Saturday, December 06, 2008

Can they be this dumb? Apparently there was no actual security – not even a worthless password. Pure “Security by Obscurity.” Do they know that Google (and others) already have this data?

http://www.pogowasright.org/article.php?story=20081206065916344

Email error exposes NACDS applicant database

Saturday, December 06 2008 @ 06:59 AM EST Contributed by: PrivacyNews

The National Association of Chain Drug Stores (NACDS) reports that its scholarship applicant database was made available to applicants due to the inclusion of the wrong link in an email [Instead of “www.your.file” they sent “www.entire.file” Bob] sent to applicants on October 7th. As a result of the error, the 160 applicants were able to access each other's application data, which includes name, Social Security number, and home and school addresses.

Phillip L. Schneider, President, notes that NACDS was notified of the problem on October 7th and disabled the link on October 8th.



RIAA-like bluff tactics in the UK – did they break the law? The author of this article thinks so.

http://www.pogowasright.org/article.php?story=200812050941311

UK: Accused of Illegal File-Sharing? Complain to the Government

Friday, December 05 2008 @ 09:41 AM EST Contributed by: PrivacyNews

Lawyers in the UK are obtaining the personal details of over 25,000 alleged file-sharers for the purposes of sending them a £500+ bill accompanied by threats of being sued. Read why the government’s Information Commissioner has let down every single one of them and why each disclosure could be a serious breach of the Data Protection Act.

Source - TorrentFreak

[From the article:

However it was only when responses started to flood in - many in their hundreds to Lawdit Solicitors - did it become clear that while IP addresses could reveal a name and real-life address, it did not reveal the culprit. It proved very little. It certainly did not prove that any copyright infringement had taken place, far from it. Only by inspecting the hard drive of the customer’s computer could you do this. If there were any other evidence to sit alongside the IP address, for example a user name or password of the file sharing software you could sympathize with the rights holder.

... The silence is even more deafening in that on 29 January 2008, the ECJ held that Community law does not require member states to oblige ISPs to disclose details of suspected file-sharers to enable a copyright owner to bring civil proceedings.



Lots of small breaches (due to P2P) in just 30 days... Share this with your Security manager!

http://breachblog.com/2008/12/05/redteam.aspx?ref=rss

P2P breaches you don’t read about in the news...

A friend of mine recently updated me about what he’s been working on and what he’s found in the past 30 days on P2P networks. Rian Wroblewski is the Director of Open Source Cyberintelligence at RedTeam Protection and he’s a skilled information security researcher, especially when it comes to finding sensitive information on P2P networks.



Update. The BNP is apparently filled with nuts, so disclosing the list of members was similar to releasing mental health records – and the perpetrator was so nuts, she was kicked out of the party! (At least, that's how I read it.)

http://www.pogowasright.org/article.php?story=20081205094020148

Two arrested in Notts over BNP membership leak

Friday, December 05 2008 @ 09:40 AM EST Contributed by: PrivacyNews

Police have arrested two people in Notts over the unauthorised release of the British National Party membership list.

The Post understands officers raided a house in the county last night.

Today a spokeswoman for Dyfed Powys Police said: "We can confirm that last night Nottinghamshire Police arrested two people as part of a joint investigation with Dyfed Powys Police and the Information Commissioner's Office in conjunction with alleged criminal offences under the Data Protection Act.

Source - ThisisNottingham.co.uk



I've been sensing this from the articles I read, but it's good to have statistical confirmation.

http://www.pogowasright.org/article.php?story=20081205191331977

Survey: The best privacy advisers in 2008

Friday, December 05 2008 @ 07:13 PM EST Contributed by: PrivacyNews

Which are the best firms at helping organizations navigate the complexities of managing customer and employee information? That's the question I posed last month to over 2,000 people responsible for data protection. This was the third year asking this question (see "The best privacy advisers in 2007" and "The best privacy consultancies"), so we're now able to see some trend lines. I was surprised at the results.

Source - Computerworld

[From the article:

The most remarkable finding was that 31% of companies said they're planning to increase their 2009 budgets for outside privacy advice,

... How can data protection officers survive the budget scalpels everyone else is facing? One possible answer makes sense: Boardroom executives perhaps no longer view data privacy and security as remote risks that can be put off for a better day. If these dollars are getting sheltered or even augmented, executives must now see privacy as a bottom-line objective with immediate impact on earnings.



Interesting article with implications for e-Discovery and Data Mining

http://www.infoworld.com/article/08/12/05/Guide_to_finding_the_right_search_solution_1.html?source=rss&url=http://www.infoworld.com/article/08/12/05/Guide_to_finding_the_right_search_solution_1.html

Guide to finding the right search solution

Surveys show most companies have yet to find the right search tool for their business

By Paul Doscher, Network World December 05, 2008

... The amount of data that companies generate is staggering and shows no sign of slowing. IDC estimated that digital content and replicated data exceeded 281 exabytes in 2007 and expects it to grow 10 times before 2011.


