Tuesday, April 22, 2008

Another SunGard victim. It will be interesting to see how long they can hide the magnitude of this one... One of my students pointed me to the Univ of Miami

http://www.pogowasright.org/article.php?story=20080422071108916

Personal info at risk in laptop theft (Sungard Update)

Tuesday, April 22 2008 @ 07:11 AM EDT Contributed by: PrivacyNews News Section: Breaches

Another security breach — this time following the theft of a laptop owned by the company which implements the Banner system — has exposed the names and Social Security numbers of over 130 individuals related to Binghamton University.

This weekend the University notified 11 students and about 120 applicants that their names and Social Security numbers were saved on a laptop belonging to an employee of SunGard Higher Education, which was stolen on March 13.

Source - Pipe Dream

hat-tip, ESI

[One of my students pointed me to this article on the Univ of Miami Bob]

http://www.scmagazineus.com/University-of-Miami-admits-to-stolen-medical-records/article/109195/



Don't you love British sarcasm?

http://www.pogowasright.org/article.php?story=20080421162625306

UK: Someone's put their foot in it at Boots

Monday, April 21 2008 @ 04:26 PM EDT Contributed by: PrivacyNews News Section: Breaches

Boots is the latest company to be embarrassed by the loss of confidential information after a drug addict stole a back-up tape with details of customers to whom the company had sold dental insurance. Boots is blaming Medisure, the insurer, which is blaming the security firm that was transporting the tape. No one is saying much more, and the whereabouts of the tape, or indeed why it should have attracted the interest of an opportunistic thief, is unclear.

The thief was caught on CCTV. [It's the UK. CCTV is everywhere! Bob] The pharmacist and the insurer have written to an unspecified number of customers reassuring them that the data, including dates of birth and bank account details, are inaccessible without specialist machinery. [You need a tape drive, or one of those services that move the data to CDs for you. Bob] As The Register, the online IT magazine, points out acidly: “That's all right then, because surely there are no ties between thieves in this country and hackers in, for example, the former Soviet bloc?”

Source - Times Online



Perspective: If you don't have mandatory disclosure laws, there is little incentive to move quickly.

http://www.pogowasright.org/article.php?story=20080421161738759

Ie: Data probe after BoI laptops theft

Monday, April 21 2008 @ 04:17 PM EDT Contributed by: PrivacyNews News Section: Breaches

Sensitive information about 10,000 Bank of Ireland customers has been stolen.

[...] The records of 10,000 customers on the computers included credit history, some medical backgrounds for life insurance quotes, personal pension plan details, dates of birth, addresses and bank account details. All the material was contained on the four laptops stolen between June and October 2007.

The laptops were not encrypted, therefore whoever has them has full access to the customers' data. A spokesperson for the bank has confirmed to RTE that it is currently encrypting all its computers - up to 5,000 of the bank's laptops - a process that is likely to take two weeks.

Source - RTÉ.ie

[From the article:

RTE News understands that none of the customers has been informed, but the bank is intending to do so shortly.



I bet they have a reeeeallly strong policy that permits them to do this. “In an attempt to 'make the punishment fit the crime,' we have discarded these employees without thinking about it...”

http://www.pogowasright.org/article.php?story=20080421171505548

(follow-up) Two employees out of a job after discarding files incorrectly

Monday, April 21 2008 @ 05:15 PM EDT Contributed by: PrivacyNews News Section: Breaches

Two employees of an organization that serves homeless veterans are out of their jobs.

This comes after a 24-Hour News 8 exclusive report over the weekend that discovered hundreds of files containing personal information about some of those veterans in a dumpster.

Source - WISH-TV

[From the article:

"One of our case managers erroneously labeled a box trash, actually three of them that came out of his office. The supervisor did not do what she should have done and check those. Neither one of them is with us any more,...



Makes you wonder: Is this more important than finding Osama? Was it a reciprocal agreement? Do governments truly believe they can do anything to “mere citizens”?

http://www.pogowasright.org/article.php?story=20080421124605312

Secret pact allows the US to spy on UK motorists

Monday, April 21 2008 @ 12:46 PM EDT Contributed by: PrivacyNews News Section: Non-U.S. News

THE UK Home Secretary secretively signed a "special certificate" last year that gives foreign security agencies real-time access to traffic camera images and related data monitoring British motorists on highways throughout the UK.

