Thursday, June 26, 2008

Passwords are not adequate security...

http://www.pogowasright.org/article.php?story=2008062508080261

Some Quixtar independent business owners notified that their online accounts compromised

Thursday, June 26 2008 @ 06:20 AM EDT Contributed by: PrivacyNews

On May 27, Quixtar discovered that account passwords and user ids of some of their independent business owners (IBOs) had been compromised and that there was evidence that unauthorized persons were logging into the accounts to change deposit bank information.

Quixtar Director and Associate General Counsel Jon A. Sherk notified the New Hampshire Attorney General's office that the breach did not appear to be due to any insecurity with Quixtar's web site. [other than reliance on passwords alone to secure access... Bob] A spokesperson for Quixtar informed PogoWasRight.org that the problem appeared to originate with an external web site that linked to Quixtar's site.

In their disclosure letter and in their notification to IBOs, the company reported that a "small number" of accounts were accessed with the apparent intent being to divert bonus payments from the IBO's own banks to other banks. No other personal data such as Social Security numbers were viewable. According to the company's spokesperson, some IBOs had their accounts accessed but there was no diversion of bank deposit information, while a small number had their bank info altered.

Quixtar notified affected independent business owners by both email and a notice on their web site on May 30, scrambled passwords for affected users on June 4, and then sent notification by regular mail on June 11. As a precaution, they indicated that they were switching to paper checks for bonus payments for those who had been affected for that month. No IBOs have reportedly suffered any financial losses due to the incident. There has not been an arrest in the case yet.

Quixtar, which is the exclusive representative of Amway on the internet, describes itself as "the number-one online retailer in the Health & Beauty category based on sales, and 22nd among all e-commerce sites, according to Internet Retailer magazine's 'Top 500 Guide.'" They have over 300 million independent business owners.



Which is worse, stealing an identity or deleting data required for an accurate diagnosis...

http://www.phiprivacy.net/?p=503

Jun-26-2008

Fired Houston organ bank worker accused of hacking into system

Cindy George of the Houston Chronicle reports on a hacking case that thankfully did not result in an interruption of patient care:

The fired technology director of a Houston organ donation company has been accused of hacking into its computer system and deleting records.

A federal indictment alleges that over two days in November 2005, Danielle Duann illegally accessed and damaged LifeGift Organ Donation Center’s database.

[...]

Duann is charged under a statute that makes it a federal crime to use technology to impair, or potentially impair, medical examination, diagnosis, treatment and care.

Full story - Houston Chronicle

[From the article:

The agency recovered the information from a backup system.

"All of the files were back within several months [Either they weren't very important or recovery was not as simple as suggested Bob] of the hacking and clinical operations were not affected in any way," Graham said.



Hardly a new term of art. A little light for a Wharton article...

http://knowledge.wharton.upenn.edu/article.cfm?articleid=1999

Privacy on the Web: Is It a Losing Battle?

Published: June 25, 2008 in Knowledge@Wharton

... But, what if you visited an investment site, only to find advertising messages suggesting therapies for your recently diagnosed heart condition? Chances are that you would experience what Fran Maier calls the "creepiness" factor, a sense that someone has been snooping into a part of your life that should remain private.


Related? I'll save you the read: NO! Are they doing what they were intended to do? YES!

http://www.securityfocus.com/news/11524?ref=rss

Breach-notification laws not working?

Robert Lemos, SecurityFocus 2008-06-25

The breach-notification laws passed by many states have failed, so far, to produce a measurable impact on identity theft, according to a group of academic researchers that will present their findings on Thursday at the Workshop on the Economics of Information Security (WEIS).

[The paper: http://weis2008.econinfosec.org/papers/Romanosky.pdf



For your security manager and my security class

http://www.bhconsulting.ie/securitywatch/

ENISA Publishes Paper on Securing USB Drives

June 25th, 2008

ENISA(The European Network and Information Security Agency) has recently released an interesting whitepaper on securing USB devices. The paper is a good read highlighting the threats that USB drives pose and listing a number of recommendations to minimise these threats.



Getting the word out...

http://www.f-secure.com/weblog/archives/00001462.html

Wednesday, June 25, 2008

Data Security Summary - January to June 2008

We've published our Security Threat Summary for the First Half of 2008.

You can find the report and video at www.f-secure.com/2008/.


If you're behind some restrictive firewalls, such as .mil domains, e-mail us and we'll provide you a link for a download. Cheers!



