Saturday, June 14, 2008

Trends: Employees prefer their own computers over those provided by their employers, especially when the employer is a government entity and computers are supplied by the lowest bidder. This is no excuse for failure to secure sensitive data.

http://www.dailymail.co.uk/news/article-1026365/Anti-terror-police-chief-laptop-stolen.html

Anti-terror police chief has laptop stolen

By Daily Mail Reporter Last updated at 10:30 PM on 13th June 2008

A LAPTOP belonging to a senior police officer who has access to counter-terrorist intelligence has been stolen.

The computer, which was owned by Rob Beckley, deputy chief constable of Avon and Somerset, was taken from his car outside Marylebone railway station in Central London on Wednesday.

It is believed his police driver was distracted by one thief while another made off with the laptop.

Police sources say Mr Beckley, a former member of the terrorism committee of the Association of Chief Police Officers, had insisted on using his own computer when he joined the force last year.

As a result, none of the information accessible from the machine - which includes anti-terror details, private information about individual officers, and details of criminal investigations, suspects and undercover operations - is encrypted.

... Yesterday, Mr Beckley said IT experts were working to ensure no one outside the force would be able to use the computer and log on to police servers. [This should be trivial – turn off his ID Bob]

... But he refused to discuss why Mr Beckley had insisted on having his own laptop and why information had not been encrypted.


...but the BBC says:

http://news.bbc.co.uk/2/hi/uk_news/england/bristol/somerset/7454567.stm

Police data 'secure' after theft

... It said the laptop had encryption software on it [Was it used? Bob] and that police computer systems used multiple passwords.

"There was no data breach and steps taken were as a precautionary measure."



I mentioned this one yesterday – looks like the judge agrees.

http://blog.wired.com/27bstroke6/2008/06/judge-scuttles.html

Judge Scuttles Ameritrade Hacking Settlement

By David Kravets June 13, 2008 9:58:33 PM

A federal judge on Friday declined to approve a proposed settlement of a class-action representing as many as 6.3 million TD Ameritrade customers whose privacy was breached when hackers stole personal identifying customer information.

U.S. District Judge Vaughn Walker was concerned whether the deal, which gives more than $1.8 million in legal fees to the plaintiff's attorneys, would provide any real benefits to the class of online brokerage customers.

... Walker said there were no "facts which would allow the court to make a proper valuation of the settlement, which on its own does not include any monetary relief."

... Among other things, the accord requires the company to post information on its web site regarding "important information on protecting your assets from online threats such as identity theft, phishing, spyware, viruses, e-mail fraud and stock touting spam."

Ameritrade also agreed to retain independent experts to conduct bi-annual penetration tests at least through 2009. It has also retained ID Analytics, a company specializing in identifying organized identity theft. "Two such analyses already have been performed and have identified no evidence of identity theft," according to the accord.

Also, the deal requires a $20,000 donation to the Honeynet Project and $35,000 to the National Cyber Forensics and Training Alliance.


Maybe this guy will have more luck?

http://www.sltrib.com/ci_9577038

Ex-patient sues storage firm over stolen U. records

Proposed class-action suit claims company was negligent; attorney says university is next

By Stephen Hunt The Salt Lake Tribune Article Last Updated: 06/14/2008 01:21:31 AM MDT



There is more than one way to make money from a breach... (Could be an educational video at some point?)

http://news.cnet.com/8301-10784_3-9967594-7.html

Leaked AOL search logs take stage in new play

Posted by Holly Jackson June 13, 2008 10:00 AM PDT

Imagine every question you've typed into an Internet search engine suddenly appearing online for the world to scrutinize. What would the queries say about you? Would the world view you as totally mundane? Totally bizarre?

Would your search log be intriguing enough to draw thousands upon thousands of viewers?

Brat Productions, a theater company in Philadelphia, found one such search string more than compelling enough to form the basis of its new play, User 927.



Wow! Could we do this in the US? (This happened in January, but I must have missed it.)

http://www.complianceandprivacy.com/News-UKIC-requires-laptop-encryption.html

ICO takes enforcement action against Marks & Spencer

M&S ordered to encrypt all hard drives by April 2008

The Information Commissioner's Office (ICO) has found Marks & Spencer (M&S) in breach of the Data Protection Act.

... An ICO investigation revealed that the laptop, which contained details of the pension arrangements of M&S employees, was stolen from the home of an M&S contractor. [Third party again. Bob] In light of the nature of the information contained on the laptop, it is the ICO's view that M&S should have had appropriate encryption measures in place to keep the data secure.

... The ICO has now issued M&S with an Enforcement Notice which orders the company to ensure that all laptop hard drives are fully encrypted by April 2008. [This was issued in late January. Imagine the scramble! Bob] Failure to comply with the Enforcement Notice is a criminal offence and may result in the ICO taking further action against the company.

[The order:

http://www.ico.gov.uk/upload/documents/library/data_protection/notices/m_and_s_sanitiseden.pdf ]



Another summer page turner...

http://www.bespacific.com/mt/archives/018584.html

June 13, 2008

Identity Theft: The Aftermath 2007

Identity Theft: The Aftermath 2007. Conducted by the Identity Theft Resource Center® (ITRC) With comparisons to The Aftermath 2003, 2004, 2005, 2006 Surveys.



