Tuesday, July 08, 2008

Very light on details...

http://www.pogowasright.org/article.php?story=20080708064442955

Florida Organ and Tissue Registry security flaw exposes 55,000 donors' details

Tuesday, July 08 2008 @ 06:44 AM EDT Contributed by: PrivacyNews

Q: What happened?
A: We learned of a potential security flaw in the state’s Organ and Tissue Registry. We stopped all access to the database, identified the flaws and corrected them.

Q: What information was potentially accessed?
A: The database includes names, addresses, social security numbers, dates of birth, and driver’s license numbers.

Q: How do I know whether my records were affected?
A: The system has identified approximately 55,000 individuals whose information may have been viewed by unauthorized persons. We are in the process of contacting each person affected by mail.

Source - Florida Agency Healthcare Administration FAQ on Organ and Tissue Database breach

Note: According to a report by ABC, the breach occurred on June 20th and was fixed the next day. [This makes it sound like a hacker attack Bob]



BreachBlog makes some amusing (and very familiar) comments on the breaches it reports...

http://breachblog.com/2008/07/07/usfoodservice.aspx

Laptop containing personal information is stolen from U.S. Foodservice

Posted by Evan Francen at 7/7/2008 11:28 PM

... Reference URL: New Hampshire State Attorney General breach notification



Old news I thought. Everyone knows the job sites are skimmed... Don't they?

http://www.pogowasright.org/article.php?story=20080707101918952

Trojan trawls recruitment sites in ID harvesting scam

Monday, July 07 2008 @ 10:19 AM EDT Contributed by: PrivacyNews

Hackers have turned the harvesting of personal information from Monster.com and other large US jobsites into a lucrative black market business

A Russian gang called Phreak has created an online tool that extracts personal details from CVs posted onto sites including Monster.com, AOL Jobs, Ajcjobs.com, Careerbuilder.com, Careermag.com, Computerjobs.com, Hotjobs.com, Jobcontrolcenter.com, Jobvertise.com and Militaryhire.com. As a result the personal information (names, email addresses, home addresses and current employers) on hundreds of thousands of jobseekers has been placed at risk, according to net security firm PrevX.

Source - The Register

Thanks to Brian Honan for this link.



...because... (I can't be everywhere and do everything!)

http://www.pogowasright.org/article.php?story=20080707074528459

Data “Dysprotection:” breaches reported last week

Monday, July 07 2008 @ 07:56 AM EDT Contributed by: PrivacyNews

A recap of incidents or privacy breaches reported last week for those who enjoy shaking their head and muttering to themselves with their morning coffee.

Source - Chronicles of Dissent



http://www.technewsworld.com/rsstory/63696.html

5 Ways to Build an Indestructible Customer Data Fortress

By Kristin Lovejoy E-Commerce Times Part of the ECT News Network 07/08/08 4:00 AM PT

On June 30, data security standards set by the Payment Card Industry (PCI) became mandatory for organizations that handle online credit card payments. This is a significant milestone in the ongoing push to strengthen online security as these important standards have moved from recommendations to hard and fast mandates.

Key Issues [These are far from new Bob]

As it pertains to efforts around PCI DSS compliance and protection of customer data, there are five key issues that organizations must not overlook to improve their overall security stature:

1. First, retailers need to be vigilant in managing the chain of custody and closely monitoring how business partners are handling data.

2. Privileged user access also is important. This means monitoring the activities of those individuals who have root access to sensitive data and implementing necessary controls to ensure information is protected.

3. Another major security hazard lies in "unstructured" data -- information outside of databases, typically stored in documents.

4. Additionally, shared accounts and passwords are often culprits of security breaches. Shared passwords are used 73 percent of the time to manage network devices, according to the Password Research Institute. This makes it impossible to track and monitor user activity, prove segregation of duties, restrict access to cardholder data based upon principle of least privilege, etc.

5. Lastly, default passwords and settings left unchanged -- particularly at the organization's perimeter -- are an open invitation to hackers. Organizations should do a thorough check for default settings. Although most organizations have a "no default" mandate in their written policies, enforcement is not always vigilant.