Something makes me think they don't quite get it...

http://www.bespacific.com/mt/archives/018664.html

June 25, 2008

U.S. Copyright Office Releases New Technology to Process Applications Online

News release: "Handling about 550,000 copyright claims annually, the U.S. Copyright Office in the Library of Congress is making it much easier for the public to register and protect its collective creativity. On July 1, the Copyright Office will enter the next phase in the implementation of its multi-year business process re-engineering effort to modernize operations from a paper-based to a Web-based processing environment... In July the Copyright Office also plans to release the new Form CO, which effectively replaces six traditional paper application forms. [Good! Bob] Users will complete a Form CO online, [Good! Bob] print it out [Absurd! Bob] and send it to the Copyright Office with payment and a copy(ies) of the work being registered. Each Form CO is imprinted with 2-D barcodes [Why? Bob] that are scanned to automatically transfer the information contained in the form into an eCO service request record. The fee for registering a basic claim using Form CO is $45."



This makes sense. It's where I store my money.

http://www.pogowasright.org/article.php?story=20080625091547859

Majority of Identity Theft Victims Contact Their Financial Services Company Upon Learning of Crime, ITAC Survey Shows

Wednesday, June 25 2008 @ 09:15 AM EDT Contributed by: PrivacyNews

ITAC surveyed 1615 confirmed victims of identity theft helped by ITAC. The majority (65%) said the first thing they did was to contact their financial services company. Ten percent (10%) said they contacted the credit reporting bureaus. Seven percent (7%) contacted the police, and 2% checked their accounts online. Fourteen percent (14%) took different actions, including taking a call from their financial services company about suspicious activity concerning their account and contacting family members.

Source - ITAC Press Release



Some of the best plans (implementation is another topic) come from extreme embarrassment

http://www.pogowasright.org/article.php?story=20080625143016245

UK: Government lays plans to avoid future data security blunders

Wednesday, June 25 2008 @ 02:30 PM EDT Contributed by: PrivacyNews

The loss last year of 25 million records by HM Revenue and Customs (HMRC) was the result of "woefully inadequate" processes for data handling, not individual employees, according to an investigation. The Government has responded with new data security plans.

Three reports were published today relating to last November's news that two discs containing details of 25 million child benefit recipients had gone missing after being sent from HMRC to the National Audit Office (NAO). A fourth report, also published today, dealt with the theft in January of a Royal Navy recruiter’s laptop which contained unencrypted records on more than 600,000 people.

Source - Out-Law.com Links to the three reports can be found in the story.



So was this a politician with an enlightened view of the future, or a consumer who said to himself, “I'm gonna need cyber-cops someday...”

http://www.pogowasright.org/article.php?story=20080625171227601

Kentucky Attorney General’s identity stolen

Wednesday, June 25 2008 @ 05:12 PM EDT Contributed by: PrivacyNews

The Attorney General of Kentucky Jack Conway has had his identity stolen less than a month after setting up cyber crime unit.

Source - vnunet.com



What are the legal consequences of not opening an email? (Assume a recipient who cares about the law)

http://news.slashdot.org/article.pl?sid=08/06/25/1854231&from=rss

White House Refused To Open Unwelcome EPA E-Mail

Posted by timothy on Wednesday June 25, @03:39PM from the that's-one-way-not-to-have-seen-the-rules dept.

epfreed writes

"The White House lost a case in the Supreme Court about the need for the EPA to regulate greenhouse gases. So the EPA made a new rule. And now the NYTimes reports that the White House did not want to get these new rules from the EPA about greenhouse gases. So they did not open the email."



I don't think I agree. You need a conceptual model as a road map. If the model is mathematical, it is still just a model. (Lots of interesting new terms though...) An article for my math and statistics classes.

http://science.slashdot.org/article.pl?sid=08/06/25/146250&from=rss

Google Begat the End of the Scientific Method?

Posted by CmdrTaco on Wednesday June 25, @11:42AM from the well-i-begat-a-roast-beef-sandwich dept.

TheSauce writes

"In a fairly concise one-pager from Chris Anderson, at Wired, the editor posits that all of our current (or now previous) models for collecting data are dead. The content is compelling. It notes that we've entered the Age of the Petabyte — where one can collect immense amounts of data that are paradigm agnostic. [What a concept! Bob] It goes on to add a comment from the head of Google's R&D, that we need an update to George Box's maxim: 'All models are wrong, and increasingly you can succeed without them.' Have we reached a time where all of our tool-sets are now made moot by vast clouds of information and strictly applied maths?"