Interesting that the authors of the browser can't turn off all the logging.

http://news.cnet.com/8301-10789_3-9967829-57.html

Firefox 3 won't have 'private browsing'

Posted by Robert Vamosi June 13, 2008 5:55 AM PDT

... The feature, Private Browsing, would have disabled all caching, cookie downloads, history records, and form data used during the current session. In essence, you could surf the Web and leave no fingerprints.

... He described the private browsing process as this: you hit a button and everything past that point isn't logged. Then, at some point in the future, you hit the button again and it's as though what you just did never happened.

... You can hear more of my interview with Nightingale on my Security Bites podcast here.



“We're the government and we're here to help you.”

http://www.infoworld.com/article/08/06/13/FBI_warns_of_childsupport_card_scam_1.html?source=rss&url=http://www.infoworld.com/article/08/06/13/FBI_warns_of_childsupport_card_scam_1.html

FBI warns of child-support card scam

Phishing scam targets single parents who use EPPICards, which work like debit cards and are promoted as an alternative to child support payment checks

By Robert McMillan, IDG News Service June 13, 2008

The U.S. Federal Bureau of Investigation warned Friday that online scammers are now targeting single parents who use the EPPICard system to receive child-support payments.


Related? Or just a disaster waiting to happen...

http://cbs4denver.com/local/unemployment.Chase.Colorado.2.747887.html

New State Debit Cards Are Costing The Unemployed

Written by CBS4 special projects producer Libby Smith Jun 13, 2008 2:25 pm US/Mountain

DENVER (CBS4) ―

... Desimone has a receipt showing she was charged 50 cents just to check the balance in her unemployment account.

When you start to read the fine print on the CAP card, there are more charges:

-- $1.50 for using a non-Chase ATM
-- $5.00 for a teller transaction at a non-Chase bank
-- $12.50 to write a check on the account

... "I can't take my debit card to my lease office to pay my rent ... and say, 'Here' ... that doesn't work," Bruck said.

She has to go to an ATM, get her money out in cash and carry it to her own bank.

... Lori Halpenny was also laid off this year. She's uncomfortable giving her personal information to a bank where she doesn't have an account.

"Which was frightening to me because of all the problems with identity theft," Halpenny told CBS4.

She says she not only had to give her social security number and other information to Chase, but she had to agree to allow the information to be shared with "third party affiliates" as well.



Tools & Techniques: Someone needs to think this through...

http://blog.wired.com/27bstroke6/2008/06/mobile-phone-nu.html

Mobile Phone Number Moving Caused Feds to Wiretap Wrong American

By Ryan Singel June 12, 2008 5:33:29 PM

In poring through the latest round of documents the FBI turned over to the Electronic Frontier Foundation about how the FBI legally plugs into the nation's telephone system, THREAT LEVEL discovered that the nation's secret spy court repeatedly questioned the FBI in 2005 and 2006 about whether the Bureau was exceeding its wiretap authority.

But there were other fine eavesdropping nuggets in those pages, including info on when the FBI learned to wiretap VOIP calls, how number portability messed with FBI taps, and a moment of candor from an FBI technician about how the FBI's wiretapping software could work with the NSA's warrantless wiretapping program.

For instance, the FBI accidentally listened in on one innocent American's phone conversations due to a hack a phone company used to let people port their phone numbers from one cell provider to another. At issue is a workaround used by CDMA providers, where a carrier assigns an alias number to a ported number in order to speed up switching at a user's usual calling area. The workaround has the unfortunate side effect of occasionally reporting the alias -- which could actually be a real person's number -- instead of the real caller to the FBI's wiretapping software.

In the FBI's own words, "due to misinformation in the call records, the unrelated subscriber was temporarily included in the investigation" and "this error has recently misled a few FBI investigations."



Is a fine sufficient?

http://techdirt.com/articles/20080613/0131051395.shtml

'Free Software' Scammers Fined $2.2 Million

from the this-is-not-the-'free'-business-model-we're-talking-about dept

We've seen various incarnations of the scam (often found in infomercials) where a company offers you something for "free," but in the fine print, you're really signing up for an ongoing paid service. For years, some of the biggest "ringtone" companies made much of their money this way, offering "free" or cheap ringtones that actually involved the user signing up for a monthly service without realizing it. The infamous "Video Professor" has been accused of running a similar system, though the company vehemently denies this.

Either way, it appears that the FTC is starting to crack down on some of these practices, fining a competitor to "Video Professor," called ThinkAll, $2.2 million. Apparently ThinkAll took this scam to a new level. It offered "free" software, where you simply had to pay for the shipping and handling -- though, it sounds like that was really just so the company could get your credit card on file. After receiving that first free CD, customers were offered 3 more titles totally free (not even any shipping). If you decided to accept that software (and why wouldn't you?) it made you check a box saying you had read the terms of service. Of course no one reads the full terms of service, which include (hidden down in the 7th paragraph) the fact that in accepting this "free" software, you're actually agreeing to sign up for a monthly fee-based service. Quite sneaky... until the FTC stepped in. Hopefully other businesses take notice and start avoiding these types of scams.