They capture and index everything, why should this be different?

http://www.pogowasright.org/article.php?story=20080707180614650

Stolen data live on in Google searches

Monday, July 07 2008 @ 06:06 PM EDT Contributed by: PrivacyNews

A Colorado woman logged on to her computer in April, voted on a CNN poll, shopped for airline tickets and calculated payments for a $25,000 car loan from Wells Fargo.

She didn't suspect that a malicious software program was recording every keystroke - frequent-flier numbers and passwords, her home address and phone number, an online conversation she was having with some friends.

But it was, and months after authorities were alerted to the breach and disabled the server in Malaysia where her data were being stored, the information was still available online - in a Google search.

Source - SFGate

[From the article:

Finjan reported the stolen data to a variety of authorities, but one of them, the FBI, said it wasn't concerned with the cache - only the evidence on the server.

"We tell people we can't be responsible for protecting data or ensuring that whatever is happening is all cleaned up," said Joe Schadler, a spokesman for the FBI's San Francisco office. "We're not security experts."

[I wonder if there is a business model here. Sell a “locate and destroy” service to breach companies so they can protect the victims – like credit monitoring but more immediate... Bob]



It has started. No doubt this will become much more interesting during the Democratic Convention...

http://thinkprogress.org/2008/07/07/librarian-with-mccainbush-sign-kicked-out-of-public-campaign-event/

Librarian with ‘McCain=Bush’ sign charged with trespassing at public campaign event

Sen. John McCain (R-AZ) was in Denver, CO, today for a town hall meeting. The event, at the Denver Center for the Performing Arts, was billed as “open to the public.” Yet Carol Kreck, a 61-year-old librarian carrying a “McCain=Bush” sign, was taken away by police for trespassing. A police officer told Kreck:

You have two choices. You can keep your sign here and receive a ticket for trespassing, or you can remove the sign and stay in line and attend this town hall meeting.

[Wouldn't all those who voted for Bush think the sign pointed out a good thing? Bob]



Interesting, but I suspect you don't need a close approximation of a signature to commit fraud.

http://www.pogowasright.org/article.php?story=20080707080142160

NZ: Watchdog warns against posting signatures online

Monday, July 07 2008 @ 08:01 AM EDT Contributed by: PrivacyNews

The Privacy Commissioner says the posting of signatures in online registers is a matter of concern, after an Auckland-based IT contractor found his published and available to anyone at the Charities Commission website.

Privacy Commissioner Marie Shroff says signatures posted online present some concerns. She encourages agencies to obscure, suppress or pixelate them wherever possible.

Source - Computerworld



Asking the question from a reverse perspective: how important (risk level) must it be before it is appropriate to take fingerprints (or other biometrics)?

http://www.pogowasright.org/article.php?story=20080707074638224

Ca: Hands off LSAT students' fingers

Monday, July 07 2008 @ 07:46 AM EDT Contributed by: PrivacyNews

A recent decision by the Privacy Commissioner of Canada found that taking finger/thumb prints from those writing the Law School Admission Test (LSAT) is a privacy breach and must be stopped.

Source - David Canton, in CANOE

[From the article:

The Commissioner considered this four-point test:

- Is the measure demonstrably necessary to meet a specific need?

- Is it likely to be effective in meeting that need?

- Is the loss of privacy proportional to the benefit gained?

- Is there a less privacy-invasive way of achieving the same end?



I guess remaining anonymous is no longer an option? Perhaps anonymous equals sex offender? Perhaps terms of service has the force of law? (Does that work both ways?)

http://yro.slashdot.org/article.pl?sid=08/07/07/1824228&from=rss

User Charged With Felony For Using Fake Name On MySpace

Posted by ScuttleMonkey on Monday July 07, @03:53PM

from the understand-before-you-prosecute dept.

Recently a user, Lori Drew, was charged with a felony for the heinous crime of pretending to be someone else on the Internet. Using the Computer Fraud and Abuse Act, Lori was charged for signing up for MySpace using a fake name.

