Friday, September 12, 2008

____

How vague can a disclosure be? Wouldn't it be useful to know who was breached? When the breach occurred and what dates the records lost cover?

http://www.pogowasright.org/article.php?story=2008091113194251

American Express notifying some customers of breach at unnamed merchant

Thursday, September 11 2008 @ 01:19 PM EDT Contributed by: PrivacyNews

Evan Francen of The Breach Blog has uploaded a notification letter dated August 26th received by one of his site's readers. No other information about the breach seems to be available at this time, but it is interesting that AmEx notified the customer about a cancelled account and indicates that it will monitor the (cancelled) account for activity.

Francen wonders whether this breach might be related to the recent revelation that a computer containing customer data was sold on ebay. It's a good question. Would that companies provide us with more details in their notification letters.



How do I interpret this? Is it more FBI braggadocio? (“This arrest solves 92% of all crime worldwide.”) Is it true, but they don't want to embarrass anyone? Is it true, and the economy would collapse if the scope was revealed? Would FOIA answer any of these questions?

http://www.pogowasright.org/article.php?story=20080912061716454

Hacker pleads guilty in breach (TJX update)

Friday, September 12 2008 @ 06:17 AM EDT Contributed by: PrivacyNews

Federal prosecutors won a guilty plea yesterday from one of 11 men who made up a ring that was charged last month with the largest data theft case in history, involving tens of millions of customers of retailers, including TJX Cos. of Framingham and BJ's Wholesale Club of Natick.

Separately the government also said it has evidence the group breached the security of many more businesses than previously disclosed.

... And in a separate court filing yesterday, Heymann wrote the government has evidence that Toey and his coconspirators hacked into "numerous other businesses." The filing did not disclose the businesses, and Heymann did not release any more details in court.

Source - Boston.com

Comment: and were the customers of those "numerous other businesses" ever notified of the breaches? Did the businesses even know that they had been breached or did the federal government not communicate with them? -- Dissent



If it was common practice to encrypt any files transmitted with the public key of the recipient, this would have been a non-issue.

http://www.pogowasright.org/article.php?story=20080911164953517

Personal Information Of 23,000 Ivy Tech Students Sent Out Over E-Mail (update)

Thursday, September 11 2008 @ 04:49 PM EDT Contributed by: PrivacyNews

The personal information of about 23,000 Ivy Tech students was accidentally sent out in an e-mail to 1,400 people, according to a letter from the school.

In the letter Ivy Tech Indianapolis Vice President of Administration William Morris writes that the e-mail was sent during the last week of July.

He said an employee intended to e-mail the list -- which included the names, addresses and Social Security numbers of students who were enrolled in distance-education courses -- to a colleague. Instead, the file drop was sent to an e-mail group that included about 1,400 current and former Ivy Tech Indianapolis employees, including some current and former student employees.

Source - The Indy Channel



It looks like the courts are becoming better educated on security “Best Practices” (Or maybe this one was just glaringly obvious...)

http://www.pogowasright.org/article.php?story=20080911153348950

Brokerage to pay fine for alleged security breach (LPL Financial update 2)

Thursday, September 11 2008 @ 03:33 PM EDT Contributed by: PrivacyNews

A brokerage firm has agreed to pay a $275,000 fine following a series of alleged online hacking incidents into customer accounts.

The Securities and Exchange Commission said Thursday that LPL Financial Services failed to protect its customers' personal information, leaving at least 10,000 clients vulnerable to identity theft.

Source - Associated Press

Note: this appears to be related to two breaches reported on PogoWasRight.org here and here. LPL Financial has reported six breaches that we know of in the past year.

Updated 9-12-08: See also SEC Charges LPL Financial for Failing to Protect Customer Privacy in Financial News and the SEC Order [pdf], which pretty much says that LPL knew back in 2006 that they were at risk on security and didn't do enough to protect customer data.

[From the SEC Order:

    Regarding password complexity, LPL’s internal auditors identified the following weaknesses concerning the BranchNet application: (1) RR passwords did not meet industry standards for so-called “strong” passwords, because, among other things, the passwords had no requirements on length or alphanumeric/special character combinations; (2) passwords were not set to expire after a certain period of time; (3) users could not change their own passwords; and (4) there was no automatic lockout feature related to unsuccessful login attempts. Additionally, over 300 LPL information technology employees had access to a list of BranchNet passwords, and a number of former employees likely had access to such a list before leaving the firm.



The cost of Identity Theft just went up...

http://www.law.com/jsp/article.jsp?id=1202424426977

Identity-Theft Victims Owed Duty of Care in Bank Fraud Investigations, N.J. Court Says

Mary Pat Gallagher New Jersey Law Journal September 11, 2008

A bank that pursues criminal charges against an innocent third party whose identity is stolen and used to defraud the bank can be sued for negligence and malicious prosecution, an appeals court held Tuesday in a case of first impression in New Jersey.

The court, in Brunson v. Affinity Federal Credit Union, A-4439-06, ruled that financial institutions and fraud investigators have a duty to "pursue with reasonable care their responsibility for protecting not only their own customers, but non-customers who may be victims of identity theft."



This Aussie author misses the whole point. A cost/benefit analysis is logical for businesses, but a “Look! I'm doing something to protect you, let's not talk about cost & benefits” approach wins votes and therefore is the default among politicians.

http://business.smh.com.au/business/the-terrifying-cost-of-feeling-safer-20080826-435l.html?page=fullpage#contentSwap2

The terrifying cost of feeling safer

Ross Gittins August 26, 2008

... It's now clear that when people think about defence and national security, the main thing they have in mind is the risk of terrorism, not the risk of invasion by another country.

... It's a well-known finding of psychology that humans tend to overestimate the probability of rare events, while underestimating the probability of more common events. That's partly because rare events may be more dramatic and tend to stick in our minds, whereas more frequent events tend to fade into the background.



Are we Balkanizing Law Enforcement?

http://news.slashdot.org/article.pl?sid=08/09/12/1239243&from=rss

Senate Judiciary Committee Approves Copyright Cops

Posted by kdawson on Friday September 12, @08:54AM from the keystone-of-the-law dept. Government

I Don't Believe in Imaginary Property writes

"The Senate Judiciary Committee has approved the EIPA (the Enforcement of Intellectual Property Rights Act of 2008), which would create copyright cops. And these cops would take over the RIAA's War on Sharing by filing civil lawsuits and using civil forfeiture laws to take any and all computers engaged in infringement. Worse, they would even seize computers (such as servers or database farms) that house the data of innocent people, and these people would not have any right to get their data back. At best the 'virtual bystanders' who happened to have data on a computer used for infringement could get a protective order saying that no one should go rummaging through their stuff. Perhaps the only good thing in the bill is that they've excluded DMCA circumvention from the list of grounds for seizure. So while the Senators believe this is needed to combat foreign copyright infringement cartels, it's entirely likely that innocent people will be harmed by this law."



...but if the location data is stored at the phone company all bets are off?

http://www.pogowasright.org/article.php?story=20080911095912725

New Court Decision Affirms that 4th Amendment Protects Location Information

Thursday, September 11 2008 @ 09:59 AM EDT Contributed by: PrivacyNews

In an unprecedented victory for cell phone privacy, a federal court has affirmed that cell phone location information stored by a mobile phone provider is protected by the Fourth Amendment and that the government must obtain a warrant based on probable cause before seizing such records.

The Department of Justice (DOJ) had asked the federal court in the Western District of Pennsylvania to overturn a magistrate judge's decision requiring the government to obtain a warrant for stored location data, arguing that the government could obtain such information without probable cause. The Electronic Frontier Foundation (EFF), at the invitation of the court, filed a friend-of-the-court brief opposing the government's appeal and arguing that the magistrate was correct to require a warrant. Wednesday, the court agreed with EFF and issued an order affirming the magistrate's decision.

Source - EFF


Related?

http://www.pogowasright.org/article.php?story=20080911165542607

IPhone Takes Screenshots of Everything You Do

Thursday, September 11 2008 @ 04:55 PM EDT Contributed by: PrivacyNews

Your iPhone is watching you.

If you've got an iPhone, pretty much everything you have done on your handset has been temporarily stored as a screenshot that hackers or forensics experts could eventually recover, according to a renowned iPhone hacker who exposed the security flaw in a webcast Thursday.

Source - Gadgets Lab


Related? Governments will be able to claim, “We're just following International Standards...”

http://www.pogowasright.org/article.php?story=20080912053748872

U.N. agency proposes curbs on Internet anonymity

Friday, September 12 2008 @ 05:37 AM EDT Contributed by: PrivacyNews

A United Nations agency is quietly drafting technical standards, proposed by the Chinese government, to define methods of tracing the original source of Internet communications and potentially curbing the ability of users to remain anonymous.

The U.S. National Security Agency is also participating in the "IP Traceback" drafting group, named Q6/17, which is meeting next week in Geneva to work on the traceback proposal. Members of Q6/17 have declined to release key documents, and meetings are closed to the public.

Source - Cnet



Facts suggest little real privacy...

http://www.pogowasright.org/article.php?story=20080911131658691

Debunking Google's log anonymization propaganda

Thursday, September 11 2008 @ 01:16 PM EDT Contributed by: PrivacyNews

Google announced on Monday that the company will be reducing the amount of time that it will keep sensitive, identifying log data on its search engine customers. To the naive reader, the announcement seems like a clear win for privacy. However, with a bit of careful analysis, it's possible to see that this is little more than snake oil, designed to look good for the newspapers, without delivering real benefits to end users.

Source - Surveill@nce St@te, on Cnet

[From the article:

As an example, an IP address of a home user could be 173.192.103.121. After 18 months, Google chops this down to 173.192.103.XXX.

Since each octet (the numbers between each period of an IP) can contain values from 1-255, Google's anonymization technique allows a user, at most, to hide among 254 other computers. In comparison, Microsoft deletes the cookies, the full IP address and any other identifiable user information from its search logs after 18 months.

Google has now revealed that it will change "some" of the bits of the IP address after 9 months, but less than the eight bits that it masks after the full 18 months. Thus, instead of Google's customers being able to hide among 254 other Internet users, perhaps they'll be able to hide among 64, or 127 other possible IP addresses.
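To make the arithmetic in the excerpt concrete, here is an added example (not code from the article or from Google) that clears the low-order bits of an IPv4 address the way the excerpt describes, returns the size of the address set that collapses onto each masked value, and counts how many entries of a constructed sample log share each masked value.

```python
import ipaddress
from collections import Counter

# Constructed sample of search-log client addresses (not real log data).
SAMPLE_LOG = [
    "173.192.103.121",  # the article's example home-user address
    "173.192.103.7",
    "173.192.103.200",
    "173.192.104.5",
    "10.20.30.40",
]


def mask_ipv4(ip: str, bits: int) -> str:
    """Clear the low-order `bits` bits of an IPv4 address and return the
    result in CIDR form. bits=8 is the 18-month scheme from the excerpt
    (last octet dropped, i.e. a /24); bits=6 or 7 give the 64- or
    128-address sets the excerpt mentions for the 9-month scheme."""
    if not 0 <= bits <= 32:
        raise ValueError("bits must be between 0 and 32")
    addr = int(ipaddress.IPv4Address(ip))
    keep_mask = (0xFFFFFFFF << bits) & 0xFFFFFFFF
    return f"{ipaddress.IPv4Address(addr & keep_mask)}/{32 - bits}"


def anonymity_set_size(bits: int) -> int:
    """Number of distinct addresses that map onto one masked value: 2**bits.
    This is the most a user can 'hide among' on the address alone, before
    any other retained field (cookie, query text, timestamp) is considered."""
    return 1 << bits


def bucket_sizes(log_ips, bits: int) -> dict:
    """Count how many logged entries share each masked value. An entry alone
    in its bucket remains a distinct record in the retained log, even though
    2**bits addresses could have produced it."""
    return dict(Counter(mask_ipv4(ip, bits) for ip in log_ips))


if __name__ == "__main__":
    for bits in (8, 7, 6):
        print(bits, mask_ipv4("173.192.103.121", bits), anonymity_set_size(bits))
    print(bucket_sizes(SAMPLE_LOG, 8))
```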


Related? The Commish' talks about working with Facebook on privacy (very positively) and mentions another video on how to set privacy rules in Facebook – but I can't seem to find that one.

http://www.pogowasright.org/article.php?story=20080912054913961

Your privacy, your responsibility says Ontario Privacy Commissioner

Friday, September 12 2008 @ 05:49 AM EDT Contributed by: PrivacyNews

Ann Cavoukian talks about working with Facebook on boosting user privacy, and has some cautionary words for job seekers using social networking. (story and video)

Source - ITBusiness.ca



How is this different than looking at the pictures displayed in an employee's cubicle?

http://tech.slashdot.org/article.pl?sid=08/09/11/208206&from=rss

One In Five Employers Scan Applicants' Web Lives

Posted by timothy on Thursday September 11, @04:38PM from the other-four-are-lying dept. Social Networks Privacy

Ned Nederlander writes

"CareerBuilder's new survey finds: 'Of those hiring managers who have screened job candidates via social networking profiles, one-third (34 percent) reported they found content that caused them to dismiss the candidate from consideration.' Some red flags: content about applicant using drugs or drinking, inappropriate photos and bad-mouthing former bosses."



“Look. We only want docile customers who are cheap to service. (Sheep who are too ignorant to complain about the lousy service) We won't kick real users off our system, just heavily restrict the bandwidth we promised them without letting them out of their contracts.”

http://digg.com/tech_news/AT_T_Changes_TOS_Start_Slowing_Rebel_Downloaders_Next_Month

AT&T Changes TOS, Start Slowing Rebel Downloaders Next Month

gizmodo.com — AT&T's just updated its terms of service for broadband customers, and starting next month, if you're a heavy downloader, get ready to have your connection squeezed to a trickle. While they haven't implemented usage caps a la Comcast (yet) they are using a similar traffic management technique starting on Oct. 18 that will slow down your whole...

http://gizmodo.com/5048091/att-changes-terms-of-service-will-start-slowing-rebel-downloaders-next-month



SETI at home, adopted for storage. Should be fun for the e-Discovery lawyers...

http://hardware.slashdot.org/article.pl?sid=08/09/11/1742223&from=rss

Online Storage With a Twist

Posted by timothy on Thursday September 11, @01:57PM from the wiseacres-will-volunteer-to-store-porn dept. Data Storage Encryption Privacy The Internet

mssmss writes

"For a long time, I have been looking for a way to securely store my files online without being tied to a single vendor — whose survival my storage depends on. It looks like Wuala has a way to do this, according to this story in the Economist. They use donated disk space of users to scatter your encrypted files over multiple computers."



Hey! I gots kulcha...

http://www.killerstartups.com/Video-Music-Photo/passionato-com-buy-classical-music

Passionato.com – Buy Classical Music

Are you tired of iTunes’ focus on popular music? If you’re looking for a place to find all your classical music cravings, check out Passionato.com. On this rapidly growing online store, you’ll find the world’s largest library of DRM-free classical tracks from both major and independent labels. The tracks you purchase from the site can be transferred to any device and burned into CDs, making it a lot easier for you to share your music and take it with you on the go. If online retailers focused more on DRM-free tracks, they would probably sell a lot more, and these guys seem to know that. Like with any other store, the music is divided into many categories to make finding it easier. You can search for music by label, genre, periods, artists, and even composers. Classical music lovers are going to love this site and its comprehensive library.

http://www.passionato.com/
