Tuesday, May 13, 2008

“We didn't understand the first few times, so we asked them to do it again, only slower.”

http://www.pogowasright.org/article.php?story=20080512125921999

Another Laptop Stolen from Pfizer, Employee Information Compromised (updated)

Monday, May 12 2008 @ 12:59 PM EDT Contributed by: PrivacyNews News Section: Breaches

About 13,000 employees at Pfizer Inc., including about 5,000 from Connecticut, had their personal information compromised when a company laptop and flash drive were stolen, the pharmaceutical giant confirmed today.

The data breach, which occurred about a month ago, was the second this year affecting Pfizer Inc. employees and the sixth made public in a one-year span dating back to May 2007. More than 65,000 data-breach notifications have been sent out by Pfizer over the past year, including more than 10,000 to employees from Connecticut.

Source - The Day Updated 5-13-08: The Day

[From the article:

The company said late Friday in an e-mail to affected employees, including many at Pfizer Global Research and Development campuses in Groton and New London, that no Social Security numbers were on the encrypted laptop, but names, home addresses, home telephone numbers, employee identification numbers, positions and salaries were possibly compromised by an unencrypted flash drive. [“Next time we may encrypt the sensitive data and not bother to encrypt the junk data. But it may take a few more breaches to get it worked out...” Bob]



When bureaucracy designs security...

http://www.pogowasright.org/article.php?story=20080512122027751

UK: Crooks access NHS database

Monday, May 12 2008 @ 12:20 PM EDT Contributed by: PrivacyNews News Section: Breaches

THE £12 billion NHS computer system lay in tatters last night — as it emerged CROOKS may have accessed patient records.

A security card flaw has left the system open to abuse for two years.

Sensitive medical details, addresses and National Insurance numbers of every patient in the country could have been seen by ANYONE in a GP surgery or hospital without using the special swipe card.

.... the controversial Choose and Book system allows GPs to view patient records online, book appointments and order medicines through their computer.

But a GP in Hornchurch, Essex, found he could log on to the system without inserting his "smart card" into the reader device.

Source - The Sun



In the category: “No good deed goes unpunished”

http://www.infoworld.com/article/08/05/12/Phishers-scamming-IRS-rebates_1.html

Phishers scamming IRS rebates

A new scheme sends a fraudulent IRS e-mail that directs users to a Web site that asks for their bank account information in order to direct deposit their stimulus checks.

By Tim Greene, Network World May 12, 2008

Scammers want your IRS refund checks and have devised at least one phishing scheme to get it, according to the FBI.

The e-mail, which purports to be from the IRS, advises recipients that the best way to get their economic stimulus rebate money is by direct deposit. It then directs them to a Web site that asks them to enter bank account information and other personal data.

To encourage recipients to respond, the e-mail warns that not filling out the form will mean a delay in receiving the check.
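The lure described above combines three signals a mail filter can score without any external lookup: a brand claimed in the body that the sender's domain does not match, links that leave the sender's domain, and text that both asks for banking details and applies time pressure. The following is an added example written for this post, not code from the article, the FBI or the IRS; the two messages at the bottom are constructed samples, and the brand table, phrase lists and `registrable()` helper are simplifications chosen for illustration.

```python
"""Heuristic scoring of an IRS-rebate style phishing lure.
All messages, domains and phrase lists here are constructed for illustration."""
import email
import re
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

IMPERSONATED_BRANDS = {"irs": "irs.gov"}   # brand keyword -> the brand's real domain (assumed table)
URGENCY_PHRASES = ("delay", "immediately", "within 24 hours")
CREDENTIAL_PHRASES = ("bank account", "routing number", "account number")


class LinkCollector(HTMLParser):
    """Collect href targets from <a> tags in an HTML body."""
    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            for name, value in attrs:
                if name == "href" and value:
                    self.hrefs.append(value)


def registrable(host):
    """Last two DNS labels; a production filter would use the public suffix list."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def score_message(raw):
    """Return the list of phishing indicators found in one RFC 5322 message."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []
    sender_domain = registrable(msg["from"].addresses[0].domain) if msg["from"] else ""
    part = msg.get_body(preferencelist=("html", "plain"))
    body = part.get_content() if part else ""
    text = body.lower()

    # 1. A brand is named in the body but the mail does not come from that brand's domain.
    for brand, legit_domain in IMPERSONATED_BRANDS.items():
        if re.search(rf"\b{brand}\b", text) and sender_domain != legit_domain:
            findings.append(f"brand-mismatch:{brand}")

    # 2. Links whose host is outside the sender's own domain (the "enter your details here" page).
    collector = LinkCollector()
    collector.feed(body)
    for href in collector.hrefs:
        host = urlparse(href).hostname or ""
        if host and registrable(host) != sender_domain:
            findings.append(f"offdomain-link:{host}")

    # 3. Requests for banking details, and pressure to act now.
    if any(p in text for p in CREDENTIAL_PHRASES):
        findings.append("asks-for-bank-details")
    if any(p in text for p in URGENCY_PHRASES):
        findings.append("urgency")
    return findings


# Constructed sample lure, modelled on the scheme described in the article.
LURE = """From: "Internal Revenue Service" <rebates@irs-stimulus.example>
To: taxpayer@example.test
Subject: Your economic stimulus rebate
Content-Type: text/html; charset=us-ascii

<html><body><p>The fastest way to receive your IRS economic stimulus
rebate is by direct deposit. <a href="http://stimulus-rebate.example/form">
Enter your bank account information here</a>. Not completing the form
will delay your check.</p></body></html>
"""

# Constructed benign control message: links stay on the sender's domain.
LEGIT = """From: "Example Payroll" <payroll@example.test>
To: employee@example.test
Subject: Pay stub available
Content-Type: text/html; charset=us-ascii

<html><body><p>Your pay stub is available at
<a href="https://hr.example.test/stubs">the HR portal</a>.</p></body></html>
"""

if __name__ == "__main__":
    print("lure :", score_message(LURE))
    print("legit:", score_message(LEGIT))
```

The brand-mismatch and off-domain-link checks are deliberately independent: a lure that spoofs the From header as irs.gov passes the first check but still trips the second, because the form it points to cannot live on the impersonated domain.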



Have I missed something? When did these guys get 'promoted' to criminal mastermind? (Add Dave & Buster's to the breach list in May 2007...)

http://www.pogowasright.org/article.php?story=20080512201234592

TJX credit card heist suspect, 2 others, accused of new scam

Monday, May 12 2008 @ 08:12 PM EDT Contributed by: PrivacyNews News Section: Breaches

Three men - one of them suspected of playing a role in the heist of 45.6 million credit cards from retailer TJX Companies - have been accused of hacking into cash register terminals belonging to a restaurant chain and installing software that sniffed credit card numbers.

According to a 27-count indictment unsealed Monday, the scheme was carried out in part by Maksym Yastremskiy. In July, the Ukrainian was arrested in a Turkish resort town for allegedly selling large quantities of credit card numbers, many of which were siphoned out of TJX's rather porous network. He remains incarcerated in Turkey, where an application for extradition to the US is pending. Yastremskiy also went by the name Maksik.

Source - The Register

[From the article:

... The men managed to install the packet sniffers remotely by socially engineering individuals, according to the indictment, which didn't elaborate. [“Hello, we is your computers service men. Give us access so we can fix all your problemz.” Bob]

[From article two:

"We don't have any information that suggests this person was the one who committed the attack on TJX, but at some point he did come into possession of the (stolen TJX) card accounts."



This would be unbelievable except for things like the Pfizer article.

http://www.pogowasright.org/article.php?story=20080512131157657

UK companies: Leaking like a sieve?

Monday, May 12 2008 @ 01:11 PM EDT Contributed by: PrivacyNews News Section: Breaches

Most UK companies are losing data every month, a survey has found.

The majority of UK businesses, 79 per cent, are losing data at least once per month, according to the survey of 250 senior IT staff at businesses larger than 1,000 staff.

More than a quarter, 28 per cent, suffered data loss on a weekly or more frequent basis, the report by IT management company CA found.

Source - Silicon.com



Tools & Techniques (For the “we don't need no stinking encryption” crowd.)

http://arstechnica.com/news.ars/post/20080512-deep-packet-inspection-under-assault-from-canadian-critics.html

Deep packet inspection under assault over privacy concerns

By Nate Anderson | Published: May 12, 2008 - 12:03PM CT

Add the Canadian Internet Policy and Public Interest Clinic (CIPPIC) to the list of groups concerned about the privacy implications of widespread deep packet inspection (DPI) by ISPs. CIPPIC has filed an official complaint with Canada's Privacy Commissioner, Jennifer Stoddart, asking her office to investigate Bell Canada's use of DPI (and we're flattered to be quoted as an expert source in the complaint). In addition, the group would welcome a wider investigation into possible DPI use at cable operators Rogers and Shaw, as well.

In writing up this morning's announcement of a massive new 80Gbps DPI appliance from Procera Networks, I noted that privacy concerns were one of the storm clouds in DPI's bright blue skies. Because DPI can drill down into packet headers and then further into the actual content being pumped through the tubes, it raises all sorts of questions from privacy advocates concerned about the easy collection of private personal information. Current gear is so sophisticated that it can reconstitute e-mails and IM conversations out of asymmetric traffic flows and it can essentially peek "under the hood" of any non-encrypted packet to take a look at what it contains.

... The issues go beyond just IP addresses, encompassing attorney/client privilege, trade secrets, and other protected communications, but DPI vendors have assured Ars that they have little interest in examining content; most traffic information can be gleaned from packet headers, destination IP addresses, flow patterns, handshakes, and the like. Given the sheer capabilities of these devices, though, it seems at least worthwhile to have a detailed discussion about the potential privacy implications.
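The article's key technical claim is that DPI gear can reassemble flows and read whatever is not encrypted, while an encrypted flow yields only metadata (endpoints, byte counts, timing). The following added example, written for this post and not taken from Ars, Procera or any DPI vendor, shows that difference on constructed traffic: it reorders and de-duplicates TCP segments into a stream, uses a byte-entropy test as a stand-in for a real protocol classifier (an assumption; production appliances use protocol signatures), and pulls mail headers out of a plaintext SMTP session while getting nothing but a byte count from a pseudo-ciphertext stream of the same shape.

```python
"""What a flow inspector sees on a plaintext flow versus an opaque one.
All segments, addresses and 'ciphertext' are constructed for illustration."""
import hashlib
import math
from collections import Counter


def reassemble(segments):
    """Order (seq, payload) segments by sequence number, dropping duplicates,
    and return the contiguous byte stream up to the first gap."""
    by_seq = {}
    for seq, data in segments:
        by_seq.setdefault(seq, data)          # first copy wins, retransmits ignored
    stream = bytearray()
    next_seq = min(by_seq) if by_seq else 0
    while next_seq in by_seq:
        data = by_seq[next_seq]
        stream += data
        next_seq += len(data)
    return bytes(stream)


def entropy_bits_per_byte(data):
    """Shannon entropy of the byte distribution (0..8 bits)."""
    if not data:
        return 0.0
    counts = Counter(data)
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def looks_encrypted(data, threshold=6.0):
    """Stand-in classifier (assumption): ASCII protocol text sits well under
    6 bits/byte, ciphertext and compressed data close to 8."""
    return entropy_bits_per_byte(data) >= threshold


def extract_mail_headers(stream):
    """Pull From/To/Subject out of the DATA phase of a plaintext SMTP session."""
    text = stream.decode("ascii", errors="replace")
    marker = "\r\nDATA\r\n"
    if marker not in text:
        return {}
    headers = {}
    for line in text.split(marker, 1)[1].split("\r\n"):
        if line == "":                         # blank line ends the header block
            break
        if ":" in line:
            key, value = line.split(":", 1)
            if key.lower() in ("from", "to", "subject"):
                headers[key.lower()] = value.strip()
    return headers


def inspect_flow(segments):
    """Reassemble a flow and report what an inspector can recover from it."""
    stream = reassemble(segments)
    if looks_encrypted(stream):
        return {"bytes": len(stream), "classification": "opaque", "headers": {}}
    return {"bytes": len(stream), "classification": "plaintext",
            "headers": extract_mail_headers(stream)}


def split_into_segments(stream, size):
    """Cut a stream into segments, deliver them in reverse order, and append
    a duplicate of the first one, as a lossy tap might."""
    segs = [(i, stream[i:i + size]) for i in range(0, len(stream), size)]
    return segs[::-1] + segs[:1]


def pseudo_ciphertext(n, seed=b"constructed-seed"):
    """Deterministic high-entropy bytes standing in for a TLS record payload."""
    out, block = bytearray(), seed
    while len(out) < n:
        block = hashlib.sha256(block).digest()
        out += block
    return bytes(out[:n])


# Constructed plaintext SMTP client side of a session (server replies omitted).
SMTP_TEXT = (b"EHLO mail.example.test\r\nMAIL FROM:<alice@example.test>\r\n"
             b"RCPT TO:<bob@example.test>\r\nDATA\r\n"
             b"From: alice@example.test\r\nTo: bob@example.test\r\n"
             b"Subject: Q2 numbers\r\n\r\nThe attached figures are confidential.\r\n.\r\n")
PLAINTEXT_SEGMENTS = split_into_segments(SMTP_TEXT, 40)
ENCRYPTED_SEGMENTS = split_into_segments(pseudo_ciphertext(1024), 200)

if __name__ == "__main__":
    print(inspect_flow(PLAINTEXT_SEGMENTS))
    print(inspect_flow(ENCRYPTED_SEGMENTS))
```

The point to take from the two results is not the entropy trick but the asymmetry: on the plaintext flow the inspector hands back sender, recipient and subject; on the encrypted flow it hands back a byte count and nothing else, which is exactly the argument for encrypting traffic end to end rather than trusting the ISP's stated disinterest in content.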




At last! A firm grasp of the obvious!

http://www.pogowasright.org/article.php?story=20080512121101577

U.K. defence department adopts encryption after data breaches

Monday, May 12 2008 @ 12:11 PM EDT Contributed by: PrivacyNews News Section: Non-U.S. News

Following a spate of high profile data breaches, the U.K. Ministry of Defence is set to install encryption software on 20,000 of its laptops.

It will install BeCrypt's Disk Baseline software across Royal Air Force, Army and Navy laptops, and users will need to be authenticated before they can access encrypted data. [Up till now, anyone could access the data? Bob] The MoD said the new BeCrypt software would be easily integrated with future technology too.

It will protect data across a range of levels, from 'Classified' to 'Secret' levels, and in some cases 'Top Secret' data.

Source - InterGovWorld.com



Selling a remedy for anything you fear...

http://www.pogowasright.org/article.php?story=20080512121233653

West Virginia Class Action Lawsuit Filed Against LifeLock Alleging Deceptive Marketing Practices

Monday, May 12 2008 @ 12:12 PM EDT Contributed by: PrivacyNews News Section: In the Courts

Marks & Klein, LLP today filed its third class action lawsuit against LifeLock, Inc., a provider of identity theft protection services, and its CEO Richard "Todd" Davis. The lawsuit was filed in the Circuit Court of Jackson County, West Virginia (Docket No. 08-C-69), on behalf of Kevin Gerhold of Falling Rivers, as well as all other LifeLock subscribers in West Virginia.

This latest action followed suits filed by the firm in April on behalf of Dr. and Mrs. Gerald Falke of Hagerstown, Md., as well as all other LifeLock subscribers in Maryland; and in March on behalf of Dr. and Mrs. Warren Pasternack of East Brunswick, N.J., as well as all other New Jersey LifeLock subscribers.

Source - PR Newswire

[From the article:

The lawsuits allege that LifeLock and its multi-million-dollar advertising campaign provided false and misleading information about the limited level of identity protection the company provides, and failed to warn them about the potential adverse impact the company's services could have on their credit profiles. The complaints also allege that the CEO has himself been a victim of identity theft by multiple offenders while a customer of LifeLock's services.

...

Beyond the charges leveled in the Complaints, lead counsel Paris related the story of a Wisconsin consumer who contacted the firm regarding her accidental experience with LifeLock. "Her debit card was stolen and the thief had the audacity to use the card to buy a subscription to LifeLock," he noted. "Most disturbingly, LifeLock issued the subscription to the thief in the thief's name, clearly failing to verify the appropriate information."



“No, you don't understand, it's secret evidence in our ‘Double Secret Probation’ case, and even if we made the whole thing up, it's private!”

http://cbs4denver.com/local/greeley.school.video.2.721808.html

May 12, 2008 9:40 am US/Mountain

Greeley Schools Won't Let Parent See Bus Video

GREELEY, Colo. (AP) ― Greeley school officials say privacy laws prevent them from letting a parent see a surveillance videotape after his son was disciplined for a fight on a school bus.

Mike Moskalsk says he asked to see the video taken on the bus after his son was suspended for 10 days after the April fight. Moskalsk says his son didn't start the fight but was defending himself.

Greeley-Evans School District officials say that to release the tape, they would have to get permission from the parents of all the children shown, or digitally blur their faces. They say either option would cost too much.

About 80 percent of the district's buses have surveillance cameras. Officials say surveillance tapes are reviewed only if problems are reported on a run.



Tools & Techniques: Arming for Cyberwar?

http://www.f-secure.com/weblog/archives/00001434.html

Tuesday, May 13, 2008

US Air Force Colonel Proposes Skynet

This month's issue of Armed Forces Journal features an article by Col. Charles W. Williamson III titled: Carpet bombing in cyberspace: Why America needs a military botnet

It's a provocative essay… that fails to convince us of the need for an AF.MIL botnet.


On the other hand...

http://ask.slashdot.org/article.pl?sid=08/05/13/1313249&from=rss

Just How Effective is System Hardening?

Posted by timothy on Tuesday May 13, @09:31AM from the how-large-is-your-facade dept.

SkiifGeek, pointing to our recent coverage of what the NSA went through to create SELinux, wants to know just how effective system hardening is at preventing successful attack, and writes

"When Jay Beale presented at DefCon 14, he quoted statistics (PDF link) that Bastille protected against every major threat targeting Red Hat 6, before the threats were known. With simple techniques available for the everyday user which can start them on the path towards system hardening, just how effective have you found system and network hardening to be? The NSA does have some excellent guides to help harden not only your OS but also your browser and network equipment."



Tools & Techniques: It will never replace SuperGlue! (but it does let us treat kids like sex offenders!)

http://yro.slashdot.org/article.pl?sid=08/05/12/1633251&from=rss

To Curb Truancy, Dallas Tries Electronic Monitoring

Posted by ScuttleMonkey on Monday May 12, @01:15PM from the kids-aren't-people dept.

The New York Times is reporting that a school district in Texas is trying a new angle in combating truancy. Instead of punishing students with detention they are tagging them with electronic monitoring devices.

"But the future of the Dallas program is uncertain. Mr. Pottinger's company, the Center for Criminal Justice Solutions, is seeking $365,000 from the county to expand the program beyond Bryan Adams. But the effort has met with political opposition after a state senator complained that ankle cuffs used in an earlier version were reminiscent of slave chains. Dave Leis, a spokesman for NovaTracker, which makes the system used in Dallas, said electronic monitoring did not have to be punitive. 'You can paint this thing as either Big Brother, or this is a device that connects you to a buddy who wants to keep you safe and help you graduate.'"



...and it only took 109 pages to do it!

http://www.pogowasright.org/article.php?story=20080512125329740

FTC Approves New Rule Provision Under The CAN-SPAM Act

Monday, May 12 2008 @ 12:53 PM EDT Contributed by: PrivacyNews News Section: Fed. Govt.

The Federal Trade Commission has approved four new rule provisions under the Controlling the Assault of Non-Solicited Pornography and Marketing Act of 2003 (CAN-SPAM or the Act). The provisions are intended to clarify the Act’s requirements. The provisions and the Commission’s Statement of Basis and Purpose (SBP) will be published in the Federal Register shortly. The new rule provisions address four topics: (1) an e-mail recipient cannot be required to pay a fee, provide information other than his or her e-mail address and opt-out preferences, or take any steps other than sending a reply e-mail [confirming that the email address was active... Bob] message or visiting a single Internet Web page to opt out of receiving future e-mail from a sender; (2) the definition of “sender” was modified to make it easier to determine which of multiple parties advertising in a single e-mail message is responsible for complying with the Act’s opt-out requirements; ['cause we wouldn't like to stop them all... Bob] (3) a “sender” of commercial e-mail can include an accurately-registered post office box ['cause physical addresses were too easy to locate Bob] or private mailbox established under United States Postal Service regulations to satisfy the Act’s requirement that a commercial e-mail display a “valid physical postal address”; and (4) a definition of the term “person” was added to clarify that CAN-SPAM’s obligations are not limited to natural persons. [It applies to Republicans too? Bob]

Source - FTC Related - Text of the Federal Register Notice



Is the telephone industry doomed? (I think so...)

http://tech.slashdot.org/article.pl?sid=08/05/13/1225259&from=rss

Homemade VoIP Network Over Wi-Fi Routers

Posted by timothy on Tuesday May 13, @08:53AM from the warms-the-cochleas-of-the-heart dept.

AnInkle writes

"A blogger on The Tech Report details his research and testing of wireless voice communication options for remote mountainous villages in rural undeveloped areas. The home-built project involves open-source software, low-cost wireless routers, solar power, mesh networking, unlicensed radio frequencies and VoIP technology. Although his research began several months ago, he has concluded the first stage of testing and is preparing to move near one of the sites where he hopes to eventually install the final functional network. Anyone with experience or ideas on the subject is invited to offer input and advice."


Related

http://hosted.ap.org/dynamic/stories/A/ANDROID_CLASS?SITE=VALYD&SECTION=HOME&TEMPLATE=DEFAULT

MIT students show power of open cell phone systems

By BRIAN BERGSTEIN May 12, 2:52 PM EDT

CAMBRIDGE, Mass. (AP) -- What do you want your cell phone to be able to do?

Massachusetts Institute of Technology professor Hal Abelson put that question to about 20 computer science students this semester when he gave them one assignment: Design a software program for cell phones that use Google Inc.'s upcoming Android mobile operating system.



I know a few lawyers who would dispute this. But then, they dispute everything...

http://science.slashdot.org/article.pl?sid=08/05/12/205217&from=rss

First Space Lawyer Graduates

Posted by ScuttleMonkey on Monday May 12, @05:11PM from the great-more-lawyers dept.

PHPNerd writes

"Over at space.com is an interesting article about the first space lawyer. He graduated from the University of Mississippi. 'Any future space lawyer might have to deal with issues ranging from the fallout over satellite shoot-downs to legal disputes between astronauts onboard the International Space Station. The expanding privatization of the space sector may also pose new legal challenges [...] "We are particularly proud to be offering these space law certificates for the first time, since ours is the only program of its kind in the U.S. and only one of two in North America," said Samuel Davis, law dean at the University of Mississippi.'"



Tools & Techniques: Recovery is pricey (esp. compared to backups) but much more 'doable' than even the manufacturers think.

http://hardware.slashdot.org/article.pl?sid=08/05/12/2330200&from=rss

A Walk Through the Hard Drive Recovery Process

Posted by kdawson on Monday May 12, @08:02PM from the it's-dead-jim dept.

Fields writes

"It's well known that failed hard drives can be recovered, but few people actually use a recovery service because they're expensive and not always successful. Even fewer people ever get any insights into the process, as recovery companies are secretive about their methods and rarely reveal any more information than is necessary for billing. Geek.com has an article walking through a drive recovery handled by DriveSavers. The recovery team did not give away many secrets, but they did reveal a number of insights into the process. From the article, '[M]y drive failed in about every way you can imagine. It had electro-mechanical failure resulting in severe media damage. Seagate considered it dead, but I didn't give up. It's actually pretty amazing that they were able to recover nearly all of the data. Of course, they had to do some rebuilding, but that's what you expect when you send it to the ER for hard drives.'"

Be sure to visit the Museum of Disk-asters, too.



Fun! YouTube for Physicists! (You could do this in any field)

http://news.slashdot.org/article.pl?sid=08/05/13/0350215&from=rss

Lectures On the Frontiers of Physics Online

Posted by kdawson on Tuesday May 13, @08:14AM from the current-perimeter dept.

modernphysics writes

"The Outreach Department at Canada's Perimeter Institute for Theoretical Physics offers a wide array of online lecture playbacks examining hot topics in modern physics and beyond. Presentations include Neil Turok's 'What Banged?,' John Ellis with 'The Large Hadron Collider,' Nima Arkani-Hamed with 'Fundamental Physics in 2010,' Paul Steinhardt with 'Impossible Crystals,' Edward Witten with 'The Quest for Supersymmetry,' Seth Lloyd with 'Programming the Universe,' Anton Zeilinger with 'From Einstein to Quantum Information,' Raymond Laflamme with 'Harnessing the Quantum World,' and many other talks. The presentations feature a split-screen presentation with the guest speaker in one frame and their full-frame graphics in the other."



I'll have to see if there is a “student” registration available.

http://www.infoworld.com/article/08/05/12/Hackers-create-their-own-social-network_1.html?source=rss&url=http://www.infoworld.com/article/08/05/12/Hackers-create-their-own-social-network_1.html

Hackers create their own social network

'Ethical hacking' group has signed up more than 1,000 members for the House of Hackers network since its launch

By Matthew Broersma, IDG News Service May 12, 2008

Hackers now have their own social network, backed by GnuCitizen, a high-profile "ethical hacking" group.

The network, called House of Hackers, has signed up more than 1,000 members since its launch earlier this week, according to the site.

GnuCitizen set up the network in order to promote collaboration among security researchers. The site's founders said they use "hacker" in the complementary sense.

... GnuCitizen is encouraging businesses to use the site to seek out security researchers for jobs or particular projects.



Here is a 'How to' (along with a bit of Why), but I can see this as a simple e-business model. “Click here and remove unwanted software and free up disk space.” Note: there are many similar tools out there...

http://www.cnet.com/8301-13880_1-9941808-68.html?part=rss&tag=feed&subj=Workers'Edge

Identify mystery apps installed on your PC

Posted by Dennis O'Reilly May 12, 2008 12:00 PM PDT

I'm always looking for a little bit more performance from my PCs, so I regularly use Piriform's free CCleaner utility to clear out the clutter on my systems' hard drives.

... The last time I ran CCleaner on my XP test machine, it freed up almost 2GB of hard-drive space by removing temporary Internet files, sweeping out the Recycle Bin, and deleting various Windows updates and other system and application files I no longer needed. Then I clicked the program's Tools option to view the applications installed on the PC.

... It would be nice if Windows provided some clues about the programs it lists in XP's Add or Remove Programs and Vista's Programs and Features. For example, Programs and Features on my Vista system lists the Viewpoint Media Player, but it offers no hint as to where the program came from, apart from the date it was installed. From what I was able to gather after a Web search, the utility is related to the display of 3D effects in AIM.

Since I use Trillian and Google Talk for my IM sessions, I don't need the Viewpoint player. A bigger question is how the program got on my PC in the first place. [and this is (presumably) legitimate software. Imagine if it was malware and didn't want to be found? Bob] It didn't come preinstalled on the machine, and no other programs were loaded on the same date as it was. Still, the next most recent software installation was AIM itself, which had an installation date one month later than the Viewpoint player.

However the program managed to slip onto my PC, removing it freed up more than 7MB of hard-disk space.



Business model. Act as the meeting place for people who put on seminars and those who want to attend.

http://www.killerstartups.com/Web-App-Tools/Markthisdatecom---Share-Your-Favorite-Events/

Markthisdate.com - Share Your Favorite Events

Markthisdate is a Holland-based site that allows you to download the calendars of your favorite events directly to your favorite calendar program and thereby keep tabs on your favorite things. There are a number of calendars to choose from, for example, the Beijing Olympics, and you simply have to click “add to my calendar” when you would like to download the times and dates of an event to your iCalendar. You can also add calendars to Markthisdate, something that is especially handy for those looking to self-promote their act.

http://www.markthisdate.com/info/faq.html



Business Model: Find a niche and become an expert

http://www.killerstartups.com/Web20/VinoGustocom---Interactive-Community-for-Wine-Lovers/

VinoGusto.com - Interactive Community for Wine Lovers

Vinogusto, launched in January last year, is an interactive community website aimed at promoting the enjoyment of wine, including through oenotourism. [TSA will perform a cavity search if you wear this t-shirt when entering the country. Bob] Registered users have their own page where they can share wine experiences, such as by reviewing a visit to a particular winery or rating a wine they drank. You can search wines by name, country of origin, color, and price, or browse by tags or “Hot wines.” Wine professionals can use the site as a promotion tool, with prices ranging from 50 to 450 Euros per year for various promotion plans. Vinogusto.com is currently available in four languages: English, French, Spanish, and Dutch. It features around 24,000 wines and over 37,000 wineries, with numbers growing regularly as users contribute.

http://www.vinogusto.com/