"The access to MySpace was unauthorized because using a fake name violated the terms of service. [Which is a felony? Bob] The information from a "protected computer" was the profiles of other MySpace users. If this is found to be a valid interpretation of the law, it's really quite frightening. If you violate the Terms of Service of a website, you can be charged with hacking. That's an astounding concept. Does this mean that everyone who uses Bugmenot could be prosecuted? Also, this isn't a minor crime, it's a felony punishable by up to 5 years imprisonment per count. In Drew's case she was charged with three counts for accessing MySpace on three different occasions."

[A (up till now) useful site: http://www.bugmenot.com/ Bob]



Looks interesting for the e-Discovery crowd...

http://www.cs.ucl.ac.uk/staff/S.Attfield/desi/DESI_II_agenda.html

DESI II

Second International Workshop on Supporting Search and Sensemaking for Electronically Stored Information in Discovery Proceedings

Wednesday June 25, 2008 - University College London, U.K.

The full proceedings as a zipped pdf



This could be useful...

http://www.killerstartups.com/Web-App-Tools/sisense-com-business-intelligence-dashboard/

Sisense.com - Business Intelligence Dashboard

Sisense, a company which specializes in business intelligence or decision support, has just launched Prism an information analysis tool which supports out of the box connectivity to different data sources. Prism allows data to be picked apart, processed, and scrutinized from a WYSIWYG interface with emphasis on visuals and instant results. Users can easily create dashboards, reports, widgets and charts; Sisense connects to Excel, SQL, and Oracle. They’ve also got a beta Amazon S3 Dashboard which basically makes it easy to make sense of Amazon’s S3 data with visualizations of your service’s stats. Developers can receive data as charts, in tabular format, and they can schedule key performance indicator reports. Prism is a free 10meg download which comes with video tutorials and a learning center for beginners.

http://www.sisense.com/default.aspx?AspxAutoDetectCookieSupport=1



You never know what you are buying... Why would any company voluntarily cripple their product? Do they see the $99 option as a money maker (like the airlines charging to check a bag?)

http://digg.com/hardware/Bend_Over_Dude_You_re_Getting_A_Dell

Bend Over Dude, You’re Getting A Dell

ripten.com — Some Dell laptops come with disabled audio ports, after pressure from the RIAA. Dell will enable them for you for only $99. Bargain.

http://www.ripten.com/2008/07/07/bend-over-dude-youre-getting-a-dell/



From the comments, this could become a hot discussion topic, but since the lobbying is all on one side, all we can do is complain.

http://tech.slashdot.org/article.pl?sid=08/07/07/2351252&from=rss

Telecoms Suing Municipalities That Plan Broadband Access

Posted by kdawson on Monday July 07, @08:04PM from the buggy-whips-mean-jobs dept.

Law.com has up a review of ongoing and historical cases of telecoms suing municipalities that plan broadband networks. In many cases those same telecoms have spent years ignoring as potential customers the cities and towns now undertaking Net infrastructure projects, only to turn around and sue them. One lawyer who has defended many municipalities in this position says, "This is similar to electrification a century ago when small towns and rural areas were left behind, so they formed their own authorities." Bob Frankston has been writing for years about the financial model of artificial scarcity that underlies the telecoms' business plans. This post gives some of the background to the telecoms' fear of abundance.



I don't often get to say nice things about Comcast! This should be a natural reaction to new technologies – figure out how to monitor them and how to use them to enhance the organization.

http://www.boston.com/business/technology/articles/2008/07/07/hurry_up_the_customer_has_a_complaint/

Hurry up, the customer has a complaint

As blogs expand the reach of a single voice, firms monitor the Internet looking for the dissatisfied

By Carolyn Y. Johnson Globe Staff / July 7, 2008

When C.C. Chapman noticed a blemish in his high-definition television's reception during the NBA playoffs recently, he blasted a quick gripe about Comcast into the online ether, using the social network Twitter.

Minutes later, a Twitter user named ComcastCares responded, and within 24 hours, a technician was at Chapman's house in Milford to fix the problem.

"I was so floored," said Chapman, who runs a digital marketing agency and advises companies to do what he experienced with Comcast - listen to what customers are saying about them online and respond. "When it actually happened to me, it blew me away," he said. "Now I have a case study."