Opposition politicians and civil liberties advocates yesterday accused Gordon Brown's government of attempting to hide from Parliament its covert plans to facilitate international surveillance of UK citizens in violation of privacy laws.

Source - The Inquirer

[From the article:

Opposition politicians and civil liberties advocates yesterday accused Gordon Brown's government of attempting to hide from Parliament its covert plans to facilitate international surveillance of UK citizens in violation of privacy laws. [Indicating it was reciprocal... Bob]



Some interesting questions and a proposal or two...

http://www.phiprivacy.net/?p=290

Apr-21-2008

Contractor or vendor woes (commentary)

A few recent breaches involving health information have gotten me thinking more about contractor or third party data losses. Is our reaction to such incidents the same as it would be if the hospital, insurance company, or other covered entities directly experienced the breach or loss themselves?


Related? Who 'repairs' your computer?

http://www.pogowasright.org/article.php?story=20080421175225860

CT: Hard Drive Containing Personal Info Sold To Student

Monday, April 21 2008 @ 05:52 PM EDT Contributed by: PrivacyNews News Section: Breaches

A student bought a computer hard drive and discovered that it contains personal information about people with ties to the University of Connecticut.

Ryan Green, a junior at UConn, bought the drive at the UConn Co-op for $200 and discovered it already contained information.

[...] Green found about 10,000 private pictures, 10,000 Microsoft Word documents and even some sensitive personal information like credit cards and driver's licenses. "It's multiple people's data, entire computers," Green said.

[...] Authorities said the information belongs to 10 people, all who have a connection to the university. Police said early indications suggest that all had their computers serviced at the co-op between November and March.

Source - WFSB



CyberWar? (I wonder if they created the PowerPoint on their Lenovo laptop?)

http://hardware.slashdot.org/article.pl?sid=08/04/22/1317212&from=rss

FBI Concerned About Implications of Counterfeit Cisco Gear

Posted by timothy on Tuesday April 22, @10:10AM from the now-watch-these-chickens-well dept.

SpicyBrownMustard writes

"An FBI PowerPoint presentation provides details about a criminal investigation into counterfeit CISCO hardware originating from China, and sold by Gold/Silver partners to numerous US government, military, and intelligence agencies. The concern of the article's author and the FBI is that the counterfeit equipment may be state-sponsored to aid in accessing otherwise secure systems (slides 46+47). Says the article author: 'The threat is real. Compromised hardware of potentially hostile foreign origin sits within secure networks of the US government, military, and intelligence services. And as you now see, the FBI has been concerned about it.'"

We've mentioned the seizure of some of this equipment before, but this presentation adds quite a bit of detail, and highlights the FBI's concern of Chinese government involvement.



Close to home...

http://www.pogowasright.org/article.php?story=20080422082903928

Boulder district OKs cell phone search limits

Tuesday, April 22 2008 @ 08:29 AM EDT Contributed by: PrivacyNews News Section: Minors & Students

The Boulder Valley School District won't search a student's cell phone without the permission of the student or parent under an agreement reached with the American Civil Liberties Union.

The only exception is an emergency in which there is an imminent threat to public safety, said district spokesman Briggs Gamblin.

The agreement came out of talks between the district and the American Civil Liberties Union, which sent a letter to the district in October objecting to the actions of officials at Monarch High School in Louisville.

Source - Rocky Mountain News



Hillary is a hacker!

http://news.netcraft.com/archives/2008/04/21/hacker_redirects_barack_obamas_site_to_hillaryclintoncom.html

Hacker Redirects Barack Obama's site to hillaryclinton.com

A security weakness in Barack Obama's website has been exploited to redirect visitors to Hillary Clinton's website. Visitors who viewed the Community Blogs section of the site were instead presented with Clinton's website as a result of a cross-site scripting vulnerability.



More fun election news! Can you say, “E-chad?” (Is this practice for November?)

http://arstechnica.com/news.ars/post/20080421-pa-primary-will-be-unauditable-gop-blocks-e-voting-reform.html

PA primary will be unauditable; GOP blocks e-voting reform

By Jon Stokes Published: April 21, 2008 - 02:30PM CT

On the eve of tomorrow's hotly contested and relatively close Democratic presidential primary in Pennsylvania, a number of voting activists are sounding the alarm one last time about the state's election systems. Over 85 percent of PA voters will vote on paperless touchscreen machines that are hackable, failure-prone, and fundamentally unauditable.

