Friday, April 25, 2008

A small breach, but some interesting questions...

http://www.pogowasright.org/article.php?story=2008042410244081

'Significant security hole' found in Wisconsin database

Thursday, April 24 2008 @ 10:24 AM EDT Contributed by: PrivacyNews News Section: Breaches

A computer program housing personal information about Wisconsin seniors and disabled people had a "significant security hole," a state health official overseeing the program said in an e-mail obtained by The Associated Press. [AP hacked the email system? Bob]

In addition, a senior center volunteer in McFarland said he could see hundreds of files of people's private information from across the country in the system run by Virginia-based Harmony Information Systems.

Source - Forbes

[From the article:

Chuck Crawford, the deputy security manager at DHFS, said in an e-mail provided to the AP that Harmony would be asked whether it has a confidentiality agreement with the state [Shouldn't the state have a copy? Bob] and what procedures are in place to inform those in the database about how their information is being used.



Another 'consulting firm' with multiple customers' data on their laptops.

http://www.pogowasright.org/article.php?story=20080424111343160

Chipotle Mexican Grill, Inc. employee data on stolen USinternetworking laptop

Thursday, April 24 2008 @ 11:13 AM EDT Contributed by: PrivacyNews News Section: Breaches

Chipotle Mexican Grill, Inc. has become the third company to report [pdf] that their employees' personal information was on a laptop stolen from an employee of USinternetworking. The personal information for the unspecified number of current and former employees included name, address, Social Security number.

Source - Notification to employees [pdf]



“Let's randomly select a few potential victims! Won't that be fun!” (Tip of the hat to Gary at the Law Library!)

http://www.ibls.com/internet_law_news_portal_view.aspx?s=sa&id=1242

UNITED STATES: University Computer Breach Risks Data of Students Who Never Went There

Wednesday, April 23, 2008

A computer server at Antioch University containing more than a decade of sensitive information on 60,000 people, some entirely unconnected with the university, was breached three times last year.

The server contained data going back to 1996 on current and former students and employees, as well as on students who had been scouted by the university but never attended or even applied. The data contained ample material for identity theft—Social Security numbers, names, academic records, and payroll records—but university officials said they do not know of any theft connected to the breaches.

University officials noticed something wrong on February 13, 2008, when users who logged into the server received a "mildly profane" message sent by a virus, according to William H. Marshall, the university's interim chief information officer. The server was taken offline, and an outside company's forensic investigation of the server found that "an unauthorized intruder" breached the system on June 9, 2007, June 10, 2007, and October 11, 2007. Mr. Marshall declined to say if he knew if the breach came from an internal or external hacker, citing a continuing law-enforcement investigation.

The university, which has six campuses in four states, began sending out letters about two weeks ago notifying people whose information was compromised and giving them a toll-free number to call for more information. The institution has received about five or six calls a day since then. "The most common calls are from people wondering why Antioch would have had their information on the system in first place, probably rightfully so," said Mr. Marshall.

The university has used outside companies to identify prospective students. "I think it is fairly common for universities, particularly in the last few years, to be more proactive in identifying and tracking students they're interested in," said J. Brice Bible, chief information officer at Ohio University, which endured high-profile security breaches several years ago. Antioch University officials [Non sequitur alert! Bob] "have obviously acquired information to be competitive, which had made it more challenging for them to maintain a secure environment," he said.

Privacy advocates said there was no excuse for colleges to fail that challenge. "We have a very simple recommendation for universities," says Marc Rotenberg, executive director of the Electronic Privacy Information Center. "If they can't protect it, they shouldn't collect it." [Where can I buy this bumper sticker? Bob]



Come for the swimsuit models' phone numbers, leave with their Social Security numbers...

http://www.pogowasright.org/article.php?story=20080424105656150

SwimwearBoutique.com hacked; customer credit card info accessed

Thursday, April 24 2008 @ 05:32 PM EDT Contributed by: PrivacyNews News Section: Breaches

SwimwearBoutique.com (SWB), a Texas-based online retailer of men's and women's swimwear, reports [pdf] that on March 28, it discovered that their databases had been accessed sometime between March 26 and March 28. [suggesting that they do not keep logs, which record access to the second. Bob] An unspecified number of customers had their names, addresses, SWB account passwords, email addresses, and credit card information accessed.

In addition to accessing customer data, the intruders reportedly also corrupted existing data, rendering it unusable or unreadable. [Typically, only the loss of data is reported. Bob]

In his notification letter to the New Hampshire DOJ on behalf of SWB, Ronald I. Raether, Jr. of Faruki Ireland & Cox, P.L.L., wrote, "In addition, to any affected customer requesting assistance from us, SWB will offer a year's subscription to the LoudSiren Identity Protection Network™. We are committed to helping our customers affected by these criminal acts."

SWB's notification letter to customers makes no mention of any SWB-subsidized services, [a clever strategy for reducing costs... Bob] suggesting that only customers who call SWB and specifically request assistance will actually be offered the free service. Calls to SWB to clarify this were referred to SWB's attorney, who did not return our call by the end of the day.



Another SunGard victim – no new information

http://www.pogowasright.org/article.php?story=2008042418051084

Stolen laptop contains personal data for 'nearly 2,000' current, prospective Fisher students (Sungard Update)

Thursday, April 24 2008 @ 06:05 PM EDT Contributed by: PrivacyNews News Section: Breaches

Personal information (name, Social Security number, and date of birth) for close to 2,000 current and prospective St. John Fisher students may have fallen into the wrong hands as part of a security breach that involves a number of area colleges.

Source - Cardinal Courier Online Related - St. John Fisher College FAQ



Identity theft immediately! A very bad strategy...

http://www.pogowasright.org/article.php?story=20080425065426750

NY: Credit card info stolen in Canton

Friday, April 25 2008 @ 06:54 AM EDT Contributed by: PrivacyNews News Section: Breaches

Police are investigating hundreds of reports of thefts of credit and debit card numbers belonging to customers who shopped at WiseBuys department store in December.

"We have had hundreds of victims and thousands of thefts. We have had amounts as high as $3,000 and as low as $10," said Sgt. Lori A. McDougal of the village police department. "I would say at this point they total upwards of $100,000."

Victims are all believed to have shopped at the Canton WiseBuys store between Dec. 5 and 20, Ms. McDougal said. Since then, stolen credit card numbers have been used to create fake cards in New York City.

... The Canton store was the only one in the WiseBuys and Hacketts chain that was affected by the number thefts. The stores use the credit card processing system used by nearly every True Value hardware store in the nation, Mr. Garrelts said.

WiseBuys changed its computer system in December and investigators are attempting to determine whether that was when the numbers were stolen, Ms. McDougal said. Village police have begun interviewing about 30 WiseBuys employees but so far have not identified any as suspects.

Source - Watertown Daily Times



Follow-up: A non-TJX reaction after all. PCI security isn't sufficient. ISO 27001 will take 18 months.

http://www.pogowasright.org/article.php?story=20080425072317695

Hannaford CIO: We Need To Spend Millions, Go Well Beyond PCI

Friday, April 25 2008 @ 07:23 AM EDT Contributed by: PrivacyNews News Section: Breaches

Hannaford CIO Bill Homa, overseeing a data breach probe that exposed some 4.2 million payment cards, said this week that his chain needs to go well beyond PCI to try and be secure, an effort he predicted would cost his department millions of dollars "but not tens of millions."

Homa called a news conference to detail some of those planned security improvements, including Triple DES PIN encryption ("customer card information is now encrypted from the PINpad at the store register and remains encrypted while it's in our own internal network"), host and network intrusion prevention systems ("to proactively prevent malware from being installed in our systems") and better payment segmentation.

Source - StorefrontBacktalk



Tools & Techniques for ubiquitous surveillance

http://www.opengpstracker.org/

The Open GPS Tracker is a small device which plugs into a $20 prepaid mobile phone to make a GPS tracker. The Tracker responds to text message commands, detects motion, and sends you its exact position, ready for Google Maps or your mapping software. The Tracker firmware is open source and user-customizable.



It's safe, therefore we can use it more...

http://www.intergovworld.com/article/81ae989f0a01040801dd6a6784e2fdd6/pg1.htm

More privacy-boosting technology begets more video surveillance

By: Rosie Lombardi, InterGovWorld.com (Apr 25, 2008 06:00:00)

... Developed by Karl Martin and Kostas Plataniotis, researchers at the faculty of engineering, their secure visual object coding application uses cryptography techniques to encrypt "objects of interest" within video frames - faces or other features that may be used to identify a person - and store them separately. In order to view the original complete image, a decryption key is needed to restore the object of interest.
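The scheme the article describes separates a frame into a viewable part and an encrypted "object of interest" that only a key holder can put back. The following is an added illustration of that split, not code from the researchers or the article: the frame is a constructed 8x8 grid of grey values, the keystream is an HMAC-SHA256 counter construction chosen so the example runs on the standard library alone (an assumption; a deployment would use a real authenticated cipher such as AES-GCM), and the region coordinates are made up.

```python
import hashlib
import hmac
import os
import struct
from dataclasses import dataclass

# Constructed sample: an 8x8 greyscale "frame", one list per row, with the
# 3x3 block at rows 2-4 / cols 2-4 standing in for a detected face.
SAMPLE_FRAME = [[(r * 8 + c) % 256 for c in range(8)] for r in range(8)]
FACE_REGION = (2, 2, 3, 3)  # (top, left, height, width), assumed detector output


@dataclass
class EncryptedObject:
    """The part of the frame stored separately from the redacted video."""
    region: tuple
    nonce: bytes
    ciphertext: bytes
    tag: bytes


def _keystream(key, nonce, length):
    # PRF keystream: HMAC-SHA256(key, nonce || counter), a stand-in for a real AEAD.
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def _authenticate(key, region, nonce, ciphertext):
    # Tag covers the region coordinates too, so a moved or swapped object is rejected.
    header = struct.pack(">4H", *region) + nonce
    return hmac.new(key, header + ciphertext, hashlib.sha256).digest()


def redact_frame(frame, region, key):
    """Encrypt the object of interest and black it out in the frame.
    Returns (redacted_frame, encrypted_object); the two are stored separately."""
    top, left, h, w = region
    plaintext = bytes(frame[r][c] for r in range(top, top + h) for c in range(left, left + w))
    nonce = os.urandom(16)  # fresh per object; reuse would leak pixel differences
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = _authenticate(key, region, nonce, ciphertext)
    redacted = [row[:] for row in frame]
    for r in range(top, top + h):
        for c in range(left, left + w):
            redacted[r][c] = 0  # viewable video shows a black box here
    return redacted, EncryptedObject(region, nonce, ciphertext, tag)


def restore_frame(redacted, obj, key):
    """Reinsert the object of interest; raises ValueError without the right key."""
    expected = _authenticate(key, obj.region, obj.nonce, obj.ciphertext)
    if not hmac.compare_digest(expected, obj.tag):
        raise ValueError("wrong key or tampered object")
    plaintext = bytes(c ^ k for c, k in zip(obj.ciphertext, _keystream(key, obj.nonce, len(obj.ciphertext))))
    top, left, h, w = obj.region
    frame = [row[:] for row in redacted]
    i = 0
    for r in range(top, top + h):
        for c in range(left, left + w):
            frame[r][c] = plaintext[i]
            i += 1
    return frame


if __name__ == "__main__":
    k = os.urandom(32)
    redacted, obj = redact_frame(SAMPLE_FRAME, FACE_REGION, k)
    print("redacted centre pixel:", redacted[3][3])
    print("restored matches original:", restore_frame(redacted, obj, k) == SAMPLE_FRAME)
```

The point worth noticing is the authentication tag: without it, anyone holding the stored object and a wrong key would get back garbage pixels that look like a decryption, and a tampered object could be spliced back into the wrong frame. Binding the region coordinates into the tag is what keeps the separately stored object tied to its place in the picture.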



What was the real reason to go to electronic voting?

http://news.slashdot.org/article.pl?sid=08/04/25/0337219&from=rss

Diebold Admits ATMs Are More Robust Than Voting Machines

Posted by Soulskill on Friday April 25, @08:23AM from the votes-on-the-cheap dept.

An anonymous reader points out a story in the Huffington Post about the status of funding for election voting systems. It contains an interesting section in which Chris Riggall, a spokesman for Premier (formerly Diebold) acknowledged that less money is spent making an electronic voting machine than on a typical ATM. The ironically named Riggall also notes that security could indeed be improved, but at a higher price than most election administrators would care to pay. Also quoted in the article is Ed Felten, who has recently found some inconsistencies in New Jersey voting machines. From the Post:

"'An ATM is significantly a more expensive device than a voting terminal...' said Riggall. 'Were you to develop something that was as robust as an ATM, both in terms of the physical engineering of it and all aspects, clearly that would be something that the average jurisdiction cannot afford.' Perhaps cost has something to do with the fact that a couple of years ago, every single Diebold AccuVote TS could be opened with a standard key also used for some cabinets and mini-bars and available for purchase over the Internet."



Will he win if the data has been gathered legally? (e.g. From a state database that failed to remove the SSAN?)

http://www.govtech.com/gt/299913?topic=117671

Missouri AG Attempts to Stop Web Site from Selling Personal Information

Apr 24, 2008, News Report

Attorney General Jay Nixon is seeking to shut down a Web site that permits anyone with a credit card to purchase detailed personal information about Missouri consumers -- including Social Security numbers -- and have its operator fined a significant sum for each violation of state consumer protection laws.

... Anyone who provides this information to third parties is obligated under federal law to ensure that the third party's use of the information is for a legitimate purpose allowed under the law. Nixon says A1 Peoplesearch unethically failed to properly verify the use to which its subscribers put the data the defendant sold to them. [So add a screen that requires you to state the purpose (selected from a pull down menu of 'legitimate purposes') Bob]


Related?

http://yro.slashdot.org/article.pl?sid=08/04/25/1143236&from=rss

Companies To Be Liable For Deals With Online Criminals

Posted by kdawson on Friday April 25, @09:46AM from the sees-you-when-you're-sleeping dept.

Dionysius, God of Wine and Leaf, sends us to DarkReading for a backgrounder on new rules from the FTC, taking effect in November, that will require any business that handles private consumer data to check its customers and suppliers against databases of known online criminals. Companies that fail to do so may be liable for large fines or jail time. In practice, most companies will contract with specialist services to perform these checks. Yet another list you don't want to get on.

"The [FTC's] Red Flag program... requires enterprises to check their customers and suppliers against databases of known online criminals — much like what OFAC [the Treasury Department's Office of Foreign Asset Control] does with terrorists — and also carries potential fines and penalties for businesses that don't do their due diligence before making a major transaction."



I am noticing an increase in the number of articles where reporters are taking organizations to task for failure to secure the data, even doing some basic research to learn what the “normal” practices are.

http://www.pogowasright.org/article.php?story=20080425062120348

Ie: Potential for data leakage rife in Irish organisations

Friday, April 25 2008 @ 06:21 AM EDT Contributed by: PrivacyNews News Section: Non-U.S. News

The failure by Bank of Ireland and other financial institutions as well as some of the largest corporations and government bodies to sign up to an international security standard accredited by the Irish Government means that more embarrassing data leak scandals such as laptop theft will occur again.

Siliconrepublic.com has learned that an important data security management standard ISO 27001, which governs the prevention and handling of security breaches and is used worldwide by financial institutions and government bodies, is not in place in any Irish financial institution – save a Credit Union in Waterford.

The ISO 27001 standard sets out best practices for IT security techniques and management systems.

Source - Silicon Republic

[From the article:

In the UK, for example, all financial institutions have had to qualify for the standard, otherwise the payments association APACS won’t do business with them. [Compare to PCI standard “enforcement”... Bob]

... Asked if organisations are perhaps unaware of the ISO 27001 standard, Brophy said: “Three or four years ago that might have been the case. Anyone who works in IT would know that this standard is a basic minimum requirement and can be tailored to suit any organisation of any size. Waterford Credit Union achieved the standard in recent months. Why larger financial organisations haven’t seen the need to go for it is beyond me.”

On the subject of whether Irish government bodies are subscribing to the standard, Brophy said that despite healthy attendance by government bodies at ISO 27001 training courses, no government body has moved to get certified.



I expect a few amusing articles as this process 'works out the kinks'

http://www.pogowasright.org/article.php?story=20080425061643431

Face scans for air passengers to begin in UK this summer

Friday, April 25 2008 @ 06:16 AM EDT Contributed by: PrivacyNews News Section: Surveillance

Airline passengers are to be screened with facial recognition technology rather than checks by passport officers, in an attempt to improve security and ease congestion, the Guardian can reveal.

From summer, unmanned clearance gates will be phased in to scan passengers' faces and match the image to the record on the computer chip in their biometric passports.

Border security officials believe the machines can do a better job than humans of screening passports and preventing identity fraud. The pilot project will be open to UK and EU citizens holding new biometric passports.

Source - Guardian

[From the article:

Border security officials believe the machines can do a better job than humans [Translation: you can trust the machines Bob] of screening passports and preventing identity fraud. The pilot project will be open to UK and EU citizens holding new biometric passports.

But there is concern that passengers will react badly to being rejected by an automated gate. To ensure no one on a police watch list is incorrectly let through, the technology will err on the side of caution and is likely to generate a small number [see below Bob] of "false negatives" [Translation: you can't trust the machines. Bob] - innocent passengers rejected because the machines cannot match their appearance to the records. [Translation: We will deliberately tackle, handcuff and hood, strip and cavity search a few so called "innocents" just to demonstrate that we are serious about protecting innocents. Bob]

... Phil Booth of the No2Id Campaign said: "Someone is extremely optimistic. The technology is just not there. The last time I spoke to anyone in the facial recognition field they said the best systems were only operating at about a 40% success rate in a real time situation. I am flabbergasted they consider doing this at a time when there are so many measures making it difficult for passengers."



The latest French version of our regional TIA systems – they've been doing this since at least 1974...

http://www.pogowasright.org/article.php?story=20080424114601906

France 'suspends' Creation of Big-Brother Database

Thursday, April 24 2008 @ 11:46 AM EDT Contributed by: PrivacyNews News Section: Non-U.S. News

The French government will "suspend" the use of new software for recording the personal habits and affiliations of its citizens in a police database, following an outcry by civil rights groups.

Interior Minister Michèle Alliot-Marie took the decision Tuesday to suspend trials of the Ardoise software while officials consider how to reconcile privacy rights and operational needs, her spokesman confirmed Thursday.

Source - CIO

[From the article:

Campaigners say that Ardoise infringes civil liberties by allowing law enforcers to tag a person's file with annotations including "runaway child," "handicapped," "homeless," "trade unionist," "alcoholic," "narcotics user," "transvestite," "transgendered," "homosexual," "prostitute," "person who frequents prostitutes," "psychologically disturbed" or "member of a sect," simply by picking them from a list.

... The database also holds information about religion, sexual orientation and race, according to the Interior Ministry.

[What information do the police need? Bob]


Related. This is what happens when databases are matched...

http://www.pogowasright.org/article.php?story=20080424131800760

IN: Judge refuses to stop license revocations

Thursday, April 24 2008 @ 01:18 PM EDT Contributed by: PrivacyNews News Section: In the Courts

The Indiana Bureau of Motor Vehicles reports that it has revoked the driver’s licenses and ID cards of about 32,455 people this year because their personal information didn’t match Social Security records.

On Wednesday a Marion Superior Court judge denied an injunction that would have temporarily stopped the BMV from revoking the credentials, a new process that began last year.

The injunction was sought by the American Civil Liberties Union of Indiana. It was paired with a class-action lawsuit where the key plaintiff was South Bend attorney Lyn Leone.

Source - WSBT

[From the article:

The ACLU’s lawsuit claimed that it’s against state law and the U.S. Constitution to take away licenses because of mismatches between BMV and Social Security records.

A hearing was held April 11 before Judge Kenneth Johnson in Indianapolis.

In his 44-page ruling, Johnson wrote that the suit failed to show any harm or hardship [I'll have to read the ruling, but no license and the need to re-apply should be harm, right? Bob] to Leone by the BMV’s new screening process, which began last year.

... The BMV says it will reinstate a license — at no charge — if the customer can successfully show their personal information matches that of Social Security records. To date, the BMV says 835 credentials have been reinstated. [Doesn't this suggest that the matching process is flawed? Bob]



Talk on implementation of HIPAA rules.

http://www.phiprivacy.net/?p=313

Apr-25-2008

Pointer: Case Study: Five ways to energize your information security program

Jim Reiner’s presentation at the 15th National HIPAA Summit is now available online.



My friendly neighborhood Linux geek sent me this article. Looks very interesting...

http://www.itwire.com/content/view/17816/1141/1/0/

Ubuntu 8.04’s Wubi makes for universal desktop

by David M Williams Wednesday, 23 April 2008

... Today, I’d like to talk about something else which is new in this release: Wubi, the Windows based Ubuntu Installer.

Wubi offers a remarkable new way of trying out Ubuntu, making it even more of a risk-free proposition than ever before.

... Wubi’s goals are to assist a Windows user unacquainted with Linux in trying Ubuntu out without risking any loss of information, because although the hard disk will be written to there is no disk partitioning or formatting involved. The existing hard drive configurations, and Windows installation, are not affected in any way.

Wubi runs straight from within Windows and will install Ubuntu onto a disk image – that is, a single disk file which emulates a stand-alone hard drive. Using Wubi, Windows users can try Ubuntu out without any complex installation.

... At worst, if you don’t like it, uninstallation is a snap and your computer is left as it was.

... On rebooting I’m greeted with a boot loader menu asking which operating system I wish to use; choosing Ubuntu fires up the new operating system without hitch and with just a few more questions on the way.
