Wednesday, April 16, 2008

Always worth attending (and a bargain to boot!)

http://www.privacyfoundation.org/

LEGAL ETHICS AND PRIVACY ISSUES IN DISCOVERY OF ESI -- ELECTRONICALLY STORED INFORMATION

Morning/Lunch Seminar FRIDAY, MAY 2, 2008

Reservations required, contact:

Diane Bales, Law Coordinator 303.871.6580; Email: dbales@law.du.edu



Little detail (so far)

http://www.pogowasright.org/article.php?story=20080416074959759

UVa laptop stolen, had sensitive data

Wednesday, April 16 2008 @ 07:49 AM EDT Contributed by: PrivacyNews News Section: Breaches

A laptop stolen from a University of Virginia employee contained sensitive information about more than 7,000 students, staff and faculty members. Stolen from an unidentified employee from an undisclosed location in Albemarle County, the laptop contained a confidential file filled with names and Social Security numbers.

Source - DailyProgress.com



Oops...

http://www.pogowasright.org/article.php?story=20080416080713783

Corrections Web glitch shows state IDs to bloggers

Wednesday, April 16 2008 @ 08:07 AM EDT Contributed by: PrivacyNews News Section: Breaches

A recent glitch in the state Corrections Department's Web site allowed bloggers to access the Social Security numbers of violent offenders in Oklahoma.

Bloggers from a computer programming Web site found the information and alerted the department, said agency spokesman Jerry Massie. The list contained the names, addresses and Social Security numbers of some 6,000 people.

So far, there is no evidence that identities have been stolen from the convicted felons and sex offenders on the list. Sex offenders are required to register their addresses with local authorities.

Source - NewsOK.com

hat-tip, The Corrections Connection blog

[From the article:

Massie said the discovery was the result of "weaknesses in the application" on the state's Web site. [The computer decided to put DoC data on someone else's server... Right... Bob]



A lot of effort for a dumpster...

http://www.pogowasright.org/article.php?story=20080415111008406

UK: Student files are lost

Tuesday, April 15 2008 @ 11:10 AM EDT Contributed by: PrivacyNews News Section: Breaches

HUNDREDS of files containing information about students applying for loans were stolen from a secured skip destined for the shredder... It was the first time Havering Council used a skip to store information awaiting destruction - and it proved to be the last time this method was adopted, confirmed the Town Hall.

...It is thought a large specialist truck broke into the locked yard of the Broxhill Centre in Havering-atte-Bower and lifted the 30-foot steel skip onto its base.

A council spokesman said the thieves were "most likely" interested in the expensive container, as opposed to the files, since they arrived in a truck designed to lift it. [On the other hand, this was clearly the container with the most valuable information... Bob]

Source - Romford Recorder



VPNs are no protection? Interesting that they included a long list of changes they made – looks like they had practically no security in place prior to the incident.

http://www.pogowasright.org/article.php?story=20080415132544944

Stryker Instruments reports network intrusion, possible access of employee info

Tuesday, April 15 2008 @ 01:25 PM EDT Contributed by: PrivacyNews News Section: Breaches

On Feb. 18, Stryker Instruments discovered that there had been unauthorized access to its virtual private network multiple times over a period of months. One of the medical technology firm's servers involved contained a database of Social Security numbers of certain employees in 48 states plus Puerto Rico.

Stryker's investigation led them to conclude that the intruder was a former employee but they were unable to determine if any personal data were actually accessed. They were also unable to confirm that it was the particular former employee they suspect.

In its April 10th letter to the New Hampshire DOJ, Curt Hartman, President of Global Instruments and Jud Hoff, Vice-President, describe how on March 4, they requested that the Minneapolis office of the FBI investigate the matter, but the FBI declined to go forward with a criminal investigation on March 20.

In response to the breach, Stryker took a number of steps to harden its access, authentication measures, and internal audit procedures, as described in their letter. They also sent notification letters to those affected and arranged for credit monitoring and credit restoration services, if needed.

[From the article:

Stryker immediately disabled the domain administrator service account through which the unauthorized user had accessed the VPN. [Anyone want to bet this was the default ID and password? Bob]



Not enough facts! Probably stolen by a gang of wholesale computer thieves, but I'd like to know if the business associate's headquarters was in New Hampshire. If so, were most of their patients non-residents and therefore they didn't need to report them?

http://www.pogowasright.org/article.php?story=20080415112041579

Stolen computers contained patient data from EHS patients

Tuesday, April 15 2008 @ 11:20 AM EDT Contributed by: PrivacyNews News Section: Breaches

Elliott Health Systems, Inc. (EHS) in New Hampshire has notified the New Hampshire Department of Justice that on February 22, 2008, 10 computers were stolen from the headquarters of a business associate, Advanced Medical Partners, Inc. (AMPI).

