Thursday, November 06, 2008

I suppose smart people tend to waffle think longer than us normal folk...

http://www.pogowasright.org/article.php?story=2008110605342219

MA: HLS loses sensitive data of 20,000 legal services center clients

Thursday, November 06 2008 @ 05:34 AM EST Contributed by: PrivacyNews

Over 20,000 clients of the Wilmer-Hale Legal Services Center have had their personal data, ranging from addresses and social security numbers to sensitive legal intake information, potentially exposed, the Record learned late last night from Robb London, Associate Director of Communications.

... [Harvard Law School] has sent letters, in both English and Spanish, notifying the 8000 individuals whose SS numbers were lost, giving them a point of contact at LSC, and offering that the law school (at its expense) will be making services available to them for identity and account protection. An additional letter went out to the 13,000 other clients affected.

The tape was lost on or around September 23. LSC has its servers on site in Jamaica Plain, unlike other Harvard clinicals such as Defenders, Prison Legal Assistance Project, or the Harvard Legal Aid Bureau, whose servers are located on campus and are encrypted. Each week, IT sends an employee to LSC to take out the data tapes and to transport them to campus for backup. When IT went to back up the tapes two days after they were delivered from LSC, they noticed that only 5 of the 6 tapes were there.

Source - Harvard Law Record

[From the article:

London described the password protection as, "almost the same level as encryption," and stated that it would take "Herculean efforts and immense computing power," to breach the security of the tape [Think about this: The tape contains digital data. The program that asks for and validates the password is not on the tape. All anyone needs to do is skip the bits that make up the password and start reading the data further into the tape – ask any teenager how to start listening to the second song on the tape. Bob]

... Nevertheless, in response to this loss, HLS has changed its procedures regarding data protection at LSC. First, the servers at the Jamaica Plain site are now being encrypted. [Perhaps they could encrypt the backup files, too? Bob] Second, data transport is now in the hands of a courier service known as Iron Mountain rather than IT. Third, a new tape library for LSC has been purchased, which includes a bar code reader for improved inventory control. [Notice that they start with the assumption that tapes are required. Secure transmission over the Internet would mean there are no tapes to get lost in the first place... Bob]
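Bob's point about the tape deserves a concrete illustration. Below is an added example, not code from the Harvard Law Record article or from HLS/LSC: a toy tape-image format that "protects" its records with a password hash in the header, beside one that encrypts and authenticates them under a key derived from the password. The formats, the header layout, the client records and the `compare()` helper are all constructed for this example, and the cipher is a standard-library HMAC-based construction standing in for AES-GCM.

```python
"""A password-checked backup image beside an encrypted one.

Added illustration, not code from the Harvard Law Record article or from
HLS/LSC: a toy tape-image format whose header carries a password hash and
whose records follow in clear, next to one that derives a key from the
password and encrypts and authenticates the records. Formats, names and the
three client records are all constructed for this example.
"""
import hashlib
import hmac
import os
import struct

MAGIC_GATED = b"TAPE"
MAGIC_ENC = b"ENCT"
HEADER_LEN = 4 + 16 + 32  # magic + salt + password hash

# Constructed sample records of the kind an intake system might back up
RECORDS = b"\n".join([
    b"name=A. Client;ssn=000-00-0000;matter=eviction defense",
    b"name=B. Client;ssn=000-00-0001;matter=benefits appeal",
    b"name=C. Client;ssn=000-00-0002;matter=immigration intake",
])


def derive_key(password: bytes, salt: bytes, length: int = 32) -> bytes:
    """PBKDF2-HMAC-SHA256 from the standard library (deliberately slow)."""
    return hashlib.pbkdf2_hmac("sha256", password, salt, 100_000, dklen=length)


def write_password_gated(password: bytes, data: bytes) -> bytes:
    """'Password protection': the header stores a password hash, the body is plaintext.
    Only the reader program consults the hash; the tape itself enforces nothing."""
    salt = os.urandom(16)
    return MAGIC_GATED + salt + derive_key(password, salt) + data


def read_password_gated(image: bytes, password: bytes) -> bytes:
    """The well-behaved reader: refuses to show the body without the password."""
    salt, stored = image[4:20], image[20:52]
    if not hmac.compare_digest(stored, derive_key(password, salt)):
        raise PermissionError("wrong password")
    return image[HEADER_LEN:]


def skip_header(image: bytes) -> bytes:
    """Bob's point: a reader that never asks. Just start past the header."""
    return image[HEADER_LEN:]


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream built from HMAC-SHA256 blocks. Illustrative only:
    a real backup should use AES-GCM or ChaCha20-Poly1305 from a vetted library."""
    out = bytearray()
    for counter in range((length + 31) // 32):
        out += hmac.new(key, nonce + struct.pack(">Q", counter), "sha256").digest()
    return bytes(out[:length])


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def write_encrypted(password: bytes, data: bytes) -> bytes:
    """Key derived from the password; body encrypted, then authenticated (encrypt-then-MAC)."""
    salt, nonce = os.urandom(16), os.urandom(16)
    key = derive_key(password, salt, 64)
    enc_key, mac_key = key[:32], key[32:]
    body = xor(data, keystream(enc_key, nonce, len(data)))
    tag = hmac.new(mac_key, salt + nonce + body, "sha256").digest()
    return MAGIC_ENC + salt + nonce + body + tag


def read_encrypted(image: bytes, password: bytes) -> bytes:
    """Verify the tag before touching the body; a wrong password yields nothing usable."""
    salt, nonce = image[4:20], image[20:36]
    body, tag = image[36:-32], image[-32:]
    key = derive_key(password, salt, 64)
    enc_key, mac_key = key[:32], key[32:]
    expected = hmac.new(mac_key, salt + nonce + body, "sha256").digest()
    if not hmac.compare_digest(tag, expected):
        raise PermissionError("wrong password or tampered image")
    return xor(body, keystream(enc_key, nonce, len(body)))


def compare(password: bytes = b"correct horse battery") -> dict:
    """Summarise what each format gives someone who does not know the password."""
    gated = write_password_gated(password, RECORDS)
    enc = write_encrypted(password, RECORDS)
    try:
        read_encrypted(enc, b"not-" + password)
        wrong_rejected = False
    except PermissionError:
        wrong_rejected = True
    return {
        "gated_reader_recovers": read_password_gated(gated, password) == RECORDS,
        "gated_body_readable_without_password": skip_header(gated) == RECORDS,
        "encrypted_reader_recovers": read_encrypted(enc, password) == RECORDS,
        "encrypted_body_readable_without_password": b"ssn=" in enc[36:-32],
        "encrypted_wrong_password_rejected": wrong_rejected,
    }


if __name__ == "__main__":
    for name, value in compare().items():
        print(f"{name}: {value}")
```

Running `compare()` shows the gated image's body readable the moment the 52-byte header is skipped, while the encrypted image exposes nothing without the password and rejects a wrong one outright. That is the difference between a check performed by the reader and protection that travels with the data, and it applies just as much to the backup files Bob mentions as to the servers that were encrypted.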



Failure to remove this information has been a hot topic for several years. How can anyone remain so clueless? (Oh, yeah... West Virginia)

http://www.pogowasright.org/article.php?story=20081105140444691

WV: Web error fallout ongoing

Wednesday, November 05 2008 @ 02:04 PM EST Contributed by: PrivacyNews

The fallout continued Thursday following an error that officials said resulted in the placement of Social Security numbers, birth dates and other personal information onto a county Web site.

Late last week, Jefferson County Clerk Jennifer Maghan said she unveiled a new online search tool that enabled residents and business professionals to access nearly 1.6 million documents that are stored in her office via their home computers.

Maghan said she received a number of compliments about the new program after it debuted, but learned within a matter of days that the deeds and some of the other documents that the service contained featured residents' Social Security numbers and other personal information. [“In all my years processing these forms, I never noticed that.” Bob]

Source - The Journal hat-tip, The Breach Blog

[From the article:

"It's on these documents, where a Social Security number had no business being there," she told county commissioners on Thursday. [“They put their social security number on the “Amount paid” line or in the Name field – anyplace we wouldn't notice it.” Bob]
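Since the numbers turned up on fields where they had no business being, a useful pre-publication gate scans the full text of every document rather than a designated SSN field. The following is an added example, not the county's software: a scanner that applies the SSA's structural rules (area 000, 666 and 900-999 never issued, group 00 and serial 0000 invalid) and treats bare nine-digit runs as review items rather than certain hits, since instrument and account numbers share that shape. The four document texts are constructed for the example.

```python
"""Pre-publication check for Social Security numbers in scanned-document text.

Added example, not the county's own software. It scans the whole text of each
document, because the article shows the numbers landing in fields nobody
expected. The document texts below are constructed."""
import re

# Nine digits in the AAA-GG-SSSS shape; separators optional because forms vary.
SSN_RE = re.compile(r"(?<!\d)(\d{3})([- ]?)(\d{2})([- ]?)(\d{4})(?!\d)")


def plausible_ssn(area: str, group: str, serial: str) -> bool:
    """SSA structural rules: area 000, 666 and 900-999 are never issued;
    group 00 and serial 0000 are invalid."""
    a = int(area)
    if a == 0 or a == 666 or a >= 900:
        return False
    return group != "00" and serial != "0000"


def find_ssns(text: str) -> list:
    """Return [(matched_text, confidence)]: 'high' when both separators are
    present, 'review' for bare nine-digit runs that could be an instrument,
    parcel or account number and need a human look."""
    hits = []
    for m in SSN_RE.finditer(text):
        area, sep1, group, sep2, serial = m.groups()
        if not plausible_ssn(area, group, serial):
            continue
        hits.append((m.group(0), "high" if sep1 and sep2 else "review"))
    return hits


def redact_high_confidence(text: str) -> str:
    """Mask separated, plausible SSNs down to the last four digits.
    Bare runs are left untouched so a real instrument number is not damaged."""
    def sub(m):
        area, sep1, group, sep2, serial = m.groups()
        if sep1 and sep2 and plausible_ssn(area, group, serial):
            return "XXX-XX-" + serial
        return m.group(0)
    return SSN_RE.sub(sub, text)


def triage(documents: dict) -> dict:
    """Map document id -> hits for every document that must not go online as-is."""
    return {doc_id: hits for doc_id, text in documents.items() if (hits := find_ssns(text))}


# Constructed sample document texts, as OCR or a data-entry clerk might produce them
DOCS = {
    "deed-0001": "WARRANTY DEED. Grantor: A. Person, SSN 123-45-6789. Amount paid: $250,000.",
    "deed-0002": "RELEASE OF LIEN. Amount paid: 219 09 9999. Grantee: B. Person.",
    "deed-0003": "Parcel 123-45-0000. Phone 555-123-4567. Recorded 2008-11-05.",
    "deed-0004": "Instrument No. 200811051. Consideration: ten dollars.",
}

if __name__ == "__main__":
    for doc_id, hits in triage(DOCS).items():
        print(doc_id, hits)
```

Here `deed-0002` is exactly the case in Bob's comment: a number typed into the "Amount paid" line, which a field-based check would never inspect. `deed-0003` shows why the structural rules matter (a parcel number in SSN shape, a phone number), and `deed-0004` shows the review tier doing its job: a nine-digit instrument number is held for a person to look at rather than silently published or silently mangled.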



A trivial hack, but see what an automatic censorship program can teach you...

http://www.pogowasright.org/article.php?story=20081105165029800

OR: Restaurant’s computer hacked

Wednesday, November 05 2008 @ 04:50 PM EST Contributed by: PrivacyNews

The computer system of Swee*censored*ers on the River restaurant in Valley River Inn in Eugene was hacked between June 19 and Oct. 3, the restaurant said Wednesday.

Valley River Inn’s computers were not affected.

As a result of the security breach, the information magnetically encoded on credit or debit cards, which may include the cardholder’s name, card number, card expiration date and other information encoded by the card issuer, may have been obtained by unauthorized persons.

Source - Portland Business Journal Related - Sweetwaters on the River Press Release



My guess is that the campaign of 2012 has already started. Some of the comments have other interesting suggestions...

http://it.slashdot.org/article.pl?sid=08/11/05/221222&from=rss

Obama, McCain Campaigns Both Hacked, Files Compromised

Posted by timothy on Wednesday November 05, @06:20PM from the nogoodniks-abound dept. Security United States Politics

dunezone writes

"As the election ends, news is coming out from both campaigns on what happened behind closed doors. During the summer, the Obama campaign had their systems hacked, but so did McCain — and not by each other, but by a third party. '... both the FBI and the Secret Service came to the campaign with an ominous warning: "You have a problem way bigger than what you understand," [Rude, but very FBI? Bob] an agent told Obama's team. "You have been compromised, and a serious amount of files have been loaded off your system." The following day, Obama campaign chief David Plouffe heard from White House chief of staff Josh Bolten, to the same effect: "You have a real problem ... and you have to deal with it." The Feds told Obama's aides in late August that the McCain campaign's computer system had been similarly compromised.'"

Also from the article:

"Officials at the FBI and the White House told the Obama campaign that they believed a foreign entity or organization sought to gather information on the evolution of both camps' policy positions — information that might be useful in negotiations with a future administration." [Which of course is silly. Campaign rhetoric has nothing to do with anything that happens after the election. Bob]



Sounds like a “gang” with very low Identity Theft skills. They need time in prison to perfect their technique...

http://www.pogowasright.org/article.php?story=20081105115023854

CO: Five-member identity-theft ring indicted

Wednesday, November 05 2008 @ 11:50 AM EST Contributed by: PrivacyNews

Five members of an identity theft ring that operated in the Denver metro area have been charged in a 65-count grand jury indictment, authorities say.

... During the investigation that began in April, authorities confiscated nearly 300 fraudulent identification cards and counterfeit checks they had used to steal thousands of dollars from dozens of victims, Friel said. .... The ring burglarized homes and broke into cars to steal credit card information.

Source - Denver Post

Comment: not to impugn the intelligence of clerks and merchants, but: the story says that "The group made their own credit cards that didn't have magnetic strips on the back, Friel said. When asked about the missing magnetic strips, ring members would say the cards were only temporary and ask the clerk to key in the credit card numbers stolen from a valid credit card, he said." A little common sense or caution on the part of the clerks or cashiers might have prevented some of the resulting problems -- Dissent.



I'm sorry they pled guilty. I was hoping for more details during the trial...

http://www.pogowasright.org/article.php?story=20081105180829545

Three Plead Guilty in $2 Million Citibank ATM Caper (follow-up)

Wednesday, November 05 2008 @ 06:08 PM EST Contributed by: PrivacyNews

Three New Yorkers accused of using hacked Citibank ATM card numbers and PINs to steal $2 million from customer accounts in four months have pleaded guilty to federal conspiracy and access device fraud charges.

The defendants -- Ivan Biltse, Angelina Kitaeva and Yuriy Rakushchynets, aka Yuriy Ryabinin -- are among 10 suspects charged earlier this year in connection with a breach of a transaction processing server handling ATMs at 7-Eleven convenience stores. The ATMs are branded Citibank, and owned by Houston-based Cardtronics.

Source - Threat Level

[From the article:

Court records indicate a Russian hacker cracked the ATM server in late 2007, and monitored transactions from 7-Eleven cash machines long enough to capture thousands of account numbers and PINs. The Russian then farmed out the stolen data to mules in the United States, who burned the account numbers onto blank mag-stripe cards [Something the Colorado crooks didn't bother with Bob] and withdrew cash from Citibank ATMs in the New York area for at least five months, sending 70 percent of the take back to Russia.

... Citibank hasn't commented on the breach, except to say that customers aren't held responsible for fraudulent withdrawals, and that its own servers weren't compromised. Cardtronics also hasn't commented, but insisted in a July press release that its systems meet the PCI Data Security Standard, [Undoubtedly true. Shows just how poor those standards are! Bob] which sets requirements for credit and debit cards processing systems.

... In addition to looting Citibank accounts, Rakushchynets was accused of participating in a global cybercrime feeding frenzy [Cute! Bob] that tore into four specific iWire prepaid MasterCard accounts last fall. From September 30 to October 1 -- just two days -- the iWire accounts were hit with more than 9,000 actual and attempted withdrawals from ATM machines "around the world," according to an FBI affidavit, resulting in a staggering $5 million in losses.

... Rakushchynets and Biltse agreed to forfeit the cash found stashed in their homes at their arrest: $838,000 for Rakushchynets; $912,500 for Biltse. [Sounds like they don't trust banks... Bob]



Take that, Google!

http://www.pogowasright.org/article.php?story=2008110605453287

Hustinx: nameless data can still be personal

Thursday, November 06 2008 @ 05:45 AM EST Contributed by: PrivacyNews

A person does not have to be identifiable by name for details of their computer usage to be protected by data protection laws, a senior European privacy watchdog has warned.

... Hustinx, who is charged with advising EU institutions on privacy law and ensuring they comply with it, has said in a video published by technology news service ZDNet that companies that gather addresses that might or might not be personal data should just treat them all as personal, with all the restrictions that entails.

Source - Out-Law.com Related - The video at ZD Net



Interesting, but it seems somewhat shallow to me. They consider the CPO and CIO perspective, but not the Board of Directors as a whole. And what about shareholders?

http://www.pogowasright.org/article.php?story=20081105133908736

Paper: The Driving Motivations of Stakeholders in the Delivery of Privacy by Enterprises

Wednesday, November 05 2008 @ 01:39 PM EST Contributed by: PrivacyNews

Abstract:

This paper presents a consolidated view of the requirements of stakeholders of an enterprise's privacy implementation. Because there are so many stakeholders in enterprise privacy, the paper also analyzes the tension between the stakeholders as they relate to purchasing behavior of privacy enabling technology. An action this paper motivates is the creation of technology so enterprises might operate in a privacy-respecting manner. The paper is meant to encourage development of products and services that have maximum understanding and therefore appeal across the various stakeholders. Some of the assertions in this paper are supported by interviews of stakeholders within a variety of enterprises in and across geographies and business sectors, who each have been promised anonymity. Enterprise customers reading this document will benefit from understanding concerns of other enterprise privacy stakeholders, filling gaps or oversights for privacy problems that may be pending but not yet surfaced in their own enterprise.

Nickel, Cyndi; Sander, Tomas; Bramhall, Pete. HP Laboratories, HPL-2008-153

Source - The Driving Motivations of Stakeholders in the Delivery of Privacy by Enterprises [pdf] October 21, 2008



Examples – practically Case Studies...

http://www.pogowasright.org/article.php?story=20081106051500683

New resources from the Office of the Privacy Commissioner of Canada

Thursday, November 06 2008 @ 05:15 AM EST Contributed by: PrivacyNews

The Office of the Privacy Commissioner of Canada announced two new resources:

They have produced a guide for businesses, and

They have also introduced a new e-newsletter: Privacy Perspectives - News from the Office of the Privacy Commissioner of Canada that includes case summaries of PIPEDA decisions. This month's newsletter includes:

  • PIPEDA Case summary #394: Outsourcing of canada.com e-mail services to U.S.-based firm raises questions for subscribers

  • PIPEDA Case summary #393: Laptop theft at bank and long delay before informing victims were both avoidable

  • PIPEDA Case summary #392: Individual objects to being photographed by private investigation firm

  • PIPEDA Case summary #391: Company must not charge flat fee to process access request



For your security manager (The link does not take you to a PDF)

http://it.slashdot.org/article.pl?sid=08/11/05/2042211&from=rss

Critical Vulnerability In Adobe Reader

Posted by timothy on Wednesday November 05, @05:32PM from the see-attachment dept. Security Bug Media

An anonymous reader writes

"Core Security Technologies issued an advisory disclosing a vulnerability that could affect millions using Adobe's Reader PDF file viewing software. Engineers from CoreLabs determined that Adobe Reader could be exploited to gain access to vulnerable systems via the use of a specially crafted PDF file with malicious JavaScript content. Successful exploitation of the vulnerability requires that users open a maliciously crafted PDF file, thereby allowing attackers to gain access to vulnerable systems and assume the privileges of a user running Acrobat Reader."
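For a security manager, the practical question is how to stop such a file before a user opens it. The following is an added example, not code from Core Security's advisory or from Adobe: a first-pass triage check that flags the PDF name objects introducing script or auto-run actions, after undoing the two encodings that defeat a naive byte search (`#xx` escapes inside names and Flate-compressed streams). The sample PDF fragments are constructed by hand, `placeholder-script` stands in for whatever script body a file might carry, and the `verdict()` policy is an assumption about how a gateway might act on the findings.

```python
"""Triage check for PDF files carrying JavaScript or auto-run actions.

Added example (not Core Security's or Adobe's code): the kind of first-pass
scan a mail gateway or file-drop monitor can run before a user opens the
file. The PDF fragments below are constructed by hand, not real documents."""
import re
import zlib

# Name objects worth a second look: script, auto-run on open, additional actions, launch
SUSPICIOUS_NAMES = (b"/JavaScript", b"/JS", b"/OpenAction", b"/AA", b"/Launch")

NAME_ESCAPE = re.compile(rb"#([0-9A-Fa-f]{2})")
STREAM_RE = re.compile(rb"stream\r?\n(.*?)\r?\nendstream", re.S)
MAX_INFLATED = 4 * 1024 * 1024  # cap per stream so a decompression bomb cannot exhaust memory


def normalize_names(data: bytes) -> bytes:
    """Undo #xx escapes inside PDF names so /Java#53cript reads as /JavaScript."""
    return NAME_ESCAPE.sub(lambda m: bytes.fromhex(m.group(1).decode()), data)


def inflate_streams(data: bytes) -> list:
    """Return the decompressed bodies of every stream zlib can inflate (FlateDecode)."""
    out = []
    for m in STREAM_RE.finditer(data):
        try:
            out.append(zlib.decompressobj().decompress(m.group(1), MAX_INFLATED))
        except zlib.error:
            pass  # not Flate, or damaged; a full tool would try the other filters too
    return out


def scan_pdf(data: bytes) -> list:
    """List the suspicious name objects present anywhere in the file, after normalization."""
    views = [normalize_names(data)] + [normalize_names(s) for s in inflate_streams(data)]
    found = set()
    for view in views:
        for name in SUSPICIOUS_NAMES:
            # a PDF name ends at a delimiter, so /JS must not match the start of a longer name
            if re.search(re.escape(name) + rb"(?![A-Za-z0-9])", view):
                found.add(name.decode())
    return sorted(found)


def verdict(data: bytes) -> str:
    """Assumed gateway policy: hold active content, queue bare auto-run actions for review."""
    hits = scan_pdf(data)
    if not hits:
        return "pass"
    if any(h in hits for h in ("/JavaScript", "/JS", "/Launch")):
        return "hold: active content (" + ", ".join(hits) + ")"
    return "review: auto-run action without visible script (" + ", ".join(hits) + ")"


def _pdf(body: bytes) -> bytes:
    # Minimal wrapper so each constructed sample looks like a PDF; xref table omitted on purpose
    return b"%PDF-1.4\n" + body + b"\n%%EOF\n"


SAMPLE_BENIGN = _pdf(b"1 0 obj\n<< /Type /Catalog /Pages 2 0 R >>\nendobj\n"
                     b"2 0 obj\n<< /Type /Pages /Count 0 /Kids [] >>\nendobj")
SAMPLE_PLAIN_JS = _pdf(b"1 0 obj\n<< /Type /Catalog /OpenAction 3 0 R >>\nendobj\n"
                       b"3 0 obj\n<< /S /JavaScript /JS (placeholder-script) >>\nendobj")
SAMPLE_ESCAPED = _pdf(b"3 0 obj\n<< /S /Java#53cript /J#53 (placeholder-script) >>\nendobj")
_compressed = zlib.compress(b"<< /S /JavaScript /JS (placeholder-script) >>")
SAMPLE_COMPRESSED = _pdf(b"4 0 obj\n<< /Filter /FlateDecode /Length %d >>\nstream\n" % len(_compressed)
                         + _compressed + b"\nendstream\nendobj")

if __name__ == "__main__":
    for label, sample in [("benign", SAMPLE_BENIGN), ("plain", SAMPLE_PLAIN_JS),
                          ("escaped", SAMPLE_ESCAPED), ("compressed", SAMPLE_COMPRESSED)]:
        print(f"{label}: {verdict(sample)}")
```

A check like this is a filter, not a parser: it cannot tell a benign form-validation script from one aimed at the bug in the advisory, which is why the policy holds anything with active content and leaves the decision to a person or a sandbox. Its value is that the two normalizations keep it from being blind to a file whose script sits in a compressed object or behind an escaped name, the gap a plain string search leaves open.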



How to steal passwords wholesale...

http://www.killerstartups.com/Web20/iforgotmypassword-org-store-all-your-passwords-online

IForgotMyPassword.org - Store All Your Passwords Online

http://www.iforgotmypassword.org

The I Forgot My Password website is there to ensure you can give your memory a break and store all your passwords in the same place. Some might say that storing such information on the web is not the safest thing to do, [Ya think? Bob] but different people want different things, and I think it is best to have alternatives to choose from rather than being always stuck with the same options and resources.

... You can also register for free easily and become a site user in no time at all.



Attention Class Action Lawyers!

http://tech.slashdot.org/article.pl?sid=08/11/05/2220213&from=rss

D-Link DIR-655 Firmware 1.21 Hijacks Your Internet Connection

Posted by timothy on Wednesday November 05, @06:45PM from the not-polite dept. Networking Businesses Technology

chronopunk writes

"Normally when you think of firmware updates for a router you would expect security updates and bug fixes. Would you ever expect the company that makes the product to try and sell you a subscription for security software using its firmware as a salesperson? I recently ran into this myself when trying to troubleshoot my router. I noticed when trying to go to Google that my router was hijacking DNS and sent me to a website trying to sell me a software subscription. After upgrading your D-link DIR-655 router to the latest firmware you'll see that D-link does this, and calls the hijacking a 'feature.'"



An interesting 'call to arms' but the link to e-discovery resources and blogs is more useful...

http://ralphlosey.wordpress.com/2008/11/05/the-e-discovery-crisis-an-immediate-challenge-to-our-nations-law-schools/

The E-Discovery Crisis: An Immediate Challenge to our Nation’s Law Schools

[e-Discovery resources and Blogs: http://www.ims-expertservices.com/newsletters/sept/guide-toe-discovery-resources-on-theweb-093008.asp



Making life easier for us perverts! privacy advocates!

http://www.pogowasright.org/article.php?story=20081105080844694

New Firefox privacy mode released to testers

Wednesday, November 05 2008 @ 08:08 AM EST Contributed by: PrivacyNews

Late Monday a small, yet big Firefox feature was released to testers of Minefield, Mozilla's testbed application for new browser innovations. The new feature is private browsing, also known in some circles as "porn mode." When toggled, it takes your Web history, user names, passwords, searches, and cookies and bins them the second you close out the window, effectively making it appear that the session never existed.

Source - Cnet