[During Prohibition, malt came in a package printed with the recipe for beer, along with a warning that “accidentally” mixing the ingredients listed would produce an illegal beverage. In that same vein, this from the article:

Sixteen counties will use the Diebold Accuvote TS touchscreen model. Regular Ars readers will recall that my 2006 article, "How to steal an election by hacking the vote," described in some detail how to steal an election using this machine. (I hope that nobody from PA decides that it would be a good idea to print copies of the free PDF of this how-to article to bring to the polls with them as a form of protest, because you would probably get in trouble. So don't do that.)



For my Computer Security (Forensics) class

http://www.bespacific.com/mt/archives/018157.html

April 21, 2008

Electronic Crime Scene Investigation: A Guide for First Responders, Second Edition

Electronic Crime Scene Investigation: A Guide for First Responders, Second Edition, April 2008: "Computers and other electronic devices are being used increasingly to commit, enable, or support crimes against persons, organizations, or property. This National Institute of Justice guide is intended for first responders to a variety of crime scenes who may have the responsibility of protecting, recognizing, collecting, and preserving electronic evidence at the scene." (NCJ 219941, 74 pages, PDF)



Amusing but too limited to be useful...

http://www.pogowasright.org/article.php?story=20080421172604770

NJ Supreme Court rules Internet user has right to privacy

Monday, April 21 2008 @ 05:26 PM EDT Contributed by: PrivacyNews News Section: In the Courts

The state Supreme Court ruled today that under the New Jersey Constitution an Internet user has the right to privacy in the subscriber information maintained by the individual's Internet service provider.

Ruling in the case of Shirley Reid, a Cape May County woman who was charged with hacking into her employer's computer system after police obtained her identity from Comcast by using a municipal court subpoena, the high court unanimously held law enforcement had the right to investigate her but should have, instead, used a grand jury subpoena.

The court upheld a state appeals court ruling that overturned the conviction for second-degree computer theft.

Source - NJ.com

[From the article:

Ruling in the case of Shirley Reid, a Cape May County woman who was charged with hacking into her employer's computer system after police obtained her identity from Comcast by using a municipal court subpoena, the high court unanimously held law enforcement had the right to investigate her but should have, instead, used a grand jury subpoena.



Summary of a warrantless wiretapping case, and an ethical dilemma for lawyers

http://www.pogowasright.org/article.php?story=20080422063733172

State Secrets: A government misstep in a wiretapping case.

Tuesday, April 22 2008 @ 06:37 AM EDT Contributed by: PrivacyNews News Section: Surveillance

One Friday afternoon in August, 2004, a Washington, D.C., attorney named Lynne Bernabei received a package from the Department of the Treasury. The government was investigating one of her clients, the American branch of a Saudi charity called the Al Haramain Islamic Foundation, which had been active in fifty countries. Al Haramain had come under scrutiny, as had many other Islamic charities, after the attacks of September 11, 2001, and Treasury Department investigators believed that Al Haramain’s American branch, which was based in Oregon, had connections to Al Qaeda. In response to a request from Bernabei for evidence against her client, the government had turned over two sets of documents, primarily media reports that referred to other branches of Al Haramain. None of the materials demonstrated a direct connection between the Oregon branch and Al Qaeda.

Source - Patrick Radden Keefe, in The New Yorker hat-tip, Cryptome

[From the article:

The attorneys representing Al Haramain had been dealing with a novel quandary of legal ethics. If they had a reasonable belief that any telephone conversation with Seda or Buthi might be monitored by the N.S.A., could they talk to their clients without violating attorney-client confidentiality?



For my Math students (I'm teaching linear algebra)

http://digg.com/software/25_000_000_000_Eigenvector_Linear_Algebra_Behind_Google

$25,000,000,000 Eigenvector: Linear Algebra Behind Google

rose-hulman.edu — The paper describing Google's $25 billion dollar equation.



Too strange to be true?

http://gizmodo.com/382026/a-cellphones-missing-dot-kills-two-people-puts-three-more-in-jail

A Cellphone's Missing Dot Kills Two People, Puts Three More in Jail
