Tuesday, December 09, 2008

Trojan eliminated, although it took a complete re-install of the operating system. (Okay, I'm too lazy to go through the 647 steps needed to remove it manually.) Gives me an excuse to rethink my data layouts as I reload everything from backups...



Self-exam. Not bad for someone not getting mandatory reports.

http://www.pogowasright.org/article.php?story=20081208140352497

Data breaches in New York State: we don't know the half of it

Monday, December 08 2008 @ 02:03 PM EST Contributed by: Dissent

Those of us who report on data breaches or who try to analyze trends have often lamented that we only see the tip of the iceberg in terms of what gets reported or made readily publicly available. Newly obtained data from NYS suggest that we may be doing better than we thought, but there is still much room for improvement and greater transparency.

In September, Massachusetts published a report showing that for the first 10 months after mandated notifications to the state went into effect, they received 318 reports, with 625,365 residents affected by the breaches. The majority of breaches were reported by the financial sector.

For purposes of comparison, and for the first 9 months of 2008, New York State received 399 breach reports affecting almost 2 million residents (although some residents may have been involved in one or more incidents and this number may not represent unique individuals). Preliminary analyses of the logs provided by NYS in response to a Freedom of Information Law request indicate that the 399 incidents included approximately 160 stolen computers or stolen laptops, 50 hacks, and 31 reports where the log identified the incident as "insider wrongdoing" or "unauthorized access" by employees. In contrast to the report from Massachusetts, the financial sector accounted for approximately one third of the incidents reported in NYS. More detailed analyses will be provided after all of the raw data are obtained.

But how many of these breaches did we find out about via the media or state attorney general web sites that upload their breach reports? A comparison of the breach reports received by NYS for the 9-month period to PogoWasRight.org, its sister site, PHIprivacy.net, and the OSF DatalossDB revealed that despite its best efforts to scour news, blogs, and attorney general sites, PogoWasRight.org and PHIprivacy.net had found out about and reported (only) 45% of the incidents involving stolen computers, 40% of the hacking incidents, and 42% of the insider reports. Although that is considerably better in some respects than what I had thought we would find, it indicates that there is still much that we are not finding out about. The OSF database, which until recently did not include reports from attorney general's sites and tended to focus on media reports of larger incidents, appears to (only) include approximately 15% of the stolen computer incidents, 25% of the hacking incidents, and less than 15% of the insider incidents.

It is important to note that I harbor no illusion that PogoWasRight.org and PHIprivacy.net are actually finding out about 40 - 45% of all breaches reported in all states. Nor do I ever forget that many breaches do not get reported at all because either states may exempt certain reports or entities may not know that they are obligated to report, or they just may not report for other reasons.

If data breach analyses are to inform policy and laws, then we continue to need more data. Some of us are engaging in a volunteer effort to obtain more reports under Freedom of Information laws which will be shared via OSF's database. Chris Walsh and Dave Shettler (Vice-President/CTO of OSF) have given us a great start, but we need more contributors. If you would like to volunteer to help with the project, you can email any of us. Individuals or businesses who would like to support the project financially can donate to OSF, a 501c(3) organization.



...because...

http://www.pogowasright.org/article.php?story=20081208062346964

Data “Dysprotection:” breaches reported last week

Monday, December 08 2008 @ 06:46 AM EST Contributed by: PrivacyNews

A recap of incidents or privacy breaches reported last week for those who enjoy shaking their head and muttering to themselves with their morning coffee.

Source - Chronicles of Dissent



Told ya!

http://www.dailytech.com/Report++Major+Cyber+Security+Overhaul+Needed/article13626.htm

Report: Major Cyber Security Overhaul Needed

Michael Barkoviak - December 9, 2008 7:00 AM

A new report issued by the Center for Strategic and International Studies urges President-elect Barack Obama to create a new White House department aimed at protecting U.S. cyber interests from hackers and other foreign agents.

[The Report: http://www.csis.org/media/csis/pubs/081208_securingcyberspace_44.pdf



http://www.pogowasright.org/article.php?story=20081209061503659

Ca: ID theft feared with new B.C. driver's licences

Tuesday, December 09 2008 @ 06:15 AM EST Contributed by: PrivacyNews

Security experts say they have managed to "steal" personal data from passports embedded with radio-frequency ID cards, the same technology embedded in some B.C. driver's licences for the purpose of speeding up border crossings.