Related Tool for searching outside the organization... They profile four, but Clusty seems the most interesting.

http://news.cnet.com/8301-17939_109-10114454-2.html?part=rss&subj=news&tag=2547-1_3-0-5

Can you ditch Google for a metasearch engine?

Posted by Don Reisinger December 5, 2008 11:57 AM PST

... The biggest issue facing any metasearch engine is determining how it can compete with Google, Yahoo, and Microsoft without copying them. Clusty does it by "clustering" search results based on keywords contained in the query.

If you search for something simple like "CNET," you'll find a list of results like any other search engine. But to the left of those results, Clusty also displays keywords like "reviews," "networks," and "downloads" that you can click on to narrow results down to a specific topic and find exactly what you're looking for sooner.



At the intersection of Law and Technology, you have an opportunity to connect with (draw in) others interested in the issues being contested. Perhaps Harvard will be joined by hundreds of lawyers and techies, but they only need to connect with the one who provides the winning strategy!

http://news.slashdot.org/article.pl?sid=08%2F12%2F06%2F0117204&from=rss

RIAA Vs. Web 2.0? Social Media and Litigation

Posted by Soulskill on Friday December 05, @10:14PM from the onward-and-upward dept. The Courts The Internet

NewYorkCountryLawyer writes

"After learning that Professor Nesson's CyberLaw class at Harvard Law School has set up a Facebook page to assist in its defense of Joel Tenenbaum in an RIAA case, SONY BMG Music v. Tenenbaum, Wendy Davis of the Online Daily Examiner opines that 'Web 2.0,' and more particularly, the 'social media,' are playing an increasingly important role in RIAA litigation. We at Slashdot have already learned that principle, and have made good use of it, as have our friends at Groklaw."



Ja, dem Dutch boys is smart! And artistic too!

http://news.slashdot.org/article.pl?sid=08%2F12%2F06%2F0321205&from=rss

Amazon Fights Piracy Tool, Creators Call It a Parody

Posted by Soulskill on Saturday December 06, @12:13AM from the it-was-uh-uh-art-yeah-that's-the-ticket dept.

jamie points out an interesting story which started a few days ago, when a pair of students from the Netherlands released a Firefox add-on which integrated links to the Pirate Bay on Amazon product pages. Customers who had the add-on would see a large "Download 4 Free" button next to items which were also available on the Pirate Bay. The add-on quickly drew notice, and the creators were hit with a take-down notice and threats of litigation from Amazon. Now, the students have removed the add-on, and they are claiming an unusual defense: "'Pirates of the Amazon' was an artistic parody, part of our media research and education at the Media Design M.A. course at the Piet Zwart Institute of the Willem de Kooning Academy Hogeschool Rotterdam, the Netherlands. It was a practical experiment on interface design, information access and currently debated issues in media culture. We were surprised by the attentions and the strong reactions this project received. Ultimately, the value of the project lies in these reactions. It is a ready-made and social sculpture of contemporary internet user culture." [Obviously! Bob]



Sounds like this was not the best way to notify users. How would you do it?

http://www.pogowasright.org/article.php?story=20081205160240712

Facebook security warning leaves users confused

Friday, December 05 2008 @ 04:02 PM EST Contributed by: PrivacyNews

Facebook today sent out a security warning to some of its users alerting them that their passwords have been changed due to alleged suspicious activities happening on their accounts.

The email appears to be a reaction from the social network due to the newest appearance of Koobface, a worm that preys on the paranoia of users and leverages seemingly trusted redirects to infect its victims.

In the email, Facebook tells its users that they need to reset their passwords but only after running their current antivirus protection to make sure they aren’t already infected. In the same breath, however, the Facebook Security Team tells its users never to click on suspicious links — even though its own email is suspect.

Source - ZDNet

[About Koobface: http://www.washingtonpost.com/wp-dyn/content/article/2008/12/05/AR2008120501081.html

The Koobface messages carry subject lines like "You look so funny on our new video" or something similar, and contain a link to a video site that appears to contain a movie clip. If the user tries to watch it, a message appears saying that he or she needs the latest version of Flash Player in order to play the clip. This tricks users into downloading a file carrying the malware.



Once I've made my website students suffer through my class, building their website from the code up, I give them tools like this.

http://www.killerstartups.com/Web20/viviti-com-build-your-own-website-with-ease

Viviti.com - Build Your Own Website With Ease

https://www.viviti.com

A service that has just moved out of private beta, Viviti will enable anybody to come up with his or her dream website in a hassle-free manner. Generally speaking, the site offers more than 100 templates to choose from, and in the event none of these matches your vision one can be created from scratch.

The whole system is an intuitive and flexible one, as no programming knowledge is required – all you have to do is click, drag and drop things into place. No coding experience is necessary at all.

Registration to the site is also an effortless task, and once you have submitted your e-mail address and chosen a web address for your brand new site you are ready to go.
