Thursday, August 21, 2008

Couldn't happen to a better victim (from a Security Manager's perspective). Willing or not, this CEO will learn a lot about security and privacy in the next few months.

http://www.pogowasright.org/article.php?story=20080820190921706

UK bank chief stung in ID theft scam

Wednesday, August 20 2008 @ 07:09 PM EDT Contributed by: PrivacyNews

Accounts belonging to Andy Hornby, 41, who earns an estimated £1m a year, were frozen after unauthorised withdrawals of at least £7,000 from his accounts. UK tabloid The Sun reports that crooks used an old bank statement from Hornby to pose as the bank chief.

Hornby, who took over as chief exec of HBOS in 2006, was reportedly told of the breach while he was on holiday. The exact mechanism of the audacious scam is unclear, but it seems that a fraudster succeeded in persuading HBOS to issue replacement cards or other account credentials.

Source - The Register

Thanks to Brian Honan for the link.

[From the article:

HBOS declined to discuss the alleged fraud, which raises questions about its internal systems as well as the care its chief exec takes with his own banking details.

The breach is hugely embarrassing, but not unprecedented. In January a thief defrauded Barclays of £10,000, having tricked staff into handing out a credit card while posing as its chairman Marcus Agius.



“Greetings new customer! Welcome to the Wells Fargo family! We want you to enjoy all the benefits available to our existing customers, so let me explain our friendly Victims of Identity Theft process...”

http://www.pogowasright.org/article.php?story=20080820201047602

Another Wells Fargo incident: Tape with bank records ‘lost’

Wednesday, August 20 2008 @ 08:10 PM EDT Contributed by: PrivacyNews

A computer data tape with customer information from five new Wells Fargo banks is missing.

Banks involved are Shoshone First Bank in Cody and Powell, Jackson State Bank & Trust, Sheridan State Bank, First State Bank of Pinedale and United Bank of Idaho in Driggs.

“The tapes were being transported from one bank site to another,” SFB executive vice president Glenn Ross said. “When they (staff) arrived at the site they discovered the tape was missing.”

The information on the computer tape included names, addresses, Social Security numbers and account numbers.

“The tapes may have contained account balances and phone numbers, but we can't say they specifically had that information for all customers,” Ross added.

Source - Cody Enterprise

[From the article:

“But we can definitely say this wasn't a theft.” [I can say the moon is made of green cheese... Bob]

“The tape was lost in transit,” he added. “People can feel safe the information wasn't stolen.” [“Rejoice! It wasn't hackers! We have met the enemy and they is us!” Bob]



This could be interesting. Let's hope they use a rating scale with levels like: “Totally Clueless”, “It Takes Real Work to be This Bad” and “Forrest Gump could Hack these Bozos”

http://www.pogowasright.org/article.php?story=20080821071616702

Hilb Rogal & Hobbs To Launch Privacy Breach Index With Ponemon Institute

Thursday, August 21 2008 @ 07:16 AM EDT Contributed by: PrivacyNews

Hilb Rogal & Hobbs Co. said it teamed with the Ponemon Institute, a privacy and information management research firm, to launch the Privacy Breach Index. Hilb Rogal & Hobbs indicated the Privacy Breach Index as the first publicly available benchmarking tool to objectively measure a company's response to data loss or theft, especially when it concerns information about people and their families.

Source - RTTNews

A copy of the Privacy Breach Index(TM) Executive Summary and a questionnaire that can be used to create a company's PBI score will be made available for download via the following link: www.hrh.com/privacy.


Related? Maybe we should blame the victim.

http://techdirt.com/articles/20080820/0302342042.shtml

30% Of Internet Users Admit To Buying From Spam

from the hence-your-email-inbox dept

Over the years, we've seen plenty of studies or reports about the people who actually buy from spam. The percentages vary widely, with one report saying 4% of spam recipients buy from spam, another saying 11% and another saying 20%. Those were all a few years ago. A more recent study is now claiming that 30% of people will readily admit to buying from spam. Of course, the methodologies could be different, as some may count things such as marketing emails that you signed up for as spam, while others probably would not. Either way, it's clear that plenty of people [a tiny percentage of a global population Bob] are still buying, because otherwise spam would have died out a long time ago.

There is one other interesting point made in the study. It notes that the industry consensus is that less than one in a million emails leads to a sale (actually, the report says ten in ten million, but I don't see why that shouldn't be reduced), but that number is somewhat misleading, because so much spam is caught in filters. So, the percentage of spams that get through and lead to a sale is much, much higher.



Definitely needs work, but has potential!

http://www.infoworld.com/article/08/08/20/Online_encyclopedia_lists_internal_network_security_threats_1.html?source=rss&url=http://www.infoworld.com/article/08/08/20/Online_encyclopedia_lists_internal_network_security_threats_1.html

Update: Online encyclopedia lists internal network security threats

Promisec includes popular Web-based applications among possible data-loss threats

By Amir Ben-Artzi, IDG News Service August 20, 2008

A free online encyclopedia of internal network security issues was released Tuesday by network security provider Promisec, which includes popular Web-based applications among possible data-loss threats.



Law in the Cloud. Understand the technology you use or it will bite you. (Technology is like lion taming...) “Ignorance of the (lack of a) law is no excuse!”

http://www.pogowasright.org/article.php?story=200808201905450

Cloud computing lets Feds read your email

Wednesday, August 20 2008 @ 07:05 PM EDT Contributed by: PrivacyNews

... On July 11, 2008, Steven Warshak, the president of a nutrition supplement company, learned the hard way (pdf) about the dangers of using web-based email. On May 6, 2005, the government got such an order for the contents of his emails.

Generally, the internet service provider (ISP) is required to give the subscriber notice of the subpoena, but the statute allows a delay of up to 90 days if the government just asks for the data and the court finds that "there is reason to believe that notification of the existence of the court order may have an adverse result", like endangering the life or physical safety of an individual, flight from prosecution, destruction of or tampering with evidence, intimidation of potential witnesses, or otherwise seriously jeopardizing an investigation or unduly delaying a trial. Using this provision the government got an order allowing it to delay telling Warshak of its access for 90 days, until early July 2006. July came and went, as did August, September, October, November, December, January, February, March, April and May of 2007 before the government finally got around to telling Warshak that it had been reading his mail.

Source - The Register

Thanks to Brian Honan for the link.

[From the article:

Warshak, like many others, used web-based or third-party provided email services like Yahoo! mail and NuVox communications. Thus, his inbox and outbox were literally out of his hands. If Warshak had used an internal email service that he controlled and the government wanted to get access to the contents of his email, they would have had to do it the old-fashioned way: Obtain a search warrant supported by probable cause, issued by a neutral and detached magistrate, specifying the place to be searched and the items to be seized. [Choosing new technologies removes your rights under old laws (and constitutions) Bob]

... The Warshak court said that it had no idea if emails potentially seized by the government without a warrant would be subject to any expectation of privacy by Warshak. The Court noted that ISPs have all kinds of policies and practices regarding the privacy of their customers' electronic communications, with some like AOL saying that the ISP "will not read or disclose subscribers' emails to anyone except authorized users," some like Juno saying they "will not intentionally monitor or disclose any private email message" but that it "reserves the right to do so in some cases" and some like Yahoo stating that they shall have the right to pre-screen content, or that content may be provided to the government on request.

... The government urged the court to go even further, arguing that there is no constitutional protection of privacy in email where, for example, the ISP used malware scanners to look for malicious code in email or deep packet inspection of email.

... The real problem with the Warshak Court's ruling - and here is where it gets dangerous - is that it essentially held that your expectation of privacy with respect to the government's seizure of your email is dictated by the terms of the contract with the ISP.


Related

http://www.pogowasright.org/article.php?story=20080821060546400

AU: No such thing as privacy: top judge

Thursday, August 21 2008 @ 06:05 AM EDT Contributed by: PrivacyNews

People's willingness to talk loudly on mobile phones and reveal personal information about themselves online indicates that the privacy laws may require a rethink, says the country's top judge, Murray Gleeson.

In his final public address as Chief Justice of the High Court, Justice Gleeson said yesterday that he had begun to change his view that "certain things … were self-evidently private".

Source - The Sydney Morning Herald

[From the article:

Graham Greenleaf, an expert on privacy and information technology law at the University of NSW, said that legal definitions of privacy were "not static" and new technologies had enabled people to be increasingly willing to disclose information [Probably lost something in the translation from the Australian, but aren't we assuming “Perfect Knowledge” of the technology and the consequences of its use? Bob] that would once have been considered private.

... "People are only now beginning to understand the privacy implications of social-networking sites and user-generated content … It may be that the pendulum will swing away somewhat from the great enthusiasm for disclosure that we are seeing now." [Let's encourage that... Bob]


Related. Brief but interesting...

http://www.lrb.co.uk/v30/n16/soar01_.html

Short Cuts

Daniel Soar

[You have no privacy – deal with it. Bob]


Related. Then there are the “Please don't throw me into the brier patch” laws.

http://blog.wired.com/27bstroke6/2008/08/analysis-fcc-co.html

Analysis: FCC Comcast Order is Open Invitation to Internet Filtering

By David Kravets August 20, 2008 | 3:53:43 PM

... In essence, the commission said carriers cannot discriminate against file sharing protocols, but they may act as traffic cops and block illegal material and "transmissions that violate copyright law."

[The order: http://blog.wired.com/27bstroke6/files/comcastdecision.pdf


Related? We need to search the world for better interpretations of the US Constitution?

http://www.wired.com/politics/security/commentary/securitymatters/2008/08/securitymatters_0821

Boston Court's Meddling With 'Full Disclosure' Is Unwelcome

Bruce Schneier

In eerily similar cases in the Netherlands and the United States, courts have recently grappled with the computer-security norm of "full disclosure," asking whether researchers should be permitted to disclose details of a fare-card vulnerability that allows people to ride the subway for free.

The "Oyster card" used on the London Tube was at issue in the Dutch case, and a similar fare card used on the Boston "T" was the center of the U.S. case. The Dutch court got it right, and the American court, in Boston, got it wrong from the start -- despite facing an open-and-shut case of First Amendment prior restraint.



Our “First Line of Defense” -- god help us. (Probably been done hundreds of times before, but domestic calls don't impact the budget.)

http://it.slashdot.org/article.pl?sid=08/08/21/1241250&from=rss

FEMA Phones Hacked, Calls Mideast and Asia

Posted by CmdrTaco on Thursday August 21, @09:30AM from the oh-that's-just-not-good dept. Security

purplehayes writes

"A hacker broke into a Homeland Security Department telephone system over the weekend and racked up about $12,000 in calls to the Middle East and Asia. The hacker made more than 400 calls on a Federal Emergency Management Agency voicemail system in Emmitsburg, Md., on Saturday and Sunday, according to FEMA spokesman Tom Olshanski."

[From the article:

The voicemail system is new and recently was installed.

... This type of hacking is very low-tech and "old school," said John Jackson, a St. Louis-based security consultant. It was popular 10 to 15 years ago.

... Sprint caught the fraud over the weekend and halted all outgoing long-distance calls from FEMA's National Emergency Training Center in Emmitsburg. [I hope they checked with someone first! Bob]



Is this truly the first? No court has said “you must read the entire law before claiming a violation?”

http://blog.wired.com/27bstroke6/2008/08/judge-copyright.html

Judge: Copyright Owners Must Consider 'Fair Use' Before Sending Takedown Notice

By David Kravets August 20, 2008 | 6:21:03 PM

In the nation's first such ruling, a federal judge on Wednesday said copyright owners must consider "fair use" of their works before sending takedown notices to online video-sharing sites.

The 10-page decision (.pdf) came a month after Universal Music told a San Jose, California federal judge that copyright owners need not consider the "fair use" doctrine before issuing takedown notices requiring online video-sharing sites to remove content.

... Fogel added that an "allegation that a copyright owner acted in bad faith by issuing a takedown notice without proper consideration of the fair use doctrine thus is sufficient to state a misrepresentation claim."

... The case considered a lawsuit brought by a Pennsylvania woman whose 29-second garbled video of her toddler dancing to Prince's "Let's Go Crazy" was removed last year after Universal sent YouTube a takedown notice under the DMCA. [and a boring little video at that... Bob]

... Universal argued that copyright owners may lose the ability to respond rapidly to potential infringements if they are required to evaluate fair use prior to issuing takedown notices. [“You want us to actually look at it? What are you, nuts!” Bob]



I hope these guys don't fly very often...

http://jurist.law.pitt.edu/paperchase/2008/08/ninth-circuit-rules-people-on-no-fly.php

Ninth Circuit rules people on 'no-fly' list can challenge status in federal courts

Devin Montgomery at 2:39 PM ET Tuesday, August 19, 2008

The US Court of Appeals for the Ninth Circuit [official website] ruled [decision, PDF] Monday that those placed on the government's "no-fly list" can challenge their inclusion on the list in federal district courts. The issue came before the court in a case brought by a woman on the list, in which a district court had ruled that it lacked jurisdiction because of a law [statute text] exempting Transportation Security Administration (TSA) [official website] orders from federal trial court review. Reversing the decision, the Ninth Circuit held that the Terrorist Screening Center [official website] which actually maintains the list is a subsection of the Federal Bureau of Investigation (FBI) and is therefore subject to review by the district courts:



Shouldn't management be logging and reviewing this already?

http://www.pogowasright.org/article.php?story=20080820190328984

Ie: New guidelines to tighten up data protection in insurance sector

Wednesday, August 20 2008 @ 07:03 PM EDT Contributed by: PrivacyNews

Plans have been announced to make the data protection in the insurance sector more secure..... It follows revelations that the Department of Social and Family Affairs was routinely leaking social welfare and employment records to the insurance firms, to help them investigate claims.

Under the new code, companies must keep a record of exactly how their customers' personal data is being used.

Source - breakingnews.ie

Thanks to Brian Honan for the link.


On the other hand...

http://www.pogowasright.org/article.php?story=20080820201308546

Changes to PCI standard not expected to up ante on protecting payment card data

Wednesday, August 20 2008 @ 08:13 PM EDT Contributed by: PrivacyNews

The group that administers the Payment Card Industry Data Security Standard — or PCI, for short — this week released a summary of the changes that are being made to the requirements in a revision scheduled to be published in October.

As expected, the modifications that the PCI Security Standards Council is implementing in the upcoming Version 1.2 of the standard are largely incremental in nature and appear unlikely to cause any major new compliance challenges for companies, analysts said. In fact, the update will ease some of the mandates set by the standard, such as how quickly software patches need to be applied to systems.

Source - Computerworld



Now there's a sad statistic

http://tech.slashdot.org/article.pl?sid=08/08/20/2233221&from=rss

42% of Web Users Sneak Onto Other Online Accounts

Posted by samzenpus on Wednesday August 20, @09:51PM from the what-are-you-doing-there dept. The Internet

An anonymous reader writes

"In an online survey, 42 percent of Internet users admitted to logging into other people's email and social networking accounts without their knowledge. The poll doesn't ask if passwords were found, granted, or stolen — which would make for further interesting results. The write-up summarizing the results defines the respondents as part of an "educated tech-readership" and questions the ethics of logging onto someone else's account, and whether those differ depending on the person and relationship."



Tools & Techniques: Don't bother detecting secret messages, just scramble them. Let's hope this does not become common. Imagine the impact if x-rays are modified, for example.

http://digg.com/security/Are_you_hiding_secret_messages_in_LOLCAT_photos

Are you hiding secret messages in LOLCAT photos?

spectrum.ieee.org — Earlier this year, someone at the US Department of Justice smuggled sensitive financial data out of the agency by embedding the data in several image files. Defeating this exfiltration method, called steganography, has proved particularly tricky, but one engineering student has come up with a way to make espionage work against itself.

http://spectrum.ieee.org/print/6593

[From the article:

Bertolino’s method turns this technology on itself. The key to jamming steganography, he says, is using steganography—what he calls “double-stegging.” Double-stegging adds some noise, scrambling some of the image’s least-significant bits. “As long as you’re damaging at least some part of the file,” Bertolino explains, the hidden file becomes garbled and cannot be deciphered.
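The double-stegging idea described above, as an added example (not Bertolino's code and not from the article): a constructed payload is embedded in the least-significant bits of a constructed 4096-byte grayscale buffer, then a random half of all LSBs is blindly overwritten and the surviving payload is measured. The function names, the buffer and the payload are all assumptions for illustration.

```python
import random


def bytes_to_bits(data):
    """Big-endian bit list for a byte string."""
    return [(b >> (7 - i)) & 1 for b in data for i in range(8)]


def bits_to_bytes(bits):
    """Inverse of bytes_to_bits; trailing partial bytes are dropped."""
    usable = len(bits) - len(bits) % 8
    return bytes(int("".join(str(b) for b in bits[i:i + 8]), 2)
                 for i in range(0, usable, 8))


def embed_lsb(cover, payload):
    """Classic LSB steganography: one payload bit per cover byte (pixel sample)."""
    bits = bytes_to_bits(payload)
    if len(bits) > len(cover):
        raise ValueError("cover image too small for payload")
    stego = bytearray(cover)
    for i, bit in enumerate(bits):
        stego[i] = (stego[i] & 0xFE) | bit
    return bytes(stego)


def extract_lsb(stego, length):
    """Read `length` bytes back out of the LSBs."""
    return bits_to_bytes([b & 1 for b in stego[:length * 8]])


def double_steg(image, fraction, rng):
    """Blind jamming ("double-stegging"): overwrite a random subset of LSBs with
    random bits. No detection step is needed, and no sample moves by more than 1."""
    jammed = bytearray(image)
    targets = rng.sample(range(len(jammed)), int(len(jammed) * fraction))
    for i in targets:
        jammed[i] = (jammed[i] & 0xFE) | rng.getrandbits(1)
    return bytes(jammed)


def run_demo(fraction=0.5, seed=2008):
    """Embed a constructed payload, jam the image, and report what survived."""
    rng = random.Random(seed)
    # Constructed stand-in for a 64x64 8-bit grayscale image (random samples).
    cover = bytes(rng.getrandbits(8) for _ in range(4096))
    payload = b"CONSTRUCTED PAYLOAD: not a real document"  # 40 bytes = 320 bits
    stego = embed_lsb(cover, payload)
    jammed = double_steg(stego, fraction, rng)
    recovered = extract_lsb(jammed, len(payload))
    sent, got = bytes_to_bits(payload), bytes_to_bits(recovered)
    bit_error_rate = sum(a != b for a, b in zip(sent, got)) / len(sent)
    max_delta = max(abs(a - b) for a, b in zip(stego, jammed))
    return {
        "intact_before_jam": extract_lsb(stego, len(payload)) == payload,
        "intact_after_jam": recovered == payload,
        "payload_bit_error_rate": bit_error_rate,  # about fraction / 2
        "max_sample_change": max_delta,            # visually negligible
    }


if __name__ == "__main__":
    print(run_demo())
```

Overwriting half the LSBs corrupts roughly a quarter of the payload bits, which is enough to wreck a raw payload, but a sender who wraps the payload in an error-correcting code can tolerate low damage rates, so the fraction has to be chosen with that in mind.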



“Youse want solar energy wid dat?” Pizza Hut. Buy enough pizza and you can disconnect from Xcel...

http://hardware.slashdot.org/article.pl?sid=08/08/21/127236&from=rss

Solar Cells - Made In a Pizza Oven

Posted by CmdrTaco on Thursday August 21, @08:46AM from the because-you-can dept. Power Science

stylemessiah writes

"The winner of several Eureka Science Awards in Australia is a crafty chick who devised a way to create solar cells cheaply using a pizza oven, nail polish and an inkjet printer. This was developed to address the high cost of cells and in particular for the world's poorest regions. She wanted to give the ~2 billion people around the world who don't have electricity the gift of light and cheap energy. This could have profound (and a good profound) implications for education and health in those in the poorest regions in the world. And it all started with her parents giving her a solar energy kit when she was 10..."



Let's gang up on those bastids!

http://www.killerstartups.com/Web-App-Tools/phonespamfilter-com-get-rid-of-telemarketers

PhoneSpamFilter.com - Get Rid Of Telemarketers

PhoneSpamFilter.com offers users a huge database (over 50,000) of known telemarketers. Users visit the site and can register their own complaints about telemarketers. Many, many users do so each day. If a user just wants to get some information about who called from a given phone number, that's possible too. PhoneSpamFilter.com also offers several tools for users to block telemarketers from calling them at home. The site has Windows-based software and an API, each of which can allow users to sidestep phone solicitors.

http://www.phonespamfilter.com/



Tools & Techniques: Plus it's a (rather geeky) list! (How could I not include it.)

http://www.bespacific.com/mt/archives/019108.html

August 20, 2008

New on LLRX.com: Technology Tools for Information Management

Technology Tools for Information Management - Roger V. Skalbeck and Barbara Fullerton share a fast-paced presentation of 19 practical, low cost and innovative tech tools they respectively use on a regular basis. So if you are looking for ideas to improve your use of Outlook, RSS, Adobe, and enhance your presentations and collaborative goals, this article is a must read.

[This one is interesting:

Ponyfish

This is a web-based tool that lets you create an RSS feed from a page that doesn't otherwise have one. You simply browse to the page, click on a few links where new material appears, and it generates the feed for you.



Inevitable

http://techdirt.com/articles/20080819/0326152027.shtml

If You're Looking To Learn Basic Economics, Here's A Free Textbook

from the cool dept

Against Monopoly points us to an LA Times story about an economics professor from Caltech, R. Preston McAfee, who has written what he calls an "open source" economics textbook. You can download the textbook for free, and can even modify it (he offers up both a pdf version and a "source code" Word doc). It's not quite "open source" in that you're not allowed to do anything commercial with it, but it's certainly a lot cheaper than a standard econ textbook. We get plenty of questions here about where one should start learning about economics knowledge -- and while a textbook without a teacher isn't always the best place, if you did want to dig into a text, this is obviously a good place to start.

I haven't gone through the whole thing, but a quick spot check on various topics suggests that (at least in that random sample) the text is clear, well-written and does a good job explaining those concepts. And while it doesn't get into anything beyond your basic intro econ, the guy does seem to recognize the basic economics of information. As he notes in the LA Times article:

"What makes us rich as a society is what we know and what we can do. Anything that stands in the way of the dissemination of knowledge is a real problem."

And the opening itself certainly suggests he understands the whole scarce/infinite goods dichotomy:

Economics studies the allocation of scarce resources among people – examining what goods and services wind up in the hands of which people. Why scarce resources? Absent scarcity, there is no significant allocation issue.

Indeed. And, it's nice to see scarcity becoming absent from a good econ text as well, so "allocate" away.



But Honey! I'm doing it for my health!

http://science.slashdot.org/article.pl?sid=08/08/20/1751246&from=rss

Research Suggests Polygamous Men Live Longer

Posted by timothy on Wednesday August 20, @02:23PM from the depends-which-part-of-utah dept. Medicine Science

Calopteryx writes

"Want to live a little longer? Get a second wife. A study reported in New Scientist suggests that men from polygamous cultures outlive those from monogamous ones. After accounting for socioeconomic differences, men aged over 60 from 140 countries that practice polygamy to varying degrees lived on average 12% longer than men from 49 mostly monogamous nations."



English, as she is spoke (The sad part is, I can't even guess what some of these people intended to say...)

http://engrishfunny.com/

Engrish Funny

Engrish Pictures and other Funny Engrish Mistakes in English from around the world.