By letter dated March 3, 2007 (sic), EHS reported that the computers may have contained ePHI on 6 NH residents such as names, dates of service at EHS, the name of their insurance company and the patients’ date of birth. EHS reports that they were told by AMPI that the computers have safeguards in place, including password against access to this information.

Source - PHIprivacy.net



Good news: CEOs (or their secretaries) are too smart to click on these links. Bad news: They forward the e-mails to their lawyers...

http://yro.slashdot.org/article.pl?sid=08/04/15/2135254&from=rss

Fake Subpoenas Sent To CEOs For Social Engineering

Posted by kdawson on Tuesday April 15, @06:38PM from the whale-fishing dept.

An anonymous reader writes

"The Internet Storm Center notes that emails that look like subpoenas are being sent out to the CEOs of major US corporations. The email tries to entice the victim to click on a link for 'more information.' According to the ISC's John Bambenek: 'We've gotten a few reports that some CEOs have received what purports to be a federal subpoena via email ordering their testimony in a case. It then asks them to click a link and download the case history and associated information. One problem, it's [totally] bogus. It's a "click-the-link-for-malware" typical spammer stunt. So, first and foremost, don't click on such links. An interesting component of this scam was that it did properly identify the CEO and send it to his email directly. It's very highly targeted that way.'"



They are not amused...

http://blog.wired.com/27bstroke6/2008/04/cia-copies-thre.html

Look Ma, I'm on CIA.gov

By Ryan Singel April 14, 2008 | 2:26:05 PM

In an age where JavaScript is so ubiquitous that some websites won't even load if you don't enable it in your browser, cross-site scripting hacks are everywhere - letting malicious or merely mischievous hackers create links that have some very unintended consequences on websites that are not careful to keep from executing other people's code.

Most are run-of-the-mill and hardly worth writing about, but reader Harry Sintonen writes in with a vulnerability on the CIA's site that THREAT LEVEL can't resist.



Free speech? Giving Darwin a hand?

http://www.reuters.com/article/internetNews/idUSL1578685820080415

France to crack down on "pro-anorexia" Web sites

Tue Apr 15, 2008 5:00pm EDT

PARIS (Reuters) - French politicians called on Tuesday for stiff penalties of up to three years jail and heavy fines against "pro-anorexia" Web sites and publications that encourage girls and young women to starve themselves.



This is interesting. Expect at least a full Division of lobbyists...

http://www.pogowasright.org/article.php?story=20080416081213714

Consumer groups urge "do not track" registry

Wednesday, April 16 2008 @ 08:12 AM EDT Contributed by: PrivacyNews News Section: Internet & Computers

Two consumer groups asked the Federal Trade Commission on Tuesday to create a "do not track list" that would allow computer users to bar advertisers from collecting information about them.

The Consumer Federation of America and the Consumers Union also urged the FTC to bar collection of health information and other sensitive data by companies that do business on the Internet unless a consumer consents.

Source - Reuters



When all you have is a hammer, every problem looks like a nail...

http://www.pogowasright.org/article.php?story=20080415132343872

UK: More RIPA Creep

Tuesday, April 15 2008 @ 01:23 PM EDT Contributed by: PrivacyNews News Section: Non-U.S. News

I previously blogged about the UK's Regulation of Investigatory Powers Act (RIPA), which was sold as a means to tackle terrorism and other serious crimes, being used against animal rights protestors. The latest news from the UK is that a local council has used provisions of the act to put a couple and their children under surveillance for "suspected fraudulent school place applications".

Source - Schneier on Security blog



I'll be looking for details...

http://www.iht.com/articles/ap/2008/04/15/europe/EU-GEN-Germany-Computer-Surveillance.php

Germany moves ahead with computer surveillance guidelines

Tuesday, April 15 2008 @ 01:12 PM EDT Contributed by: PrivacyNews News Section: Non-U.S. News

Germany's top security and law officials agreed Tuesday to new guidelines regarding the surveillance of personal computers in cases of terrorism or other serious crimes, the Interior Ministry said.

