Friday, June 20, 2008

“How to ensure third party security” might make an interesting article.

http://www.pogowasright.org/article.php?story=20080619113348678

Stolen State Street tower contained 3,659 Exeter Trust customers' data (State Street update)

Thursday, June 19 2008 @ 11:33 AM EDT Contributed by: PrivacyNews News Section: Breaches

Exeter Trust recently notified the Maryland Attorney General's Office that 3,659 of their clients were impacted by the theft of a computer tower from a third-party vendor hired by Investors Bank & Trust (IBT) to assist in compiling data required for federal regulators as part of the merger between State Street and IBT.

The stolen tower contained over 4 million emails which included individual names, social security numbers and/or checking account numbers. The server containing the email and client data was not recovered.

According to Megan Henry, the Executive Vice President of Exeter, the theft occurred on December 18, 2007. State Street notified Exeter on May 25, informing them that they had learned of the breach on January 25th and that it had taken them 4 months to review the 4 million emails to determine how many contained personally identifiable information.

In its notification letter to its clients, Exeter did something that other companies may wish to emulate: they not only set up a client assistance team with a phone number, but indicated the names and positions of the assistance team, which include the Executive Vice President of the company, the supervisor of account administration of individual services group, and three named senior account administrators.



Driver's licenses used to “prove” age?

http://www.pogowasright.org/article.php?story=20080619102908883

Facebook software glitch exposes drivers' license images

Thursday, June 19 2008 @ 10:29 AM EDT Contributed by: PrivacyNews News Section: Breaches

Given all of the significant concerns raised about social networking sites and privacy, it seems almost ironic that Facebook, Inc. has notified the Maryland Attorney General's Office that on May 2, a glitch during a software update exposed some members' driver's license images to anyone viewing those pages for a period of about two hours.

Simon Axten of Facebook does not indicate how many members were affected by the breach in total, but notes that there was no evidence [Translation: “We don't keep no stinking records” Bob] that the 2 Maryland residents had their pages viewed during the critical time period.

Sometimes it pays not to be so popular, perhaps.



Eventually these thefts will result in changes in procedure... Eventually.

http://www.pogowasright.org/article.php?story=20080619110617565

Stolen SunGard Availability Services laptop contained employee data

Thursday, June 19 2008 @ 11:06 AM EDT Contributed by: PrivacyNews News Section: Breaches

A laptop stolen from a SunGard HE employee earlier this year was not the only laptop containing personal information that was stolen.

In a report to the Maryland Attorney's General Office, SunGard Availability Services (SAS) reports that a company laptop was stolen on March 5th from an employee's car while it was parked outside a mall in King of Prussia, Pennsylvania.

Personal information including names, Social Security numbers, and in some cases, date of birth, address, phone number, compensation, and other human resources-related information on about 160 current and former SAS employees was on the laptop.

The laptop was reportedly "protected with a complex alphanumeric password."



I wonder who holds the record? Is 'five' even in the top 100?

http://www.pogowasright.org/article.php?story=20080619112124526

LPL Financial reports 5th breach in less than a year

Thursday, June 19 2008 @ 11:21 AM EDT Contributed by: PrivacyNews News Section: Breaches

LPL Financial reports that hackers compromised the logon password of one of their financial advisors for what LPL believes was an attempt to gain access to customer accounts in a "pump and dump" penny stock scheme.

This is not the first report of this kind from LPL. As reported on PogoWasRight.org previously, LPL Financial also discovered a similar scheme in July 2007 that covered 9 states and 14 financial advisors and that had gone on over a period of months. This latest incident reportedly occurred on May 5th and was detected the same day.

According to the letter signed by Keith H. Fine, the customer data potentially accessed included unencrypted names, addresses, and Social Security numbers of LPL customers and non-customer beneficiaries, but "LPL cannot determine whether the protected information was actually accessed." The Maryland AG's site reports that the total number of potentially affected individuals for the incident was 185, two of which are Maryland residents.



Some information is clearly required for business processes to function. (If you don't tell Sears where you live, they can't deliver your new refrigerator.) But who decides which “business processes” are appropriate?

http://www.pogowasright.org/article.php?story=20080619163642205

Ca: NB Power wants too much information from ratepayers - Tories

Thursday, June 19 2008 @ 04:36 PM EDT Contributed by: PrivacyNews News Section: Non-U.S. News

Opposition leader Jeannot Volpe is questioning NB Power's policy of collecting personal information on all persons residing at an address before connecting power.

But NB Power said the practice is designed to protect customers from identity theft, collect old debts and make sure ratepayers aren't taken advantage of.

Source - The Daily Gleaner



Isn't there a law requiring auto manufacturers to ensure spare parts are available for at least 10 years after manufacture stops? Should there be one for digital products that extends as long as the bit & bytes?

http://techdirt.com/articles/20080619/0907281455.shtml

Microsoft Keeps DRM Servers Alive For Now; Won't Screw Over Own Customers For A Few More Years

from the well,-that's-something dept

For years, we've given examples of how DRM ends up screwing over customers one way or another. One of the most obvious ways is when that DRM requires files to "check in" over the internet to work, and the company that manages the "check in" server takes it down. That's what Microsoft announced it was doing with its incredibly-misnamed "PlaysForSure" DRM servers back in April. This was, effectively, going back on the terms of the deal they offered to music buyers. Following the outcry in response, however, it appears that Microsoft has reconsidered, saying that it will keep the servers running at least until 2011. So for the 35 people or so who bought into the PlaysForSure system, you have another 3 years to find new DRM-free sources of music.



Sneaky security tricks. Pass this to your security manager.

http://www.infoworld.com/article/08/06/20/Software_makes_virtual_servers_a_moving_target_1.html?source=rss&url=http://www.infoworld.com/article/08/06/20/Software_makes_virtual_servers_a_moving_target_1.html

Software makes virtual servers a moving target

Businesses can cut the damage hackers inflict by managing virtual servers and reducing the time that any one version of a server is exposed to the Internet, researcher says

By Tim Greene, Network World June 20, 2008

Carefully managed virtual servers can make the job of attackers more difficult by reducing the time that any one version of a server is exposed to the Internet, according to a George Mason University professor who has developed software that phases virtual servers in and out of use.

... "If you take a server offline every minute, the intruder has just one minute to play games," he says.

Timing capabilities within SCIT manage the life cycles of virtual servers, making sure some server is always available so that service is uninterrupted, Sood says. To client machines, SCIT-ized virtual servers appear as if they are a single server.

... Once a server has been in use for the prescribed period, it is taken offline where it can be killed. The SCIT Controller generates replacement virtual servers from a server image of known state. Used virtual servers can be analyzed before they are killed to look for whether any attacks were carried out against them. They can also be saved but kept offline for future reference, Sood says.



Is it a legal question or merely a technical one?

http://blogs.computerworld.com/why_its_ok_to_steal_wi_fi

June 19, 2008 - 12:41 P.M.

Why It's OK to 'Steal' Wi-Fi

TIME Magazine printed this week a piece called, "Confessions of a Wi-Fi Thief," in which author Lev Grossman admits to using his neighbors' open Wi-Fi connections from inside his apartment.

Grossman writes that "stealing" Wi-Fi might be illegal (statutes vary according to where you live) but "definitely unethical." He also mentions a recent survey that found a slim majority -- 53% -- have "stolen" Wi-Fi.

I disagree with Grossman. I don't think it's unethical to "steal" Wi-Fi -- or even possible without deliberate hacking. And it shouldn't be illegal to simply use an open, unprotected wireless network.

1. By using a Wi-Fi network you're asking for, and receiving, permission from the owner.

When you open up your trusty laptop, check for available networks, choose one and click "Connect," you're instructing your computer hardware and software to communicate with the hardware and software that's providing the Wi-Fi network and ask permission to use the network.

When you do this, a router either grants permission, and assigns an IP address for you to use, or denies permission. If the connection simply works, it means by definition that the network is set up to automatically grant you permission to use it, and to actively provide the means for you to do so.



Repeated break-ins, spyware, password theft, this kid did it all.

http://www.technewsworld.com/rsstory/63483.html?welcome=1213967933

Teen Hacker Could Get 38-Year Sentence for Fixing Grades

By Katherine Noyes E-Commerce Times Part of the ECT News Network 06/19/08 2:02 PM PT



If your security logs aren't kept or aren't reviewed you will never stop this.

http://it.slashdot.org/article.pl?sid=08/06/19/1711257&from=rss

1 In 3 Sysadmins Snoop On Colleagues

Posted by timothy on Thursday June 19, @01:13PM from the and-they-steal-chips-and-soda dept. Security

klubar writes

"According to a recent survey, one in three IT staff snoops on colleagues. U.S. information security company Cyber-Ark surveyed 300 senior IT professionals, and found that one-third admitted to secretly snooping, while 47 percent said they had accessed information that was not relevant to their role. Makes you wonder about the other 2 out of 3. Did they lie on the survey or really don't snoop?"
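The kind of log review that would catch "access not relevant to their role" comes down to comparing each privileged access against the scope a role is expected to work in. The following is an added example, not part of the Slashdot post or the Cyber-Ark survey: the audit lines, the user names, the object paths and the `ROLE_SCOPE` table are all constructed for illustration. It parses the lines, flags every access outside the actor's role scope, and tallies findings per user so the reviewer sees who needs a conversation.

```python
import re
from collections import Counter

# Constructed sample audit lines (not from any real system).
SAMPLE_LOG = """\
2008-06-19T09:01:12 user=asmith role=sysadmin action=read object=sys/patches/kb951.log
2008-06-19T09:03:40 user=asmith role=sysadmin action=read object=mail/bjones/inbox
2008-06-19T09:05:02 user=cwu role=helpdesk action=read object=tickets/4412
2008-06-19T09:07:55 user=asmith role=sysadmin action=read object=hr/compensation/2008.xlsx
2008-06-19T09:10:13 user=dlee role=hr action=read object=hr/compensation/2008.xlsx
2008-06-19T09:12:30 user=cwu role=helpdesk action=read object=mail/bjones/inbox
2008-06-19T09:15:44 user=asmith role=sysadmin action=write object=backup/nightly.tar
"""

# Object trees each role is expected to touch in the course of its duties
# (constructed policy; a real one comes from the organisation's access model).
ROLE_SCOPE = {
    "sysadmin": ("sys/", "backup/"),
    "helpdesk": ("tickets/",),
    "hr": ("hr/",),
}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) role=(?P<role>\S+) "
    r"action=(?P<action>\S+) object=(?P<obj>\S+)$"
)


def parse_line(line):
    """Return the fields of one audit line, or None if it is malformed."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def out_of_scope_accesses(log_text, scope=ROLE_SCOPE):
    """Every access whose object lies outside the actor's role scope.
    An unknown role has no scope, so all of its accesses are flagged."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue   # malformed lines deserve their own count in a real pipeline
        allowed = scope.get(rec["role"], ())
        if not rec["obj"].startswith(allowed):
            findings.append((rec["ts"], rec["user"], rec["role"], rec["obj"]))
    return findings


def per_user_counts(findings):
    """How many out-of-scope accesses each user made; the review queue."""
    return Counter(user for _, user, _, _ in findings)


if __name__ == "__main__":
    hits = out_of_scope_accesses(SAMPLE_LOG)
    for ts, user, role, obj in hits:
        print(f"{ts} {user} ({role}) touched {obj}")
    print(per_user_counts(hits))
```

On the sample lines the HR user reading the compensation spreadsheet is in scope and stays quiet, while the sysadmin reading a colleague's mailbox and the same spreadsheet, and the helpdesk user reading that mailbox, are the three hits. The check is only as good as two inputs the author's comment points at: the log has to exist (every privileged read written somewhere the administrator cannot edit) and somebody has to run the review.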



For educational purposes only! (Includes some defensive tips)

http://tech.slashdot.org/article.pl?sid=08/06/19/1433212&from=rss

Guide to DIY Wiretapping

Posted by CmdrTaco on Thursday June 19, @11:16AM from the do-you-hear-what-i-hear dept. Communications Security

Geeks are Sexy writes

"ITSecurity.com has a nice piece this week on how wiretapping works and how you can protect yourself from people who want to snoop into your life. From the article 'Even if you aren't involved in a criminal case or illegal operation, it's incredibly easy to set up a wiretap or surveillance system on any type of phone. Don't be surprised to learn that virtually anyone could be spying on you for any reason.'"

Maybe I'm on the wrong track here, but I guess I assumed that wiretapping now happened in secret rooms at the telco, and not by affixing something physically to a wire in your home, but I'll definitely be aware next time I hear a stranger breathing while I'm stuck on hold.



Future: Eventually, all movies (and music and everything else digital) will come via the Internet. We will only watch movies on our computers if we are traveling. Home viewing will be on our 72” wall-mounted TV/monitor.

http://news.cnet.com/8301-13845_3-9972548-58.html?part=rss&tag=rsspr.6242049&subj=news

June 19, 2008 6:53 AM PDT

Watch feature films free of charge at Hulu.com

Posted by Rick Broida

Many people already recognize video-streaming service Hulu.com as a great destination for watching TV shows (it has every single episode of Arrested Development, people!), but did you know it also offers movies?

... You'll have to sit through the occasional commercial--and stay tethered to your PC, of course--but that's a small price to pay for watching free movies on demand.



Global Warming! Neanderthal SUVs? Dinosaur flatulence?

http://www.eurekalert.org/pub_releases/2008-06/uoca-gic061808.php

Greenland ice core analysis shows drastic climate change near end of last ice age

Temperatures spiked 22 degrees F in just 50 years, researchers say

Public release date: 19-Jun-2008

Contact: Jim White jwhite@colorado.edu 303-492-2219 University of Colorado at Boulder



Dilbert on Security Cameras

http://dilbert.com/strips/comic/2008-06-20/