... Other companies are moving in the same direction.

At Southwest Airlines, the social media team includes a chief Twitter officer who tracks Twitter comments and monitors a Facebook group, an online representative who fact checks and interacts with bloggers, and another who takes charge of the company's presence on sites such as YouTube, Flickr, and LinkedIn. So if someone posts a complaint in cyberspace, the company can respond in a personal way.



Tools & Techniques: Adding the “I'm being coerced” option.

http://it.slashdot.org/article.pl?sid=08/07/08/027220&from=rss

TrueCrypt 6.0 Released

Posted by kdawson on Tuesday July 08, @05:36AM from the plausible-deniability dept. Encryption Security

ruphus13 writes

"While most of the US was celebrating Independence Day, the true fellow geeks over at TrueCrypt released version 6.0 of TrueCrypt over the long weekend. The new version touts two major upgrades. 'First, TrueCrypt now performs parallel encryption and decryption operations on multi-core systems, giving you a phenomenal speedup if you have more than one processor available. Second, it now has the ability to hide an entire operating system, so even if you're forced to reveal your pre-boot password to an adversary, you can give them one that boots into a plausible decoy operating system, with your hidden operating system remaining completely undetectable.' The software has been released under the 'TrueCrypt License,' which is not OSI approved."



http://news.cnet.com/8301-1023_3-9985074-93.html?part=rss&subj=news&tag=2547-1_3-0-5

July 7, 2008 5:02 PM PDT

Geeks get a word in with Merriam-Webster

Posted by Michelle Meyers

Geek culture is once again showing its influence over the mainstream lexicon in the latest version of the Merriam-Webster Collegiate Dictionary, which includes word additions such as webinar, malware, netroots, pretexting (thank you Hewlett-Packard), and fanboy (thank you Apple).



Another large list of free stuff. How can I resist?

http://www.opensourcewindows.org/

Open Source Windows



Is this an indication that the government wants to tax your ancestors?

http://www.bespacific.com/mt/archives/018734.html

July 07, 2008

USA.gov’s Family History and Genealogy page

Family History and Genealogy page includes the following topical links:



Something for my Process Engineering Class... (Perhaps you should check the design your apprentice architect came up with?)

http://digg.com/comedy/Is_There_Something_Wrong

Is There Something Wrong?

flickr.com — Can you find what is wrong with this building?

http://www.flickr.com/photos/14309899@N08/2647737270/sizes/o/


Ditto

http://news.yahoo.com/s/nm/20080707/tc_nm/usa_education_technology_dc

Technology reshapes America's classrooms

By Jason Szep Mon Jul 7, 10:42 AM ET

... Education experts say her school, the Lilla G. Frederick Pilot Middle School in Boston, offers a glimpse into the future.

It has no textbooks. Students receive laptops at the start of each day, returning them at the end. Teachers and students maintain blogs. Staff and parents chat on instant messaging software. Assignments are submitted through electronic "drop boxes" on the school's Web site.

... Classwork is done in Google Inc's free applications like Google Docs, or Apple's iMovie and specialized educational software like FASTT Math.

... "Our projections show that 50 percent of high school courses will be taught online by 2019. It's about one percent right now," said Horn, executive director of education at Innosight Institute, a nonprofit think tank in Massachusetts.


Ditto. Perhaps some ideas (at least a list of risks)

http://tech.slashdot.org/article.pl?sid=08/07/08/0116238&from=rss

Handling Flash Crowds From Your Garage

Posted by kdawson on Tuesday July 08, @02:50AM from the to-scale-or-not-to-scale dept. The Internet Networking IT

slashdotmsiriv writes

"This paper from Microsoft Research describes the issues and tradeoffs a typical garage innovator encounters when building low-cost, scalable Internet services. The paper is a more formal analysis of the problems encountered and solutions employed a few months back when Animoto, with its new Facebook app, had to scale by a factor of 10 in 3 days. In addition, the article offers an overview of the current state of utility computing (S3, EC2, etc.) and of the most common strategies for building scalable Internet services."