[From the article:

an era of massively abundant data

the most measured age in history

children of the Petabyte Age

Data without a model is just noise.


On the other hand...

http://science.slashdot.org/article.pl?sid=08/06/26/1217221&from=rss

Why the Cloud Cannot Obscure the Scientific Method

Posted by CmdrTaco on Thursday June 26, @08:43AM from the because-of-science-dude dept.

aproposofwhat noted Ars Technica's rebuttal to yesterday's story about 'The End of Theory: The Data Deluge Makes the Scientific Method Obsolete'. The response is Why the cloud cannot obscure the Scientific Method and is a good follow up to the discussion.


Related

http://www.tgdaily.com/html_tmp/content-view-38115-113.html

Software predicts fate of death row inmates

Trendwatch By Wolfgang Gruener Wednesday, June 25, 2008 12:35

It turns out that certain profile data can give a clear indication whether a death row inmate will be executed or not. Gender was the most significant factor, as women are rarely executed. A clear indication was also the education level of the inmate, suggesting that the ability of an inmate to direct his appeal process can decide over life and death. The two scientists said that race was not found to be a decisive factor in execution decisions.

While the researchers do not expect their work to have much effect on policy, they believe that the predictions made have "serious implications" on the fairness of the justice system.


Related? Edumacation in Amurica...

http://techdirt.com/articles/20080625/0306061515.shtml

Some Teachers Embracing Wikipedia, While Others Blame It

from the time-to-join-this-century dept

We've seen this before, of course. There are teachers and professors out there who blame Wikipedia for mistakes students make, and even those who demand that the entire Wikipedia be blocked in schools. However, there are those who are a lot more reasonable about it, recognizing that Wikipedia is just one source among many, and there's value in embracing Wikipedia: teaching kids what it is and how to use it reliably. That seems likely to be a lot more effective and useful for training kids how to critically judge the reliability of information out in the real world. Blocking, banning or blaming Wikipedia seems only designed to put one's head in the sand and pretend it doesn't exist. That's not preparing anyone for the real world.

Techdirt reader cram writes in to point out two contrasting articles that show this dichotomy of thought in action. First is a report out of Scotland last week blaming Wikipedia for kids getting failing grades. This, of course, seems ridiculous. What it really means is that teachers have failed to actually teach kids how to use Wikipedia properly. It's not the fault of Wikipedia -- which is merely an information source. It's a failure of teachers to teach kids how to properly use it. That's why it's nice to see the corresponding article, where students in Australia are now going to have a course available on how to use Wikipedia. That seems a lot smarter than just blaming Wikipedia.



Convergence. “Henry Ford, meet the Internet. Internet, Henry” (and we thought drivers on cell phones were bad)

http://tech.slashdot.org/article.pl?sid=08/06/25/2225230&from=rss

Chrysler To Offer Wireless Internet In 2009 Models

Posted by samzenpus on Wednesday June 25, @07:11PM

sunny in Seattle writes

"'Have you ever thought rush hour on the 405 Freeway might be more bearable if you could check your e-mail, shop for a book on Amazon, place some bids on EBay and maybe even, if nobody is looking, download a little porn? Then perhaps you should be driving a Chrysler.' LA Times reports that the nation's third-largest automaker is set to announce Thursday that it's making wireless Internet an option on all its 2009 models. The mobile hotspot, called UConnect Web, would be the first such technology from any automaker."



Tupperware is not a sufficient deterrent.

http://www.cbsnews.com/stories/2008/06/25/earlyshow/main4207156.shtml?source=RSSattr=SciTech_4207156

Taser "Parties" Pitching Them To Women

Not Just For Police Anymore, The Controversial Weapons Are Being Marketed To Civilians

SCOTTSDALE, Ariz., June 25, 2008



For my website class (Perhaps the lecture will be on youtube some day...)

http://www.bespacific.com/mt/archives/018661.html

June 25, 2008

Anthropology of YouTube

Pew Internet news release: "The Library of Congress invited Michael Wesch to deliver the third of four Digital Natives lectures. Wesch, creator of the world-famous YouTube video, The Machine is Us/ing Us, presented the "Anthropology of YouTube" to a packed, fascinated and amused audience on Monday... Wesch said that there are now well over 200,000 three-minute videos posted on YouTube. About half of those videos are posted by 18-24-year-olds."
