users the option of selecting individual users who can or can't access certain parts of their pages.

Source - Forbes



Electronic devices are merely “containers,” and searching them increases national security, and the moon is made of cheese, and politicians have no hidden agenda, and....

http://www.pogowasright.org/article.php?story=20080319064023831

Handhelds, laptops are next privacy frontier

Wednesday, March 19 2008 @ 06:40 AM EDT Contributed by: PrivacyNews News Section: In the Courts

William Leask may seem an unlikely and unseemly poster child for the privacy rights of Canadian travellers, considering he will appear in a Fort Erie, Ont., courtroom today to learn his sentence for crossing the Peace Bridge with child pornography on his laptop computer.

But legal experts say his case raises a larger and often overlooked issue – the power police and security officials have to probe the vast amounts of personal information contained on mobile electronics. They can now get access to mountains of digital information without a search warrant by confiscating or searching physical devices such as laptop computers or cellphones equipped with e-mail, such as BlackBerrys, something experts believe represents a gaping hole in Canadian law.

Source - globeandmail.com

[From the article:

The situation in the U.S. has reached the point where some businesses, such as Toronto-based law firm Blaney McMurtry LLP, now require that employees ensure their laptops are “wiped clean” of any sensitive information before they cross an international border. The firm is drafting a similar policy for its BlackBerry devices.

... Most experts agree that the U.S. Constitution states that normally, government officers would need a warrant to search through the contents of someone's BlackBerry, cellphone or laptop. However, Orin Kerr, a law professor at George Washington University, says border crossings are an exception.



This is interesting – but ultimately useless.

http://techdirt.com/articles/20080317/162504563.shtml

Ohio E-Voting Machines Declared A Crime Scene?

from the good-luck-trying-to-pull-out-the-evidence dept

While it's difficult to believe some of the more conspiracy-minded theories that have gone around concerning voting results from Ohio in 2004, the simple fact that there's absolutely no way to go back and review the results highlights exactly the problem with e-voting machines. Ohio's current secretary of state has now declared some of the machines used in the '04 election as a crime scene to be investigated, but everyone admits that there's little to no chance of being able to recreate what actually happened on election night, and no way to tell if the machines acted properly or if they malfunctioned. And, if they did malfunction, there's no way to tell if it was due to an accident or something underhanded. In other words, whether or not everything worked great or everything worked terribly, there's simply no way to tell. That is why so many of us have trouble with the concept of e-voting machines. Even if they work perfectly, there's no way to confirm that -- and it just leads to more speculation and conspiracy theories about "stolen" elections.



Always a topic of interest – how far behind the industry is the government?

http://www.bespacific.com/mt/archives/017844.html

March 18, 2008

DHS Privacy Office - 2008 Data Mining Report

2008 Data Mining Report (PDF, 46 pages), February 11, 2008. "This is the third report by the Privacy Office to Congress on data mining. This report identifies the data mining activities deployed or under development within DHS, as defined by the Data Mining Reporting Act, and describes the framework the Department will use to report on such activities in the future pursuant to Section 804 of the Implementing Recommendations of the 9/11 Commission Act of 2007, entitled, “The Federal Agency Data Mining Reporting Act of 2007” (Data Mining Reporting Act)."

  • 2007 Data Mining Report (PDF, 42 pages). "This is the second report by the Privacy Office to Congress on data mining. This report describes data mining activities deployed or under development within the Department that meet the definition of data mining as mandated in House Report No. 109-699 - Making Appropriations for the Department of Homeland Security for the Fiscal Year Ending September 30, 2007, and for Other Purposes."



The world, she is a-changing

http://news.wired.com/dynamic/stories/Q/QWEST_BUYOUTS?SITE=WIRE&SECTION=HOME&TEMPLATE=DEFAULT&CTIME=2008-03-18-14-08-13

Qwest Land-Line Workers Offered Buyouts

By P. SOLOMON BANDA Associated Press Writer Mar 18, 5:30 PM EDT

DENVER (AP) -- Up to 700 technicians and other Qwest Communications employees who work on traditional land telephone lines have been offered voluntary buyouts, the company announced Tuesday.


Related. Indications another “industry” is dying?

http://techdirt.com/articles/20080318/074802570.shtml

Science Journal Won't Publish Papers Because Authors Want To Put Them On Wikipedia

from the mine,-all-mine! dept

Over the last few months, we've been hearing more and more stories concerning some of the ridiculous levels of control that academic journals exert over the copyrights on the various papers and research they publish. Since many of those journals are ridiculously expensive, much of this important research is basically locked up entirely. This is especially troublesome when it comes to publicly funded research, which you would think should be available to the taxpayers who paid for it. While we've definitely seen a trend towards more open rules to publishing, many journals are still behind the curve. Reader parsko writes in to alert us to the news of the American Physical Society, which withdrew the offer to publish two recent studies in the Physical Review Letters because the authors wanted to be able to publish parts of the study in Wikipedia. Since the APS requires you hand over the rights to the study, they wouldn't allow it, and turned down the papers because of it. Not surprisingly, various scientists are upset about this, pointing out that it seems totally contrary to the purpose of the journal to hide such information using copyright claims. The APS has now said that it will reconsider the policy at its next meeting, but the fact that it even got this far suggests how locked down many of these journals are.



