Wednesday, August 20, 2008

When you put all your eggs in one basket, SECURE THAT BASKET!

http://www.pogowasright.org/article.php?story=20080819200619775

Dominion Enterprises Discloses Data Breach in Business Division

Tuesday, August 19 2008 @ 08:06 PM EDT Contributed by: PrivacyNews

Dominion Enterprises today announced that a computer server within InterActive Financial Marketing Group (IFMG), a division of Dominion Enterprises located in Richmond, Virginia, was hacked into and illegally accessed by an unknown and unauthorized third party between November 2007 and February 2008.

The data intrusion resulted in the potential exposure of personal information, including the names, addresses, birth dates, and social security numbers of 92,095 applicants who submitted credit applications to IFMG’s family of special finance Web sites. [This computer serviced several websites... Bob]

Source - Dominion Enterprises



It will never happen to us.

http://www.pogowasright.org/article.php?story=20080819114401513

WA: Kingston Tax Service computers stolen; clients warned of identity theft

Tuesday, August 19 2008 @ 11:44 AM EDT Contributed by: PrivacyNews

Immediate action is necessary on behalf of all Kingston Tax Service clients to protect themselves from identity theft.

Office computers were stolen from the business in a reported burglary sometime before 8:30 a.m. on Aug. 12.

[...] Although the information was password protected, Winsor states they aren't foolproof.

[...] According to Kitsap County Sheriff reports, Winsor believes he saw his computer for sale on Craigslist.com on Aug 14, two days after the burglary.

The computer he suspects was his was listed without its hard drive. He couldn't positively identify the computer because photos of the computer's serial number were blurred, the report states.

Source - North Kitsap Herald

http://www.pnwlocalnews.com/kitsap/nkh/news/27151284.html

[From the article:

Because of the burglary, the message also states that filing some deadlines were missed. [“Not only did we fail to secure your data, we didn't even back it up!” Bob]



This raises a few interesting questions...

http://www.pogowasright.org/article.php?story=20080820055441525

Pilot Sues To Get Off Terror Watch List

Wednesday, August 20 2008 @ 05:54 AM EDT Contributed by: PrivacyNews

A commercial airline pilot and convert to Islam who says his name is on the U.S. government's secret terrorist watch list has fought back, filing a federal lawsuit against the Homeland Security Department and various other federal agencies.

Erich Scherfen said unless his name is removed from the list, he faces losing not only his job but the ability to make a living in his chosen profession.

Source - TheDenverChannel.com

[From the article:

Scherfen said he learned that he was a "positive match" on a list maintained by the Transportation Security Administration in April, when his employer, Colgan Air Inc., suspended him for that reason. [So TSA “ratted him out?” How else would they find out his name was on the list, since TSA claims they won't tell anyone? Bob]



First, read the law! (Second, fix the system? Nahhh too obvious.)

http://yro.slashdot.org/article.pl?sid=08/08/19/1848245&from=rss

MIT Students' Gag Order Lifted

Posted by kdawson on Tuesday August 19, @03:22PM from the common-sense-descends dept.

mytrip and several other readers let us know that a judge in Boston has lifted the gag order — actually let it expire — against three MIT students who discovered flaws in the security of the local transit system, the MBTA. We've discussed the case over the last 10 days.

"Judge O'Toole said he disagreed with the basic premise of the MBTA's argument: That the students' presentation was a likely violation of the Computer Fraud and Abuse Act, a 1986 federal law meant to protect computers from malicious attacks such as worms and viruses. Many had expected Tuesday's hearing to hinge on First Amendment issues and what amounts to responsible disclosure on the part of computer security researchers. Instead, O'Toole based his ruling on the narrow grounds of what constitutes a violation of the CFAA. On that basis, he said MBTA lawyers failed to convince him on two points: The students' presentation was meant to be delivered to people, and was not a computer-to-computer 'transmission.' Second, the MBTA couldn't prove the students had caused at least $5,000 damage to the transit system."



Tools & Techniques: Shouldn't everyone know how to commit computer crimes?

http://digg.com/tech_news/How_I_Stole_Someone_s_Identity_Using_the_Internet

How I Stole Someone's Identity Using the Internet

sciam.com — A little digging on social networks, blogs and Internet search engines lets you put together information about people like pieces of a puzzle —And it's not a pretty picture for security or privacy. I decided to conduct an experiment to see how vulnerable people's accounts are to mining the Web for information.

http://www.sciam.com/article.cfm?id=anatomy-of-a-social-hack



Attention Florida! You can get these cheap, and avoid “hanging chad!” (No need to test, after all, none of these states did...)

http://politics.slashdot.org/article.pl?sid=08/08/20/0212223&from=rss

States Throw Out Electronic Voting Machines

Posted by kdawson on Wednesday August 20, @08:16AM from the returning-to-paper dept.

Davide Marney passes along an AP story about the thousands of voting machines gathering dust in warehouses across the country after states such as California, Ohio, and Florida have banned their use. Many of these machines cost $3.5K to $5K each. Local election boards are struggling to find ways to recover any of the cost of the machines, or even to recycle them. The picture in Ohio is the most confusing, as multiple court cases limit the state's options and result in a situation in which the discredited machines will nevertheless be used in the presidential election coming up in November. The state's new (Democratic) attorney general has just issued a rule banning the practice of election workers taking the machines home with them the night before elections.



(This happened last year.) Like the folks at Slashdot, I wonder if this opinion has been overturned or actually used in a defense?

http://news.slashdot.org/article.pl?sid=08/08/19/2028235&from=rss

Judge Rules Man Cannot Be Forced To Decrypt HD

Posted by kdawson on Tuesday August 19, @06:21PM from the cold-dead-fingers dept.

I Don't Believe in Imaginary Property writes

"In Vermont, US Magistrate Judge Jerome Niedermeier has ruled that forcing someone to divulge the password to decrypt their hard drive violates the 5th Amendment. Border guards testify that they saw child pornography on the defendant's laptop when the PC was on, but they made the mistake of turning it off and were unable to access it again because the drive was protected by PGP. Although prosecutors offered many ways to get around the 5th Amendment protections, the Judge would have none of that and quashed the grand jury subpoena requesting the defendant's PGP passphrase. A conviction is still likely because prosecutors have the testimony of the two border guards who saw the drive while it was open."

The article stresses the potential importance of this ruling (which was issued last November but went unnoticed until now): "Especially if this ruling is appealed, US v. Boucher could become a landmark case. The question of whether a criminal defendant can be legally compelled to cough up his encryption passphrase remains an unsettled one, with law review articles for the last decade arguing the merits of either approach."

Update: 08/19 23:49 GMT by KD : Several readers have pointed out that this story in fact did not go unnoticed.



From the e-Discover blog, a brief overview of hash values and their use in forensics... Looks like lawyers need to study math.

http://ralphlosey.wordpress.com/2008/08/17/new-case-where-police-use-hash-to-catch-a-perp-and-my-favored-truncated-hash-labeling-system-to-id-the-evidence/

New Case where Police Use Hash to Catch a Perp and My Favored Truncated Hash Labeling System to ID the Evidence


Related

http://www.securityfocus.com/brief/801?ref=rss

P2P investigation leads to child-porn busts

Published: 2008-08-19

... The investigation, ... used unspecified "sophisticated computer programs" to identify child pornography stored in folders shared through peer-to-peer applications. Law enforcement officers have previously used pattern-matching programs, similar to antivirus scanners, to quickly scan Usenet groups for images that match a list of known images of child abuse.
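The two items above rest on the same idea: a file is identified by its cryptographic hash, matched against a set of known hashes, and labeled in court papers by a truncated prefix of that hash. The following Python is an added example (not code from either blog, nor from any investigation) showing why the "math" matters: the file contents and the known-hash set are constructed, and the unique-prefix and birthday-bound helpers are my own assumptions about how such a labeling scheme would be sanity-checked.

```python
import hashlib
import math

# Constructed sample "evidence files" (name -> bytes); not real case data.
SAMPLE_FILES = {
    "IMG_0001.jpg": b"constructed sample content A",
    "IMG_0002.jpg": b"constructed sample content B",
    "IMG_0003.jpg": b"constructed sample content A",  # byte-identical to IMG_0001
    "notes.txt": b"constructed sample content C",
}

def sha256_hex(data: bytes) -> str:
    """Full SHA-256 of the content, as 64 hex characters."""
    return hashlib.sha256(data).hexdigest()

def match_known(files, known_hashes):
    """Names whose full hash appears in the known-file hash set.
    Matching is on content only, so renamed copies are still found."""
    return sorted(name for name, data in files.items()
                  if sha256_hex(data) in known_hashes)

def truncated_labels(files, min_len=8):
    """Label each file by the shortest hash prefix (>= min_len) that is
    unique across the evidence set. Identical content gets the same label;
    distinct content never shares one, because the prefix is lengthened
    until no two distinct full hashes collide on it."""
    full = {name: sha256_hex(data) for name, data in files.items()}
    distinct = set(full.values())
    n = min_len
    while len({h[:n] for h in distinct}) < len(distinct):
        n += 1
    return {name: h[:n] for name, h in full.items()}, n

def prefix_collision_probability(n_items, hex_len):
    """Birthday-bound estimate of the chance that at least two of n_items
    distinct files share the same hex_len-character hash prefix. This is
    the number a truncated label scheme should be checked against."""
    space = 16 ** hex_len
    return 1.0 - math.exp(-n_items * (n_items - 1) / (2.0 * space))

if __name__ == "__main__":
    known = {sha256_hex(b"constructed sample content A")}  # constructed set
    print("matches:", match_known(SAMPLE_FILES, known))
    labels, n = truncated_labels(SAMPLE_FILES)
    print(f"labels ({n} hex chars):", labels)
    print("P(collision, 100k files, 8 chars):",
          prefix_collision_probability(100_000, 8))
```

The last line is the point of the "study math" remark: an 8-character label is unique enough for a handful of exhibits, but the birthday bound shows it is not safe as the sole identifier across a large corpus.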



An interesting concept. You don't need to buy hardware for your backup site, you just describe it and when needed implement a virtual system.

http://www.reuters.com/article/technologyNews/idUSN1936716820080820?feedType=RSS&feedName=technologyNews

IBM invests $300 mln in disaster recovery centers

Tue Aug 19, 2008 11:20pm EDT

BOSTON (Reuters) - IBM plans to spend $300 million this year to build 13 "cloud computing" data centers where businesses can store information for quick retrieval in case their computer systems are destroyed in a disaster.