And Canada's privacy commissioner Jennifer Stoddart says she fears the cards may leave people vulnerable to similar breaches of privacy, which could allow your personal data to fall into the wrong hands.

Source - Vancouver Sun

[From the article:

"These cards are going to have to be read at a distance in order to facilitate the speed at which people go across the border.

"We are told they are encrypted and that they are unassailably encrypted.

... Grunwald, the co-founder of NeoCatena Networks, says his company tested the security on European Union passports with RFID technology and found the information in the cards could easily be stolen. "We were able to read other people's passports on a bus to a plane," Grunwald said.

In that case, a couple of people with a suitcase with a reader inside simply got close enough to other travellers to pick up the information from their passports.

... The RFID readers scan the information at a short range, but Grunwald said longer-range scanning is only limited by the size of an antenna.

... "When Japan came out with its RFID passport technology, they said, 'This is the safest thing on earth, there is no way it can be cracked,' and it took about two weeks before it was successfully cloned.



It's like Creationism, some wars you have to re-fight constantly.

http://news.slashdot.org/article.pl?sid=08%2F12%2F08%2F1929259&from=rss

Canadian Groups Call For Massive Net Regulation

Posted by ScuttleMonkey on Monday December 08, @04:25PM from the driving-websites-offshore dept. The Internet Politics

An anonymous reader writes

"Michael Geist is reporting that Canadian cultural groups including ACTRA and SOCAN have called on Canada's telecom regulator to implement a massive new Internet regulation framework. This includes a new three-percent tax on ISPs to pay for new media creation, Canadian content requirements for commercial websites, and licensing requirements for new media broadcasters, including for user-generated content."



Ubiquitous surveillance: So if (like the company that sold malt during prohibition) I tell you “Don't follow this recipe or you will make the illegal substance called Beer” that's okay?

http://www.pogowasright.org/article.php?story=20081208082523390

Court Allows Spyware Program to Go Back on Sale

Monday, December 08 2008 @ 08:25 AM EST Contributed by: PrivacyNews

A Florida company that sells a spyware program must change advertising pitches that emphasize the product's clandestine nature, but the company can continue to sell the application, a U.S. federal court has ruled.

CyberSpy Software had been unable to sell its RemoteSpy application since Nov. 6, when a court granted a request for an injunction after a complaint by the U.S. Federal Trade Commission (FTC).

Source - PCWorld

[From the article:

The FTC alleges CyberSpy marketed RemoteSpy by giving detailed instructions on how to install the program on computers and surreptitiously collect data.

... The new injunction bars CyberSpy from suggesting the program can be secretly installed or that keyloggers can be passed on as innocuous programs.



To see the world as others see it... Something for organizations to emulate.

http://www.bespacific.com/mt/archives/020021.html

December 08, 2008

DHS Risk Lexicon

Risk Steering Committee, DHS Risk Lexicon, September 2008: "The Department of Homeland Security (DHS) is in the process of building an Integrated Risk Management Framework to improve its capability to make risk-informed strategic decisions using systematic and structured assessments of homeland security risk. The Integrated Risk Management Framework includes processes and tools that allow DHS to gather, integrate, analyze, and communicate information about risk such that it can be used to strategically prioritize efforts and resources throughout the DHS enterprise. The DHS Risk Lexicon supports the Integrated Risk Management Framework by defining a single language for DHS risk management. Clear and unambiguous communication amongst risk practitioners, decision makers, and homeland security stakeholders is a key aspect of the Department's integrated risk management capability. The DHS Risk Lexicon represents a significant step forward by making available an official set of definitions for risk-related terms for the Department."



Go, go Google gadgets!

http://news.cnet.com/8301-13505_3-10118019-16.html?part=rss&subj=news&tag=2547-1_3-0-5

Google's secret operating system

Posted by Matt Asay December 8, 2008 5:37 PM PST

Reports have spread about a possible new operating system in use at Google, one its employees have been using to browse the Web.

There are all sorts of theories about what Google is up to (from a port of Android to the desktop to a new software-as-a-service infrastructure), but I like OStatic's synopsis and theory most:

Android ported to the PC--or even the 2006-era dream of a "Goobuntu" desktop--are, of course, possible, but if not overly costly for Google to undertake, would at least be major time investments. Those sorts of investments might pay off over time, but a software-as-a-service product (one "to use as an infrastructure for network applications that could be deployed virtually anywhere") gives Google an advantage in the operating-system market, should have a faster return on investment, and complements the free services Google already offers.