So Bear Stearns is in good hands?

http://slashdot.org/article.pl?sid=08/03/18/1928245&from=rss

JP Morgan's Insider Trading How-To On Wikileaks

Posted by kdawson on Tuesday March 18, @10:38PM from the ten-bee-five-dash-one dept. Businesses The Almighty Buck

An anonymous reader writes

"In an internal JP Morgan document published recently, Wikileaks exposes JPM's efforts to circumvent insider trading regulations, enabling their wealthy clients to profit even when others are losing. The document reads like a how-to and explains how to take advantage of SEC Rule 10b5-1, which has long been considered ripe for abuse. Now this abuse is publicly documented and will be hard to ignore."



Psst! Pass it on!

http://googleblog.blogspot.com/2008/03/google-for-non-profits.html

Google for Non-Profits

3/18/2008 01:15:00 PM Posted by Chris Busselle, Investments Manager, Google.org

Many of you spend your days making this world a better place, and we want to do our part to help. Today, we're excited to launch Google For Non-Profits, a one-stop shop for tools to help advance your organization's mission in a smart, cost-efficient way.



This is an interesting model – do you suppose they have a rep on each campus or work through the schools?

http://kaaltv.com/article/stories/S374305.shtml?cat=10728

INTERNET INSITE: Take virtual college tours online

Posted at: 03/11/2008 07:46:25 AM By: Justin Piehowski, Web Manager

... Instead of shelling out the cash to visit the campuses all around the country, try heading first over to ecampustours.com. The site has 360 degree virtual tours of just about every college campus in the country (the University of Minnesota--Twin Cities, my alma mater, is one campus that's noticeably absent).

You must first register on the site before looking, but after that, it is fairly easy to use. Just do a search for the college you'd like to see by name or by selecting a state.

https://www.ecampustours.com/virtualtours/manageaccount/createaccount.aspx



Won't this amaze my Statistics students! (You don't suppose the researchers too have a high “too much beer” correlation?) Perhaps we should get a government grant to study wine, Jack Daniels, etc.

http://science.slashdot.org/article.pl?sid=08/03/19/0211242&from=rss

Scientists' Success Or Failure Correlated With Beer

Posted by kdawson on Wednesday March 19, @05:34AM from the malt-does-more-than-milton-can dept.

mernil sends in an article from the NYTimes that casts a glance at a study done in the Czech Republic (natch) on what divides the successful scientists from the duffers.

"Ever since there have been scientists, there have been those who are wildly successful, publishing one well-received paper after another, and those who are not. And since nearly the same time, there have been scholars arguing over what makes the difference. What is it that turns one scientist into more of a Darwin and another into more of a dud? After years of argument over the roles of factors like genius, sex, and dumb luck, a new study shows that something entirely unexpected and considerably sudsier may be at play in determining the success or failure of scientists — beer."



I wonder what the Swim Suit issue looked like 53 years ago?

http://www.bespacific.com/mt/archives/017837.html

March 18, 2008

Sports Illustrated Poised to Release Free Searchable Archive Dating Back 53 Years

New York Times: On Thursday [March 20, 2008] Sports Illustrated "will introduce the Vault, a free site within SI.com that contains all the words Sports Illustrated has ever published [over 53 years] and many of the images, along with video and other material, in a searchable database."



A legend is gone. He wrote: “Any sufficiently advanced technology is indistinguishable from magic.” And “When a distinguished but elderly scientist states that something is possible, he is almost certainly right. When he states that something is impossible, he is very probably wrong.”

http://science.slashdot.org/article.pl?sid=08/03/18/2214208&from=rss

Arthur C. Clarke Is Dead At 90

Posted by kdawson on Tuesday March 18, @06:27PM from the pod-bay-doors-are-open dept.

Many readers are sending in word that Arthur C. Clarke has died in Sri Lanka. He wrote over 100 books including 2001: A Space Odyssey and Rendezvous With Rama, and popularized the ideas of geosynchronous communications satellites and space elevators.



Because I like lists...

http://c4lpt.co.uk/recommended/top100.html

Top 100 Tools for Learning Spring 2008

Interim rankings as at 19 March 2008