Interior Minister Wolfgang Schaeuble and Justice Minister Brigitte Zypries agreed upon the new framework to conform with a legal ruling from the country's highest court. It was the last stumbling block in putting together new guidelines for Germany's national intelligence services, which will now be sent to the country's states for further discussion.

Source - International Herald Tribune

[From the article:

In February, Germany's Constitutional Court in Karlsruhe established the privacy of data stored or exchanged on personal computers as a basic right protected by the nation's constitution, allowing surveillance only in exceptional cases.

The court ruled online surveillance could only be used when it could be established that there was a concrete danger, such as the planning of terrorist acts or other attacks on life or freedom.



What they want is a “Bill of Wrongs”

http://www.usatoday.com/tech/news/techpolicy/2008-04-15-comcast-bill-of-rights_N.htm

Comcast wants 'Bill of Rights' for file-sharers, ISPs

Posted 17h 54m ago By Peter Svensson, Associated Press

NEW YORK — Comcast, under federal investigation for interfering with the traffic of its Internet subscribers, said Tuesday it wants to develop a "Bill of Rights and Responsibilities" for file sharing.



Less than it appears at first sight?

http://techdirt.com/articles/20080415/022244853.shtml

Did DirecTV Hire Satellite Hackers To Leak Dish TV Smart Cards?

from the seems-a-bit-extreme dept

I had missed this story when it came out last week, but thanks to a reader (who prefers to remain anonymous) for sending it in. Apparently, Dish Network is suing DirecTV, claiming that DirecTV (and its parent News Corp) hired notorious satellite TV hackers to break Dish's encryption and "flood the market" with hacked smart cards. That's quite a claim, and it will be interesting to see what evidence the company has to back it up. After all, reverse engineering a product is perfectly legal -- and, indeed, DirecTV claims that's all it did. Furthermore, it seems doubly strange that DirecTV would go down this route after so thoroughly pissing off smart card hackers of all kinds a few years ago by accusing them all of stealing DirecTV signals with almost no evidence, and then pushing many to pay up to avoid a lawsuit. It's also hard to see what the real benefit to DirecTV is of such a plan. Making it easier to get Dish for free shouldn't increase DirecTV's market at all. One would hope that Dish actually has some serious evidence to go along with these claims.



Advertising on the cheap?

http://techdirt.com/articles/20080415/111640856.shtml

Pirate Bay Wants IFPI To Pay Up For Danish ISP Block

from the poking-ifpi-with-a-stick dept

The folks behind the Pirate Bay certainly aren't ones to shy away from a fight. In fact, they seem to enjoy it. The latest is that they're demanding compensation from the IFPI for downtime associated with the IFPI's successful efforts to force Danish ISPs to block access to The Pirate Bay. The Pirate Bay says it will ask for a "reasonable" sum, rather than an extraordinary amount as is typical of the entertainment industry. It also says it will use any money it gets from the IFPI to fund Danish artists who want to give away their works online. While the guys at the Pirate Bay reasonably complain that the entire lawsuit between the IFPI and Danish ISPs never involved The Pirate Bay or gave the site a chance to make its own argument (despite being entirely about the site), this request for compensation may be pushing the boundaries a bit -- especially considering that even The Pirate Bay folks have admitted that the ban eventually resulted in more traffic. Perhaps they should send some money to the IFPI to thank them for all that "free" advertising.



For my Computer Security class...

http://www.f-secure.com/weblog/archives/00001421.html

Malware Analysis Course Coming to a Close

Posted by Antti @ 11:56 GMT

We've been running a course at the Helsinki University of Technology covering malware analysis and antivirus technologies.

As soon as we announced that we were running such a unique course, we received lots of questions about the material. So now we're happy to announce that all the course material from the lectures is publicly available from the course webpage.

... You can try your own skills on the homework assignments here. Do note that all the test samples available for download are harmless.



To what end? Ringtones?

http://www.bespacific.com/mt/archives/018104.html

April 15, 2008

NORAD/USNORTHCOM Tapes from 9/11 Posted Online

"The North American Aerospace Defense Command and the United States Northern Command have released a copy of their audio files, telephone conversations and situation room discussions, from the terrorist attacks on September 11, 2001. The files are posted on governmentattic.org via this link.

  • "NORAD-USNORTHCOM 9-11 audio recordings – Over 100 hours of audio recordings of various military communications channels on September 11, 2001. Made available in multiple mp3 files."
